From f062bd0e9e2d39329777ce18428a9769981fc473 Mon Sep 17 00:00:00 2001
From: susan
Date: Thu, 18 Sep 2025 14:43:02 -0400
Subject: [PATCH 01/20] Add proposed new fields in .yml format
---
 rfcs/text/0052/gen_ai.yaml | 51 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 rfcs/text/0052/gen_ai.yaml
diff --git a/rfcs/text/0052/gen_ai.yaml b/rfcs/text/0052/gen_ai.yaml
new file mode 100644
index 0000000000..f2dca090dc
--- /dev/null
+++ b/rfcs/text/0052/gen_ai.yaml
@@ -0,0 +1,51 @@
+---
+- name: gen_ai
+ fields:
+ - name: system_instructions
+ type: flattened
+ description: The system message or instructions provided to the GenAI model separately from the chat history.
+ example: TODO
+ level: extended
+ beta: This field reuse is beta and subject to change.
+ otel:
+ - relation: match
+ - name: input.messages
+ type: flattened
+ description: The chat history provided to the model as an input.
+ example: TODO
+ level: extended
+ beta: This field reuse is beta and subject to change.
+ otel:
+ - relation: match
+ - name: output.messages
+ type: flattened
+ description: Messages returned by the model where each message represents a specific model response (choice, candidate).
+ example: TODO
+ level: extended
+ beta: This field reuse is beta and subject to change.
+ otel:
+ - relation: match
+ - name: tool.definitions
+ type: nested
+ description: The list of source system tool definitions available to the GenAI agent or model.
+ example: TODO
+ level: extended
+ beta: This field reuse is beta and subject to change.
+ otel:
+ - relation: match
+ - name: tool.call.arguments
+ type: nested
+ description: Parameters passed to the tool call.
+ example: TODO
+ level: extended
+ beta: This field reuse is beta and subject to change.
+ otel:
+ - relation: match
+ - name: tool.call.results
+ type: nested
+ description: The result returned by the tool call (if any and if execution was successful).
+ example: TODO
+ level: extended
+ beta: This field reuse is beta and subject to change.
+ otel:
+ - relation: match
From bbc490f4f2c2d11f3bf8aad2ce96ea44ecb8e4fb Mon Sep 17 00:00:00 2001
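Review bot: The descriptions of `system_instructions`, `input.messages`, `output.messages`, `tool.call.arguments` and `tool.call.results` never say that their content may carry sensitive data, even though these fields hold raw prompt, completion and tool input/output text; the `process.command_line` and `process.env_vars` entries later in this series carry the sentence `Some arguments may be filtered to protect sensitive information.` / `May be filtered to protect sensitive information.`, and an equivalent sentence belongs in each of these descriptions so that shippers know redaction of credentials and personal data is expected before indexing. Every field still has `example: TODO`, which the doc build will render verbatim; supply a representative example or omit the key until one exists. The `beta:` text reads "This field reuse is beta" on fields that are newly defined rather than reused, whereas the other beta fields built in this series use `This field is beta and subject to change.`, so the same wording should be used here. `tool.call.results` is declared `relation: match`, which asserts an identically named OTel attribute; if the semconv attribute is actually the singular `gen_ai.tool.call.result`, the relation should be `equivalent` with the OTel attribute name stated explicitly — worth confirming against the semconv registry before the generator runs.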
From: susan
Date: Thu, 18 Sep 2025 14:43:35 -0400
Subject: [PATCH 02/20] Add built doc files
---
 docs/reference/ecs-otel-alignment-details.md | 10 +-
 docs/reference/ecs-otel-alignment-overview.md | 2 +-
 docs/reference/ecs-process.md | 6 +
 generated/beats/fields.ecs.yml | 22022 ++++++++-
 generated/csv/fields.csv | 6366 ++-
 generated/ecs/ecs_flat.yml | 37091 ++++++++++++++-
 generated/ecs/ecs_nested.yml | 37200 +++++++++++++++-
 .../composable/component/client.json | 24 +
 .../composable/component/destination.json | 24 +
 .../composable/component/process.json | 12889 +++++-
 .../composable/component/server.json | 24 +
 .../composable/component/source.json | 24 +
 .../composable/component/user.json | 72 +
 .../elasticsearch/composable/template.json | 82 +-
 generated/elasticsearch/legacy/template.json | 13613 +++++-
 15 files changed, 119809 insertions(+), 9640 deletions(-)
diff --git a/docs/reference/ecs-otel-alignment-details.md b/docs/reference/ecs-otel-alignment-details.md
index 579643a85d..910be29ea5 100644
--- a/docs/reference/ecs-otel-alignment-details.md
+++ b/docs/reference/ecs-otel-alignment-details.md
@@ -158,16 +158,16 @@ The following table gives an overview of mappings between individual ECS fields | $$$otel-mapping-for-process-args-count$$$ [process.args_count](/reference/ecs-process.md#field-process-args-count) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.args_count](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-args-count) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-command-line$$$ [process.command_line](/reference/ecs-process.md#field-process-command-line) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.command_line](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-command-line) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-executable$$$ [process.executable](/reference/ecs-process.md#field-process-executable) | [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.executable.path](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-executable-path) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-process-real-user-id$$$ process.real_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.real_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-real-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-process-saved-user-id$$$ process.saved_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) 
| [process.saved_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-user-id$$$ process.user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-process-saved-user-id$$$ process.saved_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-process-real-user-id$$$ process.real_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.real_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-real-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-interactive$$$ [process.interactive](/reference/ecs-process.md#field-process-interactive) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.interactive](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-interactive) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-process-real-user-name$$$ process.real_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | 
[process.real_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-real-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-process-saved-user-name$$$ process.saved_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-user-name$$$ process.user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-process-group-leader-pid$$$ process.group_leader.pid | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.group_leader.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-group-leader-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-process-saved-user-name$$$ process.saved_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-process-real-user-name$$$ process.real_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | 
[process.real_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-real-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-pid$$$ [process.pid](/reference/ecs-process.md#field-process-pid) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-session-leader-pid$$$ process.session_leader.pid | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.session_leader.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-session-leader-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-process-group-leader-pid$$$ process.group_leader.pid | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.group_leader.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-group-leader-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-title$$$ [process.title](/reference/ecs-process.md#field-process-title) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.title](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-title) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-uptime$$$ [process.uptime](/reference/ecs-process.md#field-process-uptime) | 
[![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.uptime](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.process.uptime+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-vpid$$$ [process.vpid](/reference/ecs-process.md#field-process-vpid) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.vpid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-vpid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | diff --git a/docs/reference/ecs-otel-alignment-overview.md b/docs/reference/ecs-otel-alignment-overview.md index 886c26b816..4668c4ad8e 100644 --- a/docs/reference/ecs-otel-alignment-overview.md +++ b/docs/reference/ecs-otel-alignment-overview.md @@ -85,7 +85,7 @@ The following table summarizes the alignment status by namespaces between ECS in | Package | [13](/reference/ecs-package.md) | · | · | · | · | · | · | · | · | | PE Header | [23](/reference/ecs-pe.md) | · | · | · | · | · | · | · | · | | Peer | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/peer) | · | · | · | · | · | · | | -| Process | [34](/reference/ecs-process.md) | [34](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process) | 15 | 2 | · | · | 1 | · | · | +| Process | [40](/reference/ecs-process.md) | [34](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process) | 15 | 2 | · | · | 1 | · | · | | Profile Frame | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/profile) | · | · | · | · | · | · | | | Registry | [7](/reference/ecs-registry.md) | · | · | · | · | · | · | · | · | | Related | [4](/reference/ecs-related.md) | · | · | · | · | · | · | · | 4 | 
diff --git a/docs/reference/ecs-process.md b/docs/reference/ecs-process.md index 1fc7c77613..8438ca3433 100644 --- a/docs/reference/ecs-process.md +++ b/docs/reference/ecs-process.md @@ -21,7 +21,9 @@ These fields can help you correlate metrics information with a process id/name f | $$$field-process-args-count$$$ [process.args_count](#field-process-args-count) | Length of the process.args array.

This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.

type: long

example: `4`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.args_count](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-args-count) | extended | | $$$field-process-command-line$$$ [process.command_line](#field-process-command-line) | Full command line that started the process, including the absolute path to the executable, and all arguments.

Some arguments may be filtered to protect sensitive information.

type: wildcard

Multi-fields:

* process.command_line.text (type: match_only_text)

example: `/usr/bin/ssh -l user 10.0.0.16`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.command_line](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-command-line) | extended | | $$$field-process-end$$$ [process.end](#field-process-end) | The time the process ended.

type: date

example: `2016-05-23T08:05:34.853Z` | extended | +| $$$field-process-endpoint-security-client$$$ [process.endpoint_security_client](#field-process-endpoint-security-client) | _This field is beta and subject to change._ Processes that have an endpoint security client must have the com.apple.endpointsecurity entitlement and the value is set to true in the message.

type: boolean | extended | | $$$field-process-entity-id$$$ [process.entity_id](#field-process-entity-id) | Unique identifier for the process.

The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.

Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.

type: keyword

example: `c2c455d9f99375d` | extended | +| $$$field-process-entry-meta-type$$$ [process.entry_meta.type](#field-process-entry-meta-type) | The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console

Note: This field is only set on process.session_leader.

type: keyword | extended | | $$$field-process-env-vars$$$ [process.env_vars](#field-process-env-vars) | Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution.

May be filtered to protect sensitive information.

type: keyword

Note: This field should contain an array of values.

example: `["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]` | extended | | $$$field-process-executable$$$ [process.executable](#field-process-executable) | Absolute path to the process executable.

type: keyword

Multi-fields:

* process.executable.text (type: match_only_text)

example: `/usr/bin/ssh`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.executable.path](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-executable-path) | extended | | $$$field-process-exit-code$$$ [process.exit_code](#field-process-exit-code) | The exit code of the process, if this is a termination event.

The field should be absent if there is no exit code for the event (e.g. process start).

type: long

example: `137` | extended | @@ -36,7 +38,11 @@ These fields can help you correlate metrics information with a process id/name f | $$$field-process-io-total-bytes-skipped$$$ [process.io.total_bytes_skipped](#field-process-io-total-bytes-skipped) | The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero

type: long | extended | | $$$field-process-io-type$$$ [process.io.type](#field-process-io-type) | The type of object on which the IO action (read or write) was taken.

Currently only 'tty' is supported. Other types may be added in the future for 'file' and 'socket' support.

type: keyword | extended | | $$$field-process-name$$$ [process.name](#field-process-name) | Process name.

Sometimes called program name or similar.

type: keyword

Multi-fields:

* process.name.text (type: match_only_text)

example: `ssh` | extended | +| $$$field-process-origin-referrer-url$$$ [process.origin_referrer_url](#field-process-origin-referrer-url) | _This field is beta and subject to change._ The URL of the webpage that linked to the process's executable file.

type: keyword

example: `http://example.com/article1.html` | extended | +| $$$field-process-origin-url$$$ [process.origin_url](#field-process-origin-url) | _This field is beta and subject to change._ The URL where the process's executable file is hosted.

type: keyword

example: `http://example.com/files/example.exe` | extended | | $$$field-process-pid$$$ [process.pid](#field-process-pid) | Process id.

type: long

example: `4242`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-pid) | core | +| $$$field-process-platform-binary$$$ [process.platform_binary](#field-process-platform-binary) | _This field is beta and subject to change._ Binaries that are shipped by the operating system are defined as platform binaries, this value is then set to true.

type: boolean | extended | +| $$$field-process-same-as-process$$$ [process.same_as_process](#field-process-same-as-process) | This boolean is used to identify if a leader process is the same as the top level process.

For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`.

This field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader)

Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true`

Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.

type: boolean

example: `True` | extended | | $$$field-process-start$$$ [process.start](#field-process-start) | The time the process started.

type: date

example: `2016-05-23T08:05:34.853Z` | extended | | $$$field-process-thread-capabilities-effective$$$ [process.thread.capabilities.effective](#field-process-thread-capabilities-effective) | This is the set of capabilities used by the kernel to perform permission checks for the thread.

type: keyword

Note: This field should contain an array of values.

example: `["CAP_BPF", "CAP_SYS_ADMIN"]` | extended | | $$$field-process-thread-capabilities-permitted$$$ [process.thread.capabilities.permitted](#field-process-thread-capabilities-permitted) | This is a limiting superset for the effective capabilities that the thread may assume.

type: keyword

Note: This field should contain an array of values.

example: `["CAP_BPF", "CAP_SYS_ADMIN"]` | extended | diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 4826341eee..44e5458513 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -405,6 +405,52 @@ default_field: false description: Short name or login of the user. example: a.einstein + - name: user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: user.roles level: extended type: keyword 
@@ -1244,6 +1290,52 @@ default_field: false description: Short name or login of the user. example: a.einstein + - name: user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: user.roles level: extended type: keyword 
@@ -5273,6 +5365,150 @@ indication of suspicious activity.' example: 4 default_field: false + - name: attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + default_field: false + - name: attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: code_signature.digest_algorithm level: extended type: keyword @@ -5630,6 +5866,12 @@ description: The time the process ended. example: '2016-05-23T08:05:34.853Z' default_field: false + - name: endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false - name: entity_id level: extended type: keyword 
@@ -5665,441 +5907,18991 @@ indication of suspicious activity.' example: 4 default_field: false + - name: entry_leader.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false - name: entry_leader.attested_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: entry_leader.attested_user.id - level: core + - name: entry_leader.attested_user.domain + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' default_field: false - - name: entry_leader.attested_user.name - level: core + - name: entry_leader.attested_user.email + level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: User email address. default_field: false - - name: entry_leader.command_line + - name: entry_leader.attested_user.full_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 + description: User's full name, if available. 
+ example: Albert Einstein default_field: false - - name: entry_leader.entity_id + - name: entry_leader.attested_user.group.domain level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. + description: 'Name of the directory the group is a member of. - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d + For example, an LDAP or Active Directory domain name.' default_field: false - - name: entry_leader.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). + - name: entry_leader.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.entry_meta.type + - name: entry_leader.attested_user.group.name level: extended type: keyword ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' + description: Name of the group. default_field: false - - name: entry_leader.executable + - name: entry_leader.attested_user.hash level: extended type: keyword ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.attested_user.name + level: core + type: keyword + ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh + description: Short name or login of the user. + example: a.einstein default_field: false - - name: entry_leader.group.id + - name: entry_leader.attested_user.risk.calculated_level level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High default_field: false - - name: entry_leader.group.name + - name: entry_leader.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.attested_user.risk.static_level level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High default_field: false - - name: entry_leader.interactive + - name: entry_leader.attested_user.risk.static_score level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. 
If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 default_field: false - - name: entry_leader.name + - name: entry_leader.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.attested_user.roles level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' default_field: false - - name: entry_leader.parent.entity_id + - name: entry_leader.code_signature.digest_algorithm level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. + description: 'The hashing algorithm used to sign the process. 
- Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 default_field: false - - name: entry_leader.parent.pid + - name: entry_leader.code_signature.exists level: core - type: long - format: string - description: Process id. - example: 4242 + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' default_field: false - - name: entry_leader.parent.session_leader.entity_id + - name: entry_leader.code_signature.flags level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: entry_leader.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: entry_leader.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT default_field: false - - name: entry_leader.parent.session_leader.pid + - name: entry_leader.code_signature.subject_name level: core - type: long - format: string - description: Process id. - example: 4242 + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation default_field: false - - name: entry_leader.parent.session_leader.start + - name: entry_leader.code_signature.team_id level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: entry_leader.parent.session_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV default_field: false - - name: entry_leader.parent.start + - name: entry_leader.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: entry_leader.code_signature.timestamp level: extended type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' default_field: false - - name: entry_leader.parent.vpid - level: core - type: long - format: string - description: 'Virtual process id. + - name: entry_leader.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' default_field: false - - name: entry_leader.pid - level: core - type: long - format: string - description: Process id. - example: 4242 + - name: entry_leader.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' default_field: false - - name: entry_leader.real_group.id + - name: entry_leader.command_line level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - - name: entry_leader.real_group.name + - name: entry_leader.elf.architecture level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: Machine architecture of the ELF file. 
+ example: x86-64 default_field: false - - name: entry_leader.real_user.id - level: core + - name: entry_leader.elf.byte_order + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: Byte sequence of ELF file. + example: Little Endian default_field: false - - name: entry_leader.real_user.name - level: core + - name: entry_leader.elf.cpu_type + level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: CPU type of the ELF file. + example: Intel default_field: false - - name: entry_leader.same_as_process + - name: entry_leader.elf.creation_date level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: entry_leader.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: entry_leader.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: entry_leader.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: entry_leader.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: entry_leader.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: entry_leader.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: entry_leader.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: entry_leader.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: entry_leader.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' 
+ default_field: false + - name: entry_leader.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: entry_leader.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: entry_leader.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: entry_leader.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: entry_leader.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: entry_leader.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: entry_leader.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: entry_leader.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' 
+ default_field: false + - name: entry_leader.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: entry_leader.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: entry_leader.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: entry_leader.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: entry_leader.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: entry_leader.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: entry_leader.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: entry_leader.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: entry_leader.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' 
+ default_field: false + - name: entry_leader.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: entry_leader.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: entry_leader.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: entry_leader.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: entry_leader.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: entry_leader.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: entry_leader.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: entry_leader.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. 
You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: entry_leader.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: entry_leader.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: entry_leader.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: entry_leader.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: entry_leader.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: entry_leader.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: entry_leader.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. 
+ example: North America + default_field: false + - name: entry_leader.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: entry_leader.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: entry_leader.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: entry_leader.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: entry_leader.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: entry_leader.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: entry_leader.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: entry_leader.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + default_field: false + - name: entry_leader.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: entry_leader.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: entry_leader.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: entry_leader.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: entry_leader.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: entry_leader.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: entry_leader.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). 
Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: entry_leader.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: entry_leader.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: entry_leader.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: entry_leader.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. 
+ + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: entry_leader.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: entry_leader.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: entry_leader.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: entry_leader.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: entry_leader.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: entry_leader.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. 
+ default_field: false + - name: entry_leader.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: entry_leader.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: entry_leader.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: entry_leader.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: entry_leader.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: entry_leader.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: entry_leader.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: entry_leader.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. 
+ default_field: false + - name: entry_leader.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: entry_leader.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: entry_leader.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: entry_leader.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: entry_leader.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: entry_leader.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false + - name: entry_leader.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: entry_leader.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: entry_leader.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: entry_leader.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: entry_leader.macho.imports + level: extended + type: flattened + description: List of imported element names and types. 
+ default_field: false + - name: entry_leader.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: entry_leader.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: entry_leader.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: entry_leader.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: entry_leader.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: entry_leader.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: entry_leader.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: entry_leader.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: entry_leader.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: entry_leader.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: entry_leader.parent.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: entry_leader.parent.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: entry_leader.parent.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: entry_leader.parent.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: entry_leader.parent.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: entry_leader.parent.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ default_field: false + - name: entry_leader.parent.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.parent.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: entry_leader.parent.attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: entry_leader.parent.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.parent.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.parent.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: entry_leader.parent.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: entry_leader.parent.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.parent.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.parent.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: entry_leader.parent.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: entry_leader.parent.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: entry_leader.parent.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: entry_leader.parent.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: entry_leader.parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: entry_leader.parent.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: entry_leader.parent.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: entry_leader.parent.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: entry_leader.parent.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: entry_leader.parent.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + default_field: false + - name: entry_leader.parent.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: entry_leader.parent.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: entry_leader.parent.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: entry_leader.parent.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: entry_leader.parent.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: entry_leader.parent.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: entry_leader.parent.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: entry_leader.parent.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: entry_leader.parent.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.parent.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.parent.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: entry_leader.parent.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: entry_leader.parent.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: entry_leader.parent.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: entry_leader.parent.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: entry_leader.parent.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' 
+ default_field: false + - name: entry_leader.parent.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: entry_leader.parent.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: entry_leader.parent.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: entry_leader.parent.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: entry_leader.parent.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: entry_leader.parent.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: entry_leader.parent.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: entry_leader.parent.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' 
+ default_field: false + - name: entry_leader.parent.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: entry_leader.parent.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.parent.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: entry_leader.parent.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: entry_leader.parent.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: entry_leader.parent.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: entry_leader.parent.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: entry_leader.parent.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.parent.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: entry_leader.parent.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: entry_leader.parent.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: entry_leader.parent.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: entry_leader.parent.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: entry_leader.parent.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: entry_leader.parent.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: entry_leader.parent.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: entry_leader.parent.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: entry_leader.parent.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + default_field: false + - name: entry_leader.parent.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: entry_leader.parent.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: entry_leader.parent.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: entry_leader.parent.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: entry_leader.parent.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: entry_leader.parent.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: entry_leader.parent.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. 
+ example: NA
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.geo.continent_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Name of the continent.
+ example: North America
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.geo.country_iso_code
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Country ISO code.
+ example: CA
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.geo.country_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Country name.
+ example: Canada
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.geo.location
+ level: core
+ type: geo_point
+ description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.geo.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'User-defined description of a location, at the level of granularity
+ they care about.
+
+ Could be the name of their data centers, the floor number, if this describes
+ a local physical entity, city names.
+
+ Not typically used in automated geolocation.'
+ example: boston-dc
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.geo.postal_code
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Postal code associated with the location.
+
+ Values appropriate for this field may also be known as a postcode or ZIP code
+ and will vary widely from country to country.'
+ example: 94040
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.geo.region_iso_code
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Region ISO code.
+ example: CA-QC
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.geo.region_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Region name.
+ example: Quebec
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.geo.timezone
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The time zone of the location, such as IANA time zone name.
+ example: America/Argentina/Buenos_Aires
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.ip
+ level: core
+ type: ip
+ description: IP address of the source (IPv4 or IPv6).
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'MAC address of the source.
+
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+ byte) is represented by two [uppercase] hexadecimal digits giving the value
+ of the octet as an unsigned integer. Successive octets are separated by a
+ hyphen.'
+ example: 00-00-5E-00-53-23
+ pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.nat.ip
+ level: extended
+ type: ip
+ description: 'Translated ip of source based NAT sessions (e.g. internal client
+ to internet)
+
+ Typically connections traversing load balancers, firewalls, or routers.'
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.nat.port
+ level: extended
+ type: long
+ format: string
+ description: 'Translated port of source based NAT sessions. (e.g. internal client
+ to internet)
+
+ Typically used with load balancers, firewalls, or routers.'
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.packets
+ level: core
+ type: long
+ description: Packets sent from the source to the destination.
+ example: 12
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.port
+ level: core
+ type: long
+ format: string
+ description: Port of the source.
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.registered_domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The highest registered source domain, stripped of the subdomain.
+
+ For example, the registered domain for "foo.example.com" is "example.com".
+
+ This value can be determined precisely with a list like the public suffix
+ list (https://publicsuffix.org). Trying to approximate this by simply taking
+ the last two labels will not work well for TLDs such as "co.uk".'
+ example: example.com
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.subdomain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The subdomain portion of a fully qualified domain name includes
+ all of the names except the host name under the registered_domain. In a partially
+ qualified domain, or if the the qualification level of the full name cannot
+ be determined, subdomain contains all of the names below the registered domain.
+
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+ the subdomain field should contain "sub2.sub1", with no trailing period.'
+ example: east
+ default_field: false
+ - name: entry_leader.parent.entry_meta.source.top_level_domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The effective top level domain (eTLD), also known as the domain
+ suffix, is the last part of the domain name. For example, the top level domain
+ for example.com is "com".
+
+ This value can be determined precisely with a list like the public suffix
+ list (https://publicsuffix.org). Trying to approximate this by simply taking
+ the last label will not work well for effective TLDs such as "co.uk".'
+ example: co.uk
+ default_field: false
+ - name: entry_leader.parent.entry_meta.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The entry type for the entry session leader. Values include: init(e.g
+ systemd), sshd, ssm, kubelet, teleport, terminal, console
+
+ Note: This field is only set on process.session_leader.'
+ default_field: false
+ - name: entry_leader.parent.env_vars
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Array of environment variable bindings. Captured from a snapshot
+ of the environment at the time of execution.
+
+ May be filtered to protect sensitive information.'
+ example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]'
+ default_field: false
+ - name: entry_leader.parent.executable
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Absolute path to the process executable.
+ example: /usr/bin/ssh
+ default_field: false
+ - name: entry_leader.parent.exit_code
+ level: extended
+ type: long
+ description: 'The exit code of the process, if this is a termination event.
+
+ The field should be absent if there is no exit code for the event (e.g. process
+ start).'
+ example: 137
+ default_field: false
+ - name: entry_leader.parent.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: entry_leader.parent.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: entry_leader.parent.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: entry_leader.parent.hash.cdhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ default_field: false
+ - name: entry_leader.parent.hash.md5
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: MD5 hash.
+ default_field: false
+ - name: entry_leader.parent.hash.sha1
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA1 hash.
+ default_field: false
+ - name: entry_leader.parent.hash.sha256
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA256 hash.
+ default_field: false
+ - name: entry_leader.parent.hash.sha384
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA384 hash.
+ default_field: false
+ - name: entry_leader.parent.hash.sha512
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA512 hash.
+ default_field: false
+ - name: entry_leader.parent.hash.ssdeep
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SSDEEP hash.
+ default_field: false
+ - name: entry_leader.parent.hash.tlsh
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: TLSH hash.
+ default_field: false
+ - name: entry_leader.parent.interactive
+ level: extended
+ type: boolean
+ description: 'Whether the process is connected to an interactive shell.
+
+ Process interactivity is inferred from the processes file descriptors. If
+ the character device for the controlling tty is the same as stdin and stderr
+ for the process, the process is considered interactive.
+
+ Note: A non-interactive process can belong to an interactive session and is
+ simply one that does not have open file descriptors reading the controlling
+ TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A
+ backgrounded process is still considered interactive if stdin and stderr are
+ connected to the controlling TTY.'
+ example: true
+ default_field: false
+ - name: entry_leader.parent.io
+ level: extended
+ type: object
+ description: 'A chunk of input or output (IO) from a single process.
+
+ This field only appears on the top level process object, which is the process
+ that wrote the output or read the input.'
+ default_field: false
+ - name: entry_leader.parent.io.bytes_skipped
+ level: extended
+ type: object
+ description: An array of byte offsets and lengths denoting where IO data has
+ been skipped.
+ default_field: false
+ - name: entry_leader.parent.io.bytes_skipped.length
+ level: extended
+ type: long
+ description: The length of bytes skipped.
+ default_field: false
+ - name: entry_leader.parent.io.bytes_skipped.offset
+ level: extended
+ type: long
+ description: The byte offset into this event's io.text (or io.bytes in the future)
+ where length bytes were skipped.
+ default_field: false
+ - name: entry_leader.parent.io.max_bytes_per_process_exceeded
+ level: extended
+ type: boolean
+ description: If true, the process producing the output has exceeded the max_kilobytes_per_process
+ configuration setting.
+ default_field: false
+ - name: entry_leader.parent.io.text
+ level: extended
+ type: wildcard
+ description: 'A chunk of output or input sanitized to UTF-8.
+
+ Best efforts are made to ensure complete lines are captured in these events.
+ Assumptions should NOT be made that multiple lines will appear in the same
+ event. TTY output may contain terminal control codes such as for cursor movement,
+ so some string queries may not match due to terminal codes inserted between
+ characters of a word.'
+ default_field: false
+ - name: entry_leader.parent.io.total_bytes_captured
+ level: extended
+ type: long
+ description: The total number of bytes captured in this event.
+ default_field: false
+ - name: entry_leader.parent.io.total_bytes_skipped
+ level: extended
+ type: long
+ description: The total number of bytes that were not captured due to implementation
+ restrictions such as buffer size limits. Implementors should strive to ensure
+ this value is always zero
+ default_field: false
+ - name: entry_leader.parent.io.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The type of object on which the IO action (read or write) was
+ taken.
+
+ Currently only ''tty'' is supported. Other types may be added in the future
+ for ''file'' and ''socket'' support.'
+ default_field: false
+ - name: entry_leader.parent.macho.go_import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the Go language imports in a Mach-O file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would
+ change more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ default_field: false
+ - name: entry_leader.parent.macho.go_imports
+ level: extended
+ type: flattened
+ description: List of imported Go language element names and types.
+ default_field: false
+ - name: entry_leader.parent.macho.go_imports_names_entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: entry_leader.parent.macho.go_imports_names_var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: entry_leader.parent.macho.go_stripped
+ level: extended
+ type: boolean
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ default_field: false
+ - name: entry_leader.parent.macho.import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the imports in a Mach-O file. An import hash can be
+ used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ This is a synonym for symhash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ default_field: false
+ - name: entry_leader.parent.macho.imports
+ level: extended
+ type: flattened
+ description: List of imported element names and types.
+ default_field: false
+ - name: entry_leader.parent.macho.imports_names_entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ default_field: false
+ - name: entry_leader.parent.macho.imports_names_var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ default_field: false
+ - name: entry_leader.parent.macho.sections
+ level: extended
+ type: nested
+ description: 'An array containing an object for each section of the Mach-O file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `macho.sections.*`.'
+ default_field: false
+ - name: entry_leader.parent.macho.sections.entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the section.
+ default_field: false
+ - name: entry_leader.parent.macho.sections.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Mach-O Section List name.
+ default_field: false
+ - name: entry_leader.parent.macho.sections.physical_size
+ level: extended
+ type: long
+ format: bytes
+ description: Mach-O Section List physical size.
+ default_field: false
+ - name: entry_leader.parent.macho.sections.var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the section.
+ default_field: false
+ - name: entry_leader.parent.macho.sections.virtual_size
+ level: extended
+ type: long
+ format: string
+ description: Mach-O Section List virtual size. This is always the same as `physical_size`.
+ default_field: false
+ - name: entry_leader.parent.macho.symhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the imports in a Mach-O file. An import hash can be
+ used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ This is a Mach-O implementation of the Windows PE imphash'
+ example: d3ccf195b62a9279c3c19af1080497ec
+ default_field: false
+ - name: entry_leader.parent.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: 'Process name.
+
+ Sometimes called program name or similar.'
+ example: ssh
+ default_field: false
+ - name: entry_leader.parent.origin_referrer_url
+ level: extended
+ type: keyword
+ ignore_above: 8192
+ description: The URL of the webpage that linked to the process's executable
+ file.
+ example: http://example.com/article1.html
+ default_field: false
+ - name: entry_leader.parent.origin_url
+ level: extended
+ type: keyword
+ ignore_above: 8192
+ description: The URL where the process's executable file is hosted.
+ example: http://example.com/files/example.exe
+ default_field: false
+ - name: entry_leader.parent.pe.architecture
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: CPU architecture target for the file.
+ example: x64
+ default_field: false
+ - name: entry_leader.parent.pe.company
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal company name of the file, provided at compile-time.
+ example: Microsoft Corporation
+ default_field: false
+ - name: entry_leader.parent.pe.description
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal description of the file, provided at compile-time.
+ example: Paint
+ default_field: false
+ - name: entry_leader.parent.pe.file_version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ default_field: false
+ - name: entry_leader.parent.pe.go_import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the Go language imports in a PE file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would
+ change more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ default_field: false
+ - name: entry_leader.parent.pe.go_imports
+ level: extended
+ type: flattened
+ description: List of imported Go language element names and types.
+ default_field: false
+ - name: entry_leader.parent.pe.go_imports_names_entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: entry_leader.parent.pe.go_imports_names_var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: entry_leader.parent.pe.go_stripped
+ level: extended
+ type: boolean
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ default_field: false
+ - name: entry_leader.parent.pe.imphash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the imports in a PE file. An imphash -- or import hash
+ -- can be used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+ example: 0c6803c4e922103c4dca5963aad36ddf
+ default_field: false
+ - name: entry_leader.parent.pe.import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the imports in a PE file. An import hash can be used
+ to fingerprint binaries even after recompilation or other code-level transformations
+ have occurred, which would change more traditional hash values.
+
+ This is a synonym for imphash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ default_field: false
+ - name: entry_leader.parent.pe.imports
+ level: extended
+ type: flattened
+ description: List of imported element names and types.
+ default_field: false
+ - name: entry_leader.parent.pe.imports_names_entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ default_field: false
+ - name: entry_leader.parent.pe.imports_names_var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ default_field: false
+ - name: entry_leader.parent.pe.original_file_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+ default_field: false
+ - name: entry_leader.parent.pe.pehash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the PE header and data from one or more PE sections.
+ An pehash can be used to cluster files by transforming structural information
+ about a file into a hash value.
+
+ Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.'
+ example: 73ff189b63cd6be375a7ff25179a38d347651975
+ default_field: false
+ - name: entry_leader.parent.pe.product
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal product name of the file, provided at compile-time.
+ example: Microsoft® Windows® Operating System
+ default_field: false
+ - name: entry_leader.parent.pe.sections
+ level: extended
+ type: nested
+ description: 'An array containing an object for each section of the PE file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `pe.sections.*`.'
+ default_field: false
+ - name: entry_leader.parent.pe.sections.entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the section.
+ default_field: false
+ - name: entry_leader.parent.pe.sections.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: PE Section List name.
+ default_field: false
+ - name: entry_leader.parent.pe.sections.physical_size
+ level: extended
+ type: long
+ format: bytes
+ description: PE Section List physical size.
+ default_field: false
+ - name: entry_leader.parent.pe.sections.var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the section.
+ default_field: false
+ - name: entry_leader.parent.pe.sections.virtual_size
+ level: extended
+ type: long
+ format: string
+ description: PE Section List virtual size. This is always the same as `physical_size`.
+ default_field: false
+ - name: entry_leader.parent.pid
+ level: core
+ type: long
+ format: string
+ description: Process id.
+ example: 4242
+ default_field: false
+ - name: entry_leader.parent.platform_binary
+ level: extended
+ type: boolean
+ description: Binaries that are shipped by the operating system are defined as
+ platform binaries, this value is then set to true.
+ default_field: false
+ - name: entry_leader.parent.real_group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: entry_leader.parent.real_group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: entry_leader.parent.real_group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: entry_leader.parent.real_user.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: entry_leader.parent.real_user.email
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: User email address.
+ default_field: false
+ - name: entry_leader.parent.real_user.full_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: User's full name, if available.
+ example: Albert Einstein
+ default_field: false
+ - name: entry_leader.parent.real_user.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: entry_leader.parent.real_user.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: entry_leader.parent.real_user.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: entry_leader.parent.real_user.hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ default_field: false
+ - name: entry_leader.parent.real_user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: entry_leader.parent.real_user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: entry_leader.parent.real_user.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: entry_leader.parent.real_user.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: entry_leader.parent.real_user.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: entry_leader.parent.real_user.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: entry_leader.parent.real_user.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: entry_leader.parent.real_user.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
+ - name: entry_leader.parent.real_user.roles
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ default_field: false
+ - name: entry_leader.parent.same_as_process
+ level: extended
+ type: boolean
+ description: 'This boolean is used to identify if a leader process is the same
+ as the top level process.
+
+ For example, if `process.group_leader.same_as_process = true`, it means the
+ process event in question is the leader of its process group. Details under
+ `process.*` like `pid` would be the same under `process.group_leader.*` The
+ same applies for both `process.session_leader` and `process.entry_leader`.
+
+ This field exists to the benefit of EQL and other rule engines since it''s
+ not possible to compare equality between two fields in a single document.
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process
+ is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id`
+ (top level process is the entry session leader)
+
+ Instead these rules could be written like: `process.group_leader.same_as_process:
+ true` OR `process.entry_leader.same_as_process: true`
+
+ Note: This field is only set on `process.entry_leader`, `process.session_leader`
+ and `process.group_leader`.'
+ example: true
+ default_field: false
+ - name: entry_leader.parent.saved_group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: entry_leader.parent.saved_group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: entry_leader.parent.saved_group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: entry_leader.parent.saved_user.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: entry_leader.parent.saved_user.email
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: User email address.
+ default_field: false
+ - name: entry_leader.parent.saved_user.full_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: User's full name, if available.
+ example: Albert Einstein
+ default_field: false
+ - name: entry_leader.parent.saved_user.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: entry_leader.parent.saved_user.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: entry_leader.parent.saved_user.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: entry_leader.parent.saved_user.hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ default_field: false
+ - name: entry_leader.parent.saved_user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: entry_leader.parent.saved_user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: entry_leader.parent.saved_user.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: entry_leader.parent.saved_user.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: entry_leader.parent.saved_user.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: entry_leader.parent.saved_user.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: entry_leader.parent.saved_user.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: entry_leader.parent.saved_user.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
+ - name: entry_leader.parent.saved_user.roles
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ default_field: false
+ - name: entry_leader.parent.session_leader.args
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Array of process arguments, starting with the absolute path to
+ the executable.
+
+ May be filtered to protect sensitive information.'
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+ default_field: false
+ - name: entry_leader.parent.session_leader.args_count
+ level: extended
+ type: long
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how
+ many arguments were provided to start a process. More arguments may be an
+ indication of suspicious activity.'
+ example: 4
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_groups.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_groups.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_groups.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.email
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: User email address.
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.full_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: User's full name, if available.
+ example: Albert Einstein
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
+ - name: entry_leader.parent.session_leader.attested_user.roles
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ default_field: false
+ - name: entry_leader.parent.session_leader.code_signature.digest_algorithm
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The hashing algorithm used to sign the process.
+
+ This value can distinguish signatures when a file is signed multiple times
+ by the same signer but with a different digest algorithm.'
+ example: sha256 + default_field: false + - name: entry_leader.parent.session_leader.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: entry_leader.parent.session_leader.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: entry_leader.parent.session_leader.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: entry_leader.parent.session_leader.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: entry_leader.parent.session_leader.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: entry_leader.parent.session_leader.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV + default_field: false + - name: entry_leader.parent.session_leader.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: entry_leader.parent.session_leader.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: entry_leader.parent.session_leader.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: entry_leader.parent.session_leader.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: entry_leader.parent.session_leader.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: entry_leader.parent.session_leader.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. 
+ example: x86-64 + default_field: false + - name: entry_leader.parent.session_leader.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: entry_leader.parent.session_leader.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: entry_leader.parent.session_leader.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: entry_leader.parent.session_leader.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: entry_leader.parent.session_leader.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: entry_leader.parent.session_leader.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: entry_leader.parent.session_leader.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: entry_leader.parent.session_leader.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.parent.session_leader.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: entry_leader.parent.session_leader.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: entry_leader.parent.session_leader.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: entry_leader.parent.session_leader.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: entry_leader.parent.session_leader.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: entry_leader.parent.session_leader.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: entry_leader.parent.session_leader.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: entry_leader.parent.session_leader.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. 
+ default_field: false + - name: entry_leader.parent.session_leader.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: entry_leader.parent.session_leader.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: entry_leader.parent.session_leader.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: entry_leader.parent.session_leader.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: entry_leader.parent.session_leader.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. 
+ default_field: false + - name: entry_leader.parent.session_leader.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: entry_leader.parent.session_leader.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: entry_leader.parent.session_leader.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: entry_leader.parent.session_leader.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: entry_leader.parent.session_leader.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: entry_leader.parent.session_leader.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: entry_leader.parent.session_leader.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: entry_leader.parent.session_leader.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: entry_leader.parent.session_leader.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. 
+ example: Montreal + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' 
+ example: 94040 + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. 
For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: entry_leader.parent.session_leader.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: entry_leader.parent.session_leader.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: entry_leader.parent.session_leader.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: entry_leader.parent.session_leader.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: entry_leader.parent.session_leader.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.session_leader.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.session_leader.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: entry_leader.parent.session_leader.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: entry_leader.parent.session_leader.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: entry_leader.parent.session_leader.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: entry_leader.parent.session_leader.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: entry_leader.parent.session_leader.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: entry_leader.parent.session_leader.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: entry_leader.parent.session_leader.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: entry_leader.parent.session_leader.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. 
+ + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: entry_leader.parent.session_leader.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: entry_leader.parent.session_leader.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: entry_leader.parent.session_leader.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: entry_leader.parent.session_leader.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: entry_leader.parent.session_leader.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. 
+ + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: entry_leader.parent.session_leader.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: entry_leader.parent.session_leader.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: entry_leader.parent.session_leader.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false + - name: entry_leader.parent.session_leader.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: entry_leader.parent.session_leader.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. 
+ default_field: false + - name: entry_leader.parent.session_leader.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.parent.session_leader.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.parent.session_leader.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: entry_leader.parent.session_leader.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: entry_leader.parent.session_leader.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: entry_leader.parent.session_leader.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: entry_leader.parent.session_leader.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ default_field: false + - name: entry_leader.parent.session_leader.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: entry_leader.parent.session_leader.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.parent.session_leader.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: entry_leader.parent.session_leader.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: entry_leader.parent.session_leader.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.parent.session_leader.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: entry_leader.parent.session_leader.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: entry_leader.parent.session_leader.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: entry_leader.parent.session_leader.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: entry_leader.parent.session_leader.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: entry_leader.parent.session_leader.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: entry_leader.parent.session_leader.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: entry_leader.parent.session_leader.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: entry_leader.parent.session_leader.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. 
+ example: 6.3.9600.17415 + default_field: false + - name: entry_leader.parent.session_leader.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: entry_leader.parent.session_leader.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: entry_leader.parent.session_leader.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.parent.session_leader.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.parent.session_leader.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: entry_leader.parent.session_leader.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: entry_leader.parent.session_leader.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: entry_leader.parent.session_leader.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: entry_leader.parent.session_leader.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: entry_leader.parent.session_leader.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: entry_leader.parent.session_leader.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: entry_leader.parent.session_leader.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: entry_leader.parent.session_leader.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: entry_leader.parent.session_leader.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: entry_leader.parent.session_leader.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.parent.session_leader.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: entry_leader.parent.session_leader.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: entry_leader.parent.session_leader.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.parent.session_leader.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: entry_leader.parent.session_leader.pid + level: core + type: long + format: string + description: Process id. 
+ example: 4242 + default_field: false + - name: entry_leader.parent.session_leader.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: entry_leader.parent.session_leader.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.session_leader.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.session_leader.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: entry_leader.parent.session_leader.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: entry_leader.parent.session_leader.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: entry_leader.parent.session_leader.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.session_leader.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.session_leader.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.parent.session_leader.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.parent.session_leader.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: entry_leader.parent.session_leader.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: entry_leader.parent.session_leader.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + default_field: false + - name: entry_leader.parent.session_leader.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.parent.session_leader.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: entry_leader.parent.session_leader.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: entry_leader.parent.session_leader.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.parent.session_leader.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.parent.session_leader.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. 
Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: entry_leader.parent.session_leader.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.session_leader.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.session_leader.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. 
+ default_field: false + - name: entry_leader.parent.session_leader.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: entry_leader.parent.session_leader.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.session_leader.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.session_leader.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.parent.session_leader.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.parent.session_leader.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein + default_field: false + - name: entry_leader.parent.session_leader.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: entry_leader.parent.session_leader.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.parent.session_leader.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: entry_leader.parent.session_leader.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: entry_leader.parent.session_leader.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + default_field: false + - name: entry_leader.parent.session_leader.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.parent.session_leader.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: entry_leader.parent.session_leader.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.session_leader.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.session_leader.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: entry_leader.parent.session_leader.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: entry_leader.parent.session_leader.thread.id + level: extended + type: long + format: string + description: Thread ID. 
+ example: 4242 + default_field: false + - name: entry_leader.parent.session_leader.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: entry_leader.parent.session_leader.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: entry_leader.parent.session_leader.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: entry_leader.parent.session_leader.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + default_field: false + - name: entry_leader.parent.session_leader.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: entry_leader.parent.session_leader.tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. 
where event.action = ''text_output''' + example: 80 + default_field: false + - name: entry_leader.parent.session_leader.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: entry_leader.parent.session_leader.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: entry_leader.parent.session_leader.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: entry_leader.parent.session_leader.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: entry_leader.parent.session_leader.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.session_leader.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: entry_leader.parent.session_leader.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.parent.session_leader.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.parent.session_leader.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: entry_leader.parent.session_leader.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: entry_leader.parent.session_leader.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.parent.session_leader.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.parent.session_leader.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + default_field: false + - name: entry_leader.parent.session_leader.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: entry_leader.parent.session_leader.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.parent.session_leader.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.parent.session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: entry_leader.parent.session_leader.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: entry_leader.parent.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: entry_leader.parent.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: entry_leader.parent.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: entry_leader.parent.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: entry_leader.parent.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: entry_leader.parent.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: entry_leader.parent.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: entry_leader.parent.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. 
+ default_field: false + - name: entry_leader.parent.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + default_field: false + - name: entry_leader.parent.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: entry_leader.parent.tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: entry_leader.parent.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: entry_leader.parent.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: entry_leader.parent.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: entry_leader.parent.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: entry_leader.parent.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: entry_leader.parent.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.parent.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.parent.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein + default_field: false + - name: entry_leader.parent.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: entry_leader.parent.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.parent.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.parent.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: entry_leader.parent.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: entry_leader.parent.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.parent.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.parent.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: entry_leader.parent.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: entry_leader.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: entry_leader.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: entry_leader.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: entry_leader.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: entry_leader.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: entry_leader.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: entry_leader.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: entry_leader.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: entry_leader.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: entry_leader.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: entry_leader.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: entry_leader.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: entry_leader.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: entry_leader.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: entry_leader.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: entry_leader.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' 
+ default_field: false + - name: entry_leader.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: entry_leader.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: entry_leader.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: entry_leader.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: entry_leader.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: entry_leader.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: entry_leader.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: entry_leader.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: entry_leader.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein + default_field: false + - name: entry_leader.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: entry_leader.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: entry_leader.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: entry_leader.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: entry_leader.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: entry_leader.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: entry_leader.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein + default_field: false + - name: entry_leader.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: entry_leader.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: entry_leader.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: entry_leader.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: entry_leader.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: entry_leader.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: entry_leader.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: entry_leader.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: entry_leader.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. 
+ + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: entry_leader.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: entry_leader.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + default_field: false + - name: entry_leader.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: entry_leader.tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: entry_leader.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: entry_leader.uptime + level: extended + type: long + description: Seconds the process has been up. 
+ example: 1325 + default_field: false + - name: entry_leader.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: entry_leader.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: entry_leader.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein + default_field: false + - name: entry_leader.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: entry_leader.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: entry_leader.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: entry_leader.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: entry_leader.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. 
The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' 
+ example: 94040 + default_field: false + - name: entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. 
+ example: 12 + default_field: false + - name: entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + default_field: false + - name: entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + default_field: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + - name: exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: group_leader.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: group_leader.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: group_leader.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: group_leader.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: group_leader.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: group_leader.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: group_leader.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: group_leader.attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: group_leader.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: group_leader.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + default_field: false + - name: group_leader.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: group_leader.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: group_leader.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: group_leader.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: group_leader.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: group_leader.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: group_leader.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. 
+ example: 570522385 + default_field: false + - name: group_leader.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: group_leader.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: group_leader.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: group_leader.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: group_leader.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: group_leader.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: group_leader.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. 
+ + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: group_leader.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: group_leader.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: group_leader.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: group_leader.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: group_leader.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: group_leader.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: group_leader.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: group_leader.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: group_leader.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: group_leader.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: group_leader.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: group_leader.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: group_leader.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: group_leader.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: group_leader.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: group_leader.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. 
+ default_field: false + - name: group_leader.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: group_leader.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: group_leader.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: group_leader.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: group_leader.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: group_leader.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: group_leader.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: group_leader.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: group_leader.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: group_leader.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: group_leader.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: group_leader.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: group_leader.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: group_leader.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: group_leader.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: group_leader.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: group_leader.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: group_leader.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: group_leader.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: group_leader.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: group_leader.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: group_leader.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: group_leader.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: group_leader.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: group_leader.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: group_leader.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: group_leader.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + default_field: false + - name: group_leader.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: group_leader.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: group_leader.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: group_leader.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: group_leader.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: group_leader.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: group_leader.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. 
+ example: NA + default_field: false + - name: group_leader.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: group_leader.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: group_leader.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: group_leader.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: group_leader.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: group_leader.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: group_leader.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: group_leader.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. 
+ example: Quebec + default_field: false + - name: group_leader.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: group_leader.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: group_leader.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: group_leader.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: group_leader.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: group_leader.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: group_leader.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: group_leader.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. 
+ + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: group_leader.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: group_leader.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: group_leader.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' 
+ default_field: false + - name: group_leader.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: group_leader.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: group_leader.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: group_leader.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: group_leader.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: group_leader.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. 
+ default_field: false + - name: group_leader.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: group_leader.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: group_leader.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: group_leader.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: group_leader.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: group_leader.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: group_leader.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: group_leader.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. 
+ default_field: false + - name: group_leader.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: group_leader.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: group_leader.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: group_leader.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: group_leader.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: group_leader.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: group_leader.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' 
+ default_field: false + - name: group_leader.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: group_leader.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: group_leader.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: group_leader.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: group_leader.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: group_leader.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: group_leader.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: group_leader.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: group_leader.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: group_leader.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: group_leader.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: group_leader.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: group_leader.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: group_leader.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: group_leader.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ default_field: false + - name: group_leader.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: group_leader.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: group_leader.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: group_leader.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: group_leader.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: group_leader.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: group_leader.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: group_leader.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. 
+ example: 6.3.9600.17415 + default_field: false + - name: group_leader.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: group_leader.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: group_leader.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: group_leader.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: group_leader.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: group_leader.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
+ example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: group_leader.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: group_leader.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: group_leader.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: group_leader.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: group_leader.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: group_leader.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: group_leader.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. 
+ example: Microsoft® Windows® Operating System + default_field: false + - name: group_leader.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: group_leader.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: group_leader.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: group_leader.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: group_leader.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: group_leader.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: group_leader.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: group_leader.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: group_leader.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: group_leader.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: group_leader.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: group_leader.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ default_field: false + - name: group_leader.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: group_leader.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: group_leader.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: group_leader.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: group_leader.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: group_leader.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: group_leader.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: group_leader.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: group_leader.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: group_leader.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: group_leader.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: group_leader.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: group_leader.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: group_leader.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ default_field: false + - name: group_leader.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: group_leader.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: group_leader.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: group_leader.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: group_leader.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: group_leader.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: group_leader.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: group_leader.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: group_leader.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: group_leader.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: group_leader.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: group_leader.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: group_leader.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: group_leader.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: group_leader.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: group_leader.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: group_leader.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + default_field: false + - name: group_leader.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: group_leader.tty.columns + level: extended + type: long + description: 'The number of character columns per line. 
e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: group_leader.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: group_leader.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: group_leader.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: group_leader.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: group_leader.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: group_leader.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: group_leader.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: group_leader.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: group_leader.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: group_leader.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: group_leader.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: group_leader.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + default_field: false + - name: group_leader.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: group_leader.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: group_leader.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: group_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: group_leader.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. 
+ - name: hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + - name: hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ default_field: false + - name: io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false + - name: macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ default_field: false + - name: macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh + - name: origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: parent.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: parent.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: parent.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: parent.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: parent.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: parent.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: parent.attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + default_field: false + - name: parent.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: parent.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: parent.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: parent.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: parent.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: parent.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' 
+ example: sha256 + default_field: false + - name: parent.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: parent.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: parent.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: parent.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: parent.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: parent.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. 
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: parent.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: parent.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: parent.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: parent.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: parent.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: parent.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: parent.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: parent.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. 
Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: parent.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: parent.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: parent.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: parent.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: parent.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: parent.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. 
+ default_field: false + - name: parent.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: parent.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: parent.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: parent.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: parent.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: parent.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: parent.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: parent.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: parent.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. 
+ default_field: false + - name: parent.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: parent.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: parent.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: parent.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: parent.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: parent.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: parent.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: parent.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: parent.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: parent.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. 
+ default_field: false + - name: parent.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: parent.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: parent.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: parent.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: parent.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: parent.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: parent.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: parent.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: parent.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: parent.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: parent.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: parent.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: parent.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: parent.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: parent.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. 
+ example: Montreal + default_field: false + - name: parent.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: parent.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: parent.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: parent.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: parent.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: parent.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: parent.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: parent.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. 
+ example: CA-QC + default_field: false + - name: parent.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: parent.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: parent.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: parent.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: parent.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: parent.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: parent.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: parent.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. 
+ default_field: false + - name: parent.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: parent.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: parent.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: parent.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. 
Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: parent.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: parent.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: parent.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: parent.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: parent.group_leader.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: parent.group_leader.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group_leader.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.group_leader.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: parent.group_leader.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: parent.group_leader.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group_leader.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: parent.group_leader.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.group_leader.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: parent.group_leader.attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: parent.group_leader.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + default_field: false + - name: parent.group_leader.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: parent.group_leader.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: parent.group_leader.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: parent.group_leader.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: parent.group_leader.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.group_leader.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: parent.group_leader.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. 
+ example: 'true' + default_field: false + - name: parent.group_leader.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: parent.group_leader.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: parent.group_leader.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: parent.group_leader.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: parent.group_leader.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: parent.group_leader.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. 
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: parent.group_leader.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: parent.group_leader.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: parent.group_leader.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: parent.group_leader.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: parent.group_leader.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: parent.group_leader.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: parent.group_leader.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. 
+ example: Intel + default_field: false + - name: parent.group_leader.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: parent.group_leader.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: parent.group_leader.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: parent.group_leader.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: parent.group_leader.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.group_leader.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.group_leader.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ default_field: false + - name: parent.group_leader.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: parent.group_leader.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: parent.group_leader.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: parent.group_leader.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: parent.group_leader.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: parent.group_leader.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: parent.group_leader.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: parent.group_leader.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: parent.group_leader.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: parent.group_leader.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: parent.group_leader.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: parent.group_leader.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: parent.group_leader.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: parent.group_leader.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: parent.group_leader.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: parent.group_leader.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: parent.group_leader.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: parent.group_leader.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. 
+ default_field: false + - name: parent.group_leader.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: parent.group_leader.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: parent.group_leader.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.group_leader.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: parent.group_leader.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: parent.group_leader.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: parent.group_leader.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: parent.group_leader.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: parent.group_leader.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: parent.group_leader.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. 
+ default_field: false + - name: parent.group_leader.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: parent.group_leader.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: parent.group_leader.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: parent.group_leader.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: parent.group_leader.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: parent.group_leader.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. 
+ example: Google LLC + default_field: false + - name: parent.group_leader.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: parent.group_leader.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: parent.group_leader.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: parent.group_leader.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: parent.group_leader.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: parent.group_leader.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: parent.group_leader.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: parent.group_leader.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. 
+ example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: parent.group_leader.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: parent.group_leader.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: parent.group_leader.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: parent.group_leader.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: parent.group_leader.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: parent.group_leader.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: parent.group_leader.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. 
Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: parent.group_leader.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: parent.group_leader.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: parent.group_leader.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: parent.group_leader.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: parent.group_leader.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: parent.group_leader.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: parent.group_leader.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: parent.group_leader.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: parent.group_leader.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: parent.group_leader.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + default_field: false + - name: parent.group_leader.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: parent.group_leader.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group_leader.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: parent.group_leader.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: parent.group_leader.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: parent.group_leader.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: parent.group_leader.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: parent.group_leader.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. 
+ default_field: false + - name: parent.group_leader.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: parent.group_leader.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: parent.group_leader.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: parent.group_leader.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: parent.group_leader.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: parent.group_leader.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: parent.group_leader.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ default_field: false + - name: parent.group_leader.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: parent.group_leader.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: parent.group_leader.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: parent.group_leader.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: parent.group_leader.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false + - name: parent.group_leader.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: parent.group_leader.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: parent.group_leader.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.group_leader.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.group_leader.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: parent.group_leader.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: parent.group_leader.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: parent.group_leader.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. 
+ default_field: false + - name: parent.group_leader.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: parent.group_leader.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: parent.group_leader.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: parent.group_leader.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: parent.group_leader.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: parent.group_leader.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.group_leader.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: parent.group_leader.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: parent.group_leader.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: parent.group_leader.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: parent.group_leader.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: parent.group_leader.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: parent.group_leader.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: parent.group_leader.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: parent.group_leader.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: parent.group_leader.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: parent.group_leader.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: parent.group_leader.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.group_leader.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.group_leader.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: parent.group_leader.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: parent.group_leader.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: parent.group_leader.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: parent.group_leader.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: parent.group_leader.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: parent.group_leader.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: parent.group_leader.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: parent.group_leader.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: parent.group_leader.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: parent.group_leader.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: parent.group_leader.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: parent.group_leader.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: parent.group_leader.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.group_leader.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: parent.group_leader.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: parent.group_leader.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: parent.group_leader.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: parent.group_leader.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.group_leader.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: parent.group_leader.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group_leader.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: parent.group_leader.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.group_leader.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: parent.group_leader.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: parent.group_leader.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: parent.group_leader.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: parent.group_leader.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: parent.group_leader.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: parent.group_leader.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: parent.group_leader.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.group_leader.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: parent.group_leader.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: parent.group_leader.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group_leader.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.group_leader.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: parent.group_leader.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group_leader.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ default_field: false + - name: parent.group_leader.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.group_leader.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: parent.group_leader.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: parent.group_leader.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: parent.group_leader.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: parent.group_leader.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: parent.group_leader.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: parent.group_leader.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: parent.group_leader.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.group_leader.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: parent.group_leader.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group_leader.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: parent.group_leader.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: parent.group_leader.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: parent.group_leader.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: parent.group_leader.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: parent.group_leader.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: parent.group_leader.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + default_field: false + - name: parent.group_leader.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: parent.group_leader.tty.columns + level: extended + type: long + description: 'The number of character columns per line. 
e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: parent.group_leader.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: parent.group_leader.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: parent.group_leader.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.group_leader.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: parent.group_leader.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group_leader.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: parent.group_leader.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: parent.group_leader.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.group_leader.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: parent.group_leader.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: parent.group_leader.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: parent.group_leader.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: parent.group_leader.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + default_field: false + - name: parent.group_leader.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: parent.group_leader.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: parent.group_leader.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.group_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: parent.group_leader.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: parent.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: parent.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: parent.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. 
+ default_field: false + - name: parent.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: parent.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: parent.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: parent.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: parent.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: parent.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: parent.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: parent.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. 
+ default_field: false + - name: parent.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: parent.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: parent.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: parent.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: parent.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: parent.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: parent.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' 
+ default_field: false + - name: parent.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: parent.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: parent.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: parent.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: parent.macho.imports + level: extended + type: flattened + description: List of imported element names and types. 
+ default_field: false + - name: parent.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: parent.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: parent.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: parent.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: parent.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: parent.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: parent.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: parent.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: parent.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: parent.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: parent.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: parent.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: parent.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: parent.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: parent.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: parent.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: parent.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: parent.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: parent.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: parent.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: parent.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: parent.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: parent.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: parent.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: parent.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: parent.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: parent.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: parent.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: parent.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: parent.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: parent.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: parent.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: parent.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: parent.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: parent.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: parent.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: parent.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein + default_field: false + - name: parent.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: parent.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: parent.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: parent.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: parent.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: parent.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: parent.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: parent.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: parent.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: parent.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein + default_field: false + - name: parent.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: parent.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: parent.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: parent.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: parent.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: parent.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: parent.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: parent.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: parent.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: parent.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: parent.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: parent.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. 
Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: parent.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: parent.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + default_field: false + - name: parent.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: parent.tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: parent.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: parent.uptime + level: extended + type: long + description: Seconds the process has been up. 
+ example: 1325 + default_field: false + - name: parent.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: parent.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: parent.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein + default_field: false + - name: parent.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: parent.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: parent.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: parent.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: parent.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: parent.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: parent.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.vpid + level: core + type: long + format: string + description: 'Virtual process id. 
+ + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: parent.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. 
+ default_field: false + - name: pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. 
+ default_field: false + - name: pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. 
+ default_field: false + - name: pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: previous.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: previous.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: previous.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: previous.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: previous.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: previous.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: previous.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: previous.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: previous.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: previous.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: previous.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein + default_field: false + - name: previous.attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: previous.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: previous.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: previous.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: previous.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: previous.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: previous.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: previous.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: previous.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: previous.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: previous.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: previous.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: previous.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: previous.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV + default_field: false + - name: previous.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: previous.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: previous.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: previous.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: previous.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: previous.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: previous.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. 
+ example: Little Endian + default_field: false + - name: previous.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: previous.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: previous.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: previous.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: previous.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: previous.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: previous.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: previous.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ default_field: false + - name: previous.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: previous.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: previous.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: previous.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: previous.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: previous.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: previous.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: previous.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: previous.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: previous.elf.imports + level: extended + type: flattened + description: List of imported element names and types. 
+ default_field: false + - name: previous.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: previous.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: previous.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: previous.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: previous.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: previous.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: previous.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: previous.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: previous.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: previous.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. 
+ default_field: false + - name: previous.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: previous.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: previous.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: previous.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: previous.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: previous.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: previous.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: previous.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: previous.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: previous.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. 
+ default_field: false + - name: previous.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: previous.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: previous.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: previous.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: previous.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: previous.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. 
The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: previous.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: previous.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: previous.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: previous.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: previous.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: previous.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: previous.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: previous.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' 
+ example: 94040 + default_field: false + - name: previous.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: previous.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: previous.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: previous.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: previous.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: previous.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: previous.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: previous.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. 
+ example: 12 + default_field: false + - name: previous.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: previous.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: previous.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: previous.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk
+ default_field: false
+ - name: previous.entry_meta.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The entry type for the entry session leader. Values include: init(e.g
+ systemd), sshd, ssm, kubelet, teleport, terminal, console
+
+ Note: This field is only set on process.session_leader.'
+ default_field: false
+ - name: previous.env_vars
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Array of environment variable bindings. Captured from a snapshot
+ of the environment at the time of execution.
+
+ May be filtered to protect sensitive information.'
+ example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]'
+ default_field: false
+ - name: previous.executable
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Absolute path to the process executable.
+ example: /usr/bin/ssh
+ default_field: false
+ - name: previous.exit_code
+ level: extended
+ type: long
+ description: 'The exit code of the process, if this is a termination event.
+
+ The field should be absent if there is no exit code for the event (e.g. process
+ start).'
+ example: 137
+ default_field: false
+ - name: previous.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: previous.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: previous.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: previous.hash.cdhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ default_field: false
+ - name: previous.hash.md5
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: MD5 hash.
+ default_field: false
+ - name: previous.hash.sha1
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA1 hash.
+ default_field: false
+ - name: previous.hash.sha256
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA256 hash.
+ default_field: false
+ - name: previous.hash.sha384
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA384 hash.
+ default_field: false
+ - name: previous.hash.sha512
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA512 hash.
+ default_field: false
+ - name: previous.hash.ssdeep
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SSDEEP hash.
+ default_field: false
+ - name: previous.hash.tlsh
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: TLSH hash.
+ default_field: false
+ - name: previous.interactive
+ level: extended
+ type: boolean
+ description: 'Whether the process is connected to an interactive shell.
+
+ Process interactivity is inferred from the processes file descriptors. If
+ the character device for the controlling tty is the same as stdin and stderr
+ for the process, the process is considered interactive.
+
+ Note: A non-interactive process can belong to an interactive session and is
+ simply one that does not have open file descriptors reading the controlling
+ TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A
+ backgrounded process is still considered interactive if stdin and stderr are
+ connected to the controlling TTY.'
+ example: true
+ default_field: false
+ - name: previous.io
+ level: extended
+ type: object
+ description: 'A chunk of input or output (IO) from a single process.
+
+ This field only appears on the top level process object, which is the process
+ that wrote the output or read the input.'
+ default_field: false
+ - name: previous.io.bytes_skipped
+ level: extended
+ type: object
+ description: An array of byte offsets and lengths denoting where IO data has
+ been skipped.
+ default_field: false
+ - name: previous.io.bytes_skipped.length
+ level: extended
+ type: long
+ description: The length of bytes skipped.
+ default_field: false
+ - name: previous.io.bytes_skipped.offset
+ level: extended
+ type: long
+ description: The byte offset into this event's io.text (or io.bytes in the future)
+ where length bytes were skipped.
+ default_field: false
+ - name: previous.io.max_bytes_per_process_exceeded
+ level: extended
+ type: boolean
+ description: If true, the process producing the output has exceeded the max_kilobytes_per_process
+ configuration setting.
+ default_field: false
+ - name: previous.io.text
+ level: extended
+ type: wildcard
+ description: 'A chunk of output or input sanitized to UTF-8.
+
+ Best efforts are made to ensure complete lines are captured in these events.
+ Assumptions should NOT be made that multiple lines will appear in the same
+ event. TTY output may contain terminal control codes such as for cursor movement,
+ so some string queries may not match due to terminal codes inserted between
+ characters of a word.'
+ default_field: false
+ - name: previous.io.total_bytes_captured
+ level: extended
+ type: long
+ description: The total number of bytes captured in this event.
+ default_field: false
+ - name: previous.io.total_bytes_skipped
+ level: extended
+ type: long
+ description: The total number of bytes that were not captured due to implementation
+ restrictions such as buffer size limits.
Implementors should strive to ensure
+ this value is always zero
+ default_field: false
+ - name: previous.io.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The type of object on which the IO action (read or write) was
+ taken.
+
+ Currently only ''tty'' is supported. Other types may be added in the future
+ for ''file'' and ''socket'' support.'
+ default_field: false
+ - name: previous.macho.go_import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the Go language imports in a Mach-O file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would
+ change more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ default_field: false
+ - name: previous.macho.go_imports
+ level: extended
+ type: flattened
+ description: List of imported Go language element names and types.
+ default_field: false
+ - name: previous.macho.go_imports_names_entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: previous.macho.go_imports_names_var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: previous.macho.go_stripped
+ level: extended
+ type: boolean
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ default_field: false
+ - name: previous.macho.import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the imports in a Mach-O file.
An import hash can be
+ used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ This is a synonym for symhash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ default_field: false
+ - name: previous.macho.imports
+ level: extended
+ type: flattened
+ description: List of imported element names and types.
+ default_field: false
+ - name: previous.macho.imports_names_entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ default_field: false
+ - name: previous.macho.imports_names_var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ default_field: false
+ - name: previous.macho.sections
+ level: extended
+ type: nested
+ description: 'An array containing an object for each section of the Mach-O file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `macho.sections.*`.'
+ default_field: false
+ - name: previous.macho.sections.entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the section.
+ default_field: false
+ - name: previous.macho.sections.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Mach-O Section List name.
+ default_field: false
+ - name: previous.macho.sections.physical_size
+ level: extended
+ type: long
+ format: bytes
+ description: Mach-O Section List physical size.
+ default_field: false
+ - name: previous.macho.sections.var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the section.
+ default_field: false
+ - name: previous.macho.sections.virtual_size
+ level: extended
+ type: long
+ format: string
+ description: Mach-O Section List virtual size.
This is always the same as `physical_size`.
+ default_field: false
+ - name: previous.macho.symhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the imports in a Mach-O file. An import hash can be
+ used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ This is a Mach-O implementation of the Windows PE imphash'
+ example: d3ccf195b62a9279c3c19af1080497ec
+ default_field: false
+ - name: previous.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: 'Process name.
+
+ Sometimes called program name or similar.'
+ example: ssh
+ default_field: false
+ - name: previous.origin_referrer_url
+ level: extended
+ type: keyword
+ ignore_above: 8192
+ description: The URL of the webpage that linked to the process's executable
+ file.
+ example: http://example.com/article1.html
+ default_field: false
+ - name: previous.origin_url
+ level: extended
+ type: keyword
+ ignore_above: 8192
+ description: The URL where the process's executable file is hosted.
+ example: http://example.com/files/example.exe
+ default_field: false
+ - name: previous.pe.architecture
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: CPU architecture target for the file.
+ example: x64
+ default_field: false
+ - name: previous.pe.company
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal company name of the file, provided at compile-time.
+ example: Microsoft Corporation
+ default_field: false
+ - name: previous.pe.description
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal description of the file, provided at compile-time.
+ example: Paint
+ default_field: false
+ - name: previous.pe.file_version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ default_field: false
+ - name: previous.pe.go_import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the Go language imports in a PE file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would
+ change more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ default_field: false
+ - name: previous.pe.go_imports
+ level: extended
+ type: flattened
+ description: List of imported Go language element names and types.
+ default_field: false
+ - name: previous.pe.go_imports_names_entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: previous.pe.go_imports_names_var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: previous.pe.go_stripped
+ level: extended
+ type: boolean
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ default_field: false
+ - name: previous.pe.imphash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the imports in a PE file. An imphash -- or import hash
+ -- can be used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+ example: 0c6803c4e922103c4dca5963aad36ddf
+ default_field: false
+ - name: previous.pe.import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the imports in a PE file. An import hash can be used
+ to fingerprint binaries even after recompilation or other code-level transformations
+ have occurred, which would change more traditional hash values.
+
+ This is a synonym for imphash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ default_field: false
+ - name: previous.pe.imports
+ level: extended
+ type: flattened
+ description: List of imported element names and types.
+ default_field: false
+ - name: previous.pe.imports_names_entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ default_field: false
+ - name: previous.pe.imports_names_var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ default_field: false
+ - name: previous.pe.original_file_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+ default_field: false
+ - name: previous.pe.pehash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the PE header and data from one or more PE sections.
+ An pehash can be used to cluster files by transforming structural information
+ about a file into a hash value.
+
+ Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.'
+ example: 73ff189b63cd6be375a7ff25179a38d347651975
+ default_field: false
+ - name: previous.pe.product
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal product name of the file, provided at compile-time.
+ example: Microsoft® Windows® Operating System
+ default_field: false
+ - name: previous.pe.sections
+ level: extended
+ type: nested
+ description: 'An array containing an object for each section of the PE file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `pe.sections.*`.'
+ default_field: false
+ - name: previous.pe.sections.entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the section.
+ default_field: false
+ - name: previous.pe.sections.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: PE Section List name.
+ default_field: false
+ - name: previous.pe.sections.physical_size
+ level: extended
+ type: long
+ format: bytes
+ description: PE Section List physical size.
+ default_field: false
+ - name: previous.pe.sections.var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the section.
+ default_field: false
+ - name: previous.pe.sections.virtual_size
+ level: extended
+ type: long
+ format: string
+ description: PE Section List virtual size. This is always the same as `physical_size`.
+ default_field: false
+ - name: previous.pid
+ level: core
+ type: long
+ format: string
+ description: Process id.
+ example: 4242
+ default_field: false
+ - name: previous.platform_binary
+ level: extended
+ type: boolean
+ description: Binaries that are shipped by the operating system are defined as
+ platform binaries, this value is then set to true.
+ default_field: false
+ - name: previous.real_group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: previous.real_group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: previous.real_group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: previous.real_user.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: previous.real_user.email
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: User email address.
+ default_field: false
+ - name: previous.real_user.full_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: User's full name, if available.
+ example: Albert Einstein
+ default_field: false
+ - name: previous.real_user.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: previous.real_user.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: previous.real_user.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: previous.real_user.hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ default_field: false
+ - name: previous.real_user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: previous.real_user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: previous.real_user.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: previous.real_user.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: previous.real_user.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: previous.real_user.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: previous.real_user.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: previous.real_user.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
+ - name: previous.real_user.roles
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ default_field: false
+ - name: previous.same_as_process
+ level: extended
+ type: boolean
+ description: 'This boolean is used to identify if a leader process is the same
+ as the top level process.
+
+ For example, if `process.group_leader.same_as_process = true`, it means the
+ process event in question is the leader of its process group. Details under
+ `process.*` like `pid` would be the same under `process.group_leader.*` The
+ same applies for both `process.session_leader` and `process.entry_leader`.
+
+ This field exists to the benefit of EQL and other rule engines since it''s
+ not possible to compare equality between two fields in a single document.
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process
+ is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id`
+ (top level process is the entry session leader)
+
+ Instead these rules could be written like: `process.group_leader.same_as_process:
+ true` OR `process.entry_leader.same_as_process: true`
+
+ Note: This field is only set on `process.entry_leader`, `process.session_leader`
+ and `process.group_leader`.'
+ example: true
+ default_field: false
+ - name: previous.saved_group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: previous.saved_group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: previous.saved_group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: previous.saved_user.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: previous.saved_user.email
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: User email address.
+ default_field: false
+ - name: previous.saved_user.full_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: User's full name, if available.
+ example: Albert Einstein
+ default_field: false
+ - name: previous.saved_user.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: previous.saved_user.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: previous.saved_user.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: previous.saved_user.hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ default_field: false
+ - name: previous.saved_user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: previous.saved_user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: previous.saved_user.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: previous.saved_user.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: previous.saved_user.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: previous.saved_user.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: previous.saved_user.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: previous.saved_user.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
+ - name: previous.saved_user.roles
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ default_field: false
+ - name: previous.start
+ level: extended
+ type: date
+ description: The time the process started.
+ example: '2016-05-23T08:05:34.853Z'
+ default_field: false
+ - name: previous.supplemental_groups.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: previous.supplemental_groups.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: previous.supplemental_groups.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: previous.thread.capabilities.effective
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: This is the set of capabilities used by the kernel to perform permission
+ checks for the thread.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ default_field: false
+ - name: previous.thread.capabilities.permitted
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: This is a limiting superset for the effective capabilities that
+ the thread may assume.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ default_field: false
+ - name: previous.thread.id
+ level: extended
+ type: long
+ format: string
+ description: Thread ID.
+ example: 4242
+ default_field: false
+ - name: previous.thread.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Thread name.
+ example: thread-0
+ default_field: false
+ - name: previous.title
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: 'Process title.
+
+ The proctitle, some times the same as process name. Can also be different:
+ for example a browser setting its title to the web page currently opened.'
+ default_field: false
+ - name: previous.tty
+ level: extended
+ type: object
+ description: Information about the controlling TTY device. If set, the process
+ belongs to an interactive session.
+ default_field: false
+ - name: previous.tty.char_device.major
+ level: extended
+ type: long
+ description: The major number identifies the driver associated with the device.
+ The character device's major and minor numbers can be algorithmically combined
+ to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
+ For more details, please refer to the Linux kernel documentation.
+ example: 4
+ default_field: false
+ - name: previous.tty.char_device.minor
+ level: extended
+ type: long
+ description: The minor number is used only by the driver specified by the major
+ number; other parts of the kernel don’t use it, and merely pass it along to
+ the driver. It is common for a driver to control several devices; the minor
+ number provides a way for the driver to differentiate among them.
+ example: 1
+ default_field: false
+ - name: previous.tty.columns
+ level: extended
+ type: long
+ description: 'The number of character columns per line.
e.g terminal width
+
+ Terminal sizes can change, so this value reflects the maximum value for a
+ given IO event. i.e. where event.action = ''text_output'''
+ example: 80
+ default_field: false
+ - name: previous.tty.rows
+ level: extended
+ type: long
+ description: 'The number of character rows in the terminal. e.g terminal height
+
+ Terminal sizes can change, so this value reflects the maximum value for a
+ given IO event. i.e. where event.action = ''text_output'''
+ example: 24
+ default_field: false
+ - name: previous.uptime
+ level: extended
+ type: long
+ description: Seconds the process has been up.
+ example: 1325
+ default_field: false
+ - name: previous.user.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: previous.user.email
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: User email address.
+ default_field: false
+ - name: previous.user.full_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: User's full name, if available.
+ example: Albert Einstein
+ default_field: false
+ - name: previous.user.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: previous.user.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: previous.user.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: previous.user.hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ default_field: false
+ - name: previous.user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: previous.user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: previous.user.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: previous.user.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: previous.user.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: previous.user.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High + default_field: false + - name: previous.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: previous.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: previous.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: previous.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: previous.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein + default_field: false + - name: real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: responsible.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: responsible.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: responsible.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: responsible.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: responsible.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. 
+ example: Albert Einstein + default_field: false + - name: responsible.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: responsible.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: responsible.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: responsible.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: responsible.attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: responsible.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + default_field: false + - name: responsible.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: responsible.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: responsible.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: responsible.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: responsible.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: responsible.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: responsible.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. 
+ example: 'true' + default_field: false + - name: responsible.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: responsible.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: responsible.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: responsible.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: responsible.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: responsible.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: responsible.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + default_field: false + - name: responsible.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: responsible.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: responsible.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: responsible.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: responsible.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: responsible.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: responsible.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: responsible.elf.exports + level: extended + type: flattened + description: List of exported element names and types. 
+ default_field: false + - name: responsible.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: responsible.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: responsible.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: responsible.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: responsible.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: responsible.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: responsible.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: responsible.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. 
+ default_field: false + - name: responsible.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: responsible.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: responsible.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: responsible.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: responsible.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: responsible.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: responsible.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: responsible.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: responsible.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ default_field: false + - name: responsible.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: responsible.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: responsible.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: responsible.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: responsible.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: responsible.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: responsible.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: responsible.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: responsible.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: responsible.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: responsible.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. 
+ default_field: false + - name: responsible.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: responsible.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: responsible.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: responsible.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: responsible.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: responsible.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: responsible.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: responsible.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + default_field: false + - name: responsible.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: responsible.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: responsible.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: responsible.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: responsible.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: responsible.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: responsible.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. 
+ example: NA + default_field: false + - name: responsible.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: responsible.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: responsible.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: responsible.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: responsible.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: responsible.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: responsible.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: responsible.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. 
+ example: Quebec + default_field: false + - name: responsible.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: responsible.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: responsible.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: responsible.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: responsible.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: responsible.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: responsible.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: responsible.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. 
+ + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: responsible.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: responsible.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: responsible.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' 
+ default_field: false + - name: responsible.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: responsible.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: responsible.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: responsible.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: responsible.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: responsible.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: responsible.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. 
+ default_field: false + - name: responsible.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: responsible.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: responsible.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: responsible.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: responsible.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: responsible.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: responsible.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: responsible.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. 
+ default_field: false + - name: responsible.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: responsible.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: responsible.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: responsible.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: responsible.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: responsible.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: responsible.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' 
+ default_field: false + - name: responsible.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: responsible.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: responsible.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: responsible.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: responsible.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: responsible.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: responsible.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: responsible.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: responsible.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: responsible.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: responsible.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: responsible.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: responsible.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: responsible.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: responsible.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ default_field: false + - name: responsible.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: responsible.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: responsible.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: responsible.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: responsible.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: responsible.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: responsible.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: responsible.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. 
+ example: 6.3.9600.17415 + default_field: false + - name: responsible.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: responsible.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: responsible.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: responsible.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: responsible.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: responsible.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
+ example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: responsible.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: responsible.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: responsible.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: responsible.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: responsible.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: responsible.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: responsible.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. 
+ example: Microsoft® Windows® Operating System + default_field: false + - name: responsible.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: responsible.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: responsible.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: responsible.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: responsible.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: responsible.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: responsible.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: responsible.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: responsible.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: responsible.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: responsible.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: responsible.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: responsible.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: responsible.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ default_field: false + - name: responsible.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: responsible.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: responsible.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: responsible.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: responsible.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: responsible.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: responsible.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: responsible.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: responsible.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: responsible.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: responsible.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: responsible.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: responsible.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: responsible.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: responsible.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: responsible.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ default_field: false + - name: responsible.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: responsible.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: responsible.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: responsible.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: responsible.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: responsible.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: responsible.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: responsible.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: responsible.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: responsible.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: responsible.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: responsible.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: responsible.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: responsible.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: responsible.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: responsible.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: responsible.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: responsible.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + default_field: false + - name: responsible.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: responsible.tty.columns + level: extended + type: long + description: 'The number of character columns per line. 
e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: responsible.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: responsible.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: responsible.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: responsible.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: responsible.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: responsible.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: responsible.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: responsible.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: responsible.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: responsible.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: responsible.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: responsible.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + default_field: false + - name: responsible.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: responsible.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: responsible.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: responsible.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: responsible.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. 
+ + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + default_field: false + - name: saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: session_leader.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: session_leader.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: session_leader.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ default_field: false + - name: session_leader.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: session_leader.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: session_leader.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: session_leader.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: session_leader.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: session_leader.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: session_leader.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: session_leader.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: session_leader.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: session_leader.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: session_leader.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: session_leader.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: session_leader.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: session_leader.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: session_leader.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + default_field: false + - name: session_leader.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: session_leader.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: session_leader.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: session_leader.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: session_leader.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: session_leader.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: session_leader.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: session_leader.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: session_leader.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: session_leader.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: session_leader.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: session_leader.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: session_leader.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: session_leader.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' 
+ default_field: false + - name: session_leader.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: session_leader.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: session_leader.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: session_leader.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: session_leader.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: session_leader.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: session_leader.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: session_leader.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' 
+ default_field: false + - name: session_leader.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: session_leader.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: session_leader.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: session_leader.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: session_leader.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: session_leader.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: session_leader.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: session_leader.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: session_leader.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: session_leader.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: session_leader.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: session_leader.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: session_leader.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: session_leader.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: session_leader.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: session_leader.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: session_leader.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: session_leader.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + default_field: false + - name: session_leader.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: session_leader.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: session_leader.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: session_leader.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: session_leader.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: session_leader.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: session_leader.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. 
+ example: NA + default_field: false + - name: session_leader.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: session_leader.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: session_leader.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: session_leader.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: session_leader.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: session_leader.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: session_leader.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: session_leader.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. 
+ example: Quebec + default_field: false + - name: session_leader.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: session_leader.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: session_leader.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: session_leader.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: session_leader.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: session_leader.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: session_leader.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. 
+ default_field: false + - name: session_leader.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: session_leader.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: session_leader.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + default_field: false + - name: session_leader.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: session_leader.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: session_leader.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: session_leader.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: session_leader.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: session_leader.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: session_leader.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: session_leader.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: session_leader.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: session_leader.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: session_leader.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: session_leader.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: session_leader.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: session_leader.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: session_leader.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: session_leader.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: session_leader.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: session_leader.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: session_leader.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: session_leader.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: session_leader.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. 
+ default_field: false + - name: session_leader.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: session_leader.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false + - name: session_leader.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: session_leader.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: session_leader.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: session_leader.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: session_leader.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: session_leader.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: session_leader.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: session_leader.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: session_leader.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: session_leader.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: session_leader.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. 
+ default_field: false + - name: session_leader.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: session_leader.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: session_leader.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: session_leader.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: session_leader.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: session_leader.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: session_leader.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: session_leader.parent.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. 
+ + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: session_leader.parent.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: session_leader.parent.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.parent.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.parent.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.parent.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.parent.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.parent.attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.parent.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + default_field: false + - name: session_leader.parent.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: session_leader.parent.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: session_leader.parent.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.parent.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.parent.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.parent.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: session_leader.parent.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. 
+ example: 'true' + default_field: false + - name: session_leader.parent.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: session_leader.parent.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: session_leader.parent.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: session_leader.parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: session_leader.parent.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: session_leader.parent.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. 
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: session_leader.parent.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: session_leader.parent.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: session_leader.parent.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: session_leader.parent.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: session_leader.parent.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: session_leader.parent.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: session_leader.parent.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. 
+ example: Intel + default_field: false + - name: session_leader.parent.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: session_leader.parent.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: session_leader.parent.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: session_leader.parent.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: session_leader.parent.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ default_field: false + - name: session_leader.parent.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: session_leader.parent.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: session_leader.parent.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: session_leader.parent.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: session_leader.parent.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: session_leader.parent.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: session_leader.parent.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: session_leader.parent.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: session_leader.parent.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: session_leader.parent.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: session_leader.parent.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: session_leader.parent.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: session_leader.parent.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: session_leader.parent.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: session_leader.parent.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: session_leader.parent.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: session_leader.parent.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. 
+ default_field: false + - name: session_leader.parent.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: session_leader.parent.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: session_leader.parent.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: session_leader.parent.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: session_leader.parent.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: session_leader.parent.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: session_leader.parent.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: session_leader.parent.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: session_leader.parent.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. 
+ default_field: false + - name: session_leader.parent.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: session_leader.parent.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: session_leader.parent.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: session_leader.parent.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: session_leader.parent.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. 
+ example: 15169 + default_field: false + - name: session_leader.parent.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: session_leader.parent.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: session_leader.parent.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: session_leader.parent.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: session_leader.parent.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: session_leader.parent.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: session_leader.parent.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: session_leader.parent.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. 
+ example: Canada + default_field: false + - name: session_leader.parent.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: session_leader.parent.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: session_leader.parent.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: session_leader.parent.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: session_leader.parent.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: session_leader.parent.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: session_leader.parent.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: session_leader.parent.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. 
+ + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: session_leader.parent.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: session_leader.parent.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: session_leader.parent.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: session_leader.parent.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: session_leader.parent.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + default_field: false + - name: session_leader.parent.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: session_leader.parent.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: session_leader.parent.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: session_leader.parent.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' 
+ example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: session_leader.parent.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: session_leader.parent.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: session_leader.parent.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: session_leader.parent.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: session_leader.parent.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: session_leader.parent.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. 
+ default_field: false + - name: session_leader.parent.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: session_leader.parent.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: session_leader.parent.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: session_leader.parent.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: session_leader.parent.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: session_leader.parent.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: session_leader.parent.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: session_leader.parent.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. 
+ default_field: false + - name: session_leader.parent.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: session_leader.parent.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: session_leader.parent.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: session_leader.parent.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: session_leader.parent.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: session_leader.parent.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' 
+ default_field: false + - name: session_leader.parent.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: session_leader.parent.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: session_leader.parent.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: session_leader.parent.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: session_leader.parent.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: session_leader.parent.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: session_leader.parent.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: session_leader.parent.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: session_leader.parent.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: session_leader.parent.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: session_leader.parent.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ default_field: false + - name: session_leader.parent.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: session_leader.parent.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: session_leader.parent.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: session_leader.parent.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: session_leader.parent.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: session_leader.parent.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: session_leader.parent.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. 
+ example: Paint + default_field: false + - name: session_leader.parent.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: session_leader.parent.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: session_leader.parent.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: session_leader.parent.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: session_leader.parent.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. 
An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: session_leader.parent.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: session_leader.parent.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: session_leader.parent.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: session_leader.parent.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: session_leader.parent.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: session_leader.parent.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. 
+ + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: session_leader.parent.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: session_leader.parent.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: session_leader.parent.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: session_leader.parent.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: session_leader.parent.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: session_leader.parent.pid + level: core + type: long + format: string + description: Process id. 
+ example: 4242 + default_field: false + - name: session_leader.parent.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: session_leader.parent.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.parent.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.parent.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: session_leader.parent.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.parent.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.parent.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.parent.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.parent.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: session_leader.parent.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + default_field: false + - name: session_leader.parent.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: session_leader.parent.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.parent.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.parent.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.parent.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. 
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: session_leader.parent.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.parent.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.parent.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.parent.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.parent.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.parent.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.parent.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + default_field: false + - name: session_leader.parent.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: session_leader.parent.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: session_leader.parent.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.parent.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.parent.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.parent.session_leader.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: session_leader.parent.session_leader.args_count + level: extended + type: long + description: 'Length of the process.args array. 
+ + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: session_leader.parent.session_leader.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.session_leader.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.session_leader.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.session_leader.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.session_leader.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.parent.session_leader.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.parent.session_leader.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. 
Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.session_leader.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.session_leader.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.session_leader.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.parent.session_leader.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.parent.session_leader.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein
+ default_field: false
+ - name: session_leader.parent.session_leader.attested_user.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: session_leader.parent.session_leader.attested_user.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: session_leader.parent.session_leader.attested_user.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: session_leader.parent.session_leader.attested_user.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: session_leader.parent.session_leader.attested_user.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: session_leader.parent.session_leader.attested_user.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0 + default_field: false + - name: session_leader.parent.session_leader.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.parent.session_leader.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: session_leader.parent.session_leader.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: session_leader.parent.session_leader.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: session_leader.parent.session_leader.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy default_field: false - - name: entry_leader.saved_group.id + - name: session_leader.parent.session_leader.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. 
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status. Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ default_field: false
+ - name: session_leader.parent.session_leader.code_signature.subject_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ default_field: false
+ - name: session_leader.parent.session_leader.code_signature.team_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The team identifier used to sign the process.
+
+ This is used to identify the team or vendor of a software product. The field
+ is relevant to Apple *OS only.'
+ example: EQHXZ8M8AV
+ default_field: false
+ - name: session_leader.parent.session_leader.code_signature.thumbprint_sha256
+ level: extended
+ type: keyword
+ ignore_above: 64
+ description: Certificate SHA256 hash that uniquely identifies the code signer.
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+ pattern: ^[0-9a-f]{64}$
+ default_field: false
+ - name: session_leader.parent.session_leader.code_signature.timestamp
+ level: extended
+ type: date
+ description: Date and time when the code signature was generated and signed.
+ example: '2021-01-01T12:10:30Z'
+ default_field: false
+ - name: session_leader.parent.session_leader.code_signature.trusted
+ level: extended
+ type: boolean
+ description: 'Stores the trust status of the certificate chain.
+
+ Validating the trust of the certificate chain may be complicated, and this
+ field should only be populated by tools that actively check the status.'
+ example: 'true'
+ default_field: false
+ - name: session_leader.parent.session_leader.code_signature.valid
+ level: extended
+ type: boolean
+ description: 'Boolean to capture if the digital signature is verified against
+ the binary content.
+
+ Leave unpopulated if a certificate was unchecked.'
+ example: 'true'
+ default_field: false
+ - name: session_leader.parent.session_leader.command_line
+ level: extended
+ type: wildcard
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: 'Full command line that started the process, including the absolute
+ path to the executable, and all arguments.
+
+ Some arguments may be filtered to protect sensitive information.'
+ example: /usr/bin/ssh -l user 10.0.0.16
+ default_field: false
+ - name: session_leader.parent.session_leader.elf.architecture
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine architecture of the ELF file.
+ example: x86-64
+ default_field: false
+ - name: session_leader.parent.session_leader.elf.byte_order
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Byte sequence of ELF file.
+ example: Little Endian
+ default_field: false
+ - name: session_leader.parent.session_leader.elf.cpu_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: CPU type of the ELF file.
+ example: Intel
+ default_field: false
+ - name: session_leader.parent.session_leader.elf.creation_date
+ level: extended
+ type: date
+ description: Extracted when possible from the file's metadata. Indicates when
+ it was built or compiled. It can also be faked by malware creators.
+ default_field: false
+ - name: session_leader.parent.session_leader.elf.exports
+ level: extended
+ type: flattened
+ description: List of exported element names and types.
+ default_field: false
+ - name: session_leader.parent.session_leader.elf.go_import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the Go language imports in an ELF file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would
+ change more traditional hash values.
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: session_leader.parent.session_leader.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: session_leader.parent.session_leader.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.session_leader.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.session_leader.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: session_leader.parent.session_leader.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: session_leader.parent.session_leader.elf.header.class level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: Header class of the ELF file. default_field: false - - name: entry_leader.saved_group.name + - name: session_leader.parent.session_leader.elf.header.data level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: Data table of the ELF header. 
default_field: false - - name: entry_leader.saved_user.id - level: core + - name: session_leader.parent.session_leader.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: session_leader.parent.session_leader.elf.header.object_version + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: '"0x1" for original ELF files.' default_field: false - - name: entry_leader.saved_user.name - level: core + - name: session_leader.parent.session_leader.elf.header.os_abi + level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: Application Binary Interface (ABI) of the Linux OS. default_field: false - - name: entry_leader.start + - name: session_leader.parent.session_leader.elf.header.type level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. default_field: false - - name: entry_leader.supplemental_groups.id + - name: session_leader.parent.session_leader.elf.header.version level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: Version of the ELF header. default_field: false - - name: entry_leader.supplemental_groups.name + - name: session_leader.parent.session_leader.elf.import_hash level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: entry_leader.tty + - name: session_leader.parent.session_leader.elf.imports level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. + type: flattened + description: List of imported element names and types. default_field: false - - name: entry_leader.tty.char_device.major + - name: session_leader.parent.session_leader.elf.imports_names_entropy level: extended type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 + format: number + description: Shannon entropy calculation from the list of imported element names + and types. default_field: false - - name: entry_leader.tty.char_device.minor + - name: session_leader.parent.session_leader.elf.imports_names_var_entropy level: extended type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. default_field: false - - name: entry_leader.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 + - name: session_leader.parent.session_leader.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' default_field: false - - name: entry_leader.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + - name: session_leader.parent.session_leader.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. default_field: false - - name: entry_leader.vpid - level: core + - name: session_leader.parent.session_leader.elf.sections.entropy + level: extended type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 + format: number + description: Shannon entropy calculation from the section. default_field: false - - name: entry_leader.working_directory + - name: session_leader.parent.session_leader.elf.sections.flags level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice + description: ELF Section List flags. default_field: false - - name: env_vars + - name: session_leader.parent.session_leader.elf.sections.name level: extended type: keyword ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' 
- example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + description: ELF Section List name. default_field: false - - name: executable + - name: session_leader.parent.session_leader.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Absolute path to the process executable. - example: /usr/bin/ssh - - name: exit_code + description: ELF Section List offset. + default_field: false + - name: session_leader.parent.session_leader.elf.sections.physical_size level: extended type: long - description: 'The exit code of the process, if this is a termination event. + format: bytes + description: ELF Section List physical size. + default_field: false + - name: session_leader.parent.session_leader.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: session_leader.parent.session_leader.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.session_leader.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: session_leader.parent.session_leader.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: session_leader.parent.session_leader.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' 
default_field: false - - name: group.id + - name: session_leader.parent.session_leader.elf.segments.sections level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: ELF object segment sections. default_field: false - - name: group.name + - name: session_leader.parent.session_leader.elf.segments.type level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: ELF object segment type. default_field: false - - name: group_leader.args + - name: session_leader.parent.session_leader.elf.shared_libraries level: extended type: keyword ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + description: List of shared libraries used by this ELF object. default_field: false - - name: group_leader.args_count + - name: session_leader.parent.session_leader.elf.telfhash level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. default_field: false - - name: group_leader.command_line + - name: session_leader.parent.session_leader.end level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 + type: date + description: The time the process ended. 
+ example: '2016-05-23T08:05:34.853Z' default_field: false - - name: group_leader.entity_id + - name: session_leader.parent.session_leader.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: session_leader.parent.session_leader.entity_id level: extended type: keyword ignore_above: 1024 
@@ -6114,226 +24906,283 @@ monitored hosts.' example: c2c455d9f99375d default_field: false - - name: group_leader.executable + - name: session_leader.parent.session_leader.entry_meta.source.address level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' default_field: false - - name: group_leader.group.id + - name: session_leader.parent.session_leader.entry_meta.source.as.number level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 default_field: false - - name: group_leader.group.name + - name: session_leader.parent.session_leader.entry_meta.source.as.organization.name level: extended type: keyword ignore_above: 1024 - description: Name of the group. + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC default_field: false - - name: group_leader.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true + - name: session_leader.parent.session_leader.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 default_field: false - - name: group_leader.name - level: extended + - name: session_leader.parent.session_leader.entry_meta.source.domain + level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. + description: 'The domain name of the source system. - Sometimes called program name or similar.' - example: ssh + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com default_field: false - - name: group_leader.pid + - name: session_leader.parent.session_leader.entry_meta.source.geo.city_name level: core - type: long - format: string - description: Process id. - example: 4242 + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal default_field: false - - name: group_leader.real_group.id - level: extended + - name: session_leader.parent.session_leader.entry_meta.source.geo.continent_code + level: core type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: Two-letter code representing continent's name. 
+ example: NA default_field: false - - name: group_leader.real_group.name - level: extended + - name: session_leader.parent.session_leader.entry_meta.source.geo.continent_name + level: core type: keyword ignore_above: 1024 - description: Name of the group. + description: Name of the continent. + example: North America default_field: false - - name: group_leader.real_user.id + - name: session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code level: core type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: Country ISO code. + example: CA default_field: false - - name: group_leader.real_user.name + - name: session_leader.parent.session_leader.entry_meta.source.geo.country_name level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: Country name. + example: Canada default_field: false - - name: group_leader.same_as_process + - name: session_leader.parent.session_leader.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.geo.name level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. 
- This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 default_field: false - - name: group_leader.saved_group.id - level: extended + - name: session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + level: core type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: Region ISO code. + example: CA-QC default_field: false - - name: group_leader.saved_group.name - level: extended + - name: session_leader.parent.session_leader.entry_meta.source.geo.region_name + level: core type: keyword ignore_above: 1024 - description: Name of the group. + description: Region name. 
+ example: Quebec default_field: false - - name: group_leader.saved_user.id + - name: session_leader.parent.session_leader.entry_meta.source.geo.timezone level: core type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires default_field: false - - name: group_leader.saved_user.name + - name: session_leader.parent.session_leader.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.mac level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ default_field: false - - name: group_leader.start + - name: session_leader.parent.session_leader.entry_meta.source.nat.ip level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' default_field: false - - name: group_leader.supplemental_groups.id + - name: session_leader.parent.session_leader.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. 
internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.registered_domain level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com default_field: false - - name: group_leader.supplemental_groups.name + - name: session_leader.parent.session_leader.entry_meta.source.subdomain level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' 
+ example: east default_field: false - - name: group_leader.tty + - name: session_leader.parent.session_leader.entry_meta.source.top_level_domain level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk default_field: false - - name: group_leader.tty.char_device.major + - name: session_leader.parent.session_leader.entry_meta.type level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' default_field: false - - name: group_leader.tty.char_device.minor + - name: session_leader.parent.session_leader.env_vars level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. 
- example: 1 - default_field: false - - name: group_leader.user.id - level: core type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' default_field: false - - name: group_leader.user.name - level: core + - name: session_leader.parent.session_leader.executable + level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: Absolute path to the process executable. + example: /usr/bin/ssh default_field: false - - name: group_leader.vpid - level: core + - name: session_leader.parent.session_leader.exit_code + level: extended type: long - format: string - description: 'Virtual process id. + description: 'The exit code of the process, if this is a termination event. - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 default_field: false - - name: group_leader.working_directory + - name: session_leader.parent.session_leader.group.domain level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
default_field: false - - name: hash.cdhash + - name: session_leader.parent.session_leader.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.session_leader.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.session_leader.hash.cdhash level: extended type: keyword ignore_above: 1024 
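Review bot: The new `session_leader.parent.session_leader.entry_meta.type` entry keeps the description text `Note: This field is only set on process.session_leader.`, which no longer matches the field's own path, so either that sentence should be dropped from this nested copy or the reuse restricted so the field is not emitted at this depth. The same hunk pulls the complete `source.*` field set (AS, geo, NAT, MAC with its `pattern`, registered and top-level domain) under `entry_meta.source` three process levels deep; the hunk header's jump from roughly 6k to 25k lines suggests the reuse is no longer limited to the short field subset used at these depths, which is worth confirming against the schema definition since every added leaf counts toward the index's field limit. If this file is generated output, the fix belongs in the schema source rather than here. As a minor point, `example: 94040` for the keyword field `geo.postal_code` is an unquoted integer; `example: '94040'` would keep the example a string like the field it documents.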
@@ -6341,45 +25190,49 @@ the integrity of the executable code. example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 default_field: false - - name: hash.md5 + - name: session_leader.parent.session_leader.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. - - name: hash.sha1 + default_field: false + - name: session_leader.parent.session_leader.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. - - name: hash.sha256 + default_field: false + - name: session_leader.parent.session_leader.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. - - name: hash.sha384 + default_field: false + - name: session_leader.parent.session_leader.hash.sha384 level: extended type: keyword ignore_above: 1024 description: SHA384 hash. default_field: false - - name: hash.sha512 + - name: session_leader.parent.session_leader.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. - - name: hash.ssdeep + default_field: false + - name: session_leader.parent.session_leader.hash.ssdeep level: extended type: keyword ignore_above: 1024 description: SSDEEP hash. default_field: false - - name: hash.tlsh + - name: session_leader.parent.session_leader.hash.tlsh level: extended type: keyword ignore_above: 1024 description: TLSH hash. default_field: false - - name: interactive + - name: session_leader.parent.session_leader.interactive level: extended type: boolean description: 'Whether the process is connected to an interactive shell. @@ -6395,7 +25248,7 @@ connected to the controlling TTY.' example: true default_field: false - - name: io + - name: session_leader.parent.session_leader.io level: extended type: object description: 'A chunk of input or output (IO) from a single process. 
@@ -6403,30 +25256,30 @@ This field only appears on the top level process object, which is the process that wrote the output or read the input.' default_field: false - - name: io.bytes_skipped + - name: session_leader.parent.session_leader.io.bytes_skipped level: extended type: object description: An array of byte offsets and lengths denoting where IO data has been skipped. default_field: false - - name: io.bytes_skipped.length + - name: session_leader.parent.session_leader.io.bytes_skipped.length level: extended type: long description: The length of bytes skipped. default_field: false - - name: io.bytes_skipped.offset + - name: session_leader.parent.session_leader.io.bytes_skipped.offset level: extended type: long description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. default_field: false - - name: io.max_bytes_per_process_exceeded + - name: session_leader.parent.session_leader.io.max_bytes_per_process_exceeded level: extended type: boolean description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. default_field: false - - name: io.text + - name: session_leader.parent.session_leader.io.text level: extended type: wildcard description: 'A chunk of output or input sanitized to UTF-8. 
@@ -6437,19 +25290,19 @@ so some string queries may not match due to terminal codes inserted between characters of a word.' default_field: false - - name: io.total_bytes_captured + - name: session_leader.parent.session_leader.io.total_bytes_captured level: extended type: long description: The total number of bytes captured in this event. default_field: false - - name: io.total_bytes_skipped + - name: session_leader.parent.session_leader.io.total_bytes_skipped level: extended type: long description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero default_field: false - - name: io.type + - name: session_leader.parent.session_leader.io.type level: extended type: keyword ignore_above: 1024 @@ -6459,7 +25312,7 @@ Currently only ''tty'' is supported. Other types may be added in the future for ''file'' and ''socket'' support.' default_field: false - - name: macho.go_import_hash + - name: session_leader.parent.session_leader.macho.go_import_hash level: extended type: keyword ignore_above: 1024 
@@ -6472,30 +25325,30 @@ are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: macho.go_imports + - name: session_leader.parent.session_leader.macho.go_imports level: extended type: flattened description: List of imported Go language element names and types. default_field: false - - name: macho.go_imports_names_entropy + - name: session_leader.parent.session_leader.macho.go_imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: macho.go_imports_names_var_entropy + - name: session_leader.parent.session_leader.macho.go_imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: macho.go_stripped + - name: session_leader.parent.session_leader.macho.go_stripped level: extended type: boolean description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: macho.import_hash + - name: session_leader.parent.session_leader.macho.import_hash level: extended type: keyword ignore_above: 1024 
@@ -6506,26 +25359,26 @@ This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: macho.imports + - name: session_leader.parent.session_leader.macho.imports level: extended type: flattened description: List of imported element names and types. default_field: false - - name: macho.imports_names_entropy + - name: session_leader.parent.session_leader.macho.imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of imported element names and types. default_field: false - - name: macho.imports_names_var_entropy + - name: session_leader.parent.session_leader.macho.imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of imported element names and types. default_field: false - - name: macho.sections + - name: session_leader.parent.session_leader.macho.sections level: extended type: nested description: 'An array containing an object for each section of the Mach-O file. 
@@ -6533,37 +25386,37 @@ The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' default_field: false - - name: macho.sections.entropy + - name: session_leader.parent.session_leader.macho.sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. default_field: false - - name: macho.sections.name + - name: session_leader.parent.session_leader.macho.sections.name level: extended type: keyword ignore_above: 1024 description: Mach-O Section List name. default_field: false - - name: macho.sections.physical_size + - name: session_leader.parent.session_leader.macho.sections.physical_size level: extended type: long format: bytes description: Mach-O Section List physical size. default_field: false - - name: macho.sections.var_entropy + - name: session_leader.parent.session_leader.macho.sections.var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the section. default_field: false - - name: macho.sections.virtual_size + - name: session_leader.parent.session_leader.macho.sections.virtual_size level: extended type: long format: string description: Mach-O Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: macho.symhash + - name: session_leader.parent.session_leader.macho.symhash level: extended type: keyword ignore_above: 1024 
@@ -6574,180 +25427,66 @@ This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec default_field: false - - name: name + - name: session_leader.parent.session_leader.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - default_field: false description: 'Process name. Sometimes called program name or similar.' example: ssh - - name: parent.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: parent.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 default_field: false - - name: parent.code_signature.digest_algorithm + - name: session_leader.parent.session_leader.origin_referrer_url level: extended type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: parent.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html default_field: false - - name: parent.code_signature.flags + - name: session_leader.parent.session_leader.origin_url level: extended type: keyword - ignore_above: 1024 - description: The flags used to sign the process. 
- example: 570522385 + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe default_field: false - - name: parent.code_signature.signing_id + - name: session_leader.parent.session_leader.pe.architecture level: extended type: keyword ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy + description: CPU architecture target for the file. + example: x64 default_field: false - - name: parent.code_signature.status + - name: session_leader.parent.session_leader.pe.company level: extended type: keyword ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: parent.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer + description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: parent.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: parent.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: parent.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: parent.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: parent.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: parent.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: parent.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: parent.elf.byte_order + - name: session_leader.parent.session_leader.pe.description level: extended type: keyword ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian + description: Internal description of the file, provided at compile-time. 
+ example: Paint default_field: false - - name: parent.elf.cpu_type + - name: session_leader.parent.session_leader.pe.file_version level: extended type: keyword ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: parent.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: parent.elf.exports - level: extended - type: flattened - description: List of exported element names and types. + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: parent.elf.go_import_hash + - name: session_leader.parent.session_leader.pe.go_import_hash level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard + description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
@@ -6756,686 +25495,638 @@ are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: parent.elf.go_imports + - name: session_leader.parent.session_leader.pe.go_imports level: extended type: flattened description: List of imported Go language element names and types. default_field: false - - name: parent.elf.go_imports_names_entropy + - name: session_leader.parent.session_leader.pe.go_imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: parent.elf.go_imports_names_var_entropy + - name: session_leader.parent.session_leader.pe.go_imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: parent.elf.go_stripped + - name: session_leader.parent.session_leader.pe.go_stripped level: extended type: boolean description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: parent.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: parent.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: parent.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: parent.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: parent.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' 
- default_field: false - - name: parent.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: parent.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: parent.elf.header.version + - name: session_leader.parent.session_leader.pe.imphash level: extended type: keyword ignore_above: 1024 - description: Version of the ELF header. + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: parent.elf.import_hash + - name: session_leader.parent.session_leader.pe.import_hash level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used + description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - This is an ELF implementation of the Windows PE imphash.' + This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: parent.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: parent.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. 
- default_field: false - - name: parent.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: parent.elf.sections + - name: session_leader.parent.session_leader.pe.imports level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' + type: flattened + description: List of imported element names and types. default_field: false - - name: parent.elf.sections.chi2 + - name: session_leader.parent.session_leader.pe.imports_names_entropy level: extended type: long format: number - description: Chi-square probability distribution of the section. + description: Shannon entropy calculation from the list of imported element names + and types. default_field: false - - name: parent.elf.sections.entropy + - name: session_leader.parent.session_leader.pe.imports_names_var_entropy level: extended type: long format: number - description: Shannon entropy calculation from the section. + description: Variance for Shannon entropy calculation from the list of imported + element names and types. default_field: false - - name: parent.elf.sections.flags + - name: session_leader.parent.session_leader.pe.original_file_name level: extended type: keyword ignore_above: 1024 - description: ELF Section List flags. + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE default_field: false - - name: parent.elf.sections.name + - name: session_leader.parent.session_leader.pe.pehash level: extended type: keyword ignore_above: 1024 - description: ELF Section List name. + description: 'A hash of the PE header and data from one or more PE sections. 
+ An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 default_field: false - - name: parent.elf.sections.physical_offset + - name: session_leader.parent.session_leader.pe.product level: extended type: keyword ignore_above: 1024 - description: ELF Section List offset. + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System default_field: false - - name: parent.elf.sections.physical_size + - name: session_leader.parent.session_leader.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: session_leader.parent.session_leader.pe.sections.entropy level: extended type: long - format: bytes - description: ELF Section List physical size. + format: number + description: Shannon entropy calculation from the section. default_field: false - - name: parent.elf.sections.type + - name: session_leader.parent.session_leader.pe.sections.name level: extended type: keyword ignore_above: 1024 - description: ELF Section List type. + description: PE Section List name. default_field: false - - name: parent.elf.sections.var_entropy + - name: session_leader.parent.session_leader.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: session_leader.parent.session_leader.pe.sections.var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the section. 
default_field: false - - name: parent.elf.sections.virtual_address + - name: session_leader.parent.session_leader.pe.sections.virtual_size level: extended type: long format: string - description: ELF Section List virtual address. + description: PE Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: parent.elf.sections.virtual_size - level: extended + - name: session_leader.parent.session_leader.pid + level: core type: long format: string - description: ELF Section List virtual size. + description: Process id. + example: 4242 default_field: false - - name: parent.elf.segments + - name: session_leader.parent.session_leader.platform_binary level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. default_field: false - - name: parent.elf.segments.sections + - name: session_leader.parent.session_leader.real_group.domain level: extended type: keyword ignore_above: 1024 - description: ELF object segment sections. + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' default_field: false - - name: parent.elf.segments.type + - name: session_leader.parent.session_leader.real_group.id level: extended type: keyword ignore_above: 1024 - description: ELF object segment type. + description: Unique identifier for the group on the system/platform. default_field: false - - name: parent.elf.shared_libraries + - name: session_leader.parent.session_leader.real_group.name level: extended type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object. + description: Name of the group. 
default_field: false - - name: parent.elf.telfhash + - name: session_leader.parent.session_leader.real_user.domain level: extended type: keyword ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: parent.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' default_field: false - - name: parent.entity_id + - name: session_leader.parent.session_leader.real_user.email level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d + description: User email address. default_field: false - - name: parent.executable + - name: session_leader.parent.session_leader.real_user.full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh + description: User's full name, if available. + example: Albert Einstein default_field: false - - name: parent.exit_code + - name: session_leader.parent.session_leader.real_user.group.domain level: extended - type: long - description: 'The exit code of the process, if this is a termination event. + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. - The field should be absent if there is no exit code for the event (e.g. process - start).' 
- example: 137 + For example, an LDAP or Active Directory domain name.' default_field: false - - name: parent.group.id + - name: session_leader.parent.session_leader.real_user.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - - name: parent.group.name + - name: session_leader.parent.session_leader.real_user.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: parent.group_leader.entity_id + - name: session_leader.parent.session_leader.real_user.hash level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. + description: 'Unique user hash to correlate information for a user in anonymized + form. - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: parent.group_leader.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: parent.group_leader.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' default_field: false - - name: parent.group_leader.vpid + - name: session_leader.parent.session_leader.real_user.id level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. 
This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: parent.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: parent.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: parent.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: parent.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: parent.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: parent.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: parent.hash.ssdeep - level: extended type: keyword ignore_above: 1024 - description: SSDEEP hash. + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: parent.hash.tlsh - level: extended + - name: session_leader.parent.session_leader.real_user.name + level: core type: keyword ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: parent.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: parent.macho.go_import_hash + - name: session_leader.parent.session_leader.real_user.risk.calculated_level level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: parent.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: parent.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High default_field: false - - name: parent.macho.go_imports_names_var_entropy + - name: session_leader.parent.session_leader.real_user.risk.calculated_score level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 default_field: false - - name: parent.macho.go_stripped + - name: session_leader.parent.session_leader.real_user.risk.calculated_score_norm level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 default_field: false - - name: parent.macho.import_hash + - name: session_leader.parent.session_leader.real_user.risk.static_level level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High default_field: false - - name: parent.macho.imports + - name: session_leader.parent.session_leader.real_user.risk.static_score level: extended - type: flattened - description: List of imported element names and types. + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 default_field: false - - name: parent.macho.imports_names_entropy + - name: session_leader.parent.session_leader.real_user.risk.static_score_norm level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 default_field: false - - name: parent.macho.imports_names_var_entropy + - name: session_leader.parent.session_leader.real_user.roles level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' default_field: false - - name: parent.macho.sections + - name: session_leader.parent.session_leader.same_as_process level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: parent.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. 
+ + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true default_field: false - - name: parent.macho.sections.name + - name: session_leader.parent.session_leader.saved_group.domain level: extended type: keyword ignore_above: 1024 - description: Mach-O Section List name. + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' default_field: false - - name: parent.macho.sections.physical_size + - name: session_leader.parent.session_leader.saved_group.id level: extended - type: long - format: bytes - description: Mach-O Section List physical size. + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. default_field: false - - name: parent.macho.sections.var_entropy + - name: session_leader.parent.session_leader.saved_group.name level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. + type: keyword + ignore_above: 1024 + description: Name of the group. default_field: false - - name: parent.macho.sections.virtual_size + - name: session_leader.parent.session_leader.saved_user.domain level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' default_field: false - - name: parent.macho.symhash + - name: session_leader.parent.session_leader.saved_user.email level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec + description: User email address. default_field: false - - name: parent.name + - name: session_leader.parent.session_leader.saved_user.full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: 'Process name. + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.parent.session_leader.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. - Sometimes called program name or similar.' - example: ssh + For example, an LDAP or Active Directory domain name.' default_field: false - - name: parent.pe.architecture + - name: session_leader.parent.session_leader.saved_user.group.id level: extended type: keyword ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 + description: Unique identifier for the group on the system/platform. default_field: false - - name: parent.pe.company + - name: session_leader.parent.session_leader.saved_user.group.name level: extended type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation + description: Name of the group. 
default_field: false - - name: parent.pe.description + - name: session_leader.parent.session_leader.saved_user.hash level: extended type: keyword ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' default_field: false - - name: parent.pe.file_version + - name: session_leader.parent.session_leader.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.parent.session_leader.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.parent.session_leader.saved_user.risk.calculated_level level: extended type: keyword ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High default_field: false - - name: parent.pe.go_import_hash + - name: session_leader.parent.session_leader.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + default_field: false + - name: session_leader.parent.session_leader.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: session_leader.parent.session_leader.saved_user.risk.static_level level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High default_field: false - - name: parent.pe.go_imports + - name: session_leader.parent.session_leader.saved_user.risk.static_score level: extended - type: flattened - description: List of imported Go language element names and types. + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 default_field: false - - name: parent.pe.go_imports_names_entropy + - name: session_leader.parent.session_leader.saved_user.risk.static_score_norm level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 default_field: false - - name: parent.pe.go_imports_names_var_entropy + - name: session_leader.parent.session_leader.saved_user.roles level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' default_field: false - - name: parent.pe.go_stripped + - name: session_leader.parent.session_leader.start level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' default_field: false - - name: parent.pe.imphash + - name: session_leader.parent.session_leader.supplemental_groups.domain level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + description: 'Name of the directory the group is a member of. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf + For example, an LDAP or Active Directory domain name.' default_field: false - - name: parent.pe.import_hash + - name: session_leader.parent.session_leader.supplemental_groups.id level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e + description: Unique identifier for the group on the system/platform. default_field: false - - name: parent.pe.imports + - name: session_leader.parent.session_leader.supplemental_groups.name level: extended - type: flattened - description: List of imported element names and types. + type: keyword + ignore_above: 1024 + description: Name of the group. default_field: false - - name: parent.pe.imports_names_entropy + - name: session_leader.parent.session_leader.thread.capabilities.effective level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: session_leader.parent.session_leader.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ default_field: false - - name: parent.pe.imports_names_var_entropy + - name: session_leader.parent.session_leader.thread.id level: extended type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. + format: string + description: Thread ID. + example: 4242 default_field: false - - name: parent.pe.original_file_name + - name: session_leader.parent.session_leader.thread.name level: extended type: keyword ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + description: Thread name. 
+ example: thread-0 default_field: false - - name: parent.pe.pehash + - name: session_leader.parent.session_leader.title level: extended type: keyword ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. + multi_fields: + - name: text + type: match_only_text + description: 'Process title. - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' default_field: false - - name: parent.pe.product + - name: session_leader.parent.session_leader.tty level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. default_field: false - - name: parent.pe.sections + - name: session_leader.parent.session_leader.tty.char_device.major level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. 
+ example: 4 default_field: false - - name: parent.pe.sections.entropy + - name: session_leader.parent.session_leader.tty.char_device.minor level: extended type: long - format: number - description: Shannon entropy calculation from the section. + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 default_field: false - - name: parent.pe.sections.name + - name: session_leader.parent.session_leader.tty.columns level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 default_field: false - - name: parent.pe.sections.physical_size + - name: session_leader.parent.session_leader.tty.rows level: extended type: long - format: bytes - description: PE Section List physical size. + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 default_field: false - - name: parent.pe.sections.var_entropy + - name: session_leader.parent.session_leader.uptime level: extended type: long - format: number - description: Variance for Shannon entropy calculation from the section. + description: Seconds the process has been up. + example: 1325 default_field: false - - name: parent.pe.sections.virtual_size + - name: session_leader.parent.session_leader.user.domain level: extended - type: long - format: string - description: PE Section List virtual size. 
This is always the same as `physical_size`. + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' default_field: false - - name: parent.pid - level: core - type: long - format: string - description: Process id. - example: 4242 + - name: session_leader.parent.session_leader.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. default_field: false - - name: parent.real_group.id + - name: session_leader.parent.session_leader.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.parent.session_leader.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.session_leader.user.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - - name: parent.real_group.name + - name: session_leader.parent.session_leader.user.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: parent.real_user.id + - name: session_leader.parent.session_leader.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.parent.session_leader.user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. 
example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: parent.real_user.name + - name: session_leader.parent.session_leader.user.name level: core type: keyword ignore_above: 1024 
@@ -7445,54 +26136,107 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: parent.saved_group.id + - name: session_leader.parent.session_leader.user.risk.calculated_level level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High default_field: false - - name: parent.saved_group.name + - name: session_leader.parent.session_leader.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: session_leader.parent.session_leader.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: session_leader.parent.session_leader.user.risk.static_level level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High default_field: false - - name: parent.saved_user.id - level: core + - name: session_leader.parent.session_leader.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: session_leader.parent.session_leader.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.parent.session_leader.user.roles + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' default_field: false - - name: parent.saved_user.name + - name: session_leader.parent.session_leader.vpid level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: session_leader.parent.session_leader.working_directory + level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: The working directory of the process. + example: /home/alice default_field: false - - name: parent.start + - name: session_leader.parent.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - - name: parent.supplemental_groups.id + - name: session_leader.parent.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: session_leader.parent.supplemental_groups.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - - name: parent.supplemental_groups.name + - name: session_leader.parent.supplemental_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: parent.thread.capabilities.effective + - name: session_leader.parent.thread.capabilities.effective level: extended type: keyword ignore_above: 1024 @@ -7501,7 +26245,7 @@ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' pattern: ^(CAP_[A-Z_]+|\d+)$ default_field: false - - name: parent.thread.capabilities.permitted + - name: session_leader.parent.thread.capabilities.permitted level: extended type: keyword ignore_above: 1024 @@ -7510,21 +26254,21 @@ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' pattern: ^(CAP_[A-Z_]+|\d+)$ default_field: false - - name: parent.thread.id + - name: session_leader.parent.thread.id level: extended type: long format: string description: Thread ID. example: 4242 default_field: false - - name: parent.thread.name + - name: session_leader.parent.thread.name level: extended type: keyword ignore_above: 1024 description: Thread name. example: thread-0 default_field: false - - name: parent.title + - name: session_leader.parent.title level: extended type: keyword ignore_above: 1024 
@@ -7536,13 +26280,13 @@ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' default_field: false - - name: parent.tty + - name: session_leader.parent.tty level: extended type: object description: Information about the controlling TTY device. If set, the process belongs to an interactive session. default_field: false - - name: parent.tty.char_device.major + - name: session_leader.parent.tty.char_device.major level: extended type: long description: The major number identifies the driver associated with the device. @@ -7551,7 +26295,7 @@ For more details, please refer to the Linux kernel documentation. example: 4 default_field: false - - name: parent.tty.char_device.minor + - name: session_leader.parent.tty.char_device.minor level: extended type: long description: The minor number is used only by the driver specified by the major 
@@ -7560,20 +26304,92 @@ number provides a way for the driver to differentiate among them. example: 1 default_field: false - - name: parent.uptime + - name: session_leader.parent.tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: session_leader.parent.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: session_leader.parent.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: session_leader.parent.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.parent.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.parent.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: session_leader.parent.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.user.group.name level: extended - type: long - description: Seconds the process has been up. - example: 1325 + type: keyword + ignore_above: 1024 + description: Name of the group. default_field: false - - name: parent.user.id + - name: session_leader.parent.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.parent.user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: parent.user.name + - name: session_leader.parent.user.name level: core type: keyword ignore_above: 1024 
@@ -7583,7 +26399,60 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: parent.vpid + - name: session_leader.parent.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.parent.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: session_leader.parent.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: session_leader.parent.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: session_leader.parent.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.parent.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + default_field: false + - name: session_leader.parent.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.parent.vpid level: core type: long format: string @@ -7594,7 +26463,7 @@ the process exists within.' example: 4242 default_field: false - - name: parent.working_directory + - name: session_leader.parent.working_directory level: extended type: keyword ignore_above: 1024 @@ -7604,35 +26473,35 @@ description: The working directory of the process. example: /home/alice default_field: false - - name: pe.architecture + - name: session_leader.pe.architecture level: extended type: keyword ignore_above: 1024 description: CPU architecture target for the file. example: x64 default_field: false - - name: pe.company + - name: session_leader.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: pe.description + - name: session_leader.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - - name: pe.file_version + - name: session_leader.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - - name: pe.go_import_hash + - name: session_leader.pe.go_import_hash level: extended type: keyword ignore_above: 1024 
@@ -7645,30 +26514,30 @@ are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: pe.go_imports + - name: session_leader.pe.go_imports level: extended type: flattened description: List of imported Go language element names and types. default_field: false - - name: pe.go_imports_names_entropy + - name: session_leader.pe.go_imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: pe.go_imports_names_var_entropy + - name: session_leader.pe.go_imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: pe.go_stripped + - name: session_leader.pe.go_stripped level: extended type: boolean description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: pe.imphash + - name: session_leader.pe.imphash level: extended type: keyword ignore_above: 1024 @@ -7679,7 +26548,7 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: pe.import_hash + - name: session_leader.pe.import_hash level: extended type: keyword ignore_above: 1024 
@@ -7690,33 +26559,33 @@ This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: pe.imports + - name: session_leader.pe.imports level: extended type: flattened description: List of imported element names and types. default_field: false - - name: pe.imports_names_entropy + - name: session_leader.pe.imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of imported element names and types. default_field: false - - name: pe.imports_names_var_entropy + - name: session_leader.pe.imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of imported element names and types. default_field: false - - name: pe.original_file_name + - name: session_leader.pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - - name: pe.pehash + - name: session_leader.pe.pehash level: extended type: keyword ignore_above: 1024 @@ -7727,14 +26596,14 @@ Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 default_field: false - - name: pe.product + - name: session_leader.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System default_field: false - - name: pe.sections + - name: session_leader.pe.sections level: extended type: nested description: 'An array containing an object for each section of the PE file. 
@@ -7742,411 +26611,430 @@ The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' default_field: false - - name: pe.sections.entropy + - name: session_leader.pe.sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. default_field: false - - name: pe.sections.name + - name: session_leader.pe.sections.name level: extended type: keyword ignore_above: 1024 description: PE Section List name. default_field: false - - name: pe.sections.physical_size + - name: session_leader.pe.sections.physical_size level: extended type: long format: bytes description: PE Section List physical size. default_field: false - - name: pe.sections.var_entropy + - name: session_leader.pe.sections.var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the section. default_field: false - - name: pe.sections.virtual_size + - name: session_leader.pe.sections.virtual_size level: extended type: long format: string description: PE Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: pid + - name: session_leader.pid level: core type: long format: string description: Process id. example: 4242 - - name: previous.args + default_field: false + - name: session_leader.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: session_leader.real_group.domain level: extended type: keyword ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. + description: 'Name of the directory the group is a member of. - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + For example, an LDAP or Active Directory domain name.' 
default_field: false - - name: previous.args_count + - name: session_leader.real_group.id level: extended - type: long - description: 'Length of the process.args array. + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 + For example, an LDAP or Active Directory domain name.' default_field: false - - name: previous.executable + - name: session_leader.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: session_leader.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: session_leader.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: session_leader.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + default_field: false + - name: session_leader.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' 
+ example: true + default_field: false + - name: session_leader.saved_group.domain level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' default_field: false - - name: real_group.id + - name: session_leader.saved_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - - name: real_group.name + - name: session_leader.saved_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: saved_group.id + - name: session_leader.saved_user.domain level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' default_field: false - - name: saved_group.name + - name: session_leader.saved_user.email level: extended type: keyword ignore_above: 1024 - description: Name of the group. - default_field: false - - name: saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: User email address. 
default_field: false - - name: saved_user.name - level: core + - name: session_leader.saved_user.full_name + level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: User's full name, if available. + example: Albert Einstein default_field: false - - name: session_leader.args + - name: session_leader.saved_user.group.domain level: extended type: keyword ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: session_leader.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: session_leader.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. + description: 'Name of the directory the group is a member of. - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 + For example, an LDAP or Active Directory domain name.' default_field: false - - name: session_leader.entity_id + - name: session_leader.saved_user.group.id level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. 
- - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d + description: Unique identifier for the group on the system/platform. default_field: false - - name: session_leader.executable + - name: session_leader.saved_user.group.name level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh + description: Name of the group. default_field: false - - name: session_leader.group.id + - name: session_leader.saved_user.hash level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' default_field: false - - name: session_leader.group.name - level: extended + - name: session_leader.saved_user.id + level: core type: keyword ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: session_leader.name - level: extended + - name: session_leader.saved_user.name + level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh + description: Short name or login of the user. + example: a.einstein default_field: false - - name: session_leader.parent.entity_id + - name: session_leader.saved_user.risk.calculated_level level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High default_field: false - - name: session_leader.parent.pid - level: core - type: long - format: string - description: Process id. - example: 4242 + - name: session_leader.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 default_field: false - - name: session_leader.parent.session_leader.entity_id + - name: session_leader.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + default_field: false + - name: session_leader.saved_user.risk.static_level level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: session_leader.parent.session_leader.pid - level: core - type: long - format: string - description: Process id. - example: 4242 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High default_field: false - - name: session_leader.parent.session_leader.start + - name: session_leader.saved_user.risk.static_score level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: session_leader.parent.session_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 default_field: false - - name: session_leader.parent.start + - name: session_leader.saved_user.risk.static_score_norm level: extended - type: date - description: The time the process started. 
- example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: session_leader.parent.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: session_leader.pid - level: core - type: long - format: string - description: Process id. - example: 4242 + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 default_field: false - - name: session_leader.real_group.id + - name: session_leader.saved_user.roles level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' default_field: false - - name: session_leader.real_group.name + - name: session_leader.start level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' default_field: false - - name: session_leader.real_user.name - level: core + - name: session_leader.supplemental_groups.domain + level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein - default_field: false - - name: session_leader.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` + description: 'Name of the directory the group is a member of. - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true + For example, an LDAP or Active Directory domain name.' default_field: false - - name: session_leader.saved_group.id + - name: session_leader.supplemental_groups.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - - name: session_leader.saved_group.name + - name: session_leader.supplemental_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: session_leader.saved_user.id - level: core + - name: session_leader.thread.capabilities.effective + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ default_field: false - - name: session_leader.saved_user.name - level: core + - name: session_leader.thread.capabilities.permitted + level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ default_field: false - - name: session_leader.start + - name: session_leader.thread.id level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' + type: long + format: string + description: Thread ID. + example: 4242 default_field: false - - name: session_leader.supplemental_groups.id + - name: session_leader.thread.name level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: Thread name. + example: thread-0 default_field: false - - name: session_leader.supplemental_groups.name + - name: session_leader.title level: extended type: keyword ignore_above: 1024 - description: Name of the group. + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' default_field: false - name: session_leader.tty level: extended 
@@ -8172,6 +27060,84 @@ number provides a way for the driver to differentiate among them. example: 1 default_field: false + - name: session_leader.tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: session_leader.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: session_leader.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: session_leader.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: session_leader.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false - name: session_leader.user.id level: core type: keyword 
@@ -8189,6 +27155,59 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: session_leader.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: session_leader.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: session_leader.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: session_leader.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + default_field: false - name: session_leader.vpid level: core type: long @@ -8215,6 +27234,14 @@ type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' + - name: supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false - name: supplemental_groups.id level: extended type: keyword 
@@ -8311,11 +27338,65 @@ given IO event. i.e. where event.action = ''text_output''' example: 24 default_field: false - - name: uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 + - name: uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + - name: user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false - name: user.id level: core type: keyword 
@@ -8333,6 +27414,59 @@
 description: Short name or login of the user.
 example: a.einstein
 default_field: false
+ - name: user.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: user.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: user.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: user.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: user.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: user.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
+ - name: user.roles
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ default_field: false
 - name: vpid
 level: core
 type: long
@@ -8840,6 +27974,52 @@
 default_field: false
 description: Short name or login of the user.
 example: a.einstein
+ - name: user.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: user.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: user.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: user.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: user.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: user.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
 - name: user.roles
 level: extended
 type: keyword
@@ -9688,6 +28868,52 @@
 default_field: false
 description: Short name or login of the user.
 example: a.einstein
+ - name: user.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: user.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: user.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: user.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: user.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: user.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
 - name: user.roles
 level: extended
 type: keyword
@@ -13880,6 +33106,52 @@
 description: Short name or login of the user.
 example: a.einstein
 default_field: false
+ - name: changes.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: changes.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: changes.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: changes.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: changes.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: changes.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
 - name: changes.roles
 level: extended
 type: keyword
@@ -13965,6 +33237,52 @@
 description: Short name or login of the user.
 example: a.einstein
 default_field: false
+ - name: effective.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: effective.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: effective.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: effective.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: effective.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: effective.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
 - name: effective.roles
 level: extended
 type: keyword
@@ -14273,6 +33591,52 @@
 description: Short name or login of the user.
 example: a.einstein
 default_field: false
+ - name: target.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: target.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: target.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: target.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: target.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: target.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
 - name: target.roles
 level: extended
 type: keyword
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 3871df200a..ad2d151afd 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -1,1884 +1,4484 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -9.3.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -9.3.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -9.3.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -9.3.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -9.3.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -9.3.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -9.3.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -9.3.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -9.3.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -9.3.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -9.3.0-dev,true,client,client.address,keyword,extended,,,Client network address. -9.3.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.3.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.3.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.3.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -9.3.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -9.3.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -9.3.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. 
-9.3.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -9.3.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.3.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -9.3.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.3.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.3.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -9.3.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.3.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -9.3.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.3.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -9.3.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -9.3.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -9.3.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -9.3.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -9.3.0-dev,true,client,client.port,long,core,,,Port of the client. -9.3.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -9.3.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -9.3.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.3.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,client,client.user.email,keyword,extended,,,User email address. -9.3.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-9.3.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -9.3.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -9.3.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -9.3.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -9.3.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -9.3.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -9.3.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. -9.3.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. 
-9.3.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -9.3.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -9.3.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -9.3.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -9.3.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -9.3.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. -9.3.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. -9.3.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -9.3.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -9.3.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -9.3.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -9.3.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -9.3.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -9.3.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -9.3.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -9.3.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -9.3.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -9.3.0-dev,true,cloud,cloud.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 
-9.3.0-dev,true,cloud,cloud.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,cloud,cloud.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,cloud,cloud.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,cloud,cloud.target.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,cloud,cloud.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,cloud,cloud.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,cloud,cloud.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,cloud,cloud.target.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,cloud,cloud.target.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,cloud,cloud.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,cloud,cloud.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,cloud,cloud.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,cloud,cloud.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,cloud,cloud.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 
-9.3.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -9.3.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -9.3.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -9.3.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -9.3.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. -9.3.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -9.3.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -9.3.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -9.3.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -9.3.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -9.3.0-dev,true,container,container.id,keyword,core,,,Unique container id. -9.3.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -9.3.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -9.3.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -9.3.0-dev,true,container,container.labels,object,extended,,,Image labels. -9.3.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -9.3.0-dev,true,container,container.name,keyword,extended,,,Container name. -9.3.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. 
-9.3.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -9.3.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -9.3.0-dev,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. -9.3.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -9.3.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -9.3.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -9.3.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -9.3.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.3.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.3.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.3.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -9.3.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -9.3.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -9.3.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -9.3.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -9.3.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.3.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. 
-9.3.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.3.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.3.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -9.3.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.3.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -9.3.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.3.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -9.3.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -9.3.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -9.3.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -9.3.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -9.3.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -9.3.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -9.3.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -9.3.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.3.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -9.3.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-9.3.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -9.3.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -9.3.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -9.3.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. 
-9.3.0-dev,true,device,device.product.id,keyword,extended,,43981,ProductID of the device -9.3.0-dev,true,device,device.product.name,keyword,extended,,Extreme V2 SSD,Product name of the device -9.3.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device -9.3.0-dev,true,device,device.type,keyword,extended,,Storage Device,Device type classification -9.3.0-dev,true,device,device.vendor.id,keyword,extended,,4660,VendorID of the device -9.3.0-dev,true,device,device.vendor.name,keyword,extended,,SanDisk,Vendor name of the device -9.3.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.3.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.3.0-dev,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.3.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.3.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.3.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.3.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.3.0-dev,true,dll,dll.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.3.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.3.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.3.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
-9.3.0-dev,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.3.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -9.3.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -9.3.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -9.3.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -9.3.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -9.3.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.3.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -9.3.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -9.3.0-dev,true,dll,dll.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the dll file. -9.3.0-dev,true,dll,dll.origin_url,keyword,extended,,http://example.com/files/example.dll,The URL where the dll file is hosted. -9.3.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -9.3.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.3.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.3.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.3.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.3.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.3.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-9.3.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.3.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.3.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.3.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.3.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.3.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. -9.3.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. -9.3.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.3.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 
-9.3.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -9.3.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -9.3.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -9.3.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -9.3.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -9.3.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -9.3.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -9.3.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -9.3.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -9.3.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -9.3.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -9.3.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -9.3.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -9.3.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.3.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -9.3.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -9.3.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. 
-9.3.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -9.3.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -9.3.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -9.3.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -9.3.0-dev,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.3.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -9.3.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -9.3.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -9.3.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -9.3.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -9.3.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.3.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -9.3.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -9.3.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -9.3.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. -9.3.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -9.3.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -9.3.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -9.3.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. 
-9.3.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. -9.3.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -9.3.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -9.3.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -9.3.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -9.3.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. -9.3.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -9.3.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -9.3.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -9.3.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -9.3.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -9.3.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -9.3.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -9.3.0-dev,true,error,error.message,match_only_text,core,,,Error message. -9.3.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -9.3.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -9.3.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -9.3.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. 
-9.3.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -9.3.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -9.3.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -9.3.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -9.3.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -9.3.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -9.3.0-dev,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. -9.3.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -9.3.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -9.3.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -9.3.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -9.3.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -9.3.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -9.3.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -9.3.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. 
-9.3.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -9.3.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -9.3.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -9.3.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -9.3.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -9.3.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -9.3.0-dev,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. -9.3.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. -9.3.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -9.3.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -9.3.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -9.3.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -9.3.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -9.3.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -9.3.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -9.3.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. 
-9.3.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -9.3.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -9.3.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -9.3.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.3.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.3.0-dev,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.3.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.3.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.3.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.3.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.3.0-dev,true,file,file.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.3.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.3.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.3.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.3.0-dev,true,file,file.created,date,extended,,,File creation time. -9.3.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. 
-9.3.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -9.3.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -9.3.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -9.3.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.3.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.3.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.3.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -9.3.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -9.3.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.3.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.3.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.3.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.3.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.3.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
-9.3.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.3.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.3.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -9.3.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.3.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. -9.3.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.3.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.3.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -9.3.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.3.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.3.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -9.3.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.3.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 
-9.3.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -9.3.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.3.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -9.3.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.3.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.3.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -9.3.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -9.3.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -9.3.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -9.3.0-dev,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.3.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -9.3.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -9.3.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -9.3.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -9.3.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -9.3.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.3.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -9.3.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -9.3.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.3.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-9.3.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.3.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.3.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.3.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.3.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.3.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -9.3.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
-9.3.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -9.3.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -9.3.0-dev,true,file,file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. -9.3.0-dev,true,file,file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. -9.3.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -9.3.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.3.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.3.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.3.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.3.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.3.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.3.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.3.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-9.3.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.3.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.3.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.3.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.3.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.3.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. -9.3.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. -9.3.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.3.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -9.3.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. 
-9.3.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -9.3.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -9.3.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -9.3.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.3.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.3.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.3.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.3.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.3.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.3.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.3.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.3.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.3.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.3.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-9.3.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.3.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.3.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.3.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.3.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.3.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.3.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.3.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.3.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.3.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.3.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.3.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.3.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -9.3.0-dev,false,gen_ai,gen_ai.agent.description,keyword,extended,,Helps with math problems; Generates fiction stories,Free-form description of the GenAI agent provided by the application. 
-9.3.0-dev,true,gen_ai,gen_ai.agent.id,keyword,extended,,asst_5j66UpCpwteGg4YSxUnt7lPY,The unique identifier of the GenAI agent. -9.3.0-dev,true,gen_ai,gen_ai.agent.name,keyword,extended,,Math Tutor; Fiction Writer,Human-readable name of the GenAI agent provided by the application. -9.3.0-dev,true,gen_ai,gen_ai.operation.name,keyword,extended,,chat; text_completion; embeddings,The name of the operation being performed. -9.3.0-dev,true,gen_ai,gen_ai.output.type,keyword,extended,,text; json; image,Represents the content type requested by the client. -9.3.0-dev,true,gen_ai,gen_ai.request.choice.count,integer,extended,,3,The target number of candidate completions to return. -9.3.0-dev,true,gen_ai,gen_ai.request.encoding_formats,nested,extended,,"[""float"", ""binary""]","The encoding formats requested in an embeddings operation, if specified." -9.3.0-dev,true,gen_ai,gen_ai.request.frequency_penalty,double,extended,,0.1,The frequency penalty setting for the GenAI request. -9.3.0-dev,true,gen_ai,gen_ai.request.max_tokens,integer,extended,,100,The maximum number of tokens the model generates for a request. -9.3.0-dev,true,gen_ai,gen_ai.request.model,keyword,extended,,gpt-4,The name of the GenAI model a request is being made to. -9.3.0-dev,true,gen_ai,gen_ai.request.presence_penalty,double,extended,,0.1,The presence penalty setting for the GenAI request. -9.3.0-dev,true,gen_ai,gen_ai.request.seed,integer,extended,,100,Requests with same seed value more likely to return same result. -9.3.0-dev,true,gen_ai,gen_ai.request.stop_sequences,nested,extended,,"[""forest"", ""lived""]",List of sequences that the model will use to stop generating further tokens. -9.3.0-dev,true,gen_ai,gen_ai.request.temperature,double,extended,,0.0,The temperature setting for the GenAI request. -9.3.0-dev,true,gen_ai,gen_ai.request.top_k,double,extended,,1.0,The top_k sampling setting for the GenAI request. 
-9.3.0-dev,true,gen_ai,gen_ai.request.top_p,double,extended,,1.0,The top_p sampling setting for the GenAI request. -9.3.0-dev,true,gen_ai,gen_ai.response.finish_reasons,nested,extended,,"[""stop"", ""length""]","Array of reasons the model stopped generating tokens, corresponding to each generation received." -9.3.0-dev,true,gen_ai,gen_ai.response.id,keyword,extended,,chatcmpl-123,The unique identifier for the completion. -9.3.0-dev,true,gen_ai,gen_ai.response.model,keyword,extended,,gpt-4-0613,The name of the model that generated the response. -9.3.0-dev,true,gen_ai,gen_ai.system,keyword,extended,,openai,The Generative AI product as identified by the client or server instrumentation. -9.3.0-dev,true,gen_ai,gen_ai.token.type,keyword,extended,,input; output,The type of token being counted. -9.3.0-dev,true,gen_ai,gen_ai.tool.call.id,keyword,extended,,call_mszuSIzqtI65i1wAUOE8w5H4,The tool call identifier. -9.3.0-dev,true,gen_ai,gen_ai.tool.name,keyword,extended,,Flights,Name of the tool utilized by the agent. -9.3.0-dev,true,gen_ai,gen_ai.tool.type,keyword,extended,,function; extension; datastore,Type of the tool utilized by the agent -9.3.0-dev,true,gen_ai,gen_ai.usage.input_tokens,integer,extended,,100,The number of tokens used in the GenAI input (prompt). -9.3.0-dev,true,gen_ai,gen_ai.usage.output_tokens,integer,extended,,180,The number of tokens used in the GenAI response (completion). -9.3.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. 
-9.3.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -9.3.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -9.3.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -9.3.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -9.3.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -9.3.0-dev,true,host,host.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,host,host.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,host,host.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,host,host.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,host,host.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,host,host.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,host,host.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,host,host.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,host,host.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,host,host.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,host,host.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,host,host.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
-9.3.0-dev,true,host,host.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,host,host.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,host,host.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -9.3.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -9.3.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -9.3.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.3.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -9.3.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.3.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.3.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -9.3.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.3.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -9.3.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.3.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. -9.3.0-dev,true,host,host.id,keyword,core,,,Unique host id. -9.3.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -9.3.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -9.3.0-dev,true,host,host.name,keyword,core,,,Name of the host. -9.3.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -9.3.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. 
-9.3.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -9.3.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -9.3.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -9.3.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.3.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.3.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -9.3.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -9.3.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -9.3.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -9.3.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -9.3.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -9.3.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -9.3.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
-9.3.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,host,host.type,keyword,core,,,Type of host. -9.3.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -9.3.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -9.3.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -9.3.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -9.3.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -9.3.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -9.3.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. -9.3.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -9.3.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -9.3.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -9.3.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -9.3.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -9.3.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). 
-9.3.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -9.3.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -9.3.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -9.3.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -9.3.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -9.3.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -9.3.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. -9.3.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -9.3.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -9.3.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -9.3.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -9.3.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -9.3.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -9.3.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -9.3.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -9.3.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -9.3.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -9.3.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -9.3.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. 
-9.3.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -9.3.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -9.3.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -9.3.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -9.3.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -9.3.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -9.3.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -9.3.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -9.3.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -9.3.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.3.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -9.3.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -9.3.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -9.3.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. -9.3.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -9.3.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -9.3.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.3.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-9.3.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -9.3.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -9.3.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -9.3.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -9.3.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.3.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -9.3.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -9.3.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -9.3.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -9.3.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -9.3.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.3.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -9.3.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.3.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.3.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -9.3.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.3.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -9.3.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.3.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 
-9.3.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -9.3.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -9.3.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -9.3.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -9.3.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.3.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -9.3.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -9.3.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -9.3.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -9.3.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -9.3.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -9.3.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.3.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.3.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -9.3.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -9.3.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -9.3.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
-9.3.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -9.3.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -9.3.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -9.3.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -9.3.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -9.3.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -9.3.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -9.3.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -9.3.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -9.3.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. -9.3.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -9.3.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -9.3.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -9.3.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -9.3.0-dev,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. -9.3.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. 
-9.3.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -9.3.0-dev,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. -9.3.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -9.3.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -9.3.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. -9.3.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -9.3.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -9.3.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. -9.3.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -9.3.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -9.3.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -9.3.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -9.3.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -9.3.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -9.3.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. 
-9.3.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -9.3.0-dev,true,package,package.name,keyword,extended,,go,Package name -9.3.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -9.3.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -9.3.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -9.3.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -9.3.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -9.3.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.3.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -9.3.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.3.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.3.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.3.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.3.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.3.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.3.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.3.0-dev,true,process,process.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. 
-9.3.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.3.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.3.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.3.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.3.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.3.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.3.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -9.3.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. -9.3.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.3.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-9.3.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.3.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.3.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.3.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.3.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.3.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.3.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.3.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -9.3.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.3.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -9.3.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.3.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.3.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. 
-9.3.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.3.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.3.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -9.3.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.3.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.3.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. -9.3.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.3.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -9.3.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.3.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.3.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.3.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.3.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.3.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -9.3.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-9.3.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.3.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -9.3.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.3.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.3.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -9.3.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -9.3.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.3.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. 
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -9.3.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.3.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. -9.3.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. -9.3.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.3.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-9.3.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.3.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -9.3.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.3.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.3.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. -9.3.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.3.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.3.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 
-9.3.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. -9.3.0-dev,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.3.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. -9.3.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.3.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.3.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. 
-9.3.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -9.3.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. -9.3.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.3.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.3.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 
-9.3.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -9.3.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.3.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.3.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. -9.3.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.3.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.3.0-dev,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.3.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -9.3.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -9.3.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -9.3.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -9.3.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -9.3.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.3.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -9.3.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
-9.3.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.3.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.3.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.3.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.3.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.3.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.3.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.3.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.3.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.3.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.3.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-9.3.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.3.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.3.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.3.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. -9.3.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -9.3.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.3.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -9.3.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 
-9.3.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.3.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.3.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.3.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.3.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.3.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.3.0-dev,true,process,process.parent.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.3.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.3.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.3.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.3.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.3.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. 
-9.3.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.3.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -9.3.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -9.3.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.3.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.3.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.3.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.3.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.3.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.3.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.3.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.3.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. 
-9.3.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.3.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -9.3.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.3.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.3.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -9.3.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.3.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.3.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -9.3.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.3.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.3.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. 
-9.3.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.3.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -9.3.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.3.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.3.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.3.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.3.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -9.3.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.3.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -9.3.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.3.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. -9.3.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.3.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -9.3.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 
-9.3.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -9.3.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -9.3.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -9.3.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.3.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -9.3.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.3.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.3.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-9.3.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.3.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.3.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.3.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. -9.3.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -9.3.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.3.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.3.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.3.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.3.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.3.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-9.3.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.3.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.3.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.3.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. -9.3.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. 
-9.3.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.3.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -9.3.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.3.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-9.3.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.3.0-dev,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.3.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -9.3.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -9.3.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. -9.3.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. -9.3.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -9.3.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.3.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.3.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -9.3.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id. -9.3.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.3.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
-9.3.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.3.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.3.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.3.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.3.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.3.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-9.3.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections.
-9.3.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-9.3.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file.
-9.3.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name.
-9.3.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size.
-9.3.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
-9.3.0-dev,true,process,process.pid,long,core,,4242,Process id.
-9.3.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-9.3.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array.
-9.3.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-9.3.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-9.3.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-9.3.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array.
-9.3.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-9.3.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-9.3.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-9.3.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-9.3.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-9.3.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
-9.3.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name.
-9.3.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name.
-9.3.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-9.3.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id.
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id.
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id.
-9.3.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-9.3.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id.
-9.3.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id.
-9.3.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process.
-9.3.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-9.3.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device.
-9.3.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number.
-9.3.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
-9.3.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id.
-9.3.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-9.3.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
-9.3.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-9.3.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
-9.3.0-dev,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
-9.3.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
-9.3.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
-9.3.0-dev,true,process,process.title,keyword,extended,,,Process title.
-9.3.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title.
-9.3.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device.
-9.3.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number.
-9.3.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
-9.3.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line.
e.g terminal width
-9.3.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height
-9.3.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
-9.3.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id.
-9.3.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-9.3.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
-9.3.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
-9.3.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
-9.3.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
-9.3.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
-9.3.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
-9.3.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
-9.3.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
-9.3.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
-9.3.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
-9.3.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
-9.3.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event.
-9.3.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
-9.3.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
-9.3.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
-9.3.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
-9.3.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
-9.3.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
-9.3.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
-9.3.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
-9.3.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
-9.3.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
-9.3.0-dev,true,server,server.address,keyword,extended,,,Server network address.
-9.3.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-9.3.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
-9.3.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-9.3.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
-9.3.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server.
-9.3.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
-9.3.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code.
-9.3.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
-9.3.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-9.3.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
-9.3.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-9.3.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-9.3.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code.
-9.3.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-9.3.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
-9.3.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-9.3.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
-9.3.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server.
-9.3.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
-9.3.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
-9.3.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
-9.3.0-dev,true,server,server.port,long,core,,,Port of the server.
-9.3.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
-9.3.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
-9.3.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-9.3.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,server,server.user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.3.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-9.3.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service.
-9.3.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service.
-9.3.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
-9.3.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
-9.3.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
-9.3.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
-9.3.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node.
-9.3.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node.
-9.3.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service.
-9.3.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service.
-9.3.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
-9.3.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
-9.3.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service.
-9.3.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node.
-9.3.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node.
-9.3.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node.
-9.3.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service.
-9.3.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service.
-9.3.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service.
-9.3.0-dev,true,service,service.state,keyword,core,,,Current state of the service.
-9.3.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service.
-9.3.0-dev,true,service,service.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,service,service.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,service,service.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,service,service.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,service,service.target.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,service,service.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,service,service.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,service,service.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,service,service.target.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,service,service.target.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,service,service.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,service,service.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,service,service.target.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,service,service.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,service,service.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service.
-9.3.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
-9.3.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
-9.3.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service.
-9.3.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node.
-9.3.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node.
-9.3.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node.
-9.3.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service.
-9.3.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service.
-9.3.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service.
-9.3.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
-9.3.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service.
-9.3.0-dev,true,source,source.address,keyword,extended,,,Source network address.
-9.3.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-9.3.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
-9.3.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-9.3.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
-9.3.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source.
-9.3.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
-9.3.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code.
-9.3.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
-9.3.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-9.3.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
-9.3.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-9.3.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-9.3.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code.
-9.3.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-9.3.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
-9.3.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-9.3.0-dev,true,source,source.ip,ip,core,,,IP address of the source.
-9.3.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
-9.3.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip
-9.3.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port
-9.3.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
-9.3.0-dev,true,source,source.port,long,core,,,Port of the source.
-9.3.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-9.3.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain.
-9.3.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-9.3.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,source,source.user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.3.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-9.3.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
-9.3.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event.
-9.3.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event.
-9.3.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-9.3.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name.
-9.3.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-9.3.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating
-9.3.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
-9.3.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -9.3.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
-9.3.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. 
-9.3.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -9.3.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -9.3.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -9.3.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -9.3.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.3.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -9.3.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.3.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.3.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -9.3.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.3.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -9.3.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.3.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -9.3.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -9.3.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -9.3.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -9.3.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
-9.3.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -9.3.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -9.3.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -9.3.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -9.3.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -9.3.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -9.3.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -9.3.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -9.3.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -9.3.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -9.3.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
-9.3.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -9.3.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -9.3.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -9.3.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -9.3.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -9.3.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -9.3.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.3.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.3.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.3.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.3.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. -9.3.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -9.3.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -9.3.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
-9.3.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -9.3.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -9.3.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -9.3.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.3.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-9.3.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.3.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-9.3.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.3.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -9.3.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -9.3.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -9.3.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -9.3.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -9.3.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -9.3.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -9.3.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -9.3.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -9.3.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -9.3.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. 
-9.3.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -9.3.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -9.3.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -9.3.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -9.3.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -9.3.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.3.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.3.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.3.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -9.3.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -9.3.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -9.3.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -9.3.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -9.3.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.3.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-9.3.0-dev,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.3.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.3.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.3.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.3.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.3.0-dev,true,threat,threat.indicator.file.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.3.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.3.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.3.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.3.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -9.3.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -9.3.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -9.3.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -9.3.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. 
-9.3.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.3.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.3.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.3.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -9.3.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -9.3.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.3.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.3.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.3.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.3.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.3.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
-9.3.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.3.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.3.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -9.3.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.3.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -9.3.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.3.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.3.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -9.3.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.3.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.3.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. 
-9.3.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.3.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.3.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -9.3.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.3.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -9.3.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.3.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.3.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -9.3.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -9.3.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -9.3.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -9.3.0-dev,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.3.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -9.3.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -9.3.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -9.3.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. 
-9.3.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -9.3.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.3.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -9.3.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -9.3.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -9.3.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -9.3.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -9.3.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -9.3.0-dev,true,threat,threat.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. -9.3.0-dev,true,threat,threat.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. -9.3.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -9.3.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.3.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.3.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.3.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
-9.3.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.3.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.3.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.3.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.3.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.3.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-9.3.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.3.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.3.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -9.3.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -9.3.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.3.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -9.3.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -9.3.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -9.3.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -9.3.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -9.3.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-9.3.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.3.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.3.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.3.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.3.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.3.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.3.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.3.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.3.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.3.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.3.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.3.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
-9.3.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.3.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.3.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.3.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.3.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.3.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.3.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.3.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.3.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.3.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.3.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -9.3.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -9.3.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -9.3.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. 
-9.3.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -9.3.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.3.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -9.3.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.3.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.3.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -9.3.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.3.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -9.3.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.3.0-dev,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator -9.3.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -9.3.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -9.3.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -9.3.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -9.3.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
-9.3.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -9.3.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port -9.3.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -9.3.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -9.3.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -9.3.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -9.3.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -9.3.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -9.3.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -9.3.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -9.3.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -9.3.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -9.3.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -9.3.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -9.3.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -9.3.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
-9.3.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -9.3.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.3.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.3.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.3.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.3.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -9.3.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -9.3.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -9.3.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -9.3.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -9.3.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -9.3.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -9.3.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.3.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -9.3.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-9.3.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.3.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.3.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.3.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.3.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.3.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.3.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.3.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.3.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.3.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.3.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.3.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
-9.3.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.3.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.3.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.3.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.3.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.3.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.3.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.3.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.3.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.3.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.3.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -9.3.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -9.3.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -9.3.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -9.3.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. 
-9.3.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -9.3.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -9.3.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -9.3.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -9.3.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -9.3.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -9.3.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -9.3.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. -9.3.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -9.3.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -9.3.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -9.3.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -9.3.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -9.3.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -9.3.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. 
-9.3.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -9.3.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -9.3.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -9.3.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -9.3.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -9.3.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -9.3.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -9.3.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -9.3.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -9.3.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. 
-9.3.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -9.3.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.3.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.3.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.3.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.3.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.3.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.3.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.3.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.3.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.3.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.3.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.3.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. 
This is algorithm specific. -9.3.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.3.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.3.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.3.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.3.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.3.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.3.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.3.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.3.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.3.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.3.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.3.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -9.3.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -9.3.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. 
-9.3.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -9.3.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -9.3.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -9.3.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -9.3.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -9.3.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -9.3.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -9.3.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -9.3.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -9.3.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -9.3.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. 
-9.3.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -9.3.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.3.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.3.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.3.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.3.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.3.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.3.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.3.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.3.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.3.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.3.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.3.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
-9.3.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.3.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.3.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.3.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.3.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.3.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.3.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.3.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.3.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.3.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.3.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.3.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -9.3.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -9.3.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -9.3.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. 
-9.3.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -9.3.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -9.3.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -9.3.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -9.3.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.3.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.3.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.3.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.3.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -9.3.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -9.3.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -9.3.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -9.3.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -9.3.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -9.3.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -9.3.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.3.0-dev,true,url,url.username,keyword,extended,,,Username of the request. 
-9.3.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. -9.3.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. -9.3.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-9.3.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,user,user.email,keyword,extended,,,User email address. -9.3.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-9.3.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,user,user.target.email,keyword,extended,,,User email address. -9.3.0-dev,true,user,user.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,user,user.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,user,user.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,user,user.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
-9.3.0-dev,true,user,user.target.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,user,user.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,user,user.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,user,user.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,user,user.target.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,user,user.target.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,user,user.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,user,user.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,user,user.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,user,user.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,user,user.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-9.3.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -9.3.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -9.3.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -9.3.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -9.3.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -9.3.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.3.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.3.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -9.3.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -9.3.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." 
-9.3.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -9.3.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -9.3.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -9.3.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -9.3.0-dev,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. -9.3.0-dev,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. -9.3.0-dev,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. -9.3.0-dev,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. -9.3.0-dev,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. -9.3.0-dev,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. -9.3.0-dev,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. -9.3.0-dev,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. -9.3.0-dev,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. -9.3.0-dev,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. -9.3.0-dev,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. -9.3.0-dev,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. -9.3.0-dev,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. -9.3.0-dev,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. -9.3.0-dev,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. -9.3.0-dev,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. 
-9.3.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -9.3.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -9.3.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -9.3.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -9.3.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -9.3.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -9.3.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -9.3.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -9.3.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -9.3.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -9.3.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -9.3.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -9.3.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -9.3.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +9.2.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +9.2.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. 
+9.2.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. +9.2.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +9.2.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +9.2.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +9.2.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +9.2.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +9.2.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +9.2.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +9.2.0-dev,true,client,client.address,keyword,extended,,,Client network address. +9.2.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.2.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.2.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +9.2.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +9.2.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. 
+9.2.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +9.2.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +9.2.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +9.2.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +9.2.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +9.2.0-dev,true,client,client.port,long,core,,,Port of the client. +9.2.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +9.2.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,client,client.user.email,keyword,extended,,,User email address. +9.2.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.2.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,client,client.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,client,client.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,client,client.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,client,client.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,client,client.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,client,client.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. 
+9.2.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.2.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.2.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.2.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +9.2.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.2.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.2.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.2.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.2.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.2.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. +9.2.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.2.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. +9.2.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +9.2.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. +9.2.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.2.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +9.2.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +9.2.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. 
+9.2.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +9.2.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.2.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +9.2.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.2.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.2.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.2.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.2.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +9.2.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.2.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. +9.2.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +9.2.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. +9.2.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.2.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +9.2.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.2.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.2.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.2.0-dev,true,container,container.id,keyword,core,,,Unique container id. 
+9.2.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +9.2.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +9.2.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. +9.2.0-dev,true,container,container.labels,object,extended,,,Image labels. +9.2.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +9.2.0-dev,true,container,container.name,keyword,extended,,,Container name. +9.2.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.2.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.2.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +9.2.0-dev,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. +9.2.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. +9.2.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +9.2.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +9.2.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +9.2.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.2.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+9.2.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +9.2.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +9.2.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +9.2.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. +9.2.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +9.2.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +9.2.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +9.2.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. 
+9.2.0-dev,true,destination,destination.port,long,core,,,Port of the destination. +9.2.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +9.2.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. +9.2.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.2.0-dev,true,destination,destination.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,destination,destination.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,destination,destination.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,destination,destination.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,destination,destination.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,destination,destination.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +9.2.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +9.2.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +9.2.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. 
+9.2.0-dev,true,device,device.product.id,keyword,extended,,43981,ProductID of the device +9.2.0-dev,true,device,device.product.name,keyword,extended,,Extreme V2 SSD,Product name of the device +9.2.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device +9.2.0-dev,true,device,device.type,keyword,extended,,Storage Device,Device type classification +9.2.0-dev,true,device,device.vendor.id,keyword,extended,,4660,VendorID of the device +9.2.0-dev,true,device,device.vendor.name,keyword,extended,,SanDisk,Vendor name of the device +9.2.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.2.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.2.0-dev,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.2.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.2.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.2.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.2.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.2.0-dev,true,dll,dll.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.2.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.2.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.2.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
+9.2.0-dev,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +9.2.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +9.2.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +9.2.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +9.2.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +9.2.0-dev,true,dll,dll.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the dll file. +9.2.0-dev,true,dll,dll.origin_url,keyword,extended,,http://example.com/files/example.dll,The URL where the dll file is hosted. +9.2.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +9.2.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.2.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.2.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.2.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.2.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.2.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.2.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.2.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.2.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.2.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.2.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.2.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +9.2.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +9.2.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.2.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 
+9.2.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +9.2.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +9.2.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +9.2.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +9.2.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +9.2.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +9.2.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +9.2.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +9.2.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +9.2.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +9.2.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +9.2.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +9.2.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +9.2.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +9.2.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +9.2.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. 
+9.2.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +9.2.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +9.2.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +9.2.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +9.2.0-dev,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.2.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.2.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.2.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.2.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +9.2.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +9.2.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. +9.2.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +9.2.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +9.2.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +9.2.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. 
+9.2.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +9.2.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +9.2.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +9.2.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +9.2.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +9.2.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +9.2.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +9.2.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +9.2.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +9.2.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +9.2.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.2.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. +9.2.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +9.2.0-dev,true,error,error.message,match_only_text,core,,,Error message. +9.2.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +9.2.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +9.2.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +9.2.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. 
+9.2.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +9.2.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +9.2.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. +9.2.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +9.2.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +9.2.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +9.2.0-dev,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. +9.2.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +9.2.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +9.2.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +9.2.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +9.2.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +9.2.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +9.2.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +9.2.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. 
+9.2.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +9.2.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +9.2.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +9.2.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +9.2.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +9.2.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. +9.2.0-dev,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. +9.2.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. +9.2.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +9.2.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +9.2.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +9.2.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. +9.2.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +9.2.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +9.2.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +9.2.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. 
+9.2.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +9.2.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. +9.2.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.2.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.2.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.2.0-dev,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.2.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.2.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.2.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.2.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.2.0-dev,true,file,file.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.2.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.2.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.2.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.2.0-dev,true,file,file.created,date,extended,,,File creation time. +9.2.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. 
+9.2.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +9.2.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.2.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.2.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.2.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.2.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.2.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +9.2.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.2.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.2.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.2.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.2.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.2.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.2.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
+9.2.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.2.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.2.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.2.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.2.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.2.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.2.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.2.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.2.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.2.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.2.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.2.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.2.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 
+9.2.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +9.2.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.2.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.2.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.2.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.2.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.2.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.2.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.2.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +9.2.0-dev,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +9.2.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +9.2.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +9.2.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +9.2.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.2.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.2.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+9.2.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.2.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.2.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.2.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.2.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.2.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.2.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
+9.2.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. +9.2.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.2.0-dev,true,file,file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. +9.2.0-dev,true,file,file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. +9.2.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. +9.2.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.2.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.2.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.2.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.2.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.2.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.2.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.2.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.2.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.2.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.2.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.2.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.2.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.2.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +9.2.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +9.2.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.2.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. +9.2.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. 
+9.2.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.2.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.2.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.2.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.2.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.2.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.2.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.2.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.2.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.2.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.2.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.2.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.2.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.2.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
+9.2.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.2.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.2.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.2.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.2.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.2.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.2.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.2.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.2.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.2.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.2.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.2.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.2.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.2.0-dev,false,gen_ai,gen_ai.agent.description,keyword,extended,,Helps with math problems; Generates fiction stories,Free-form description of the GenAI agent provided by the application. 
+9.2.0-dev,true,gen_ai,gen_ai.agent.id,keyword,extended,,asst_5j66UpCpwteGg4YSxUnt7lPY,The unique identifier of the GenAI agent. +9.2.0-dev,true,gen_ai,gen_ai.agent.name,keyword,extended,,Math Tutor; Fiction Writer,Human-readable name of the GenAI agent provided by the application. +9.2.0-dev,true,gen_ai,gen_ai.operation.name,keyword,extended,,chat; text_completion; embeddings,The name of the operation being performed. +9.2.0-dev,true,gen_ai,gen_ai.output.type,keyword,extended,,text; json; image,Represents the content type requested by the client. +9.2.0-dev,true,gen_ai,gen_ai.request.choice.count,integer,extended,,3,The target number of candidate completions to return. +9.2.0-dev,true,gen_ai,gen_ai.request.encoding_formats,nested,extended,,"[""float"", ""binary""]","The encoding formats requested in an embeddings operation, if specified." +9.2.0-dev,true,gen_ai,gen_ai.request.frequency_penalty,double,extended,,0.1,The frequency penalty setting for the GenAI request. +9.2.0-dev,true,gen_ai,gen_ai.request.max_tokens,integer,extended,,100,The maximum number of tokens the model generates for a request. +9.2.0-dev,true,gen_ai,gen_ai.request.model,keyword,extended,,gpt-4,The name of the GenAI model a request is being made to. +9.2.0-dev,true,gen_ai,gen_ai.request.presence_penalty,double,extended,,0.1,The presence penalty setting for the GenAI request. +9.2.0-dev,true,gen_ai,gen_ai.request.seed,integer,extended,,100,Requests with same seed value more likely to return same result. +9.2.0-dev,true,gen_ai,gen_ai.request.stop_sequences,nested,extended,,"[""forest"", ""lived""]",List of sequences that the model will use to stop generating further tokens. +9.2.0-dev,true,gen_ai,gen_ai.request.temperature,double,extended,,0.0,The temperature setting for the GenAI request. +9.2.0-dev,true,gen_ai,gen_ai.request.top_k,double,extended,,1.0,The top_k sampling setting for the GenAI request. 
+9.2.0-dev,true,gen_ai,gen_ai.request.top_p,double,extended,,1.0,The top_p sampling setting for the GenAI request. +9.2.0-dev,true,gen_ai,gen_ai.response.finish_reasons,nested,extended,,"[""stop"", ""length""]","Array of reasons the model stopped generating tokens, corresponding to each generation received." +9.2.0-dev,true,gen_ai,gen_ai.response.id,keyword,extended,,chatcmpl-123,The unique identifier for the completion. +9.2.0-dev,true,gen_ai,gen_ai.response.model,keyword,extended,,gpt-4-0613,The name of the model that generated the response. +9.2.0-dev,true,gen_ai,gen_ai.system,keyword,extended,,openai,The Generative AI product as identified by the client or server instrumentation. +9.2.0-dev,true,gen_ai,gen_ai.token.type,keyword,extended,,input; output,The type of token being counted. +9.2.0-dev,true,gen_ai,gen_ai.tool.call.id,keyword,extended,,call_mszuSIzqtI65i1wAUOE8w5H4,The tool call identifier. +9.2.0-dev,true,gen_ai,gen_ai.tool.name,keyword,extended,,Flights,Name of the tool utilized by the agent. +9.2.0-dev,true,gen_ai,gen_ai.tool.type,keyword,extended,,function; extension; datastore,Type of the tool utilized by the agent +9.2.0-dev,true,gen_ai,gen_ai.usage.input_tokens,integer,extended,,100,The number of tokens used in the GenAI input (prompt). +9.2.0-dev,true,gen_ai,gen_ai.usage.output_tokens,integer,extended,,180,The number of tokens used in the GenAI response (completion). +9.2.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,group,group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. 
+9.2.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +9.2.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.2.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.2.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.2.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +9.2.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +9.2.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. +9.2.0-dev,true,host,host.id,keyword,core,,,Unique host id. +9.2.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. +9.2.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +9.2.0-dev,true,host,host.name,keyword,core,,,Name of the host. 
+9.2.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.2.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +9.2.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.2.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +9.2.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.2.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.2.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.2.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.2.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.2.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.2.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.2.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.2.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.2.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +9.2.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.2.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,host,host.type,keyword,core,,,Type of host. +9.2.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +9.2.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +9.2.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +9.2.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. +9.2.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +9.2.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +9.2.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +9.2.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +9.2.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +9.2.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. 
+9.2.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +9.2.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. +9.2.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +9.2.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +9.2.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +9.2.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. +9.2.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +9.2.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. +9.2.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +9.2.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +9.2.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +9.2.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +9.2.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata +9.2.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +9.2.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +9.2.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +9.2.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +9.2.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. +9.2.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. 
+9.2.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +9.2.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +9.2.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +9.2.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. +9.2.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +9.2.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. +9.2.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +9.2.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +9.2.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +9.2.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +9.2.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +9.2.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information +9.2.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.2.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.2.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +9.2.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +9.2.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. +9.2.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. 
+9.2.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +9.2.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.2.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.2.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information +9.2.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +9.2.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +9.2.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +9.2.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.2.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.2.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +9.2.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +9.2.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
+9.2.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +9.2.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information +9.2.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +9.2.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +9.2.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +9.2.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.2.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.2.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +9.2.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +9.2.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +9.2.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +9.2.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.2.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.2.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.2.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.2.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 
+9.2.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.2.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.2.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.2.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.2.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +9.2.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +9.2.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +9.2.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +9.2.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +9.2.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +9.2.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +9.2.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +9.2.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +9.2.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +9.2.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +9.2.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +9.2.0-dev,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. 
+9.2.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +9.2.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +9.2.0-dev,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. +9.2.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +9.2.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +9.2.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +9.2.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +9.2.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +9.2.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. +9.2.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +9.2.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +9.2.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +9.2.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +9.2.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +9.2.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." 
+9.2.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. +9.2.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +9.2.0-dev,true,package,package.name,keyword,extended,,go,Package name +9.2.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +9.2.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +9.2.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. +9.2.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +9.2.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +9.2.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.2.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +9.2.0-dev,true,process,process.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.attested_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.attested_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.2.0-dev,true,process,process.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.attested_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
+9.2.0-dev,true,process,process.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.2.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.2.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.2.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.2.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.2.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.2.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.2.0-dev,true,process,process.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.2.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.2.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.2.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.2.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+9.2.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.2.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.2.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.2.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +9.2.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +9.2.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.2.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.2.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.2.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.2.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.2.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.2.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.2.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. 
+9.2.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +9.2.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.2.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +9.2.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.2.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.2.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +9.2.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.2.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.2.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +9.2.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.2.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.2.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. 
+9.2.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.2.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +9.2.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.2.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.2.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.2.0-dev,true,process,process.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. +9.2.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.2.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.2.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +9.2.0-dev,true,process,process.entry_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.entry_leader.attested_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.entry_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+9.2.0-dev,true,process,process.entry_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.attested_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.entry_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.2.0-dev,true,process,process.entry_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.entry_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.entry_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.2.0-dev,true,process,process.entry_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.2.0-dev,true,process,process.entry_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.2.0-dev,true,process,process.entry_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.2.0-dev,true,process,process.entry_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.2.0-dev,true,process,process.entry_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.2.0-dev,true,process,process.entry_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.2.0-dev,true,process,process.entry_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.2.0-dev,true,process,process.entry_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+9.2.0-dev,true,process,process.entry_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.2.0-dev,true,process,process.entry_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.2.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.entry_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.2.0-dev,true,process,process.entry_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.2.0-dev,true,process,process.entry_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.2.0-dev,true,process,process.entry_leader.elf.creation_date,date,extended,,,Build or compile date. +9.2.0-dev,true,process,process.entry_leader.elf.exports,flattened,extended,array,,List of exported element names and types. +9.2.0-dev,true,process,process.entry_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.2.0-dev,true,process,process.entry_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.entry_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.2.0-dev,true,process,process.entry_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.2.0-dev,true,process,process.entry_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.2.0-dev,true,process,process.entry_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.2.0-dev,true,process,process.entry_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.2.0-dev,true,process,process.entry_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.2.0-dev,true,process,process.entry_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.2.0-dev,true,process,process.entry_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.2.0-dev,true,process,process.entry_leader.elf.header.version,keyword,extended,,,Version of the ELF header. +9.2.0-dev,true,process,process.entry_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.2.0-dev,true,process,process.entry_leader.elf.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.elf.sections,nested,extended,array,,Section information of the ELF file. +9.2.0-dev,true,process,process.entry_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.2.0-dev,true,process,process.entry_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
+9.2.0-dev,true,process,process.entry_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.2.0-dev,true,process,process.entry_leader.elf.sections.name,keyword,extended,,,ELF Section List name. +9.2.0-dev,true,process,process.entry_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.2.0-dev,true,process,process.entry_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.2.0-dev,true,process,process.entry_leader.elf.sections.type,keyword,extended,,,ELF Section List type. +9.2.0-dev,true,process,process.entry_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.2.0-dev,true,process,process.entry_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.2.0-dev,true,process,process.entry_leader.elf.segments,nested,extended,array,,ELF object segment list. +9.2.0-dev,true,process,process.entry_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.2.0-dev,true,process,process.entry_leader.elf.segments.type,keyword,extended,,,ELF object segment type. +9.2.0-dev,true,process,process.entry_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.2.0-dev,true,process,process.entry_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.2.0-dev,true,process,process.entry_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.2.0-dev,true,process,process.entry_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. +9.2.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
+9.2.0-dev,true,process,process.entry_leader.entry_meta.source.address,keyword,extended,,,Source network address. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
+9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.port,long,core,,,Port of the source. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,process,process.entry_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.2.0-dev,true,process,process.entry_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.2.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+9.2.0-dev,true,process,process.entry_leader.exit_code,long,extended,,137,The exit code of the process. +9.2.0-dev,true,process,process.entry_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,process,process.entry_leader.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,process,process.entry_leader.hash.sha1,keyword,extended,,,SHA1 hash. +9.2.0-dev,true,process,process.entry_leader.hash.sha256,keyword,extended,,,SHA256 hash. +9.2.0-dev,true,process,process.entry_leader.hash.sha384,keyword,extended,,,SHA384 hash. +9.2.0-dev,true,process,process.entry_leader.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,process,process.entry_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,process,process.entry_leader.hash.tlsh,keyword,extended,,,TLSH hash. +9.2.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.2.0-dev,true,process,process.entry_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.2.0-dev,true,process,process.entry_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.2.0-dev,true,process,process.entry_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.2.0-dev,true,process,process.entry_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 
+9.2.0-dev,true,process,process.entry_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.2.0-dev,true,process,process.entry_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.2.0-dev,true,process,process.entry_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.2.0-dev,true,process,process.entry_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.2.0-dev,true,process,process.entry_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.2.0-dev,true,process,process.entry_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.2.0-dev,true,process,process.entry_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.entry_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.entry_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.entry_leader.macho.imports,flattened,extended,array,,List of imported element names and types. 
+9.2.0-dev,true,process,process.entry_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.2.0-dev,true,process,process.entry_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.2.0-dev,true,process,process.entry_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.2.0-dev,true,process,process.entry_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.entry_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +9.2.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +9.2.0-dev,true,process,process.entry_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.2.0-dev,true,process,process.entry_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. 
+9.2.0-dev,true,process,process.entry_leader.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.2.0-dev,true,process,process.entry_leader.parent.args_count,long,extended,,4,Length of the process.args array. +9.2.0-dev,true,process,process.entry_leader.parent.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.attested_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+9.2.0-dev,true,process,process.entry_leader.parent.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.entry_leader.parent.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.entry_leader.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.2.0-dev,true,process,process.entry_leader.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
+9.2.0-dev,true,process,process.entry_leader.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.2.0-dev,true,process,process.entry_leader.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.2.0-dev,true,process,process.entry_leader.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.2.0-dev,true,process,process.entry_leader.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.2.0-dev,true,process,process.entry_leader.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.2.0-dev,true,process,process.entry_leader.parent.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.2.0-dev,true,process,process.entry_leader.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.2.0-dev,true,process,process.entry_leader.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.2.0-dev,true,process,process.entry_leader.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.2.0-dev,true,process,process.entry_leader.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.entry_leader.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.entry_leader.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. 
+9.2.0-dev,true,process,process.entry_leader.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.elf.creation_date,date,extended,,,Build or compile date. +9.2.0-dev,true,process,process.entry_leader.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.entry_leader.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.2.0-dev,true,process,process.entry_leader.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.2.0-dev,true,process,process.entry_leader.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
+9.2.0-dev,true,process,process.entry_leader.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.2.0-dev,true,process,process.entry_leader.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +9.2.0-dev,true,process,process.entry_leader.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 
+9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.2.0-dev,true,process,process.entry_leader.parent.elf.segments,nested,extended,array,,ELF object segment list. +9.2.0-dev,true,process,process.entry_leader.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.2.0-dev,true,process,process.entry_leader.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +9.2.0-dev,true,process,process.entry_leader.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.2.0-dev,true,process,process.entry_leader.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.2.0-dev,true,process,process.entry_leader.parent.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. +9.2.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.address,keyword,extended,,,Source network address. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.ip,ip,core,,,IP address of the source. 
+9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.port,long,core,,,Port of the source. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.2.0-dev,true,process,process.entry_leader.parent.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.2.0-dev,true,process,process.entry_leader.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.entry_leader.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.entry_leader.parent.exit_code,long,extended,,137,The exit code of the process. +9.2.0-dev,true,process,process.entry_leader.parent.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.2.0-dev,true,process,process.entry_leader.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,process,process.entry_leader.parent.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,process,process.entry_leader.parent.hash.sha1,keyword,extended,,,SHA1 hash. +9.2.0-dev,true,process,process.entry_leader.parent.hash.sha256,keyword,extended,,,SHA256 hash. +9.2.0-dev,true,process,process.entry_leader.parent.hash.sha384,keyword,extended,,,SHA384 hash. +9.2.0-dev,true,process,process.entry_leader.parent.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,process,process.entry_leader.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,process,process.entry_leader.parent.hash.tlsh,keyword,extended,,,TLSH hash. +9.2.0-dev,true,process,process.entry_leader.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.2.0-dev,true,process,process.entry_leader.parent.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.2.0-dev,true,process,process.entry_leader.parent.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.2.0-dev,true,process,process.entry_leader.parent.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.2.0-dev,true,process,process.entry_leader.parent.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 
+9.2.0-dev,true,process,process.entry_leader.parent.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.2.0-dev,true,process,process.entry_leader.parent.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.2.0-dev,true,process,process.entry_leader.parent.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.2.0-dev,true,process,process.entry_leader.parent.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.2.0-dev,true,process,process.entry_leader.parent.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.2.0-dev,true,process,process.entry_leader.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.2.0-dev,true,process,process.entry_leader.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.entry_leader.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.entry_leader.parent.macho.imports,flattened,extended,array,,List of imported element names and types. 
+9.2.0-dev,true,process,process.entry_leader.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.2.0-dev,true,process,process.entry_leader.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.2.0-dev,true,process,process.entry_leader.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.2.0-dev,true,process,process.entry_leader.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.entry_leader.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.entry_leader.parent.name,keyword,extended,,ssh,Process name. +9.2.0-dev,true,process,process.entry_leader.parent.name.text,match_only_text,extended,,ssh,Process name. +9.2.0-dev,true,process,process.entry_leader.parent.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.2.0-dev,true,process,process.entry_leader.parent.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. 
+9.2.0-dev,true,process,process.entry_leader.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.2.0-dev,true,process,process.entry_leader.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.2.0-dev,true,process,process.entry_leader.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.2.0-dev,true,process,process.entry_leader.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.2.0-dev,true,process,process.entry_leader.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.2.0-dev,true,process,process.entry_leader.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.entry_leader.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.entry_leader.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.entry_leader.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+9.2.0-dev,true,process,process.entry_leader.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.2.0-dev,true,process,process.entry_leader.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.2.0-dev,true,process,process.entry_leader.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.2.0-dev,true,process,process.entry_leader.parent.pe.sections,nested,extended,array,,Section information of the PE file. +9.2.0-dev,true,process,process.entry_leader.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.parent.pe.sections.name,keyword,extended,,,PE Section List name. +9.2.0-dev,true,process,process.entry_leader.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.2.0-dev,true,process,process.entry_leader.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. +9.2.0-dev,true,process,process.entry_leader.parent.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.2.0-dev,true,process,process.entry_leader.parent.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.2.0-dev,true,process,process.entry_leader.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.real_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.parent.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.real_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.entry_leader.parent.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.parent.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.parent.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.real_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.parent.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.entry_leader.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.entry_leader.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.2.0-dev,true,process,process.entry_leader.parent.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.parent.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.entry_leader.parent.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.parent.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.parent.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.entry_leader.parent.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.entry_leader.parent.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.2.0-dev,true,process,process.entry_leader.parent.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.saved_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.email,keyword,extended,,,User email address. 
+9.2.0-dev,true,process,process.entry_leader.parent.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.2.0-dev,true,process,process.entry_leader.parent.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.entry_leader.parent.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.args_count,long,extended,,4,Length of the process.args array. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.creation_date,date,extended,,,Build or compile date. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.exports,flattened,extended,array,,List of exported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.version,keyword,extended,,,Version of the ELF header. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections,nested,extended,array,,Section information of the ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.name,keyword,extended,,,ELF Section List name. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.type,keyword,extended,,,ELF Section List type. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.segments,nested,extended,array,,ELF object segment list. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.segments.type,keyword,extended,,,ELF object segment type. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.address,keyword,extended,,,Source network address. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.port,long,core,,,Port of the source. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.exit_code,long,extended,,137,The exit code of the process. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha1,keyword,extended,,,SHA1 hash. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha256,keyword,extended,,,SHA256 hash. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha384,keyword,extended,,,SHA384 hash. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.tlsh,keyword,extended,,,TLSH hash. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.name,keyword,extended,,ssh,Process name. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.name.text,match_only_text,extended,,ssh,Process name. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections,nested,extended,array,,Section information of the PE file. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.name,keyword,extended,,,PE Section List name. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_group.name,keyword,extended,,,Name of the group. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.thread.id,long,extended,,4242,Thread ID. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.thread.name,keyword,extended,,thread-0,Thread name. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.title,keyword,extended,,,Process title. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.title.text,match_only_text,extended,,,Process title. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.tty,object,extended,,,Information about the controlling TTY device. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.uptime,long,extended,,1325,Seconds the process has been up. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.email,keyword,extended,,,User email address. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.entry_leader.parent.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.2.0-dev,true,process,process.entry_leader.parent.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.supplemental_groups.name,keyword,extended,,,Name of the group. 
+9.2.0-dev,true,process,process.entry_leader.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.2.0-dev,true,process,process.entry_leader.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.2.0-dev,true,process,process.entry_leader.parent.thread.id,long,extended,,4242,Thread ID. +9.2.0-dev,true,process,process.entry_leader.parent.thread.name,keyword,extended,,thread-0,Thread name. +9.2.0-dev,true,process,process.entry_leader.parent.title,keyword,extended,,,Process title. +9.2.0-dev,true,process,process.entry_leader.parent.title.text,match_only_text,extended,,,Process title. +9.2.0-dev,true,process,process.entry_leader.parent.tty,object,extended,,,Information about the controlling TTY device. +9.2.0-dev,true,process,process.entry_leader.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.2.0-dev,true,process,process.entry_leader.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.2.0-dev,true,process,process.entry_leader.parent.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.2.0-dev,true,process,process.entry_leader.parent.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.2.0-dev,true,process,process.entry_leader.parent.uptime,long,extended,,1325,Seconds the process has been up. +9.2.0-dev,true,process,process.entry_leader.parent.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.entry_leader.parent.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+9.2.0-dev,true,process,process.entry_leader.parent.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.parent.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.parent.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.parent.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.parent.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.entry_leader.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.entry_leader.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.parent.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.parent.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.parent.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.entry_leader.parent.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.2.0-dev,true,process,process.entry_leader.parent.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.parent.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.entry_leader.parent.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. +9.2.0-dev,true,process,process.entry_leader.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.entry_leader.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.entry_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.2.0-dev,true,process,process.entry_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.2.0-dev,true,process,process.entry_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.2.0-dev,true,process,process.entry_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.2.0-dev,true,process,process.entry_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.2.0-dev,true,process,process.entry_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.entry_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.2.0-dev,true,process,process.entry_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.entry_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.entry_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.entry_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.entry_leader.pe.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.entry_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.2.0-dev,true,process,process.entry_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.2.0-dev,true,process,process.entry_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.2.0-dev,true,process,process.entry_leader.pe.sections,nested,extended,array,,Section information of the PE file. +9.2.0-dev,true,process,process.entry_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.pe.sections.name,keyword,extended,,,PE Section List name. 
+9.2.0-dev,true,process,process.entry_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.2.0-dev,true,process,process.entry_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.entry_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. +9.2.0-dev,true,process,process.entry_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.2.0-dev,true,process,process.entry_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.entry_leader.real_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.entry_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.real_user.group.name,keyword,extended,,,Name of the group. 
+9.2.0-dev,true,process,process.entry_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.entry_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.entry_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+9.2.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.2.0-dev,true,process,process.entry_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.entry_leader.saved_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.entry_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.saved_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.2.0-dev,true,process,process.entry_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.entry_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.entry_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.2.0-dev,true,process,process.entry_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 
+9.2.0-dev,true,process,process.entry_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.2.0-dev,true,process,process.entry_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.2.0-dev,true,process,process.entry_leader.thread.id,long,extended,,4242,Thread ID. +9.2.0-dev,true,process,process.entry_leader.thread.name,keyword,extended,,thread-0,Thread name. +9.2.0-dev,true,process,process.entry_leader.title,keyword,extended,,,Process title. +9.2.0-dev,true,process,process.entry_leader.title.text,match_only_text,extended,,,Process title. +9.2.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +9.2.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.2.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.2.0-dev,true,process,process.entry_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.2.0-dev,true,process,process.entry_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.2.0-dev,true,process,process.entry_leader.uptime,long,extended,,1325,Seconds the process has been up. +9.2.0-dev,true,process,process.entry_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.entry_leader.user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.entry_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.entry_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+9.2.0-dev,true,process,process.entry_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.entry_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.entry_leader.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.entry_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.entry_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.entry_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.entry_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.entry_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.2.0-dev,true,process,process.entry_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.entry_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. +9.2.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.entry_meta.source.address,keyword,extended,,,Source network address. +9.2.0-dev,true,process,process.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.2.0-dev,true,process,process.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.2.0-dev,true,process,process.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.2.0-dev,true,process,process.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,process,process.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,process,process.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,process,process.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,process,process.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. 
+9.2.0-dev,true,process,process.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,process,process.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,process,process.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,process,process.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,process,process.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,process,process.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,process,process.entry_meta.source.ip,ip,core,,,IP address of the source. +9.2.0-dev,true,process,process.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.2.0-dev,true,process,process.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.2.0-dev,true,process,process.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.2.0-dev,true,process,process.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.2.0-dev,true,process,process.entry_meta.source.port,long,core,,,Port of the source. +9.2.0-dev,true,process,process.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.2.0-dev,true,process,process.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,process,process.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,process,process.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.2.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 
+9.2.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +9.2.0-dev,true,process,process.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.2.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +9.2.0-dev,true,process,process.group_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.group_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.group_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.group_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.group_leader.attested_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.group_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.group_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.group_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.2.0-dev,true,process,process.group_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.group_leader.attested_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.group_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.group_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.group_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.group_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.group_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.group_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.group_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.group_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.group_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.2.0-dev,true,process,process.group_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.group_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.group_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.2.0-dev,true,process,process.group_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.2.0-dev,true,process,process.group_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.2.0-dev,true,process,process.group_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.2.0-dev,true,process,process.group_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.2.0-dev,true,process,process.group_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.2.0-dev,true,process,process.group_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.2.0-dev,true,process,process.group_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.2.0-dev,true,process,process.group_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.2.0-dev,true,process,process.group_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.2.0-dev,true,process,process.group_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
+9.2.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.group_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.2.0-dev,true,process,process.group_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.2.0-dev,true,process,process.group_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.2.0-dev,true,process,process.group_leader.elf.creation_date,date,extended,,,Build or compile date. +9.2.0-dev,true,process,process.group_leader.elf.exports,flattened,extended,array,,List of exported element names and types. +9.2.0-dev,true,process,process.group_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.2.0-dev,true,process,process.group_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.group_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.group_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.group_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.group_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.2.0-dev,true,process,process.group_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. 
+9.2.0-dev,true,process,process.group_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.2.0-dev,true,process,process.group_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.2.0-dev,true,process,process.group_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.2.0-dev,true,process,process.group_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.2.0-dev,true,process,process.group_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.2.0-dev,true,process,process.group_leader.elf.header.version,keyword,extended,,,Version of the ELF header. +9.2.0-dev,true,process,process.group_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.2.0-dev,true,process,process.group_leader.elf.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.group_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.group_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.group_leader.elf.sections,nested,extended,array,,Section information of the ELF file. +9.2.0-dev,true,process,process.group_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.2.0-dev,true,process,process.group_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.group_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.2.0-dev,true,process,process.group_leader.elf.sections.name,keyword,extended,,,ELF Section List name. 
+9.2.0-dev,true,process,process.group_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.2.0-dev,true,process,process.group_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.2.0-dev,true,process,process.group_leader.elf.sections.type,keyword,extended,,,ELF Section List type. +9.2.0-dev,true,process,process.group_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.group_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.2.0-dev,true,process,process.group_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.2.0-dev,true,process,process.group_leader.elf.segments,nested,extended,array,,ELF object segment list. +9.2.0-dev,true,process,process.group_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.2.0-dev,true,process,process.group_leader.elf.segments.type,keyword,extended,,,ELF object segment type. +9.2.0-dev,true,process,process.group_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.2.0-dev,true,process,process.group_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.2.0-dev,true,process,process.group_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.2.0-dev,true,process,process.group_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. +9.2.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.address,keyword,extended,,,Source network address. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
+9.2.0-dev,true,process,process.group_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
+9.2.0-dev,true,process,process.group_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.2.0-dev,true,process,process.group_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.2.0-dev,true,process,process.group_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.port,long,core,,,Port of the source. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.2.0-dev,true,process,process.group_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,process,process.group_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,process,process.group_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.2.0-dev,true,process,process.group_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.2.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.group_leader.exit_code,long,extended,,137,The exit code of the process. +9.2.0-dev,true,process,process.group_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.2.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.group_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,process,process.group_leader.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,process,process.group_leader.hash.sha1,keyword,extended,,,SHA1 hash. +9.2.0-dev,true,process,process.group_leader.hash.sha256,keyword,extended,,,SHA256 hash. +9.2.0-dev,true,process,process.group_leader.hash.sha384,keyword,extended,,,SHA384 hash. +9.2.0-dev,true,process,process.group_leader.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,process,process.group_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,process,process.group_leader.hash.tlsh,keyword,extended,,,TLSH hash. +9.2.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.2.0-dev,true,process,process.group_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.2.0-dev,true,process,process.group_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.2.0-dev,true,process,process.group_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.2.0-dev,true,process,process.group_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.2.0-dev,true,process,process.group_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." 
+9.2.0-dev,true,process,process.group_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.2.0-dev,true,process,process.group_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.2.0-dev,true,process,process.group_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.2.0-dev,true,process,process.group_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.2.0-dev,true,process,process.group_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.2.0-dev,true,process,process.group_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.group_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.group_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.group_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.group_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.group_leader.macho.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.group_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.group_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
+9.2.0-dev,true,process,process.group_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.2.0-dev,true,process,process.group_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.group_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.2.0-dev,true,process,process.group_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.2.0-dev,true,process,process.group_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.group_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.group_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +9.2.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +9.2.0-dev,true,process,process.group_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.2.0-dev,true,process,process.group_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.2.0-dev,true,process,process.group_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.2.0-dev,true,process,process.group_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.2.0-dev,true,process,process.group_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
+9.2.0-dev,true,process,process.group_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.2.0-dev,true,process,process.group_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.2.0-dev,true,process,process.group_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.group_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.group_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.group_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.group_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.group_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.group_leader.pe.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.group_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.group_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.group_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.2.0-dev,true,process,process.group_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
+9.2.0-dev,true,process,process.group_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.2.0-dev,true,process,process.group_leader.pe.sections,nested,extended,array,,Section information of the PE file. +9.2.0-dev,true,process,process.group_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.group_leader.pe.sections.name,keyword,extended,,,PE Section List name. +9.2.0-dev,true,process,process.group_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.2.0-dev,true,process,process.group_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.group_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. +9.2.0-dev,true,process,process.group_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.2.0-dev,true,process,process.group_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.group_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.group_leader.real_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.group_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+9.2.0-dev,true,process,process.group_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.group_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.group_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.group_leader.real_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.group_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.group_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.group_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.group_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.group_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.2.0-dev,true,process,process.group_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.group_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.group_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.2.0-dev,true,process,process.group_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.group_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.group_leader.saved_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.group_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.group_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.group_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.group_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.group_leader.saved_user.group.name,keyword,extended,,,Name of the group. 
+9.2.0-dev,true,process,process.group_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.group_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.group_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.group_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.group_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.group_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.group_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.group_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+9.2.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.2.0-dev,true,process,process.group_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.group_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.2.0-dev,true,process,process.group_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.2.0-dev,true,process,process.group_leader.thread.id,long,extended,,4242,Thread ID. +9.2.0-dev,true,process,process.group_leader.thread.name,keyword,extended,,thread-0,Thread name. +9.2.0-dev,true,process,process.group_leader.title,keyword,extended,,,Process title. +9.2.0-dev,true,process,process.group_leader.title.text,match_only_text,extended,,,Process title. +9.2.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +9.2.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.2.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.2.0-dev,true,process,process.group_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.2.0-dev,true,process,process.group_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.2.0-dev,true,process,process.group_leader.uptime,long,extended,,1325,Seconds the process has been up. 
+9.2.0-dev,true,process,process.group_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.group_leader.user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.group_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.group_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.group_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.group_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.group_leader.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.group_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.group_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.group_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.group_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.2.0-dev,true,process,process.group_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.group_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.group_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.group_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. +9.2.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +9.2.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +9.2.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +9.2.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +9.2.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
+9.2.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.2.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.2.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.2.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.2.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.2.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.2.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.2.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.2.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.2.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.2.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.2.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.2.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.2.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.2.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +9.2.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +9.2.0-dev,true,process,process.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.2.0-dev,true,process,process.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. 
+9.2.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.2.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +9.2.0-dev,true,process,process.parent.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.attested_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.parent.attested_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.parent.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.parent.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.parent.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.attested_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.parent.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.parent.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.2.0-dev,true,process,process.parent.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.parent.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.parent.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.parent.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.parent.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.parent.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.parent.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.parent.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.2.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.2.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.2.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
+9.2.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.2.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.2.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.2.0-dev,true,process,process.parent.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.2.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.2.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.2.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.2.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.2.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.2.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.2.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +9.2.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. 
+9.2.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.2.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.2.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.2.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.2.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.2.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.2.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.2.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.2.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +9.2.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.2.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. 
+9.2.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +9.2.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.2.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.2.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +9.2.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.2.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.2.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +9.2.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.2.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.2.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +9.2.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.2.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. 
+9.2.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.2.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.2.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.2.0-dev,true,process,process.parent.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. +9.2.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.2.0-dev,true,process,process.parent.entry_meta.source.address,keyword,extended,,,Source network address. +9.2.0-dev,true,process,process.parent.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.2.0-dev,true,process,process.parent.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.parent.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.parent.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.2.0-dev,true,process,process.parent.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.2.0-dev,true,process,process.parent.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,process,process.parent.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,process,process.parent.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,process,process.parent.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,process,process.parent.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. 
+9.2.0-dev,true,process,process.parent.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,process,process.parent.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,process,process.parent.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,process,process.parent.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,process,process.parent.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,process,process.parent.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,process,process.parent.entry_meta.source.ip,ip,core,,,IP address of the source. +9.2.0-dev,true,process,process.parent.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.2.0-dev,true,process,process.parent.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.2.0-dev,true,process,process.parent.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.2.0-dev,true,process,process.parent.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.2.0-dev,true,process,process.parent.entry_meta.source.port,long,core,,,Port of the source. +9.2.0-dev,true,process,process.parent.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.2.0-dev,true,process,process.parent.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,process,process.parent.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,process,process.parent.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 
+9.2.0-dev,true,process,process.parent.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.2.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +9.2.0-dev,true,process,process.parent.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.2.0-dev,true,process,process.parent.group_leader.args_count,long,extended,,4,Length of the process.args array. +9.2.0-dev,true,process,process.parent.group_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.group_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.group_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.group_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.parent.group_leader.attested_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.parent.group_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+9.2.0-dev,true,process,process.parent.group_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.parent.group_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.group_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.group_leader.attested_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.group_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.parent.group_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.parent.group_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.parent.group_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.parent.group_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.parent.group_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.parent.group_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.2.0-dev,true,process,process.parent.group_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.parent.group_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.parent.group_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.parent.group_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.parent.group_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.2.0-dev,true,process,process.parent.group_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.2.0-dev,true,process,process.parent.group_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.2.0-dev,true,process,process.parent.group_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.2.0-dev,true,process,process.parent.group_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.2.0-dev,true,process,process.parent.group_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.2.0-dev,true,process,process.parent.group_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
+9.2.0-dev,true,process,process.parent.group_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.2.0-dev,true,process,process.parent.group_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.2.0-dev,true,process,process.parent.group_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.2.0-dev,true,process,process.parent.group_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.2.0-dev,true,process,process.parent.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.parent.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.parent.group_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.2.0-dev,true,process,process.parent.group_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.2.0-dev,true,process,process.parent.group_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.2.0-dev,true,process,process.parent.group_leader.elf.creation_date,date,extended,,,Build or compile date. +9.2.0-dev,true,process,process.parent.group_leader.elf.exports,flattened,extended,array,,List of exported element names and types. +9.2.0-dev,true,process,process.parent.group_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.2.0-dev,true,process,process.parent.group_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+9.2.0-dev,true,process,process.parent.group_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.parent.group_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.parent.group_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.parent.group_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.2.0-dev,true,process,process.parent.group_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.2.0-dev,true,process,process.parent.group_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.2.0-dev,true,process,process.parent.group_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.2.0-dev,true,process,process.parent.group_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.2.0-dev,true,process,process.parent.group_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.2.0-dev,true,process,process.parent.group_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.2.0-dev,true,process,process.parent.group_leader.elf.header.version,keyword,extended,,,Version of the ELF header. +9.2.0-dev,true,process,process.parent.group_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.2.0-dev,true,process,process.parent.group_leader.elf.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.parent.group_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+9.2.0-dev,true,process,process.parent.group_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.parent.group_leader.elf.sections,nested,extended,array,,Section information of the ELF file. +9.2.0-dev,true,process,process.parent.group_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.2.0-dev,true,process,process.parent.group_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.parent.group_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.2.0-dev,true,process,process.parent.group_leader.elf.sections.name,keyword,extended,,,ELF Section List name. +9.2.0-dev,true,process,process.parent.group_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.2.0-dev,true,process,process.parent.group_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.2.0-dev,true,process,process.parent.group_leader.elf.sections.type,keyword,extended,,,ELF Section List type. +9.2.0-dev,true,process,process.parent.group_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.parent.group_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.2.0-dev,true,process,process.parent.group_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.2.0-dev,true,process,process.parent.group_leader.elf.segments,nested,extended,array,,ELF object segment list. +9.2.0-dev,true,process,process.parent.group_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.2.0-dev,true,process,process.parent.group_leader.elf.segments.type,keyword,extended,,,ELF object segment type. 
+9.2.0-dev,true,process,process.parent.group_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.2.0-dev,true,process,process.parent.group_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.2.0-dev,true,process,process.parent.group_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.2.0-dev,true,process,process.parent.group_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. +9.2.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.address,keyword,extended,,,Source network address. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. 
+9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.port,long,core,,,Port of the source. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." 
+9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,process,process.parent.group_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.2.0-dev,true,process,process.parent.group_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.2.0-dev,true,process,process.parent.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.parent.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.parent.group_leader.exit_code,long,extended,,137,The exit code of the process. +9.2.0-dev,true,process,process.parent.group_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.group_leader.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.group_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,process,process.parent.group_leader.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,process,process.parent.group_leader.hash.sha1,keyword,extended,,,SHA1 hash. +9.2.0-dev,true,process,process.parent.group_leader.hash.sha256,keyword,extended,,,SHA256 hash. +9.2.0-dev,true,process,process.parent.group_leader.hash.sha384,keyword,extended,,,SHA384 hash. 
+9.2.0-dev,true,process,process.parent.group_leader.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,process,process.parent.group_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,process,process.parent.group_leader.hash.tlsh,keyword,extended,,,TLSH hash. +9.2.0-dev,true,process,process.parent.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.2.0-dev,true,process,process.parent.group_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.2.0-dev,true,process,process.parent.group_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.2.0-dev,true,process,process.parent.group_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.2.0-dev,true,process,process.parent.group_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.2.0-dev,true,process,process.parent.group_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.2.0-dev,true,process,process.parent.group_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.2.0-dev,true,process,process.parent.group_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.2.0-dev,true,process,process.parent.group_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.2.0-dev,true,process,process.parent.group_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. 
+9.2.0-dev,true,process,process.parent.group_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.2.0-dev,true,process,process.parent.group_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.parent.group_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.parent.group_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.parent.group_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.parent.group_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.parent.group_leader.macho.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.parent.group_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.parent.group_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.parent.group_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.2.0-dev,true,process,process.parent.group_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.parent.group_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.2.0-dev,true,process,process.parent.group_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. 
+9.2.0-dev,true,process,process.parent.group_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.parent.group_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.parent.group_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.parent.group_leader.name,keyword,extended,,ssh,Process name. +9.2.0-dev,true,process,process.parent.group_leader.name.text,match_only_text,extended,,ssh,Process name. +9.2.0-dev,true,process,process.parent.group_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.2.0-dev,true,process,process.parent.group_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.2.0-dev,true,process,process.parent.group_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.2.0-dev,true,process,process.parent.group_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.2.0-dev,true,process,process.parent.group_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.2.0-dev,true,process,process.parent.group_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.2.0-dev,true,process,process.parent.group_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.2.0-dev,true,process,process.parent.group_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
+9.2.0-dev,true,process,process.parent.group_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.parent.group_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.parent.group_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.parent.group_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.parent.group_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.parent.group_leader.pe.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.parent.group_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.parent.group_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.parent.group_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.2.0-dev,true,process,process.parent.group_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.2.0-dev,true,process,process.parent.group_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.2.0-dev,true,process,process.parent.group_leader.pe.sections,nested,extended,array,,Section information of the PE file. 
+9.2.0-dev,true,process,process.parent.group_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.parent.group_leader.pe.sections.name,keyword,extended,,,PE Section List name. +9.2.0-dev,true,process,process.parent.group_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.2.0-dev,true,process,process.parent.group_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.parent.group_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +9.2.0-dev,true,process,process.parent.group_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.2.0-dev,true,process,process.parent.group_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.group_leader.real_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.group_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.parent.group_leader.real_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.parent.group_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.parent.group_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+9.2.0-dev,true,process,process.parent.group_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.group_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.group_leader.real_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.group_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.parent.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.parent.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.parent.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.parent.group_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.parent.group_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.parent.group_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.parent.group_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.2.0-dev,true,process,process.parent.group_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.parent.group_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.parent.group_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.parent.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.2.0-dev,true,process,process.parent.group_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.group_leader.saved_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.group_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.parent.group_leader.saved_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.parent.group_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.parent.group_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.parent.group_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.group_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+9.2.0-dev,true,process,process.parent.group_leader.saved_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.group_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.parent.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.parent.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.parent.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.parent.group_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.parent.group_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.parent.group_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.parent.group_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.parent.group_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.parent.group_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
+9.2.0-dev,true,process,process.parent.group_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.2.0-dev,true,process,process.parent.group_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.group_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.2.0-dev,true,process,process.parent.group_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.2.0-dev,true,process,process.parent.group_leader.thread.id,long,extended,,4242,Thread ID. +9.2.0-dev,true,process,process.parent.group_leader.thread.name,keyword,extended,,thread-0,Thread name. +9.2.0-dev,true,process,process.parent.group_leader.title,keyword,extended,,,Process title. +9.2.0-dev,true,process,process.parent.group_leader.title.text,match_only_text,extended,,,Process title. +9.2.0-dev,true,process,process.parent.group_leader.tty,object,extended,,,Information about the controlling TTY device. +9.2.0-dev,true,process,process.parent.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.2.0-dev,true,process,process.parent.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.2.0-dev,true,process,process.parent.group_leader.tty.columns,long,extended,,80,The number of character columns per line. 
e.g terminal width +9.2.0-dev,true,process,process.parent.group_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.2.0-dev,true,process,process.parent.group_leader.uptime,long,extended,,1325,Seconds the process has been up. +9.2.0-dev,true,process,process.parent.group_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.parent.group_leader.user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.parent.group_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.parent.group_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.parent.group_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.group_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.group_leader.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.group_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.parent.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.parent.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.parent.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.parent.group_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.2.0-dev,true,process,process.parent.group_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.parent.group_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.parent.group_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.parent.group_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.parent.group_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.parent.group_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +9.2.0-dev,true,process,process.parent.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.parent.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +9.2.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 
+9.2.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +9.2.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. +9.2.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.2.0-dev,true,process,process.parent.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.2.0-dev,true,process,process.parent.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.2.0-dev,true,process,process.parent.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.2.0-dev,true,process,process.parent.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.2.0-dev,true,process,process.parent.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.2.0-dev,true,process,process.parent.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.2.0-dev,true,process,process.parent.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.2.0-dev,true,process,process.parent.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.2.0-dev,true,process,process.parent.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.2.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 
+9.2.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.2.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.2.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.2.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 
+9.2.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. +9.2.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. +9.2.0-dev,true,process,process.parent.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.2.0-dev,true,process,process.parent.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.2.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.2.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.2.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.2.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.2.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.2.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.2.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.2.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.2.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.2.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +9.2.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. +9.2.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.2.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 
+9.2.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. +9.2.0-dev,true,process,process.parent.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.2.0-dev,true,process,process.parent.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.parent.real_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.parent.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.parent.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.parent.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.real_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.2.0-dev,true,process,process.parent.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.parent.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.parent.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.parent.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.parent.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.parent.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.parent.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.parent.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.2.0-dev,true,process,process.parent.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. 
+9.2.0-dev,true,process,process.parent.saved_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.parent.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.parent.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.parent.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.saved_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.parent.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.parent.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.parent.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.2.0-dev,true,process,process.parent.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.parent.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.parent.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.parent.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.2.0-dev,true,process,process.parent.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.2.0-dev,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.2.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +9.2.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +9.2.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. +9.2.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. 
+9.2.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +9.2.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.2.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.2.0-dev,true,process,process.parent.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.2.0-dev,true,process,process.parent.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.2.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +9.2.0-dev,true,process,process.parent.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.parent.user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.parent.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.parent.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.parent.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.parent.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.parent.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.parent.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.2.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.parent.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.parent.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.parent.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.parent.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.parent.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.parent.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.parent.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id. +9.2.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.2.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
+9.2.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.2.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.2.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.2.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.2.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
+9.2.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.2.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +9.2.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. +9.2.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.2.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.pid,long,core,,4242,Process id. +9.2.0-dev,true,process,process.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.2.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.2.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +9.2.0-dev,true,process,process.previous.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.previous.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.previous.attested_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.previous.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.previous.attested_user.email,keyword,extended,,,User email address. 
+9.2.0-dev,true,process,process.previous.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.previous.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.previous.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.previous.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.previous.attested_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.previous.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.previous.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.previous.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.previous.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.previous.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.previous.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.previous.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.2.0-dev,true,process,process.previous.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.previous.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.previous.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.previous.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.previous.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.2.0-dev,true,process,process.previous.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.2.0-dev,true,process,process.previous.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.2.0-dev,true,process,process.previous.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.2.0-dev,true,process,process.previous.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.2.0-dev,true,process,process.previous.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.2.0-dev,true,process,process.previous.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.2.0-dev,true,process,process.previous.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. 
+9.2.0-dev,true,process,process.previous.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.2.0-dev,true,process,process.previous.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.2.0-dev,true,process,process.previous.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.2.0-dev,true,process,process.previous.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.previous.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.previous.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.2.0-dev,true,process,process.previous.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.2.0-dev,true,process,process.previous.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.2.0-dev,true,process,process.previous.elf.creation_date,date,extended,,,Build or compile date. +9.2.0-dev,true,process,process.previous.elf.exports,flattened,extended,array,,List of exported element names and types. +9.2.0-dev,true,process,process.previous.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.2.0-dev,true,process,process.previous.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.previous.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.previous.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+9.2.0-dev,true,process,process.previous.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.previous.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.2.0-dev,true,process,process.previous.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.2.0-dev,true,process,process.previous.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.2.0-dev,true,process,process.previous.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.2.0-dev,true,process,process.previous.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.2.0-dev,true,process,process.previous.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.2.0-dev,true,process,process.previous.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.2.0-dev,true,process,process.previous.elf.header.version,keyword,extended,,,Version of the ELF header. +9.2.0-dev,true,process,process.previous.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.2.0-dev,true,process,process.previous.elf.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.previous.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.previous.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.previous.elf.sections,nested,extended,array,,Section information of the ELF file. +9.2.0-dev,true,process,process.previous.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
+9.2.0-dev,true,process,process.previous.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.previous.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.2.0-dev,true,process,process.previous.elf.sections.name,keyword,extended,,,ELF Section List name. +9.2.0-dev,true,process,process.previous.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.2.0-dev,true,process,process.previous.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.2.0-dev,true,process,process.previous.elf.sections.type,keyword,extended,,,ELF Section List type. +9.2.0-dev,true,process,process.previous.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.previous.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.2.0-dev,true,process,process.previous.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.2.0-dev,true,process,process.previous.elf.segments,nested,extended,array,,ELF object segment list. +9.2.0-dev,true,process,process.previous.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.2.0-dev,true,process,process.previous.elf.segments.type,keyword,extended,,,ELF object segment type. +9.2.0-dev,true,process,process.previous.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.2.0-dev,true,process,process.previous.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.2.0-dev,true,process,process.previous.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.2.0-dev,true,process,process.previous.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. +9.2.0-dev,true,process,process.previous.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
+9.2.0-dev,true,process,process.previous.entry_meta.source.address,keyword,extended,,,Source network address. +9.2.0-dev,true,process,process.previous.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.2.0-dev,true,process,process.previous.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.previous.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.previous.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.2.0-dev,true,process,process.previous.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.2.0-dev,true,process,process.previous.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,process,process.previous.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,process,process.previous.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,process,process.previous.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,process,process.previous.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.2.0-dev,true,process,process.previous.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,process,process.previous.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,process,process.previous.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,process,process.previous.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,process,process.previous.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. 
+9.2.0-dev,true,process,process.previous.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,process,process.previous.entry_meta.source.ip,ip,core,,,IP address of the source. +9.2.0-dev,true,process,process.previous.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.2.0-dev,true,process,process.previous.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.2.0-dev,true,process,process.previous.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.2.0-dev,true,process,process.previous.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.2.0-dev,true,process,process.previous.entry_meta.source.port,long,core,,,Port of the source. +9.2.0-dev,true,process,process.previous.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.2.0-dev,true,process,process.previous.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,process,process.previous.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,process,process.previous.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.2.0-dev,true,process,process.previous.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.2.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.previous.exit_code,long,extended,,137,The exit code of the process. +9.2.0-dev,true,process,process.previous.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.2.0-dev,true,process,process.previous.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.previous.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.previous.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,process,process.previous.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,process,process.previous.hash.sha1,keyword,extended,,,SHA1 hash. +9.2.0-dev,true,process,process.previous.hash.sha256,keyword,extended,,,SHA256 hash. +9.2.0-dev,true,process,process.previous.hash.sha384,keyword,extended,,,SHA384 hash. +9.2.0-dev,true,process,process.previous.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,process,process.previous.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,process,process.previous.hash.tlsh,keyword,extended,,,TLSH hash. +9.2.0-dev,true,process,process.previous.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.2.0-dev,true,process,process.previous.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.2.0-dev,true,process,process.previous.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.2.0-dev,true,process,process.previous.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.2.0-dev,true,process,process.previous.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.2.0-dev,true,process,process.previous.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.2.0-dev,true,process,process.previous.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. 
+9.2.0-dev,true,process,process.previous.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.2.0-dev,true,process,process.previous.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.2.0-dev,true,process,process.previous.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.2.0-dev,true,process,process.previous.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.2.0-dev,true,process,process.previous.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.previous.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.previous.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.previous.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.previous.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.previous.macho.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.previous.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.previous.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.previous.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
+9.2.0-dev,true,process,process.previous.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.previous.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.2.0-dev,true,process,process.previous.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.2.0-dev,true,process,process.previous.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.previous.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.previous.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.previous.name,keyword,extended,,ssh,Process name. +9.2.0-dev,true,process,process.previous.name.text,match_only_text,extended,,ssh,Process name. +9.2.0-dev,true,process,process.previous.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.2.0-dev,true,process,process.previous.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.2.0-dev,true,process,process.previous.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.2.0-dev,true,process,process.previous.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.2.0-dev,true,process,process.previous.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.2.0-dev,true,process,process.previous.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
+9.2.0-dev,true,process,process.previous.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.2.0-dev,true,process,process.previous.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.previous.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.previous.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.previous.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.previous.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.previous.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.previous.pe.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.previous.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.previous.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.previous.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.2.0-dev,true,process,process.previous.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.2.0-dev,true,process,process.previous.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
+9.2.0-dev,true,process,process.previous.pe.sections,nested,extended,array,,Section information of the PE file. +9.2.0-dev,true,process,process.previous.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.previous.pe.sections.name,keyword,extended,,,PE Section List name. +9.2.0-dev,true,process,process.previous.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.2.0-dev,true,process,process.previous.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.previous.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.previous.pid,long,core,,4242,Process id. +9.2.0-dev,true,process,process.previous.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.2.0-dev,true,process,process.previous.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.previous.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.previous.real_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.previous.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.previous.real_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.previous.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.previous.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.previous.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.2.0-dev,true,process,process.previous.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.previous.real_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.previous.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.previous.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.previous.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.previous.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.previous.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.previous.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.previous.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.previous.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.previous.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.previous.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
+9.2.0-dev,true,process,process.previous.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.previous.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.2.0-dev,true,process,process.previous.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.previous.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.previous.saved_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.previous.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.previous.saved_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.previous.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.previous.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.previous.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.previous.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.previous.saved_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.previous.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.previous.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.previous.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.2.0-dev,true,process,process.previous.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.previous.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.previous.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.previous.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.previous.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.previous.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.previous.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.previous.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.previous.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.2.0-dev,true,process,process.previous.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.previous.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.previous.supplemental_groups.name,keyword,extended,,,Name of the group. 
+9.2.0-dev,true,process,process.previous.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.2.0-dev,true,process,process.previous.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.2.0-dev,true,process,process.previous.thread.id,long,extended,,4242,Thread ID. +9.2.0-dev,true,process,process.previous.thread.name,keyword,extended,,thread-0,Thread name. +9.2.0-dev,true,process,process.previous.title,keyword,extended,,,Process title. +9.2.0-dev,true,process,process.previous.title.text,match_only_text,extended,,,Process title. +9.2.0-dev,true,process,process.previous.tty,object,extended,,,Information about the controlling TTY device. +9.2.0-dev,true,process,process.previous.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.2.0-dev,true,process,process.previous.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.2.0-dev,true,process,process.previous.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.2.0-dev,true,process,process.previous.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.2.0-dev,true,process,process.previous.uptime,long,extended,,1325,Seconds the process has been up. +9.2.0-dev,true,process,process.previous.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.previous.user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.previous.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.previous.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+9.2.0-dev,true,process,process.previous.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.previous.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.previous.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.previous.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.previous.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.previous.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.previous.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.previous.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.previous.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.previous.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.previous.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.previous.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.previous.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
+9.2.0-dev,true,process,process.previous.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.previous.vpid,long,core,,4242,Virtual process id. +9.2.0-dev,true,process,process.previous.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.previous.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.real_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.real_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+9.2.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.responsible.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.2.0-dev,true,process,process.responsible.args_count,long,extended,,4,Length of the process.args array. +9.2.0-dev,true,process,process.responsible.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.2.0-dev,true,process,process.responsible.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.responsible.attested_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.responsible.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.responsible.attested_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.responsible.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.responsible.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.responsible.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.responsible.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.responsible.attested_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.responsible.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.responsible.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.responsible.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.responsible.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.responsible.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.2.0-dev,true,process,process.responsible.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.responsible.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.responsible.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.responsible.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.responsible.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.responsible.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.responsible.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.2.0-dev,true,process,process.responsible.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.2.0-dev,true,process,process.responsible.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.2.0-dev,true,process,process.responsible.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.2.0-dev,true,process,process.responsible.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+9.2.0-dev,true,process,process.responsible.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.2.0-dev,true,process,process.responsible.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.2.0-dev,true,process,process.responsible.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.2.0-dev,true,process,process.responsible.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.2.0-dev,true,process,process.responsible.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.2.0-dev,true,process,process.responsible.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.2.0-dev,true,process,process.responsible.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.responsible.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.responsible.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.2.0-dev,true,process,process.responsible.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.2.0-dev,true,process,process.responsible.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.2.0-dev,true,process,process.responsible.elf.creation_date,date,extended,,,Build or compile date. +9.2.0-dev,true,process,process.responsible.elf.exports,flattened,extended,array,,List of exported element names and types. +9.2.0-dev,true,process,process.responsible.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. 
+9.2.0-dev,true,process,process.responsible.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.responsible.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.responsible.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.responsible.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.responsible.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.2.0-dev,true,process,process.responsible.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.2.0-dev,true,process,process.responsible.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.2.0-dev,true,process,process.responsible.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.2.0-dev,true,process,process.responsible.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.2.0-dev,true,process,process.responsible.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.2.0-dev,true,process,process.responsible.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.2.0-dev,true,process,process.responsible.elf.header.version,keyword,extended,,,Version of the ELF header. +9.2.0-dev,true,process,process.responsible.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.2.0-dev,true,process,process.responsible.elf.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.responsible.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+9.2.0-dev,true,process,process.responsible.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.responsible.elf.sections,nested,extended,array,,Section information of the ELF file. +9.2.0-dev,true,process,process.responsible.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.2.0-dev,true,process,process.responsible.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.responsible.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.2.0-dev,true,process,process.responsible.elf.sections.name,keyword,extended,,,ELF Section List name. +9.2.0-dev,true,process,process.responsible.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.2.0-dev,true,process,process.responsible.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.2.0-dev,true,process,process.responsible.elf.sections.type,keyword,extended,,,ELF Section List type. +9.2.0-dev,true,process,process.responsible.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.responsible.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.2.0-dev,true,process,process.responsible.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.2.0-dev,true,process,process.responsible.elf.segments,nested,extended,array,,ELF object segment list. +9.2.0-dev,true,process,process.responsible.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.2.0-dev,true,process,process.responsible.elf.segments.type,keyword,extended,,,ELF object segment type. +9.2.0-dev,true,process,process.responsible.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 
+9.2.0-dev,true,process,process.responsible.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.2.0-dev,true,process,process.responsible.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.2.0-dev,true,process,process.responsible.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. +9.2.0-dev,true,process,process.responsible.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.2.0-dev,true,process,process.responsible.entry_meta.source.address,keyword,extended,,,Source network address. +9.2.0-dev,true,process,process.responsible.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.2.0-dev,true,process,process.responsible.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.responsible.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.responsible.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.2.0-dev,true,process,process.responsible.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. 
+9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,process,process.responsible.entry_meta.source.ip,ip,core,,,IP address of the source. +9.2.0-dev,true,process,process.responsible.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.2.0-dev,true,process,process.responsible.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.2.0-dev,true,process,process.responsible.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.2.0-dev,true,process,process.responsible.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.2.0-dev,true,process,process.responsible.entry_meta.source.port,long,core,,,Port of the source. +9.2.0-dev,true,process,process.responsible.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.2.0-dev,true,process,process.responsible.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,process,process.responsible.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
+9.2.0-dev,true,process,process.responsible.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.2.0-dev,true,process,process.responsible.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.2.0-dev,true,process,process.responsible.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.responsible.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.responsible.exit_code,long,extended,,137,The exit code of the process. +9.2.0-dev,true,process,process.responsible.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.responsible.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.responsible.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.responsible.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,process,process.responsible.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,process,process.responsible.hash.sha1,keyword,extended,,,SHA1 hash. +9.2.0-dev,true,process,process.responsible.hash.sha256,keyword,extended,,,SHA256 hash. +9.2.0-dev,true,process,process.responsible.hash.sha384,keyword,extended,,,SHA384 hash. +9.2.0-dev,true,process,process.responsible.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,process,process.responsible.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,process,process.responsible.hash.tlsh,keyword,extended,,,TLSH hash. +9.2.0-dev,true,process,process.responsible.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
+9.2.0-dev,true,process,process.responsible.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.2.0-dev,true,process,process.responsible.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.2.0-dev,true,process,process.responsible.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.2.0-dev,true,process,process.responsible.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.2.0-dev,true,process,process.responsible.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.2.0-dev,true,process,process.responsible.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.2.0-dev,true,process,process.responsible.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.2.0-dev,true,process,process.responsible.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.2.0-dev,true,process,process.responsible.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.2.0-dev,true,process,process.responsible.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.2.0-dev,true,process,process.responsible.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.responsible.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.responsible.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+9.2.0-dev,true,process,process.responsible.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.responsible.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.responsible.macho.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.responsible.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.responsible.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.responsible.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.2.0-dev,true,process,process.responsible.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.responsible.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.2.0-dev,true,process,process.responsible.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.2.0-dev,true,process,process.responsible.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.responsible.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.responsible.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.responsible.name,keyword,extended,,ssh,Process name. +9.2.0-dev,true,process,process.responsible.name.text,match_only_text,extended,,ssh,Process name. 
+9.2.0-dev,true,process,process.responsible.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.2.0-dev,true,process,process.responsible.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.2.0-dev,true,process,process.responsible.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.2.0-dev,true,process,process.responsible.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.2.0-dev,true,process,process.responsible.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.2.0-dev,true,process,process.responsible.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.2.0-dev,true,process,process.responsible.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.2.0-dev,true,process,process.responsible.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.responsible.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.responsible.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.responsible.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.responsible.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.responsible.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
+9.2.0-dev,true,process,process.responsible.pe.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.responsible.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.responsible.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.responsible.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.2.0-dev,true,process,process.responsible.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.2.0-dev,true,process,process.responsible.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.2.0-dev,true,process,process.responsible.pe.sections,nested,extended,array,,Section information of the PE file. +9.2.0-dev,true,process,process.responsible.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.responsible.pe.sections.name,keyword,extended,,,PE Section List name. +9.2.0-dev,true,process,process.responsible.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.2.0-dev,true,process,process.responsible.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.responsible.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.responsible.pid,long,core,,4242,Process id. +9.2.0-dev,true,process,process.responsible.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. 
+9.2.0-dev,true,process,process.responsible.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.responsible.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.responsible.real_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.responsible.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.responsible.real_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.responsible.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.responsible.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.responsible.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.responsible.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.responsible.real_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.responsible.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.responsible.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.responsible.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.responsible.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.responsible.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.2.0-dev,true,process,process.responsible.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.responsible.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.responsible.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.responsible.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.responsible.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.responsible.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.responsible.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.2.0-dev,true,process,process.responsible.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.responsible.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.responsible.saved_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.responsible.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.responsible.saved_user.email,keyword,extended,,,User email address. 
+9.2.0-dev,true,process,process.responsible.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.responsible.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.responsible.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.responsible.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.responsible.saved_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.responsible.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.responsible.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.responsible.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.responsible.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.responsible.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.responsible.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.responsible.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.2.0-dev,true,process,process.responsible.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.responsible.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.responsible.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.responsible.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.responsible.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.2.0-dev,true,process,process.responsible.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.responsible.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.responsible.supplemental_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.responsible.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.2.0-dev,true,process,process.responsible.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.2.0-dev,true,process,process.responsible.thread.id,long,extended,,4242,Thread ID. +9.2.0-dev,true,process,process.responsible.thread.name,keyword,extended,,thread-0,Thread name. +9.2.0-dev,true,process,process.responsible.title,keyword,extended,,,Process title. +9.2.0-dev,true,process,process.responsible.title.text,match_only_text,extended,,,Process title. 
+9.2.0-dev,true,process,process.responsible.tty,object,extended,,,Information about the controlling TTY device. +9.2.0-dev,true,process,process.responsible.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.2.0-dev,true,process,process.responsible.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.2.0-dev,true,process,process.responsible.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.2.0-dev,true,process,process.responsible.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.2.0-dev,true,process,process.responsible.uptime,long,extended,,1325,Seconds the process has been up. +9.2.0-dev,true,process,process.responsible.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.responsible.user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.responsible.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.responsible.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.responsible.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.responsible.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.responsible.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.responsible.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.responsible.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.responsible.user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.2.0-dev,true,process,process.responsible.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.responsible.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.responsible.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.responsible.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.responsible.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.responsible.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.responsible.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.responsible.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.responsible.vpid,long,core,,4242,Virtual process id. +9.2.0-dev,true,process,process.responsible.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.responsible.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. 
+9.2.0-dev,true,process,process.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.saved_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.saved_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.2.0-dev,true,process,process.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.2.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +9.2.0-dev,true,process,process.session_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.session_leader.attested_user.email,keyword,extended,,,User email address. 
+9.2.0-dev,true,process,process.session_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.attested_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.session_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.session_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.2.0-dev,true,process,process.session_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.session_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.session_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.2.0-dev,true,process,process.session_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.2.0-dev,true,process,process.session_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.2.0-dev,true,process,process.session_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.2.0-dev,true,process,process.session_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.2.0-dev,true,process,process.session_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.2.0-dev,true,process,process.session_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.2.0-dev,true,process,process.session_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. 
+9.2.0-dev,true,process,process.session_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.2.0-dev,true,process,process.session_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.2.0-dev,true,process,process.session_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.2.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.session_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.2.0-dev,true,process,process.session_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.2.0-dev,true,process,process.session_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.2.0-dev,true,process,process.session_leader.elf.creation_date,date,extended,,,Build or compile date. +9.2.0-dev,true,process,process.session_leader.elf.exports,flattened,extended,array,,List of exported element names and types. +9.2.0-dev,true,process,process.session_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.2.0-dev,true,process,process.session_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.session_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.session_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+9.2.0-dev,true,process,process.session_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.session_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.2.0-dev,true,process,process.session_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.2.0-dev,true,process,process.session_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.2.0-dev,true,process,process.session_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.2.0-dev,true,process,process.session_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.2.0-dev,true,process,process.session_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.2.0-dev,true,process,process.session_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.2.0-dev,true,process,process.session_leader.elf.header.version,keyword,extended,,,Version of the ELF header. +9.2.0-dev,true,process,process.session_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.2.0-dev,true,process,process.session_leader.elf.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.session_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.elf.sections,nested,extended,array,,Section information of the ELF file. 
+9.2.0-dev,true,process,process.session_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.2.0-dev,true,process,process.session_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.2.0-dev,true,process,process.session_leader.elf.sections.name,keyword,extended,,,ELF Section List name. +9.2.0-dev,true,process,process.session_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.2.0-dev,true,process,process.session_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.2.0-dev,true,process,process.session_leader.elf.sections.type,keyword,extended,,,ELF Section List type. +9.2.0-dev,true,process,process.session_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.2.0-dev,true,process,process.session_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.2.0-dev,true,process,process.session_leader.elf.segments,nested,extended,array,,ELF object segment list. +9.2.0-dev,true,process,process.session_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.2.0-dev,true,process,process.session_leader.elf.segments.type,keyword,extended,,,ELF object segment type. +9.2.0-dev,true,process,process.session_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.2.0-dev,true,process,process.session_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.2.0-dev,true,process,process.session_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. 
+9.2.0-dev,true,process,process.session_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. +9.2.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.address,keyword,extended,,,Source network address. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.2.0-dev,true,process,process.session_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.2.0-dev,true,process,process.session_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.port,long,core,,,Port of the source. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.2.0-dev,true,process,process.session_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,process,process.session_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,process,process.session_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 
+9.2.0-dev,true,process,process.session_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.2.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.session_leader.exit_code,long,extended,,137,The exit code of the process. +9.2.0-dev,true,process,process.session_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,process,process.session_leader.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,process,process.session_leader.hash.sha1,keyword,extended,,,SHA1 hash. +9.2.0-dev,true,process,process.session_leader.hash.sha256,keyword,extended,,,SHA256 hash. +9.2.0-dev,true,process,process.session_leader.hash.sha384,keyword,extended,,,SHA384 hash. +9.2.0-dev,true,process,process.session_leader.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,process,process.session_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,process,process.session_leader.hash.tlsh,keyword,extended,,,TLSH hash. +9.2.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.2.0-dev,true,process,process.session_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. 
+9.2.0-dev,true,process,process.session_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.2.0-dev,true,process,process.session_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.2.0-dev,true,process,process.session_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.2.0-dev,true,process,process.session_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.2.0-dev,true,process,process.session_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.2.0-dev,true,process,process.session_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.2.0-dev,true,process,process.session_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.2.0-dev,true,process,process.session_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.2.0-dev,true,process,process.session_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.2.0-dev,true,process,process.session_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.session_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.session_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+9.2.0-dev,true,process,process.session_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.session_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.session_leader.macho.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.session_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.2.0-dev,true,process,process.session_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.2.0-dev,true,process,process.session_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.2.0-dev,true,process,process.session_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.session_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +9.2.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. 
+9.2.0-dev,true,process,process.session_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.2.0-dev,true,process,process.session_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.2.0-dev,true,process,process.session_leader.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.2.0-dev,true,process,process.session_leader.parent.args_count,long,extended,,4,Length of the process.args array. +9.2.0-dev,true,process,process.session_leader.parent.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.attested_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.session_leader.parent.attested_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.session_leader.parent.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.parent.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.parent.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+9.2.0-dev,true,process,process.session_leader.parent.attested_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.session_leader.parent.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.session_leader.parent.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.session_leader.parent.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.parent.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.parent.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
+9.2.0-dev,true,process,process.session_leader.parent.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.session_leader.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.2.0-dev,true,process,process.session_leader.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.2.0-dev,true,process,process.session_leader.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.2.0-dev,true,process,process.session_leader.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.2.0-dev,true,process,process.session_leader.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.2.0-dev,true,process,process.session_leader.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.2.0-dev,true,process,process.session_leader.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.2.0-dev,true,process,process.session_leader.parent.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.2.0-dev,true,process,process.session_leader.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.2.0-dev,true,process,process.session_leader.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.2.0-dev,true,process,process.session_leader.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
+9.2.0-dev,true,process,process.session_leader.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.session_leader.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.session_leader.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.2.0-dev,true,process,process.session_leader.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.2.0-dev,true,process,process.session_leader.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.2.0-dev,true,process,process.session_leader.parent.elf.creation_date,date,extended,,,Build or compile date. +9.2.0-dev,true,process,process.session_leader.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.2.0-dev,true,process,process.session_leader.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.session_leader.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.session_leader.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.session_leader.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.session_leader.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 
+9.2.0-dev,true,process,process.session_leader.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.2.0-dev,true,process,process.session_leader.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.2.0-dev,true,process,process.session_leader.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.2.0-dev,true,process,process.session_leader.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.2.0-dev,true,process,process.session_leader.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.2.0-dev,true,process,process.session_leader.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.2.0-dev,true,process,process.session_leader.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +9.2.0-dev,true,process,process.session_leader.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.2.0-dev,true,process,process.session_leader.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +9.2.0-dev,true,process,process.session_leader.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.2.0-dev,true,process,process.session_leader.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
+9.2.0-dev,true,process,process.session_leader.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.2.0-dev,true,process,process.session_leader.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +9.2.0-dev,true,process,process.session_leader.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.2.0-dev,true,process,process.session_leader.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.2.0-dev,true,process,process.session_leader.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +9.2.0-dev,true,process,process.session_leader.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.2.0-dev,true,process,process.session_leader.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.2.0-dev,true,process,process.session_leader.parent.elf.segments,nested,extended,array,,ELF object segment list. +9.2.0-dev,true,process,process.session_leader.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.2.0-dev,true,process,process.session_leader.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +9.2.0-dev,true,process,process.session_leader.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.2.0-dev,true,process,process.session_leader.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.2.0-dev,true,process,process.session_leader.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.2.0-dev,true,process,process.session_leader.parent.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 
+9.2.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.address,keyword,extended,,,Source network address. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
+9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.ip,ip,core,,,IP address of the source. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.port,long,core,,,Port of the source. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,process,process.session_leader.parent.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 
+9.2.0-dev,true,process,process.session_leader.parent.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.2.0-dev,true,process,process.session_leader.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.session_leader.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.session_leader.parent.exit_code,long,extended,,137,The exit code of the process. +9.2.0-dev,true,process,process.session_leader.parent.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,process,process.session_leader.parent.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,process,process.session_leader.parent.hash.sha1,keyword,extended,,,SHA1 hash. +9.2.0-dev,true,process,process.session_leader.parent.hash.sha256,keyword,extended,,,SHA256 hash. +9.2.0-dev,true,process,process.session_leader.parent.hash.sha384,keyword,extended,,,SHA384 hash. +9.2.0-dev,true,process,process.session_leader.parent.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,process,process.session_leader.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,process,process.session_leader.parent.hash.tlsh,keyword,extended,,,TLSH hash. +9.2.0-dev,true,process,process.session_leader.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
+9.2.0-dev,true,process,process.session_leader.parent.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.2.0-dev,true,process,process.session_leader.parent.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.2.0-dev,true,process,process.session_leader.parent.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.2.0-dev,true,process,process.session_leader.parent.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.2.0-dev,true,process,process.session_leader.parent.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.2.0-dev,true,process,process.session_leader.parent.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.2.0-dev,true,process,process.session_leader.parent.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.2.0-dev,true,process,process.session_leader.parent.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.2.0-dev,true,process,process.session_leader.parent.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.2.0-dev,true,process,process.session_leader.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.2.0-dev,true,process,process.session_leader.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.session_leader.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.2.0-dev,true,process,process.session_leader.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.session_leader.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.session_leader.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.session_leader.parent.macho.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.2.0-dev,true,process,process.session_leader.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.2.0-dev,true,process,process.session_leader.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.2.0-dev,true,process,process.session_leader.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 
+9.2.0-dev,true,process,process.session_leader.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.session_leader.parent.name,keyword,extended,,ssh,Process name. +9.2.0-dev,true,process,process.session_leader.parent.name.text,match_only_text,extended,,ssh,Process name. +9.2.0-dev,true,process,process.session_leader.parent.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.2.0-dev,true,process,process.session_leader.parent.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.2.0-dev,true,process,process.session_leader.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.2.0-dev,true,process,process.session_leader.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.2.0-dev,true,process,process.session_leader.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.2.0-dev,true,process,process.session_leader.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.2.0-dev,true,process,process.session_leader.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.2.0-dev,true,process,process.session_leader.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.session_leader.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.session_leader.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+9.2.0-dev,true,process,process.session_leader.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.session_leader.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.session_leader.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.session_leader.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.2.0-dev,true,process,process.session_leader.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.2.0-dev,true,process,process.session_leader.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.2.0-dev,true,process,process.session_leader.parent.pe.sections,nested,extended,array,,Section information of the PE file. +9.2.0-dev,true,process,process.session_leader.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.parent.pe.sections.name,keyword,extended,,,PE Section List name. +9.2.0-dev,true,process,process.session_leader.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
+9.2.0-dev,true,process,process.session_leader.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +9.2.0-dev,true,process,process.session_leader.parent.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.2.0-dev,true,process,process.session_leader.parent.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.real_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.session_leader.parent.real_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.session_leader.parent.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.parent.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.parent.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.real_user.group.name,keyword,extended,,,Name of the group. 
+9.2.0-dev,true,process,process.session_leader.parent.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.session_leader.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.session_leader.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.session_leader.parent.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.parent.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.parent.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
+9.2.0-dev,true,process,process.session_leader.parent.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.session_leader.parent.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.2.0-dev,true,process,process.session_leader.parent.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.saved_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.session_leader.parent.saved_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.session_leader.parent.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.parent.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.parent.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.saved_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+9.2.0-dev,true,process,process.session_leader.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.session_leader.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.session_leader.parent.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.parent.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.parent.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.session_leader.parent.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.args_count,long,extended,,4,Length of the process.args array. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.group.name,keyword,extended,,,Name of the group. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.creation_date,date,extended,,,Build or compile date. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.exports,flattened,extended,array,,List of exported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.version,keyword,extended,,,Version of the ELF header. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.imports,flattened,extended,array,,List of imported element names and types. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections,nested,extended,array,,Section information of the ELF file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.name,keyword,extended,,,ELF Section List name. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.type,keyword,extended,,,ELF Section List type. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.segments,nested,extended,array,,ELF object segment list. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.segments.type,keyword,extended,,,ELF object segment type. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.address,keyword,extended,,,Source network address. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.ip,ip,core,,,IP address of the source. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.port,long,core,,,Port of the source. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.exit_code,long,extended,,137,The exit code of the process. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha1,keyword,extended,,,SHA1 hash. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha256,keyword,extended,,,SHA256 hash. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha384,keyword,extended,,,SHA384 hash. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.tlsh,keyword,extended,,,TLSH hash. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. 
This is always the same as `physical_size`. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.name,keyword,extended,,ssh,Process name. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.name.text,match_only_text,extended,,ssh,Process name. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections,nested,extended,array,,Section information of the PE file. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.name,keyword,extended,,,PE Section List name. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.thread.id,long,extended,,4242,Thread ID. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.thread.name,keyword,extended,,thread-0,Thread name. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.title,keyword,extended,,,Process title. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.title.text,match_only_text,extended,,,Process title. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.tty,object,extended,,,Information about the controlling TTY device. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.2.0-dev,true,process,process.session_leader.parent.session_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.2.0-dev,true,process,process.session_leader.parent.session_leader.uptime,long,extended,,1325,Seconds the process has been up. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.session_leader.parent.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.2.0-dev,true,process,process.session_leader.parent.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.2.0-dev,true,process,process.session_leader.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. 
+9.2.0-dev,true,process,process.session_leader.parent.thread.id,long,extended,,4242,Thread ID. +9.2.0-dev,true,process,process.session_leader.parent.thread.name,keyword,extended,,thread-0,Thread name. +9.2.0-dev,true,process,process.session_leader.parent.title,keyword,extended,,,Process title. +9.2.0-dev,true,process,process.session_leader.parent.title.text,match_only_text,extended,,,Process title. +9.2.0-dev,true,process,process.session_leader.parent.tty,object,extended,,,Information about the controlling TTY device. +9.2.0-dev,true,process,process.session_leader.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.2.0-dev,true,process,process.session_leader.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.2.0-dev,true,process,process.session_leader.parent.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.2.0-dev,true,process,process.session_leader.parent.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.2.0-dev,true,process,process.session_leader.parent.uptime,long,extended,,1325,Seconds the process has been up. +9.2.0-dev,true,process,process.session_leader.parent.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.session_leader.parent.user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.session_leader.parent.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.parent.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.parent.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.2.0-dev,true,process,process.session_leader.parent.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.parent.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.parent.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.session_leader.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.session_leader.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.parent.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.parent.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.session_leader.parent.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.parent.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.2.0-dev,true,process,process.session_leader.parent.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.session_leader.parent.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. +9.2.0-dev,true,process,process.session_leader.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.session_leader.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.session_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.2.0-dev,true,process,process.session_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.2.0-dev,true,process,process.session_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.2.0-dev,true,process,process.session_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.2.0-dev,true,process,process.session_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.2.0-dev,true,process,process.session_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,process,process.session_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,process,process.session_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+9.2.0-dev,true,process,process.session_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,process,process.session_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.session_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.2.0-dev,true,process,process.session_leader.pe.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,process,process.session_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,process,process.session_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.2.0-dev,true,process,process.session_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.2.0-dev,true,process,process.session_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.2.0-dev,true,process,process.session_leader.pe.sections,nested,extended,array,,Section information of the PE file. +9.2.0-dev,true,process,process.session_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.pe.sections.name,keyword,extended,,,PE Section List name. +9.2.0-dev,true,process,process.session_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
+9.2.0-dev,true,process,process.session_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,process,process.session_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. +9.2.0-dev,true,process,process.session_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.2.0-dev,true,process,process.session_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.session_leader.real_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.session_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.real_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+9.2.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.session_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.session_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. 
+9.2.0-dev,true,process,process.session_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.session_leader.saved_user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.session_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.saved_user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.2.0-dev,true,process,process.session_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.session_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.session_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.2.0-dev,true,process,process.session_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 
+9.2.0-dev,true,process,process.session_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.2.0-dev,true,process,process.session_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.2.0-dev,true,process,process.session_leader.thread.id,long,extended,,4242,Thread ID. +9.2.0-dev,true,process,process.session_leader.thread.name,keyword,extended,,thread-0,Thread name. +9.2.0-dev,true,process,process.session_leader.title,keyword,extended,,,Process title. +9.2.0-dev,true,process,process.session_leader.title.text,match_only_text,extended,,,Process title. +9.2.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +9.2.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.2.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.2.0-dev,true,process,process.session_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.2.0-dev,true,process,process.session_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.2.0-dev,true,process,process.session_leader.uptime,long,extended,,1325,Seconds the process has been up. +9.2.0-dev,true,process,process.session_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.session_leader.user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.session_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.session_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+9.2.0-dev,true,process,process.session_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.session_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.session_leader.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.session_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.session_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.session_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.session_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.session_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.2.0-dev,true,process,process.session_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.session_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. +9.2.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.2.0-dev,true,process,process.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.2.0-dev,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.2.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. +9.2.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +9.2.0-dev,true,process,process.title,keyword,extended,,,Process title. +9.2.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. +9.2.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. 
+9.2.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.2.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.2.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.2.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.2.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +9.2.0-dev,true,process,process.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,process,process.user.email,keyword,extended,,,User email address. +9.2.0-dev,true,process,process.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,process,process.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,process,process.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,process,process.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,process,process.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,process,process.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.2.0-dev,true,process,process.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,process,process.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,process,process.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,process,process.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,process,process.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id. +9.2.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.2.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.2.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.2.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.2.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. 
+9.2.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.2.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.2.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +9.2.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +9.2.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +9.2.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +9.2.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. +9.2.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +9.2.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +9.2.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +9.2.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID +9.2.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +9.2.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +9.2.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +9.2.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +9.2.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +9.2.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version +9.2.0-dev,true,server,server.address,keyword,extended,,,Server network address. +9.2.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
+9.2.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.2.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +9.2.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +9.2.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +9.2.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +9.2.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,server,server.ip,ip,core,,,IP address of the server. +9.2.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +9.2.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip +9.2.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port +9.2.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +9.2.0-dev,true,server,server.port,long,core,,,Port of the server. 
+9.2.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +9.2.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,server,server.user.email,keyword,extended,,,User email address. +9.2.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,server,server.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,server,server.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.2.0-dev,true,server,server.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,server,server.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,server,server.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,server,server.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.2.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. +9.2.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.2.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.2.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.2.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.2.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.2.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.2.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.2.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. 
+9.2.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.2.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.2.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.2.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.2.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.2.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.2.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. +9.2.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +9.2.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +9.2.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +9.2.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.2.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +9.2.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.2.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.2.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.2.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.2.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. 
+9.2.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.2.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. +9.2.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +9.2.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +9.2.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +9.2.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +9.2.0-dev,true,source,source.address,keyword,extended,,,Source network address. +9.2.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.2.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.2.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.2.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.2.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +9.2.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +9.2.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.2.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.2.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +9.2.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.2.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.2.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. 
+9.2.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.2.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +9.2.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.2.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +9.2.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.2.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +9.2.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +9.2.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +9.2.0-dev,true,source,source.port,long,core,,,Port of the source. +9.2.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.2.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,source,source.user.email,keyword,extended,,,User email address. +9.2.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+9.2.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,source,source.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,source,source.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,source,source.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,source,source.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,source,source.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,source,source.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +9.2.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +9.2.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. 
+9.2.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.2.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.2.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.2.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +9.2.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +9.2.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +9.2.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. 
+9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
+9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. 
+9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.2.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. 
+9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.2.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.2.0-dev,true,threat,threat.enrichments.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.2.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." 
+9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. 
+9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. 
+9.2.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.2.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
+9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.2.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format.
+9.2.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
+9.2.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name.
+9.2.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code.
+9.2.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
+9.2.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+9.2.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name.
+9.2.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+9.2.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+9.2.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code.
+9.2.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+9.2.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name.
+9.2.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+9.2.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
+9.2.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
+9.2.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking
+9.2.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version
+9.2.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
+9.2.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name
+9.2.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port
+9.2.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
+9.2.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
+9.2.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+9.2.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+9.2.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+9.2.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+9.2.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+9.2.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+9.2.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written.
+9.2.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics
+9.2.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed
+9.2.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url.
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`.
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request.
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request.
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+9.2.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+9.2.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+9.2.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format.
+9.2.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value
+9.2.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field
+9.2.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier
+9.2.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index
+9.2.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match
+9.2.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match
+9.2.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID.
+9.2.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed.
+9.2.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed.
+9.2.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed.
+9.2.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
+9.2.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group.
+9.2.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group.
+9.2.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group.
+9.2.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group.
+9.2.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+9.2.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name.
+9.2.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+9.2.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating
+9.2.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
+9.2.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
+9.2.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed.
+9.2.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+9.2.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+9.2.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+9.2.0-dev,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
+9.2.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+9.2.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+9.2.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+9.2.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+9.2.0-dev,true,threat,threat.indicator.file.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate.
+9.2.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+9.2.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+9.2.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+9.2.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time.
+9.2.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+9.2.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
+9.2.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located.
+9.2.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+9.2.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+9.2.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+9.2.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+9.2.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date.
+9.2.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types.
+9.2.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file.
+9.2.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types.
+9.2.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
+9.2.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
+9.2.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
+9.2.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+9.2.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file.
+9.2.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header.
+9.2.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+9.2.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+9.2.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+9.2.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file.
+9.2.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header.
+9.2.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file.
+9.2.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types.
+9.2.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
+9.2.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
+9.2.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file.
+9.2.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+9.2.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+9.2.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+9.2.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name.
+9.2.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+9.2.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+9.2.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type.
+9.2.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
+9.2.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+9.2.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+9.2.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list.
+9.2.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+9.2.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type.
+9.2.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+9.2.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+9.2.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+9.2.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
+9.2.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+9.2.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
+9.2.0-dev,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
+9.2.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash.
+9.2.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash.
+9.2.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash.
+9.2.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash.
+9.2.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash.
+9.2.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+9.2.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash.
+9.2.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+9.2.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+9.2.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+9.2.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified.
+9.2.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+9.2.0-dev,true,threat,threat.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file.
+9.2.0-dev,true,threat,threat.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted.
+9.2.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username.
+9.2.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+9.2.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+9.2.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+9.2.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+9.2.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+9.2.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+9.2.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file.
+9.2.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types.
+9.2.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
+9.2.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
+9.2.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
+9.2.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+9.2.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file.
+9.2.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types.
+9.2.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
+9.2.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
+9.2.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+9.2.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections.
+9.2.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+9.2.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file.
+9.2.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+9.2.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name.
+9.2.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size.
+9.2.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
+9.2.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
+9.2.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes.
+9.2.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks.
+9.2.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks.
+9.2.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+9.2.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+9.2.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+9.2.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+9.2.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes
+9.2.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+9.2.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+9.2.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+9.2.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+9.2.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+9.2.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid.
+9.2.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid.
+9.2.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+9.2.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+9.2.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+9.2.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+9.2.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+9.2.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+9.2.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+9.2.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code
+9.2.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+9.2.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+9.2.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+9.2.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+9.2.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+9.2.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format.
+9.2.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
+9.2.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name.
+9.2.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code.
+9.2.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
+9.2.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+9.2.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name.
+9.2.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+9.2.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+9.2.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code.
+9.2.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+9.2.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name.
+9.2.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+9.2.0-dev,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator +9.2.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +9.2.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +9.2.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +9.2.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +9.2.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +9.2.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +9.2.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port +9.2.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +9.2.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +9.2.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.2.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.2.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.2.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.2.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
+9.2.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.2.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +9.2.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +9.2.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +9.2.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +9.2.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.2.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.2.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.2.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.2.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.2.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.2.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.2.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +9.2.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.2.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." 
+9.2.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +9.2.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.2.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +9.2.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +9.2.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.2.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.2.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.2.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.2.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.2.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.2.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+9.2.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.2.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.2.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.2.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.2.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.2.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.2.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.2.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.2.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.2.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.2.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.2.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+9.2.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.2.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.2.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.2.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.2.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +9.2.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +9.2.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +9.2.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +9.2.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. +9.2.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +9.2.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +9.2.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +9.2.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +9.2.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +9.2.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +9.2.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +9.2.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. 
+9.2.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +9.2.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +9.2.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +9.2.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. +9.2.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +9.2.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +9.2.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +9.2.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +9.2.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +9.2.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +9.2.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +9.2.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
+9.2.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +9.2.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +9.2.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +9.2.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +9.2.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +9.2.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +9.2.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.2.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.2.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.2.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.2.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.2.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
+9.2.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.2.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.2.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.2.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.2.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.2.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.2.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.2.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.2.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.2.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.2.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.2.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.2.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+9.2.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.2.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.2.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.2.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.2.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +9.2.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +9.2.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +9.2.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +9.2.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +9.2.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +9.2.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +9.2.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +9.2.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
+9.2.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +9.2.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +9.2.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +9.2.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +9.2.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +9.2.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +9.2.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.2.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.2.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.2.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.2.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.2.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
+9.2.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.2.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.2.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.2.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.2.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.2.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.2.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.2.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.2.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.2.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.2.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.2.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.2.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+9.2.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.2.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.2.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.2.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.2.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +9.2.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +9.2.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +9.2.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +9.2.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +9.2.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.2.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.2.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.2.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.2.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.2.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
+9.2.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.2.0-dev,true,url,url.password,keyword,extended,,,Password of the request. +9.2.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.2.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +9.2.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +9.2.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.2.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +9.2.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.2.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.2.0-dev,true,url,url.username,keyword,extended,,,Username of the request. +9.2.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. +9.2.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+9.2.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. +9.2.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+9.2.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
+9.2.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,user,user.email,keyword,extended,,,User email address. +9.2.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.2.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +9.2.0-dev,true,user,user.target.email,keyword,extended,,,User email address. +9.2.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.2.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.2.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.2.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. +9.2.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.2.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.2.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.2.0-dev,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.2.0-dev,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.2.0-dev,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.2.0-dev,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.2.0-dev,true,user,user.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.2.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.2.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +9.2.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +9.2.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +9.2.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +9.2.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.2.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
+9.2.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.2.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.2.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.2.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.2.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +9.2.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.2.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.2.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +9.2.0-dev,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. +9.2.0-dev,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. +9.2.0-dev,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. +9.2.0-dev,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. +9.2.0-dev,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. +9.2.0-dev,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. +9.2.0-dev,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. +9.2.0-dev,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. +9.2.0-dev,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. +9.2.0-dev,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. 
+9.2.0-dev,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. +9.2.0-dev,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. +9.2.0-dev,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. +9.2.0-dev,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. +9.2.0-dev,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. +9.2.0-dev,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. +9.2.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +9.2.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +9.2.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +9.2.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +9.2.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +9.2.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +9.2.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +9.2.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +9.2.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +9.2.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +9.2.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. 
+9.2.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +9.2.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +9.2.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 68c3dd6471..8ce7e27f2a 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -569,6 +569,86 @@ client.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +client.user.risk.calculated_level: + dashed_name: client-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: client.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +client.user.risk.calculated_score: + dashed_name: client-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: client.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +client.user.risk.calculated_score_norm: + dashed_name: client-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: client.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +client.user.risk.static_level: + dashed_name: client-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: client.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +client.user.risk.static_score: + dashed_name: client-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: client.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +client.user.risk.static_score_norm: + dashed_name: client-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: client.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -1961,6 +2041,86 @@ destination.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +destination.user.risk.calculated_level: + dashed_name: destination-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: destination.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +destination.user.risk.calculated_score: + dashed_name: destination-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: destination.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +destination.user.risk.calculated_score_norm: + dashed_name: destination-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: destination.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +destination.user.risk.static_level: + dashed_name: destination-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: destination.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +destination.user.risk.static_score: + dashed_name: destination-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: destination.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +destination.user.risk.static_score_norm: + dashed_name: destination-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: destination.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -9086,6 +9246,253 @@ process.args_count: stability: development short: Length of the process.args array. type: long +process.attested_groups.domain: + dashed_name: process-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.attested_groups.id: + dashed_name: process-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.attested_groups.name: + dashed_name: process-attested-groups-name + description: Name of the group. + flat_name: process.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.attested_user.domain: + dashed_name: process-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.attested_user.email: + dashed_name: process-attested-user-email + description: User email address. + flat_name: process.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword +process.attested_user.full_name: + dashed_name: process-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.attested_user.group.domain: + dashed_name: process-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.attested_user.group.id: + dashed_name: process-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.attested_user.group.name: + dashed_name: process-attested-user-group-name + description: Name of the group. + flat_name: process.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.attested_user.hash: + dashed_name: process-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.attested_user.id: + dashed_name: process-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.attested_user.name: + dashed_name: process-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.attested_user.risk.calculated_level: + dashed_name: process-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.attested_user.risk.calculated_score: + dashed_name: process-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.attested_user.risk.calculated_score_norm: + dashed_name: process-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.attested_user.risk.static_level: + dashed_name: process-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.attested_user.risk.static_score: + dashed_name: process-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.attested_user.risk.static_score_norm: + dashed_name: process-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.attested_user.roles: + dashed_name: process-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.code_signature.digest_algorithm: dashed_name: process-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. @@ -9709,6 +10116,17 @@ process.end: normalize: [] short: The time the process ended. type: date +process.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. 
@@ -9759,6 +10177,30 @@ process.entry_leader.args_count: original_fieldset: process short: Length of the process.args array. type: long +process.entry_leader.attested_groups.domain: + dashed_name: process-entry-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.attested_groups.id: + dashed_name: process-entry-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword process.entry_leader.attested_groups.name: dashed_name: process-entry-leader-attested-groups-name description: Name of the group. 
@@ -9770,6 +10212,96 @@ process.entry_leader.attested_groups.name: original_fieldset: group short: Name of the group. type: keyword +process.entry_leader.attested_user.domain: + dashed_name: process-entry-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.attested_user.email: + dashed_name: process-entry-leader-attested-user-email + description: User email address. + flat_name: process.entry_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.attested_user.full_name: + dashed_name: process-entry-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.attested_user.group.domain: + dashed_name: process-entry-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.entry_leader.attested_user.group.id: + dashed_name: process-entry-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.attested_user.group.name: + dashed_name: process-entry-leader-attested-user-group-name + description: Name of the group. + flat_name: process.entry_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.attested_user.hash: + dashed_name: process-entry-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.entry_leader.attested_user.id: dashed_name: process-entry-leader-attested-user-id description: Unique identifier of the user. 
@@ -9798,696 +10330,30459 @@ process.entry_leader.attested_user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.entry_leader.command_line: - dashed_name: process-entry-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.command_line - level: extended - multi_fields: - - flat_name: process.entry_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.entry_leader.entity_id: - dashed_name: process-entry-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.entity_id +process.entry_leader.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.attested_user.risk.calculated_level ignore_above: 1024 level: extended - name: entity_id + name: calculated_level normalize: [] - original_fieldset: process - short: Unique identifier for the process. 
+ original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. type: keyword -process.entry_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.entry_meta.source.ip - level: core - name: ip +process.entry_leader.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.entry_leader.entry_meta.type: - dashed_name: process-entry-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.entry_meta.type - ignore_above: 1024 + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.attested_user.risk.calculated_score_norm level: extended - name: entry_meta.type + name: calculated_score_norm normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. 
- type: keyword -process.entry_leader.executable: - dashed_name: process-entry-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.executable + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.attested_user.risk.static_level: + dashed_name: process-entry-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.attested_user.risk.static_level ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.executable.text - name: text - type: match_only_text - name: executable + name: static_level normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. type: keyword -process.entry_leader.group.id: - dashed_name: process-entry-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.group.id - ignore_above: 1024 +process.entry_leader.attested_user.risk.static_score: + dashed_name: process-entry-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.attested_user.risk.static_score level: extended - name: id + name: static_score normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.group.name: - dashed_name: process-entry-leader-group-name - description: Name of the group. 
- flat_name: process.entry_leader.group.name - ignore_above: 1024 + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.attested_user.risk.static_score_norm level: extended - name: name + name: static_score_norm normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.attested_user.roles: + dashed_name: process-entry-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none type: keyword -process.entry_leader.interactive: - dashed_name: process-entry-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. +process.entry_leader.code_signature.digest_algorithm: + dashed_name: process-entry-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. 
- Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.entry_leader.interactive + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.entry_leader.code_signature.digest_algorithm + ignore_above: 1024 level: extended - name: interactive + name: digest_algorithm normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.entry_leader.code_signature.exists: + dashed_name: process-entry-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.entry_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. type: boolean -process.entry_leader.name: - dashed_name: process-entry-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.entry_leader.name +process.entry_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-code-signature-flags + description: The flags used to sign the process. 
+ example: 570522385 + flat_name: process.entry_leader.code_signature.flags ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.name.text - name: text - type: match_only_text - name: name + name: flags normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: code_signature + short: Code signing flags of the process type: keyword -process.entry_leader.parent.entity_id: - dashed_name: process-entry-leader-parent-entity-id - description: 'Unique identifier for the process. +process.entry_leader.code_signature.signing_id: + dashed_name: process-entry-leader-code-signature-signing-id + description: 'The identifier used to sign the process. - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.entry_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.entry_leader.code_signature.status: + dashed_name: process-entry-leader-code-signature-status + description: 'Additional information about the certificate status. - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.entity_id + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.code_signature.status ignore_above: 1024 level: extended - name: entity_id + name: status normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: code_signature + short: Additional information about the certificate status. type: keyword -process.entry_leader.parent.pid: - dashed_name: process-entry-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.pid - format: string +process.entry_leader.code_signature.subject_name: + dashed_name: process-entry-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.code_signature.subject_name + ignore_above: 1024 level: core - name: pid + name: subject_name normalize: [] - original_fieldset: process - short: Process id. - type: long -process.entry_leader.parent.session_leader.entity_id: - dashed_name: process-entry-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.entry_leader.code_signature.team_id: + dashed_name: process-entry-leader-code-signature-team-id + description: 'The team identifier used to sign the process. - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.session_leader.entity_id + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV + flat_name: process.entry_leader.code_signature.team_id ignore_above: 1024 level: extended - name: entity_id + name: team_id normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword -process.entry_leader.parent.session_leader.pid: - dashed_name: process-entry-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.session_leader.pid - format: string - level: core - name: pid +process.entry_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.entry_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 normalize: [] - original_fieldset: process - short: Process id. - type: long -process.entry_leader.parent.session_leader.start: - dashed_name: process-entry-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.start + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.entry_leader.code_signature.timestamp: + dashed_name: process-entry-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.entry_leader.code_signature.timestamp level: extended - name: start + name: timestamp normalize: [] - original_fieldset: process - short: The time the process started. 
+ original_fieldset: code_signature + short: When the signature was generated and signed. type: date -process.entry_leader.parent.session_leader.vpid: - dashed_name: process-entry-leader-parent-session-leader-vpid - description: 'Virtual process id. +process.entry_leader.code_signature.trusted: + dashed_name: process-entry-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.parent.session_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.entry_leader.parent.start: - dashed_name: process-entry-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.start + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.entry_leader.code_signature.trusted level: extended - name: start + name: trusted normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.entry_leader.parent.vpid: - dashed_name: process-entry-leader-parent-vpid - description: 'Virtual process id. + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.entry_leader.code_signature.valid: + dashed_name: process-entry-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. - The process id within a pid namespace. 
This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.parent.vpid - format: string - level: core - name: vpid + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.entry_leader.code_signature.valid + level: extended + name: valid normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.entry_leader.pid: - dashed_name: process-entry-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.pid - format: string - level: core - name: pid + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.entry_leader.command_line: + dashed_name: process-entry-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.command_line + level: extended + multi_fields: + - flat_name: process.entry_leader.command_line.text + name: text + type: match_only_text + name: command_line normalize: [] original_fieldset: process - short: Process id. - type: long -process.entry_leader.real_group.id: - dashed_name: process-entry-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_group.id + short: Full command line that started the process. + type: wildcard +process.entry_leader.elf.architecture: + dashed_name: process-entry-leader-elf-architecture + description: Machine architecture of the ELF file. 
+ example: x86-64 + flat_name: process.entry_leader.elf.architecture ignore_above: 1024 level: extended - name: id + name: architecture normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: elf + short: Machine architecture of the ELF file. type: keyword -process.entry_leader.real_group.name: - dashed_name: process-entry-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.real_group.name +process.entry_leader.elf.byte_order: + dashed_name: process-entry-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.entry_leader.elf.byte_order ignore_above: 1024 level: extended - name: name + name: byte_order normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: elf + short: Byte sequence of ELF file. type: keyword -process.entry_leader.real_user.id: - dashed_name: process-entry-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.real_user.id +process.entry_leader.elf.cpu_type: + dashed_name: process-entry-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.entry_leader.elf.cpu_type ignore_above: 1024 - level: core - name: id + level: extended + name: cpu_type normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: elf + short: CPU type of the ELF file. type: keyword -process.entry_leader.real_user.name: +process.entry_leader.elf.creation_date: + dashed_name: process-entry-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. 
+ flat_name: process.entry_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.entry_leader.elf.exports: + dashed_name: process-entry-leader-elf-exports + description: List of exported element names and types. + flat_name: process.entry_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.entry_leader.elf.go_import_hash: + dashed_name: process-entry-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.entry_leader.elf.go_imports: + dashed_name: process-entry-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.entry_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.elf.go_stripped: + dashed_name: process-entry-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.elf.header.abi_version: + dashed_name: process-entry-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.entry_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.entry_leader.elf.header.class: + dashed_name: process-entry-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.entry_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. 
+ type: keyword +process.entry_leader.elf.header.data: + dashed_name: process-entry-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.entry_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.entry_leader.elf.header.entrypoint: + dashed_name: process-entry-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.entry_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.entry_leader.elf.header.object_version: + dashed_name: process-entry-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.entry_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.entry_leader.elf.header.os_abi: + dashed_name: process-entry-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.entry_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.entry_leader.elf.header.type: + dashed_name: process-entry-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.entry_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.entry_leader.elf.header.version: + dashed_name: process-entry-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.entry_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.entry_leader.elf.import_hash: + dashed_name: process-entry-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.entry_leader.elf.imports: + dashed_name: process-entry-leader-elf-imports + description: List of imported element names and types. + flat_name: process.entry_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.entry_leader.elf.imports_names_entropy: + dashed_name: process-entry-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.entry_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.elf.sections: + dashed_name: process-entry-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.entry_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.entry_leader.elf.sections.chi2: + dashed_name: process-entry-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.entry_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.entry_leader.elf.sections.entropy: + dashed_name: process-entry-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.elf.sections.flags: + dashed_name: process-entry-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.entry_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. 
+ type: keyword +process.entry_leader.elf.sections.name: + dashed_name: process-entry-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.entry_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.entry_leader.elf.sections.physical_offset: + dashed_name: process-entry-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.entry_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.entry_leader.elf.sections.physical_size: + dashed_name: process-entry-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.entry_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.entry_leader.elf.sections.type: + dashed_name: process-entry-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.entry_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.entry_leader.elf.sections.var_entropy: + dashed_name: process-entry-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.entry_leader.elf.sections.virtual_address: + dashed_name: process-entry-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.entry_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.entry_leader.elf.sections.virtual_size: + dashed_name: process-entry-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.entry_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.entry_leader.elf.segments: + dashed_name: process-entry-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.entry_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.entry_leader.elf.segments.sections: + dashed_name: process-entry-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.entry_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.entry_leader.elf.segments.type: + dashed_name: process-entry-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.entry_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword +process.entry_leader.elf.shared_libraries: + dashed_name: process-entry-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.entry_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.entry_leader.elf.telfhash: + dashed_name: process-entry-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.entry_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.entry_leader.end: + dashed_name: process-entry-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.entry_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.entry_leader.entity_id: + dashed_name: process-entry-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.entry_leader.entry_meta.source.address: + dashed_name: process-entry-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.entry_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.entry_leader.entry_meta.source.as.number: + dashed_name: process-entry-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.entry_leader.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.entry_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.entry_leader.entry_meta.source.bytes: + dashed_name: process-entry-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.entry_leader.entry_meta.source.domain: + dashed_name: process-entry-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.entry_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.entry_leader.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.entry_leader.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. 
+ example: NA + flat_name: process.entry_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.entry_leader.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.entry_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.entry_leader.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.entry_leader.entry_meta.source.geo.location: + dashed_name: process-entry-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point +process.entry_leader.entry_meta.source.geo.name: + dashed_name: process-entry-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.entry_leader.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.entry_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.entry_leader.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword +process.entry_leader.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.entry_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.entry_leader.entry_meta.source.mac: + dashed_name: process-entry-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.entry_leader.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.entry_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.entry_leader.entry_meta.source.nat.port: + dashed_name: process-entry-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.entry_leader.entry_meta.source.packets: + dashed_name: process-entry-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.entry_leader.entry_meta.source.port: + dashed_name: process-entry-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.entry_leader.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.entry_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.entry_leader.entry_meta.source.subdomain: + dashed_name: process-entry-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.entry_leader.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + flat_name: process.entry_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.entry_leader.entry_meta.type: + dashed_name: process-entry-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.entry_leader.env_vars: + dashed_name: process-entry-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.entry_leader.executable: + dashed_name: process-entry-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword +process.entry_leader.exit_code: + dashed_name: process-entry-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.entry_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.entry_leader.group.domain: + dashed_name: process-entry-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.group.id: + dashed_name: process-entry-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.group.name: + dashed_name: process-entry-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.entry_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.entry_leader.hash.md5: + dashed_name: process-entry-leader-hash-md5 + description: MD5 hash. + flat_name: process.entry_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.entry_leader.hash.sha1: + dashed_name: process-entry-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.entry_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.entry_leader.hash.sha256: + dashed_name: process-entry-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.entry_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.entry_leader.hash.sha384: + dashed_name: process-entry-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.entry_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.entry_leader.hash.sha512: + dashed_name: process-entry-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.entry_leader.hash.ssdeep: + dashed_name: process-entry-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.entry_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. 
+ type: keyword +process.entry_leader.hash.tlsh: + dashed_name: process-entry-leader-hash-tlsh + description: TLSH hash. + flat_name: process.entry_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.entry_leader.interactive: + dashed_name: process-entry-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.entry_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.entry_leader.io: + dashed_name: process-entry-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.entry_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.entry_leader.io.bytes_skipped: + dashed_name: process-entry-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. 
+ flat_name: process.entry_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.entry_leader.io.bytes_skipped.length: + dashed_name: process-entry-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.entry_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.entry_leader.io.bytes_skipped.offset: + dashed_name: process-entry-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.entry_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.entry_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.entry_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.entry_leader.io.text: + dashed_name: process-entry-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. 
TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.entry_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.entry_leader.io.total_bytes_captured: + dashed_name: process-entry-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.entry_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.entry_leader.io.total_bytes_skipped: + dashed_name: process-entry-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.entry_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.entry_leader.io.type: + dashed_name: process-entry-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.entry_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. 
+ type: keyword +process.entry_leader.macho.go_import_hash: + dashed_name: process-entry-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.entry_leader.macho.go_imports: + dashed_name: process-entry-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.entry_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.macho.go_stripped: + dashed_name: process-entry-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.macho.import_hash: + dashed_name: process-entry-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.entry_leader.macho.imports: + dashed_name: process-entry-leader-macho-imports + description: List of imported element names and types. + flat_name: process.entry_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.entry_leader.macho.imports_names_entropy: + dashed_name: process-entry-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.entry_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.macho.sections: + dashed_name: process-entry-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.entry_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.entry_leader.macho.sections.entropy: + dashed_name: process-entry-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.macho.sections.name: + dashed_name: process-entry-leader-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.entry_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.entry_leader.macho.sections.physical_size: + dashed_name: process-entry-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.entry_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.entry_leader.macho.sections.var_entropy: + dashed_name: process-entry-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.macho.sections.virtual_size: + dashed_name: process-entry-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.entry_leader.macho.symhash: + dashed_name: process-entry-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.entry_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.entry_leader.name: + dashed_name: process-entry-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.entry_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.entry_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.entry_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.entry_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.entry_leader.parent.args: + dashed_name: process-entry-leader-parent-args + description: 'Array of process arguments, starting with the absolute path to the + executable. 
+ + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.entry_leader.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.entry_leader.parent.args_count: + dashed_name: process-entry-leader-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.entry_leader.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.entry_leader.parent.attested_groups.domain: + dashed_name: process-entry-leader-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.attested_groups.id: + dashed_name: process-entry-leader-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.attested_groups.name: + dashed_name: process-entry-leader-parent-attested-groups-name + description: Name of the group. 
+ flat_name: process.entry_leader.parent.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.attested_user.domain: + dashed_name: process-entry-leader-parent-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.attested_user.email: + dashed_name: process-entry-leader-parent-attested-user-email + description: User email address. + flat_name: process.entry_leader.parent.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.attested_user.full_name: + dashed_name: process-entry-leader-parent-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.attested_user.group.domain: + dashed_name: process-entry-leader-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.attested_user.group.id: + dashed_name: process-entry-leader-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.attested_user.group.name: + dashed_name: process-entry-leader-parent-attested-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.attested_user.hash: + dashed_name: process-entry-leader-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.attested_user.id: + dashed_name: process-entry-leader-parent-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword +process.entry_leader.parent.attested_user.name: + dashed_name: process-entry-leader-parent-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.entry_leader.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.attested_user.risk.static_level: + dashed_name: process-entry-leader-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.attested_user.risk.static_score: + dashed_name: process-entry-leader-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.entry_leader.parent.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.attested_user.roles: + dashed_name: process-entry-leader-parent-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.code_signature.digest_algorithm: + dashed_name: process-entry-leader-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.entry_leader.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.entry_leader.parent.code_signature.exists: + dashed_name: process-entry-leader-parent-code-signature-exists + description: Boolean to capture if a signature is present. 
+ example: 'true' + flat_name: process.entry_leader.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.entry_leader.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.entry_leader.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.entry_leader.parent.code_signature.signing_id: + dashed_name: process-entry-leader-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.entry_leader.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.entry_leader.parent.code_signature.status: + dashed_name: process-entry-leader-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword +process.entry_leader.parent.code_signature.subject_name: + dashed_name: process-entry-leader-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.entry_leader.parent.code_signature.team_id: + dashed_name: process-entry-leader-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.entry_leader.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.entry_leader.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.entry_leader.parent.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.entry_leader.parent.code_signature.timestamp: + dashed_name: process-entry-leader-parent-code-signature-timestamp + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + flat_name: process.entry_leader.parent.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.entry_leader.parent.code_signature.trusted: + dashed_name: process-entry-leader-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.entry_leader.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.entry_leader.parent.code_signature.valid: + dashed_name: process-entry-leader-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.entry_leader.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.entry_leader.parent.command_line: + dashed_name: process-entry-leader-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.parent.command_line + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.entry_leader.parent.elf.architecture: + dashed_name: process-entry-leader-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.entry_leader.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.entry_leader.parent.elf.byte_order: + dashed_name: process-entry-leader-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.entry_leader.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.entry_leader.parent.elf.cpu_type: + dashed_name: process-entry-leader-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.entry_leader.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.entry_leader.parent.elf.creation_date: + dashed_name: process-entry-leader-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.entry_leader.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. 
+ type: date +process.entry_leader.parent.elf.exports: + dashed_name: process-entry-leader-parent-elf-exports + description: List of exported element names and types. + flat_name: process.entry_leader.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.entry_leader.parent.elf.go_import_hash: + dashed_name: process-entry-leader-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.entry_leader.parent.elf.go_imports: + dashed_name: process-entry-leader-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.parent.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.entry_leader.parent.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.elf.go_stripped: + dashed_name: process-entry-leader-parent-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.parent.elf.header.abi_version: + dashed_name: process-entry-leader-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.entry_leader.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.entry_leader.parent.elf.header.class: + dashed_name: process-entry-leader-parent-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.entry_leader.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.entry_leader.parent.elf.header.data: + dashed_name: process-entry-leader-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.entry_leader.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.entry_leader.parent.elf.header.entrypoint: + dashed_name: process-entry-leader-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.entry_leader.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.entry_leader.parent.elf.header.object_version: + dashed_name: process-entry-leader-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.entry_leader.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.entry_leader.parent.elf.header.os_abi: + dashed_name: process-entry-leader-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.entry_leader.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.entry_leader.parent.elf.header.type: + dashed_name: process-entry-leader-parent-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.entry_leader.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.entry_leader.parent.elf.header.version: + dashed_name: process-entry-leader-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.entry_leader.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.entry_leader.parent.elf.import_hash: + dashed_name: process-entry-leader-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.entry_leader.parent.elf.imports: + dashed_name: process-entry-leader-parent-elf-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.entry_leader.parent.elf.imports_names_entropy: + dashed_name: process-entry-leader-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.entry_leader.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.parent.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.parent.elf.sections: + dashed_name: process-entry-leader-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.entry_leader.parent.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.entry_leader.parent.elf.sections.chi2: + dashed_name: process-entry-leader-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.entry_leader.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.entry_leader.parent.elf.sections.entropy: + dashed_name: process-entry-leader-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.entry_leader.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.elf.sections.flags: + dashed_name: process-entry-leader-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.entry_leader.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.entry_leader.parent.elf.sections.name: + dashed_name: process-entry-leader-parent-elf-sections-name + description: ELF Section List name. + flat_name: process.entry_leader.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.entry_leader.parent.elf.sections.physical_offset: + dashed_name: process-entry-leader-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.entry_leader.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.entry_leader.parent.elf.sections.physical_size: + dashed_name: process-entry-leader-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.entry_leader.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.entry_leader.parent.elf.sections.type: + dashed_name: process-entry-leader-parent-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.entry_leader.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.entry_leader.parent.elf.sections.var_entropy: + dashed_name: process-entry-leader-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.elf.sections.virtual_address: + dashed_name: process-entry-leader-parent-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.entry_leader.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.entry_leader.parent.elf.sections.virtual_size: + dashed_name: process-entry-leader-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.entry_leader.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.entry_leader.parent.elf.segments: + dashed_name: process-entry-leader-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.entry_leader.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. 
+ type: nested +process.entry_leader.parent.elf.segments.sections: + dashed_name: process-entry-leader-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.entry_leader.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.entry_leader.parent.elf.segments.type: + dashed_name: process-entry-leader-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.entry_leader.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.entry_leader.parent.elf.shared_libraries: + dashed_name: process-entry-leader-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.entry_leader.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.entry_leader.parent.elf.telfhash: + dashed_name: process-entry-leader-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.entry_leader.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.entry_leader.parent.end: + dashed_name: process-entry-leader-parent-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.entry_leader.parent.endpoint_security_client: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.entry_leader.parent.entity_id: + dashed_name: process-entry-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.entry_leader.parent.entry_meta.source.address: + dashed_name: process-entry-leader-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.entry_leader.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. 
+ type: keyword +process.entry_leader.parent.entry_meta.source.as.number: + dashed_name: process-entry-leader-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.entry_leader.parent.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.entry_leader.parent.entry_meta.source.bytes: + dashed_name: process-entry-leader-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.entry_leader.parent.entry_meta.source.domain: + dashed_name: process-entry-leader-parent-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' 
+ example: foo.example.com + flat_name: process.entry_leader.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. 
+ type: keyword +process.entry_leader.parent.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.location: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.entry_leader.parent.entry_meta.source.geo.name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' 
+ example: 94040 + flat_name: process.entry_leader.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_leader.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.entry_leader.parent.entry_meta.source.ip: + dashed_name: process-entry-leader-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip +process.entry_leader.parent.entry_meta.source.mac: + dashed_name: process-entry-leader-parent-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.entry_leader.parent.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.entry_leader.parent.entry_meta.source.nat.port: + dashed_name: process-entry-leader-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.entry_leader.parent.entry_meta.source.packets: + dashed_name: process-entry-leader-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. 
+ example: 12 + flat_name: process.entry_leader.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.entry_leader.parent.entry_meta.source.port: + dashed_name: process-entry-leader-parent-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.entry_leader.parent.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_leader.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.entry_leader.parent.entry_meta.source.subdomain: + dashed_name: process-entry-leader-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.entry_leader.parent.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_leader.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.entry_leader.parent.entry_meta.type: + dashed_name: process-entry-leader-parent-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.entry_leader.parent.env_vars: + dashed_name: process-entry-leader-parent-env-vars + description: 'Array of environment variable bindings. 
Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.executable: + dashed_name: process-entry-leader-parent-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.parent.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.entry_leader.parent.exit_code: + dashed_name: process-entry-leader-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.entry_leader.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.entry_leader.parent.group.domain: + dashed_name: process-entry-leader-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.entry_leader.parent.group.id: + dashed_name: process-entry-leader-parent-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.group.name: + dashed_name: process-entry-leader-parent-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.entry_leader.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.entry_leader.parent.hash.md5: + dashed_name: process-entry-leader-parent-hash-md5 + description: MD5 hash. + flat_name: process.entry_leader.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.entry_leader.parent.hash.sha1: + dashed_name: process-entry-leader-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.entry_leader.parent.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.entry_leader.parent.hash.sha256: + dashed_name: process-entry-leader-parent-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.entry_leader.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.entry_leader.parent.hash.sha384: + dashed_name: process-entry-leader-parent-hash-sha384 + description: SHA384 hash. + flat_name: process.entry_leader.parent.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.entry_leader.parent.hash.sha512: + dashed_name: process-entry-leader-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.entry_leader.parent.hash.ssdeep: + dashed_name: process-entry-leader-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.entry_leader.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.entry_leader.parent.hash.tlsh: + dashed_name: process-entry-leader-parent-hash-tlsh + description: TLSH hash. + flat_name: process.entry_leader.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.entry_leader.parent.interactive: + dashed_name: process-entry-leader-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.entry_leader.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.entry_leader.parent.io: + dashed_name: process-entry-leader-parent-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.entry_leader.parent.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.entry_leader.parent.io.bytes_skipped: + dashed_name: process-entry-leader-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.entry_leader.parent.io.bytes_skipped.length: + dashed_name: process-entry-leader-parent-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long +process.entry_leader.parent.io.bytes_skipped.offset: + dashed_name: process-entry-leader-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.entry_leader.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.entry_leader.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.entry_leader.parent.io.text: + dashed_name: process-entry-leader-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.entry_leader.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard +process.entry_leader.parent.io.total_bytes_captured: + dashed_name: process-entry-leader-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.entry_leader.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.entry_leader.parent.io.total_bytes_skipped: + dashed_name: process-entry-leader-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.entry_leader.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.entry_leader.parent.io.type: + dashed_name: process-entry-leader-parent-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.entry_leader.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.entry_leader.parent.macho.go_import_hash: + dashed_name: process-entry-leader-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.entry_leader.parent.macho.go_imports: + dashed_name: process-entry-leader-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.parent.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.entry_leader.parent.macho.go_stripped: + dashed_name: process-entry-leader-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.parent.macho.import_hash: + dashed_name: process-entry-leader-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.entry_leader.parent.macho.imports: + dashed_name: process-entry-leader-parent-macho-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.entry_leader.parent.macho.imports_names_entropy: + dashed_name: process-entry-leader-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.entry_leader.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.parent.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.parent.macho.sections: + dashed_name: process-entry-leader-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.entry_leader.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.entry_leader.parent.macho.sections.entropy: + dashed_name: process-entry-leader-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.macho.sections.name: + dashed_name: process-entry-leader-parent-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.entry_leader.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.entry_leader.parent.macho.sections.physical_size: + dashed_name: process-entry-leader-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.entry_leader.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.entry_leader.parent.macho.sections.var_entropy: + dashed_name: process-entry-leader-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.macho.sections.virtual_size: + dashed_name: process-entry-leader-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.entry_leader.parent.macho.symhash: + dashed_name: process-entry-leader-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.entry_leader.parent.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.entry_leader.parent.name: + dashed_name: process-entry-leader-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.entry_leader.parent.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.entry_leader.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.entry_leader.parent.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.entry_leader.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.parent.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword +process.entry_leader.parent.pe.architecture: + dashed_name: process-entry-leader-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.entry_leader.parent.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.entry_leader.parent.pe.company: + dashed_name: process-entry-leader-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.entry_leader.parent.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.pe.description: + dashed_name: process-entry-leader-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.entry_leader.parent.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.pe.file_version: + dashed_name: process-entry-leader-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.entry_leader.parent.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.entry_leader.parent.pe.go_import_hash: + dashed_name: process-entry-leader-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.entry_leader.parent.pe.go_imports: + dashed_name: process-entry-leader-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.parent.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.entry_leader.parent.pe.go_stripped: + dashed_name: process-entry-leader-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.parent.pe.imphash: + dashed_name: process-entry-leader-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.entry_leader.parent.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.entry_leader.parent.pe.import_hash: + dashed_name: process-entry-leader-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.entry_leader.parent.pe.imports: + dashed_name: process-entry-leader-parent-pe-imports + description: List of imported element names and types. 
+ flat_name: process.entry_leader.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.entry_leader.parent.pe.imports_names_entropy: + dashed_name: process-entry-leader-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.parent.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.parent.pe.original_file_name: + dashed_name: process-entry-leader-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.entry_leader.parent.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.pe.pehash: + dashed_name: process-entry-leader-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. 
+ + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.entry_leader.parent.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.entry_leader.parent.pe.product: + dashed_name: process-entry-leader-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.entry_leader.parent.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.pe.sections: + dashed_name: process-entry-leader-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.entry_leader.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.entry_leader.parent.pe.sections.entropy: + dashed_name: process-entry-leader-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.pe.sections.name: + dashed_name: process-entry-leader-parent-pe-sections-name + description: PE Section List name. 
+ flat_name: process.entry_leader.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.entry_leader.parent.pe.sections.physical_size: + dashed_name: process-entry-leader-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.entry_leader.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.entry_leader.parent.pe.sections.var_entropy: + dashed_name: process-entry-leader-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.pe.sections.virtual_size: + dashed_name: process-entry-leader-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.entry_leader.parent.pid: + dashed_name: process-entry-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.entry_leader.parent.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.entry_leader.parent.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.entry_leader.parent.real_group.domain: + dashed_name: process-entry-leader-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.real_group.id: + dashed_name: process-entry-leader-parent-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.real_group.name: + dashed_name: process-entry-leader-parent-real-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.real_user.domain: + dashed_name: process-entry-leader-parent-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.real_user.email: + dashed_name: process-entry-leader-parent-real-user-email + description: User email address. + flat_name: process.entry_leader.parent.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.real_user.full_name: + dashed_name: process-entry-leader-parent-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.real_user.group.domain: + dashed_name: process-entry-leader-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.real_user.group.id: + dashed_name: process-entry-leader-parent-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.entry_leader.parent.real_user.group.name: + dashed_name: process-entry-leader-parent-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.real_user.hash: + dashed_name: process-entry-leader-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.real_user.id: + dashed_name: process-entry-leader-parent-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.real_user.name: + dashed_name: process-entry-leader-parent-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.entry_leader.parent.real_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.real_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.parent.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.entry_leader.parent.real_user.risk.static_level: + dashed_name: process-entry-leader-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.real_user.risk.static_score: + dashed_name: process-entry-leader-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.parent.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.real_user.roles: + dashed_name: process-entry-leader-parent-real-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.same_as_process: + dashed_name: process-entry-leader-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.parent.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.entry_leader.parent.saved_group.domain: + dashed_name: process-entry-leader-parent-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.saved_group.id: + dashed_name: process-entry-leader-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.saved_group.name: + dashed_name: process-entry-leader-parent-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.saved_user.domain: + dashed_name: process-entry-leader-parent-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.saved_user.email: + dashed_name: process-entry-leader-parent-saved-user-email + description: User email address. + flat_name: process.entry_leader.parent.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.saved_user.full_name: + dashed_name: process-entry-leader-parent-saved-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.entry_leader.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.saved_user.group.domain: + dashed_name: process-entry-leader-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.saved_user.group.id: + dashed_name: process-entry-leader-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.saved_user.group.name: + dashed_name: process-entry-leader-parent-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.saved_user.hash: + dashed_name: process-entry-leader-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.entry_leader.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.saved_user.id: + dashed_name: process-entry-leader-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.saved_user.name: + dashed_name: process-entry-leader-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.entry_leader.parent.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.saved_user.risk.static_level: + dashed_name: process-entry-leader-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +process.entry_leader.parent.saved_user.risk.static_score: + dashed_name: process-entry-leader-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.parent.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.saved_user.roles: + dashed_name: process-entry-leader-parent-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.args: + dashed_name: process-entry-leader-parent-session-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.entry_leader.parent.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.entry_leader.parent.session_leader.args_count: + dashed_name: process-entry-leader-parent-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.entry_leader.parent.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.entry_leader.parent.session_leader.attested_groups.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.attested_groups.id: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.entry_leader.parent.session_leader.attested_groups.name: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.attested_user.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.session_leader.attested_user.email: + dashed_name: process-entry-leader-parent-session-leader-attested-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.session_leader.attested_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: keyword +process.entry_leader.parent.session_leader.attested_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.attested_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.attested_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.attested_user.hash: + dashed_name: process-entry-leader-parent-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.entry_leader.parent.session_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.session_leader.attested_user.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.session_leader.attested_user.name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.session_leader.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.entry_leader.parent.session_leader.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.session_leader.attested_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +process.entry_leader.parent.session_leader.attested_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.session_leader.attested_user.roles: + dashed_name: process-entry-leader-parent-session-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.code_signature.digest_algorithm: + dashed_name: process-entry-leader-parent-session-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.entry_leader.parent.session_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.entry_leader.parent.session_leader.code_signature.exists: + dashed_name: process-entry-leader-parent-session-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.entry_leader.parent.session_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.entry_leader.parent.session_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.entry_leader.parent.session_leader.code_signature.signing_id: + dashed_name: process-entry-leader-parent-session-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. 
The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.entry_leader.parent.session_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.entry_leader.parent.session_leader.code_signature.status: + dashed_name: process-entry-leader-parent-session-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.parent.session_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.entry_leader.parent.session_leader.code_signature.subject_name: + dashed_name: process-entry-leader-parent-session-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.parent.session_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.entry_leader.parent.session_leader.code_signature.team_id: + dashed_name: process-entry-leader-parent-session-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV + flat_name: process.entry_leader.parent.session_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.entry_leader.parent.session_leader.code_signature.timestamp: + dashed_name: process-entry-leader-parent-session-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.entry_leader.parent.session_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.entry_leader.parent.session_leader.code_signature.trusted: + dashed_name: process-entry-leader-parent-session-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' 
+ example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.entry_leader.parent.session_leader.code_signature.valid: + dashed_name: process-entry-leader-parent-session-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.entry_leader.parent.session_leader.command_line: + dashed_name: process-entry-leader-parent-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.parent.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.entry_leader.parent.session_leader.elf.architecture: + dashed_name: process-entry-leader-parent-session-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.entry_leader.parent.session_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. 
+ type: keyword +process.entry_leader.parent.session_leader.elf.byte_order: + dashed_name: process-entry-leader-parent-session-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.entry_leader.parent.session_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.cpu_type: + dashed_name: process-entry-leader-parent-session-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.entry_leader.parent.session_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.creation_date: + dashed_name: process-entry-leader-parent-session-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.entry_leader.parent.session_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.entry_leader.parent.session_leader.elf.exports: + dashed_name: process-entry-leader-parent-session-leader-elf-exports + description: List of exported element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.entry_leader.parent.session_leader.elf.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.go_imports: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.parent.session_leader.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.session_leader.elf.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.parent.session_leader.elf.header.abi_version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.entry_leader.parent.session_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.entry_leader.parent.session_leader.elf.header.class: + dashed_name: process-entry-leader-parent-session-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.header.data: + dashed_name: process-entry-leader-parent-session-leader-elf-header-data + description: Data table of the ELF header. 
+ flat_name: process.entry_leader.parent.session_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.entry_leader.parent.session_leader.elf.header.entrypoint: + dashed_name: process-entry-leader-parent-session-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.entry_leader.parent.session_leader.elf.header.object_version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.entry_leader.parent.session_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.entry_leader.parent.session_leader.elf.header.os_abi: + dashed_name: process-entry-leader-parent-session-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.entry_leader.parent.session_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.entry_leader.parent.session_leader.elf.header.type: + dashed_name: process-entry-leader-parent-session-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. 
+ type: keyword +process.entry_leader.parent.session_leader.elf.header.version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.entry_leader.parent.session_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.entry_leader.parent.session_leader.elf.import_hash: + dashed_name: process-entry-leader-parent-session-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.imports: + dashed_name: process-entry-leader-parent-session-leader-elf-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.entry_leader.parent.session_leader.elf.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.entry_leader.parent.session_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.parent.session_leader.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.parent.session_leader.elf.sections: + dashed_name: process-entry-leader-parent-session-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.entry_leader.parent.session_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.entry_leader.parent.session_leader.elf.sections.chi2: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.entry_leader.parent.session_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. 
+ type: long +process.entry_leader.parent.session_leader.elf.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.session_leader.elf.sections.flags: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.entry_leader.parent.session_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.entry_leader.parent.session_leader.elf.sections.name: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.entry_leader.parent.session_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.entry_leader.parent.session_leader.elf.sections.physical_offset: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.entry_leader.parent.session_leader.elf.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-size + description: ELF Section List physical size. 
+ flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.entry_leader.parent.session_leader.elf.sections.type: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.entry_leader.parent.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.entry_leader.parent.session_leader.elf.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.session_leader.elf.sections.virtual_address: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.entry_leader.parent.session_leader.elf.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. 
+ flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.entry_leader.parent.session_leader.elf.segments: + dashed_name: process-entry-leader-parent-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.entry_leader.parent.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.entry_leader.parent.session_leader.elf.segments.sections: + dashed_name: process-entry-leader-parent-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.entry_leader.parent.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.entry_leader.parent.session_leader.elf.segments.type: + dashed_name: process-entry-leader-parent-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.entry_leader.parent.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.entry_leader.parent.session_leader.elf.shared_libraries: + dashed_name: process-entry-leader-parent-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: process.entry_leader.parent.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.entry_leader.parent.session_leader.elf.telfhash: + dashed_name: process-entry-leader-parent-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.entry_leader.parent.session_leader.end: + dashed_name: process-entry-leader-parent-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.entry_leader.parent.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.parent.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.entry_leader.parent.session_leader.entity_id: + dashed_name: process-entry-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.address: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.as.number: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. 
+ type: long +process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.bytes: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.entry_leader.parent.session_leader.entry_meta.source.domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-city-name + description: City name. 
+ example: Montreal + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-name + description: Country name. 
+ example: Canada + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.location: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.entry_leader.parent.session_leader.entry_meta.source.geo.name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. 
+ type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip +process.entry_leader.parent.session_leader.entry_meta.source.mac: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.entry_leader.parent.session_leader.entry_meta.source.nat.port: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.entry_leader.parent.session_leader.entry_meta.source.packets: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.entry_leader.parent.session_leader.entry_meta.source.port: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.entry_leader.parent.session_leader.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. 
+ type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.subdomain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword +process.entry_leader.parent.session_leader.entry_meta.type: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.entry_leader.parent.session_leader.env_vars: + dashed_name: process-entry-leader-parent-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.parent.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.executable: + dashed_name: process-entry-leader-parent-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.parent.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword +process.entry_leader.parent.session_leader.exit_code: + dashed_name: process-entry-leader-parent-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.entry_leader.parent.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.entry_leader.parent.session_leader.group.domain: + dashed_name: process-entry-leader-parent-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.group.id: + dashed_name: process-entry-leader-parent-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.group.name: + dashed_name: process-entry-leader-parent-session-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.hash.cdhash: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.entry_leader.parent.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.entry_leader.parent.session_leader.hash.md5: + dashed_name: process-entry-leader-parent-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.entry_leader.parent.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.entry_leader.parent.session_leader.hash.sha1: + dashed_name: process-entry-leader-parent-session-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.entry_leader.parent.session_leader.hash.sha256: + dashed_name: process-entry-leader-parent-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.entry_leader.parent.session_leader.hash.sha384: + dashed_name: process-entry-leader-parent-session-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. 
+ type: keyword +process.entry_leader.parent.session_leader.hash.sha512: + dashed_name: process-entry-leader-parent-session-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.entry_leader.parent.session_leader.hash.ssdeep: + dashed_name: process-entry-leader-parent-session-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.entry_leader.parent.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.entry_leader.parent.session_leader.hash.tlsh: + dashed_name: process-entry-leader-parent-session-leader-hash-tlsh + description: TLSH hash. + flat_name: process.entry_leader.parent.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.entry_leader.parent.session_leader.interactive: + dashed_name: process-entry-leader-parent-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' 
+ example: true + flat_name: process.entry_leader.parent.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.entry_leader.parent.session_leader.io: + dashed_name: process-entry-leader-parent-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.entry_leader.parent.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.entry_leader.parent.session_leader.io.bytes_skipped: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.entry_leader.parent.session_leader.io.bytes_skipped.length: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.entry_leader.parent.session_leader.io.bytes_skipped.offset: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-parent-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.entry_leader.parent.session_leader.io.text: + dashed_name: process-entry-leader-parent-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.entry_leader.parent.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.entry_leader.parent.session_leader.io.total_bytes_captured: + dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. 
+ flat_name: process.entry_leader.parent.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.entry_leader.parent.session_leader.io.total_bytes_skipped: + dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.entry_leader.parent.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.entry_leader.parent.session_leader.io.type: + dashed_name: process-entry-leader-parent-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.entry_leader.parent.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.entry_leader.parent.session_leader.macho.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.entry_leader.parent.session_leader.macho.go_imports: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.parent.session_leader.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.entry_leader.parent.session_leader.macho.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.parent.session_leader.macho.import_hash: + dashed_name: process-entry-leader-parent-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.entry_leader.parent.session_leader.macho.imports: + dashed_name: process-entry-leader-parent-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.entry_leader.parent.session_leader.macho.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.entry_leader.parent.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.parent.session_leader.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.parent.session_leader.macho.sections: + dashed_name: process-entry-leader-parent-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.entry_leader.parent.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.entry_leader.parent.session_leader.macho.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. 
+ type: long +process.entry_leader.parent.session_leader.macho.sections.name: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.entry_leader.parent.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.entry_leader.parent.session_leader.macho.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.entry_leader.parent.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.entry_leader.parent.session_leader.macho.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.session_leader.macho.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ type: long +process.entry_leader.parent.session_leader.macho.symhash: + dashed_name: process-entry-leader-parent-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.entry_leader.parent.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.entry_leader.parent.session_leader.name: + dashed_name: process-entry-leader-parent-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.entry_leader.parent.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.entry_leader.parent.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.entry_leader.parent.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.entry_leader.parent.session_leader.origin_url: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.parent.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.entry_leader.parent.session_leader.pe.architecture: + dashed_name: process-entry-leader-parent-session-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.entry_leader.parent.session_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.entry_leader.parent.session_leader.pe.company: + dashed_name: process-entry-leader-parent-session-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.entry_leader.parent.session_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.session_leader.pe.description: + dashed_name: process-entry-leader-parent-session-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.entry_leader.parent.session_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
+ type: keyword +process.entry_leader.parent.session_leader.pe.file_version: + dashed_name: process-entry-leader-parent-session-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.entry_leader.parent.session_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.entry_leader.parent.session_leader.pe.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.entry_leader.parent.session_leader.pe.go_imports: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.parent.session_leader.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.session_leader.pe.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.parent.session_leader.pe.imphash: + dashed_name: process-entry-leader-parent-session-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
+ example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.entry_leader.parent.session_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.entry_leader.parent.session_leader.pe.import_hash: + dashed_name: process-entry-leader-parent-session-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.entry_leader.parent.session_leader.pe.imports: + dashed_name: process-entry-leader-parent-session-leader-pe-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.entry_leader.parent.session_leader.pe.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. 
+ type: long +process.entry_leader.parent.session_leader.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.parent.session_leader.pe.original_file_name: + dashed_name: process-entry-leader-parent-session-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.entry_leader.parent.session_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.session_leader.pe.pehash: + dashed_name: process-entry-leader-parent-session-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.entry_leader.parent.session_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. 
+ type: keyword +process.entry_leader.parent.session_leader.pe.product: + dashed_name: process-entry-leader-parent-session-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.entry_leader.parent.session_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.session_leader.pe.sections: + dashed_name: process-entry-leader-parent-session-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.entry_leader.parent.session_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.entry_leader.parent.session_leader.pe.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.session_leader.pe.sections.name: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-name + description: PE Section List name. + flat_name: process.entry_leader.parent.session_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword +process.entry_leader.parent.session_leader.pe.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.entry_leader.parent.session_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.entry_leader.parent.session_leader.pe.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.session_leader.pe.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.session_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.entry_leader.parent.session_leader.pid: + dashed_name: process-entry-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.entry_leader.parent.session_leader.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.entry_leader.parent.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.entry_leader.parent.session_leader.real_group.domain: + dashed_name: process-entry-leader-parent-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.real_group.id: + dashed_name: process-entry-leader-parent-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.real_group.name: + dashed_name: process-entry-leader-parent-session-leader-real-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.entry_leader.parent.session_leader.real_user.domain: + dashed_name: process-entry-leader-parent-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.session_leader.real_user.email: + dashed_name: process-entry-leader-parent-session-leader-real-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.session_leader.real_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.session_leader.real_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.entry_leader.parent.session_leader.real_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.real_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.real_user.hash: + dashed_name: process-entry-leader-parent-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.session_leader.real_user.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword +process.entry_leader.parent.session_leader.real_user.name: + dashed_name: process-entry-leader-parent-session-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.session_leader.real_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.session_leader.real_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.session_leader.real_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.session_leader.real_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.entry_leader.parent.session_leader.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.session_leader.real_user.roles: + dashed_name: process-entry-leader-parent-session-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.same_as_process: + dashed_name: process-entry-leader-parent-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. 
e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.parent.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.entry_leader.parent.session_leader.saved_group.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.saved_group.id: + dashed_name: process-entry-leader-parent-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.saved_group.name: + dashed_name: process-entry-leader-parent-session-leader-saved-group-name + description: Name of the group. 
+ flat_name: process.entry_leader.parent.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.saved_user.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.session_leader.saved_user.email: + dashed_name: process-entry-leader-parent-session-leader-saved-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.session_leader.saved_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.session_leader.saved_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.saved_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.saved_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.saved_user.hash: + dashed_name: process-entry-leader-parent-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.session_leader.saved_user.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.session_leader.saved_user.name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.session_leader.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.session_leader.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.session_leader.saved_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.session_leader.saved_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.session_leader.saved_user.roles: + dashed_name: process-entry-leader-parent-session-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.start: + dashed_name: process-entry-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. 
+ type: date +process.entry_leader.parent.session_leader.supplemental_groups.domain: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.supplemental_groups.id: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.supplemental_groups.name: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.thread.capabilities.effective: + dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.session_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.thread.capabilities.permitted: + dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.session_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.thread.id: + dashed_name: process-entry-leader-parent-session-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.entry_leader.parent.session_leader.thread.name: + dashed_name: process-entry-leader-parent-session-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.entry_leader.parent.session_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.entry_leader.parent.session_leader.title: + dashed_name: process-entry-leader-parent-session-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. 
Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.entry_leader.parent.session_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.entry_leader.parent.session_leader.tty: + dashed_name: process-entry-leader-parent-session-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.entry_leader.parent.session_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.entry_leader.parent.session_leader.tty.char_device.major: + dashed_name: process-entry-leader-parent-session-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.parent.session_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.entry_leader.parent.session_leader.tty.char_device.minor: + dashed_name: process-entry-leader-parent-session-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. 
It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.parent.session_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.entry_leader.parent.session_leader.tty.columns: + dashed_name: process-entry-leader-parent-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.parent.session_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.entry_leader.parent.session_leader.tty.rows: + dashed_name: process-entry-leader-parent-session-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.parent.session_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.entry_leader.parent.session_leader.uptime: + dashed_name: process-entry-leader-parent-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.entry_leader.parent.session_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. 
+ type: long +process.entry_leader.parent.session_leader.user.domain: + dashed_name: process-entry-leader-parent-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.session_leader.user.email: + dashed_name: process-entry-leader-parent-session-leader-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.session_leader.user.full_name: + dashed_name: process-entry-leader-parent-session-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.session_leader.user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.entry_leader.parent.session_leader.user.group.id: + dashed_name: process-entry-leader-parent-session-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.user.group.name: + dashed_name: process-entry-leader-parent-session-leader-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.user.hash: + dashed_name: process-entry-leader-parent-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.session_leader.user.id: + dashed_name: process-entry-leader-parent-session-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword +process.entry_leader.parent.session_leader.user.name: + dashed_name: process-entry-leader-parent-session-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.session_leader.user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.session_leader.user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.entry_leader.parent.session_leader.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.session_leader.user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.session_leader.user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.entry_leader.parent.session_leader.user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.session_leader.user.roles: + dashed_name: process-entry-leader-parent-session-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.vpid: + dashed_name: process-entry-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.entry_leader.parent.session_leader.working_directory: + dashed_name: process-entry-leader-parent-session-leader-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.entry_leader.parent.session_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.entry_leader.parent.start: + dashed_name: process-entry-leader-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.entry_leader.parent.supplemental_groups.domain: + dashed_name: process-entry-leader-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.supplemental_groups.id: + dashed_name: process-entry-leader-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.supplemental_groups.name: + dashed_name: process-entry-leader-parent-supplemental-groups-name + description: Name of the group. 
+ flat_name: process.entry_leader.parent.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.thread.capabilities.effective: + dashed_name: process-entry-leader-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.thread.capabilities.permitted: + dashed_name: process-entry-leader-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.thread.id: + dashed_name: process-entry-leader-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.parent.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.entry_leader.parent.thread.name: + dashed_name: process-entry-leader-parent-thread-name + description: Thread name. 
+ example: thread-0 + flat_name: process.entry_leader.parent.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.entry_leader.parent.title: + dashed_name: process-entry-leader-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.entry_leader.parent.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.entry_leader.parent.tty: + dashed_name: process-entry-leader-parent-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.entry_leader.parent.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.entry_leader.parent.tty.char_device.major: + dashed_name: process-entry-leader-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.parent.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. 
+ type: long +process.entry_leader.parent.tty.char_device.minor: + dashed_name: process-entry-leader-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.parent.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.entry_leader.parent.tty.columns: + dashed_name: process-entry-leader-parent-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.parent.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.entry_leader.parent.tty.rows: + dashed_name: process-entry-leader-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.parent.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.entry_leader.parent.uptime: + dashed_name: process-entry-leader-parent-uptime + description: Seconds the process has been up. 
+ example: 1325 + flat_name: process.entry_leader.parent.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.entry_leader.parent.user.domain: + dashed_name: process-entry-leader-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.user.email: + dashed_name: process-entry-leader-parent-user-email + description: User email address. + flat_name: process.entry_leader.parent.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.user.full_name: + dashed_name: process-entry-leader-parent-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.user.group.domain: + dashed_name: process-entry-leader-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.entry_leader.parent.user.group.id: + dashed_name: process-entry-leader-parent-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.user.group.name: + dashed_name: process-entry-leader-parent-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.user.hash: + dashed_name: process-entry-leader-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.user.id: + dashed_name: process-entry-leader-parent-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.user.name: + dashed_name: process-entry-leader-parent-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.entry_leader.parent.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.user.risk.calculated_level: + dashed_name: process-entry-leader-parent-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.user.risk.calculated_score: + dashed_name: process-entry-leader-parent-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.parent.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: process.entry_leader.parent.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.user.risk.static_level: + dashed_name: process-entry-leader-parent-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.user.risk.static_score: + dashed_name: process-entry-leader-parent-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.parent.user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float +process.entry_leader.parent.user.roles: + dashed_name: process-entry-leader-parent-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.vpid: + dashed_name: process-entry-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.entry_leader.parent.working_directory: + dashed_name: process-entry-leader-parent-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.entry_leader.parent.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.entry_leader.pe.architecture: + dashed_name: process-entry-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.entry_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. 
+ type: keyword +process.entry_leader.pe.company: + dashed_name: process-entry-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.entry_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.entry_leader.pe.description: + dashed_name: process-entry-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.entry_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.entry_leader.pe.file_version: + dashed_name: process-entry-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.entry_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.entry_leader.pe.go_import_hash: + dashed_name: process-entry-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.entry_leader.pe.go_imports: + dashed_name: process-entry-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.pe.go_stripped: + dashed_name: process-entry-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.entry_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.pe.imphash: + dashed_name: process-entry-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.entry_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.entry_leader.pe.import_hash: + dashed_name: process-entry-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.entry_leader.pe.imports: + dashed_name: process-entry-leader-pe-imports + description: List of imported element names and types. + flat_name: process.entry_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. 
+ type: flattened +process.entry_leader.pe.imports_names_entropy: + dashed_name: process-entry-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.pe.original_file_name: + dashed_name: process-entry-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.entry_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.entry_leader.pe.pehash: + dashed_name: process-entry-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.entry_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.entry_leader.pe.product: + dashed_name: process-entry-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.entry_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.entry_leader.pe.sections: + dashed_name: process-entry-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.entry_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.entry_leader.pe.sections.entropy: + dashed_name: process-entry-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.pe.sections.name: + dashed_name: process-entry-leader-pe-sections-name + description: PE Section List name. + flat_name: process.entry_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword +process.entry_leader.pe.sections.physical_size: + dashed_name: process-entry-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.entry_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.entry_leader.pe.sections.var_entropy: + dashed_name: process-entry-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.pe.sections.virtual_size: + dashed_name: process-entry-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.entry_leader.pid: + dashed_name: process-entry-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.entry_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. 
+ flat_name: process.entry_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.entry_leader.real_group.domain: + dashed_name: process-entry-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.real_group.id: + dashed_name: process-entry-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.real_group.name: + dashed_name: process-entry-leader-real-group-name + description: Name of the group. + flat_name: process.entry_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.real_user.domain: + dashed_name: process-entry-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.real_user.email: + dashed_name: process-entry-leader-real-user-email + description: User email address. 
+ flat_name: process.entry_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.real_user.full_name: + dashed_name: process-entry-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.real_user.group.domain: + dashed_name: process-entry-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.real_user.group.id: + dashed_name: process-entry-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.real_user.group.name: + dashed_name: process-entry-leader-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.entry_leader.real_user.hash: + dashed_name: process-entry-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.real_user.id: + dashed_name: process-entry-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.real_user.name: dashed_name: process-entry-leader-real-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.entry_leader.real_user.name + flat_name: process.entry_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.real_user.risk.calculated_level: + dashed_name: process-entry-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.entry_leader.real_user.risk.calculated_score: + dashed_name: process-entry-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.real_user.risk.static_level: + dashed_name: process-entry-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.real_user.risk.static_score: + dashed_name: process-entry-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.entry_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.real_user.roles: + dashed_name: process-entry-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.same_as_process: + dashed_name: process-entry-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. 
e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.entry_leader.saved_group.domain: + dashed_name: process-entry-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.saved_group.id: + dashed_name: process-entry-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.saved_group.name: + dashed_name: process-entry-leader-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.entry_leader.saved_user.domain: + dashed_name: process-entry-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.saved_user.email: + dashed_name: process-entry-leader-saved-user-email + description: User email address. + flat_name: process.entry_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.saved_user.full_name: + dashed_name: process-entry-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.saved_user.group.domain: + dashed_name: process-entry-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.saved_user.group.id: + dashed_name: process-entry-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.entry_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.saved_user.group.name: + dashed_name: process-entry-leader-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.saved_user.hash: + dashed_name: process-entry-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.saved_user.id: + dashed_name: process-entry-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.saved_user.name: + dashed_name: process-entry-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.entry_leader.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.saved_user.risk.static_level: + dashed_name: process-entry-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.entry_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.saved_user.risk.static_score: + dashed_name: process-entry-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.saved_user.roles: + dashed_name: process-entry-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.entry_leader.start: + dashed_name: process-entry-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.entry_leader.supplemental_groups.domain: + dashed_name: process-entry-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.supplemental_groups.id: + dashed_name: process-entry-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.supplemental_groups.name: + dashed_name: process-entry-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.thread.capabilities.effective: + dashed_name: process-entry-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.entry_leader.thread.capabilities.permitted: + dashed_name: process-entry-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.entry_leader.thread.id: + dashed_name: process-entry-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.entry_leader.thread.name: + dashed_name: process-entry-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.entry_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.entry_leader.title: + dashed_name: process-entry-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' 
+ flat_name: process.entry_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.entry_leader.tty: + dashed_name: process-entry-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.entry_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.entry_leader.tty.char_device.major: + dashed_name: process-entry-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.entry_leader.tty.char_device.minor: + dashed_name: process-entry-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. 
+ type: long +process.entry_leader.tty.columns: + dashed_name: process-entry-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.entry_leader.tty.rows: + dashed_name: process-entry-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.entry_leader.uptime: + dashed_name: process-entry-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.entry_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.entry_leader.user.domain: + dashed_name: process-entry-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.user.email: + dashed_name: process-entry-leader-user-email + description: User email address. 
+ flat_name: process.entry_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.user.full_name: + dashed_name: process-entry-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.user.group.domain: + dashed_name: process-entry-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.user.group.id: + dashed_name: process-entry-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.user.group.name: + dashed_name: process-entry-leader-user-group-name + description: Name of the group. + flat_name: process.entry_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.user.hash: + dashed_name: process-entry-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.user.id: + dashed_name: process-entry-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.user.name: + dashed_name: process-entry-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.user.risk.calculated_level: + dashed_name: process-entry-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.user.risk.calculated_score: + dashed_name: process-entry-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.entry_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.user.risk.static_level: + dashed_name: process-entry-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.user.risk.static_score: + dashed_name: process-entry-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.entry_leader.user.risk.static_score_norm: + dashed_name: process-entry-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.user.roles: + dashed_name: process-entry-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.entry_leader.working_directory: + dashed_name: process-entry-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.entry_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. 
+ type: keyword +process.entry_meta.source.address: + dashed_name: process-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.entry_meta.source.as.number: + dashed_name: process-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.entry_meta.source.as.organization.name: + dashed_name: process-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.entry_meta.source.bytes: + dashed_name: process-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. 
+ type: long +process.entry_meta.source.domain: + dashed_name: process-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.entry_meta.source.geo.city_name: + dashed_name: process-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.entry_meta.source.geo.continent_code: + dashed_name: process-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.entry_meta.source.geo.continent_name: + dashed_name: process-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. 
+ type: keyword +process.entry_meta.source.geo.country_name: + dashed_name: process-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.entry_meta.source.geo.location: + dashed_name: process-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.entry_meta.source.geo.name: + dashed_name: process-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.entry_meta.source.geo.postal_code: + dashed_name: process-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-meta-source-geo-region-iso-code + description: Region ISO code. 
+ example: CA-QC + flat_name: process.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.entry_meta.source.geo.region_name: + dashed_name: process-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.entry_meta.source.geo.timezone: + dashed_name: process-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.entry_meta.source.ip: + dashed_name: process-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.entry_meta.source.mac: + dashed_name: process-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. 
+ type: keyword +process.entry_meta.source.nat.ip: + dashed_name: process-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.entry_meta.source.nat.port: + dashed_name: process-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.entry_meta.source.packets: + dashed_name: process-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.entry_meta.source.port: + dashed_name: process-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.entry_meta.source.registered_domain: + dashed_name: process-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.entry_meta.source.subdomain: + dashed_name: process-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.entry_meta.source.top_level_domain: + dashed_name: process-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword +process.entry_meta.type: + dashed_name: process-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + short: The entry type for the entry session leader. + type: keyword +process.env_vars: + dashed_name: process-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.executable: + dashed_name: process-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + otel: + - attribute: process.executable.path + relation: equivalent + stability: development + short: Absolute path to the process executable. + type: keyword +process.exit_code: + dashed_name: process-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.exit_code + level: extended + name: exit_code + normalize: [] + short: The exit code of the process. + type: long +process.group.domain: + dashed_name: process-group-domain + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + flat_name: process.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.args: + dashed_name: process-group-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.group_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.group_leader.args_count: + dashed_name: process-group-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.group_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. 
+ type: long +process.group_leader.attested_groups.domain: + dashed_name: process-group-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.attested_groups.id: + dashed_name: process-group-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.attested_groups.name: + dashed_name: process-group-leader-attested-groups-name + description: Name of the group. + flat_name: process.group_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.attested_user.domain: + dashed_name: process-group-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.group_leader.attested_user.email: + dashed_name: process-group-leader-attested-user-email + description: User email address. + flat_name: process.group_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword +process.group_leader.attested_user.full_name: + dashed_name: process-group-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.group_leader.attested_user.group.domain: + dashed_name: process-group-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.attested_user.group.id: + dashed_name: process-group-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.attested_user.group.name: + dashed_name: process-group-leader-attested-user-group-name + description: Name of the group. + flat_name: process.group_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.attested_user.hash: + dashed_name: process-group-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.group_leader.attested_user.id: + dashed_name: process-group-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.group_leader.attested_user.name: + dashed_name: process-group-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.group_leader.attested_user.risk.calculated_level: + dashed_name: process-group-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.group_leader.attested_user.risk.calculated_score: + dashed_name: process-group-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.group_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-group-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.group_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.group_leader.attested_user.risk.static_level: + dashed_name: process-group-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +process.group_leader.attested_user.risk.static_score: + dashed_name: process-group-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.group_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.group_leader.attested_user.risk.static_score_norm: + dashed_name: process-group-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.group_leader.attested_user.roles: + dashed_name: process-group-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.group_leader.code_signature.digest_algorithm: + dashed_name: process-group-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' 
+ example: sha256 + flat_name: process.group_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.group_leader.code_signature.exists: + dashed_name: process-group-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.group_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.group_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.group_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.group_leader.code_signature.signing_id: + dashed_name: process-group-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.group_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.group_leader.code_signature.status: + dashed_name: process-group-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.group_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.group_leader.code_signature.subject_name: + dashed_name: process-group-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.group_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.group_leader.code_signature.team_id: + dashed_name: process-group-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.group_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.group_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.group_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. 
+ type: keyword +process.group_leader.code_signature.timestamp: + dashed_name: process-group-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.group_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.group_leader.code_signature.trusted: + dashed_name: process-group-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.group_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.group_leader.code_signature.valid: + dashed_name: process-group-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.group_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.group_leader.command_line: + dashed_name: process-group-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.group_leader.command_line + level: extended + multi_fields: + - flat_name: process.group_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.group_leader.elf.architecture: + dashed_name: process-group-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.group_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.group_leader.elf.byte_order: + dashed_name: process-group-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.group_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.group_leader.elf.cpu_type: + dashed_name: process-group-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.group_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.group_leader.elf.creation_date: + dashed_name: process-group-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.group_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.group_leader.elf.exports: + dashed_name: process-group-leader-elf-exports + description: List of exported element names and types. 
+ flat_name: process.group_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.group_leader.elf.go_import_hash: + dashed_name: process-group-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.group_leader.elf.go_imports: + dashed_name: process-group-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.group_leader.elf.go_imports_names_entropy: + dashed_name: process-group-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. 
+ type: long +process.group_leader.elf.go_imports_names_var_entropy: + dashed_name: process-group-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.elf.go_stripped: + dashed_name: process-group-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.group_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.group_leader.elf.header.abi_version: + dashed_name: process-group-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.group_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.group_leader.elf.header.class: + dashed_name: process-group-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.group_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.group_leader.elf.header.data: + dashed_name: process-group-leader-elf-header-data + description: Data table of the ELF header. 
+ flat_name: process.group_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.group_leader.elf.header.entrypoint: + dashed_name: process-group-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.group_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.group_leader.elf.header.object_version: + dashed_name: process-group-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.group_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.group_leader.elf.header.os_abi: + dashed_name: process-group-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.group_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.group_leader.elf.header.type: + dashed_name: process-group-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.group_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.group_leader.elf.header.version: + dashed_name: process-group-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.group_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.group_leader.elf.import_hash: + dashed_name: process-group-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.group_leader.elf.imports: + dashed_name: process-group-leader-elf-imports + description: List of imported element names and types. + flat_name: process.group_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.group_leader.elf.imports_names_entropy: + dashed_name: process-group-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.group_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.group_leader.elf.imports_names_var_entropy: + dashed_name: process-group-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.group_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.group_leader.elf.sections: + dashed_name: process-group-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.group_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.group_leader.elf.sections.chi2: + dashed_name: process-group-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.group_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.group_leader.elf.sections.entropy: + dashed_name: process-group-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.group_leader.elf.sections.flags: + dashed_name: process-group-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.group_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. 
+ type: keyword +process.group_leader.elf.sections.name: + dashed_name: process-group-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.group_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.group_leader.elf.sections.physical_offset: + dashed_name: process-group-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.group_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.group_leader.elf.sections.physical_size: + dashed_name: process-group-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.group_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.group_leader.elf.sections.type: + dashed_name: process-group-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.group_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.group_leader.elf.sections.var_entropy: + dashed_name: process-group-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.group_leader.elf.sections.virtual_address: + dashed_name: process-group-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.group_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.group_leader.elf.sections.virtual_size: + dashed_name: process-group-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.group_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.group_leader.elf.segments: + dashed_name: process-group-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.group_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.group_leader.elf.segments.sections: + dashed_name: process-group-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.group_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.group_leader.elf.segments.type: + dashed_name: process-group-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.group_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword +process.group_leader.elf.shared_libraries: + dashed_name: process-group-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.group_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.group_leader.elf.telfhash: + dashed_name: process-group-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.group_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.group_leader.end: + dashed_name: process-group-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.group_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.group_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.group_leader.entity_id: + dashed_name: process-group-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.group_leader.entry_meta.source.address: + dashed_name: process-group-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.group_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.group_leader.entry_meta.source.as.number: + dashed_name: process-group-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.group_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.group_leader.entry_meta.source.as.organization.name: + dashed_name: process-group-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.group_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.group_leader.entry_meta.source.bytes: + dashed_name: process-group-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.group_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.group_leader.entry_meta.source.domain: + dashed_name: process-group-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.group_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.group_leader.entry_meta.source.geo.city_name: + dashed_name: process-group-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.group_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.group_leader.entry_meta.source.geo.continent_code: + dashed_name: process-group-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. 
+ example: NA + flat_name: process.group_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.group_leader.entry_meta.source.geo.continent_name: + dashed_name: process-group-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.group_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.group_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-group-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.group_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.group_leader.entry_meta.source.geo.country_name: + dashed_name: process-group-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.group_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.group_leader.entry_meta.source.geo.location: + dashed_name: process-group-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.group_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point +process.group_leader.entry_meta.source.geo.name: + dashed_name: process-group-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.group_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.group_leader.entry_meta.source.geo.postal_code: + dashed_name: process-group-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.group_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.group_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-group-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.group_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.group_leader.entry_meta.source.geo.region_name: + dashed_name: process-group-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.group_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword +process.group_leader.entry_meta.source.geo.timezone: + dashed_name: process-group-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.group_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.group_leader.entry_meta.source.ip: + dashed_name: process-group-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.group_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.group_leader.entry_meta.source.mac: + dashed_name: process-group-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.group_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.group_leader.entry_meta.source.nat.ip: + dashed_name: process-group-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.group_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.group_leader.entry_meta.source.nat.port: + dashed_name: process-group-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.group_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.group_leader.entry_meta.source.packets: + dashed_name: process-group-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.group_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.group_leader.entry_meta.source.port: + dashed_name: process-group-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.group_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.group_leader.entry_meta.source.registered_domain: + dashed_name: process-group-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.group_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.group_leader.entry_meta.source.subdomain: + dashed_name: process-group-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.group_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.group_leader.entry_meta.source.top_level_domain: + dashed_name: process-group-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + flat_name: process.group_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.group_leader.entry_meta.type: + dashed_name: process-group-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.group_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.group_leader.env_vars: + dashed_name: process-group-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.group_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.group_leader.executable: + dashed_name: process-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.group_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword +process.group_leader.exit_code: + dashed_name: process-group-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.group_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.group_leader.group.domain: + dashed_name: process-group-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.group.id: + dashed_name: process-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.group.name: + dashed_name: process-group-leader-group-name + description: Name of the group. + flat_name: process.group_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.group_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.group_leader.hash.md5: + dashed_name: process-group-leader-hash-md5 + description: MD5 hash. + flat_name: process.group_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.group_leader.hash.sha1: + dashed_name: process-group-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.group_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.group_leader.hash.sha256: + dashed_name: process-group-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.group_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.group_leader.hash.sha384: + dashed_name: process-group-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.group_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.group_leader.hash.sha512: + dashed_name: process-group-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.group_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.group_leader.hash.ssdeep: + dashed_name: process-group-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.group_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. 
+ type: keyword +process.group_leader.hash.tlsh: + dashed_name: process-group-leader-hash-tlsh + description: TLSH hash. + flat_name: process.group_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.group_leader.interactive: + dashed_name: process-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.group_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.group_leader.io: + dashed_name: process-group-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.group_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.group_leader.io.bytes_skipped: + dashed_name: process-group-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. 
+ flat_name: process.group_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.group_leader.io.bytes_skipped.length: + dashed_name: process-group-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.group_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.group_leader.io.bytes_skipped.offset: + dashed_name: process-group-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.group_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.group_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-group-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.group_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.group_leader.io.text: + dashed_name: process-group-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. 
TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.group_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.group_leader.io.total_bytes_captured: + dashed_name: process-group-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.group_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.group_leader.io.total_bytes_skipped: + dashed_name: process-group-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.group_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.group_leader.io.type: + dashed_name: process-group-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.group_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. 
+ type: keyword +process.group_leader.macho.go_import_hash: + dashed_name: process-group-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.group_leader.macho.go_imports: + dashed_name: process-group-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.group_leader.macho.go_imports_names_entropy: + dashed_name: process-group-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.macho.go_imports_names_var_entropy: + dashed_name: process-group-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.group_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.macho.go_stripped: + dashed_name: process-group-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.group_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.group_leader.macho.import_hash: + dashed_name: process-group-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.group_leader.macho.imports: + dashed_name: process-group-leader-macho-imports + description: List of imported element names and types. + flat_name: process.group_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.group_leader.macho.imports_names_entropy: + dashed_name: process-group-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.group_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.group_leader.macho.imports_names_var_entropy: + dashed_name: process-group-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.group_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.group_leader.macho.sections: + dashed_name: process-group-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.group_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.group_leader.macho.sections.entropy: + dashed_name: process-group-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.group_leader.macho.sections.name: + dashed_name: process-group-leader-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.group_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.group_leader.macho.sections.physical_size: + dashed_name: process-group-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.group_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.group_leader.macho.sections.var_entropy: + dashed_name: process-group-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.group_leader.macho.sections.virtual_size: + dashed_name: process-group-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.group_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.group_leader.macho.symhash: + dashed_name: process-group-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.group_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.group_leader.name: + dashed_name: process-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.group_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.group_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.group_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.group_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.group_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.group_leader.pe.architecture: + dashed_name: process-group-leader-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: process.group_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.group_leader.pe.company: + dashed_name: process-group-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.group_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.group_leader.pe.description: + dashed_name: process-group-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.group_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.group_leader.pe.file_version: + dashed_name: process-group-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.group_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.group_leader.pe.go_import_hash: + dashed_name: process-group-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.group_leader.pe.go_imports: + dashed_name: process-group-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.group_leader.pe.go_imports_names_entropy: + dashed_name: process-group-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.pe.go_imports_names_var_entropy: + dashed_name: process-group-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.pe.go_stripped: + dashed_name: process-group-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.group_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.group_leader.pe.imphash: + dashed_name: process-group-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.group_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.group_leader.pe.import_hash: + dashed_name: process-group-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.group_leader.pe.imports: + dashed_name: process-group-leader-pe-imports + description: List of imported element names and types. + flat_name: process.group_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. 
+ type: flattened +process.group_leader.pe.imports_names_entropy: + dashed_name: process-group-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.group_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.group_leader.pe.imports_names_var_entropy: + dashed_name: process-group-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.group_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.group_leader.pe.original_file_name: + dashed_name: process-group-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.group_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.group_leader.pe.pehash: + dashed_name: process-group-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.group_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.group_leader.pe.product: + dashed_name: process-group-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.group_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.group_leader.pe.sections: + dashed_name: process-group-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.group_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.group_leader.pe.sections.entropy: + dashed_name: process-group-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.group_leader.pe.sections.name: + dashed_name: process-group-leader-pe-sections-name + description: PE Section List name. + flat_name: process.group_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword +process.group_leader.pe.sections.physical_size: + dashed_name: process-group-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.group_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.group_leader.pe.sections.var_entropy: + dashed_name: process-group-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.group_leader.pe.sections.virtual_size: + dashed_name: process-group-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.group_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.group_leader.pid: + dashed_name: process-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + otel: + - relation: match + stability: development + short: Process id. + type: long +process.group_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. 
+ flat_name: process.group_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.group_leader.real_group.domain: + dashed_name: process-group-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.real_group.id: + dashed_name: process-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.real_group.name: + dashed_name: process-group-leader-real-group-name + description: Name of the group. + flat_name: process.group_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.real_user.domain: + dashed_name: process-group-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.group_leader.real_user.email: + dashed_name: process-group-leader-real-user-email + description: User email address. 
+ flat_name: process.group_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.group_leader.real_user.full_name: + dashed_name: process-group-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.group_leader.real_user.group.domain: + dashed_name: process-group-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.real_user.group.id: + dashed_name: process-group-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.real_user.group.name: + dashed_name: process-group-leader-real-user-group-name + description: Name of the group. + flat_name: process.group_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.group_leader.real_user.hash: + dashed_name: process-group-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.group_leader.real_user.id: + dashed_name: process-group-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.group_leader.real_user.name: + dashed_name: process-group-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.group_leader.real_user.risk.calculated_level: + dashed_name: process-group-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.group_leader.real_user.risk.calculated_score: + dashed_name: process-group-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.group_leader.real_user.risk.calculated_score_norm: + dashed_name: process-group-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.group_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.group_leader.real_user.risk.static_level: + dashed_name: process-group-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.group_leader.real_user.risk.static_score: + dashed_name: process-group-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.group_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.group_leader.real_user.risk.static_score_norm: + dashed_name: process-group-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.group_leader.real_user.roles: + dashed_name: process-group-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.group_leader.same_as_process: + dashed_name: process-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. 
e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.group_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.group_leader.saved_group.domain: + dashed_name: process-group-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.saved_group.id: + dashed_name: process-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.saved_group.name: + dashed_name: process-group-leader-saved-group-name + description: Name of the group. + flat_name: process.group_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.group_leader.saved_user.domain: + dashed_name: process-group-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.group_leader.saved_user.email: + dashed_name: process-group-leader-saved-user-email + description: User email address. + flat_name: process.group_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.group_leader.saved_user.full_name: + dashed_name: process-group-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.group_leader.saved_user.group.domain: + dashed_name: process-group-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.saved_user.group.id: + dashed_name: process-group-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.group_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.saved_user.group.name: + dashed_name: process-group-leader-saved-user-group-name + description: Name of the group. + flat_name: process.group_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.saved_user.hash: + dashed_name: process-group-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.group_leader.saved_user.id: + dashed_name: process-group-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.group_leader.saved_user.name: + dashed_name: process-group-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.group_leader.saved_user.risk.calculated_level: + dashed_name: process-group-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.group_leader.saved_user.risk.calculated_score: + dashed_name: process-group-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.group_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-group-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.group_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.group_leader.saved_user.risk.static_level: + dashed_name: process-group-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.group_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.group_leader.saved_user.risk.static_score: + dashed_name: process-group-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.group_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.group_leader.saved_user.risk.static_score_norm: + dashed_name: process-group-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.group_leader.saved_user.roles: + dashed_name: process-group-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.group_leader.start: + dashed_name: process-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.group_leader.supplemental_groups.domain: + dashed_name: process-group-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.supplemental_groups.id: + dashed_name: process-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.supplemental_groups.name: + dashed_name: process-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.group_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.thread.capabilities.effective: + dashed_name: process-group-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.group_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.group_leader.thread.capabilities.permitted: + dashed_name: process-group-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.group_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.group_leader.thread.id: + dashed_name: process-group-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.group_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.group_leader.thread.name: + dashed_name: process-group-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.group_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.group_leader.title: + dashed_name: process-group-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' 
+ flat_name: process.group_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.group_leader.tty: + dashed_name: process-group-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.group_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.group_leader.tty.char_device.major: + dashed_name: process-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.group_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.group_leader.tty.char_device.minor: + dashed_name: process-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.group_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. 
+ type: long +process.group_leader.tty.columns: + dashed_name: process-group-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.group_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.group_leader.tty.rows: + dashed_name: process-group-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.group_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.group_leader.uptime: + dashed_name: process-group-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.group_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.group_leader.user.domain: + dashed_name: process-group-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.group_leader.user.email: + dashed_name: process-group-leader-user-email + description: User email address. 
+ flat_name: process.group_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.group_leader.user.full_name: + dashed_name: process-group-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.group_leader.user.group.domain: + dashed_name: process-group-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.user.group.id: + dashed_name: process-group-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.user.group.name: + dashed_name: process-group-leader-user-group-name + description: Name of the group. + flat_name: process.group_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.user.hash: + dashed_name: process-group-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.group_leader.user.id: + dashed_name: process-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.group_leader.user.name: + dashed_name: process-group-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.group_leader.user.risk.calculated_level: + dashed_name: process-group-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.group_leader.user.risk.calculated_score: + dashed_name: process-group-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.group_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.group_leader.user.risk.calculated_score_norm: + dashed_name: process-group-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.group_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.group_leader.user.risk.static_level: + dashed_name: process-group-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.group_leader.user.risk.static_score: + dashed_name: process-group-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.group_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.group_leader.user.risk.static_score_norm: + dashed_name: process-group-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.group_leader.user.roles: + dashed_name: process-group-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.group_leader.vpid: + dashed_name: process-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.group_leader.working_directory: + dashed_name: process-group-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.group_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. 
+ type: keyword +process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.hash.md5: + dashed_name: process-hash-md5 + description: MD5 hash. + flat_name: process.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.hash.sha1: + dashed_name: process-hash-sha1 + description: SHA1 hash. + flat_name: process.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.hash.sha256: + dashed_name: process-hash-sha256 + description: SHA256 hash. + flat_name: process.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.hash.sha384: + dashed_name: process-hash-sha384 + description: SHA384 hash. + flat_name: process.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.hash.sha512: + dashed_name: process-hash-sha512 + description: SHA512 hash. + flat_name: process.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.hash.ssdeep: + dashed_name: process-hash-ssdeep + description: SSDEEP hash. + flat_name: process.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. 
+ type: keyword +process.hash.tlsh: + dashed_name: process-hash-tlsh + description: TLSH hash. + flat_name: process.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.interactive: + dashed_name: process-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.interactive + level: extended + name: interactive + normalize: [] + otel: + - relation: match + stability: development + short: Whether the process is connected to an interactive shell. + type: boolean +process.io: + dashed_name: process-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.io + level: extended + name: io + normalize: [] + short: A chunk of input or output (IO) from a single process. + type: object +process.io.bytes_skipped: + dashed_name: process-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + short: An array of byte offsets and lengths denoting where IO data has been skipped. 
+ type: object +process.io.bytes_skipped.length: + dashed_name: process-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + short: The length of bytes skipped. + type: long +process.io.bytes_skipped.offset: + dashed_name: process-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.io.max_bytes_per_process_exceeded: + dashed_name: process-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.io.text: + dashed_name: process-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.io.text + level: extended + name: io.text + normalize: [] + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.io.total_bytes_captured: + dashed_name: process-io-total-bytes-captured + description: The total number of bytes captured in this event. 
+ flat_name: process.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + short: The total number of bytes captured in this event. + type: long +process.io.total_bytes_skipped: + dashed_name: process-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.io.type: + dashed_name: process-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.macho.go_import_hash: + dashed_name: process-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. 
+ type: keyword +process.macho.go_imports: + dashed_name: process-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.macho.go_imports_names_entropy: + dashed_name: process-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.macho.go_imports_names_var_entropy: + dashed_name: process-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.macho.go_stripped: + dashed_name: process-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.macho.import_hash: + dashed_name: process-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.macho.imports: + dashed_name: process-macho-imports + description: List of imported element names and types. + flat_name: process.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.macho.imports_names_entropy: + dashed_name: process-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.macho.imports_names_var_entropy: + dashed_name: process-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.macho.sections: + dashed_name: process-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. 
+ type: nested +process.macho.sections.entropy: + dashed_name: process-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.macho.sections.name: + dashed_name: process-macho-sections-name + description: Mach-O Section List name. + flat_name: process.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.macho.sections.physical_size: + dashed_name: process-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.macho.sections.var_entropy: + dashed_name: process-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.macho.sections.virtual_size: + dashed_name: process-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.macho.symhash: + dashed_name: process-macho-symhash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.name: + dashed_name: process-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: Process name. + type: keyword +process.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + short: The URL where the process's executable file is hosted. + type: keyword +process.parent.args: + dashed_name: process-parent-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.parent.args_count: + dashed_name: process-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.parent.attested_groups.domain: + dashed_name: process-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.attested_groups.id: + dashed_name: process-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.attested_groups.name: + dashed_name: process-parent-attested-groups-name + description: Name of the group. + flat_name: process.parent.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.parent.attested_user.domain: + dashed_name: process-parent-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.attested_user.email: + dashed_name: process-parent-attested-user-email + description: User email address. + flat_name: process.parent.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.attested_user.full_name: + dashed_name: process-parent-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.attested_user.group.domain: + dashed_name: process-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.attested_user.group.id: + dashed_name: process-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.attested_user.group.name: + dashed_name: process-parent-attested-user-group-name + description: Name of the group. + flat_name: process.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.attested_user.hash: + dashed_name: process-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.attested_user.id: + dashed_name: process-parent-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.attested_user.name: + dashed_name: process-parent-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.parent.attested_user.risk.calculated_level: + dashed_name: process-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.attested_user.risk.calculated_score: + dashed_name: process-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.attested_user.risk.static_level: + dashed_name: process-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.attested_user.risk.static_score: + dashed_name: process-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.attested_user.risk.static_score_norm: + dashed_name: process-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.attested_user.roles: + dashed_name: process-parent-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.parent.code_signature.digest_algorithm: + dashed_name: process-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. 
+ type: keyword +process.parent.code_signature.status: + dashed_name: process-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. 
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.parent.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.parent.code_signature.timestamp: + dashed_name: process-parent-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.parent.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. 
+ type: boolean +process.parent.command_line: + dashed_name: process-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.parent.command_line + level: extended + multi_fields: + - flat_name: process.parent.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.parent.elf.architecture: + dashed_name: process-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.parent.elf.byte_order: + dashed_name: process-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.parent.elf.cpu_type: + dashed_name: process-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.parent.elf.creation_date: + dashed_name: process-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. 
+ flat_name: process.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.parent.elf.exports: + dashed_name: process-parent-elf-exports + description: List of exported element names and types. + flat_name: process.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.parent.elf.go_import_hash: + dashed_name: process-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.parent.elf.go_imports: + dashed_name: process-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.parent.elf.go_imports_names_entropy: + dashed_name: process-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.elf.go_imports_names_entropy
+ format: number
+ level: extended
+ name: go_imports_names_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Shannon entropy calculation from the list of Go imports.
+ type: long
+process.parent.elf.go_imports_names_var_entropy:
+ dashed_name: process-parent-elf-go-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ flat_name: process.parent.elf.go_imports_names_var_entropy
+ format: number
+ level: extended
+ name: go_imports_names_var_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Variance for Shannon entropy calculation from the list of Go imports.
+ type: long
+process.parent.elf.go_stripped:
+ dashed_name: process-parent-elf-go-stripped
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ flat_name: process.parent.elf.go_stripped
+ level: extended
+ name: go_stripped
+ normalize: []
+ original_fieldset: elf
+ short: Whether the file is a stripped or obfuscated Go executable.
+ type: boolean
+process.parent.elf.header.abi_version:
+ dashed_name: process-parent-elf-header-abi-version
+ description: Version of the ELF Application Binary Interface (ABI).
+ flat_name: process.parent.elf.header.abi_version
+ ignore_above: 1024
+ level: extended
+ name: header.abi_version
+ normalize: []
+ original_fieldset: elf
+ short: Version of the ELF Application Binary Interface (ABI).
+ type: keyword
+process.parent.elf.header.class:
+ dashed_name: process-parent-elf-header-class
+ description: Header class of the ELF file.
+ flat_name: process.parent.elf.header.class
+ ignore_above: 1024
+ level: extended
+ name: header.class
+ normalize: []
+ original_fieldset: elf
+ short: Header class of the ELF file.
+ type: keyword
+process.parent.elf.header.data:
+ dashed_name: process-parent-elf-header-data
+ description: Data table of the ELF header.
+ flat_name: process.parent.elf.header.data
+ ignore_above: 1024
+ level: extended
+ name: header.data
+ normalize: []
+ original_fieldset: elf
+ short: Data table of the ELF header.
+ type: keyword
+process.parent.elf.header.entrypoint:
+ dashed_name: process-parent-elf-header-entrypoint
+ description: Header entrypoint of the ELF file.
+ flat_name: process.parent.elf.header.entrypoint
+ format: string
+ level: extended
+ name: header.entrypoint
+ normalize: []
+ original_fieldset: elf
+ short: Header entrypoint of the ELF file.
+ type: long
+process.parent.elf.header.object_version:
+ dashed_name: process-parent-elf-header-object-version
+ description: '"0x1" for original ELF files.'
+ flat_name: process.parent.elf.header.object_version
+ ignore_above: 1024
+ level: extended
+ name: header.object_version
+ normalize: []
+ original_fieldset: elf
+ short: '"0x1" for original ELF files.'
+ type: keyword
+process.parent.elf.header.os_abi:
+ dashed_name: process-parent-elf-header-os-abi
+ description: Application Binary Interface (ABI) of the Linux OS.
+ flat_name: process.parent.elf.header.os_abi
+ ignore_above: 1024
+ level: extended
+ name: header.os_abi
+ normalize: []
+ original_fieldset: elf
+ short: Application Binary Interface (ABI) of the Linux OS.
+ type: keyword
+process.parent.elf.header.type:
+ dashed_name: process-parent-elf-header-type
+ description: Header type of the ELF file.
+ flat_name: process.parent.elf.header.type
+ ignore_above: 1024
+ level: extended
+ name: header.type
+ normalize: []
+ original_fieldset: elf
+ short: Header type of the ELF file.
+ type: keyword
+process.parent.elf.header.version:
+ dashed_name: process-parent-elf-header-version
+ description: Version of the ELF header.
+ flat_name: process.parent.elf.header.version
+ ignore_above: 1024
+ level: extended
+ name: header.version
+ normalize: []
+ original_fieldset: elf
+ short: Version of the ELF header.
+ type: keyword
+process.parent.elf.import_hash:
+ dashed_name: process-parent-elf-import-hash
+ description: 'A hash of the imports in an ELF file. An import hash can be used to
+ fingerprint binaries even after recompilation or other code-level transformations
+ have occurred, which would change more traditional hash values.
+
+ This is an ELF implementation of the Windows PE imphash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ flat_name: process.parent.elf.import_hash
+ ignore_above: 1024
+ level: extended
+ name: import_hash
+ normalize: []
+ original_fieldset: elf
+ short: A hash of the imports in an ELF file.
+ type: keyword
+process.parent.elf.imports:
+ dashed_name: process-parent-elf-imports
+ description: List of imported element names and types.
+ flat_name: process.parent.elf.imports
+ level: extended
+ name: imports
+ normalize:
+ - array
+ original_fieldset: elf
+ short: List of imported element names and types.
+ type: flattened
+process.parent.elf.imports_names_entropy:
+ dashed_name: process-parent-elf-imports-names-entropy
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ flat_name: process.parent.elf.imports_names_entropy
+ format: number
+ level: extended
+ name: imports_names_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Shannon entropy calculation from the list of imported element names and types.
+ type: long
+process.parent.elf.imports_names_var_entropy:
+ dashed_name: process-parent-elf-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ flat_name: process.parent.elf.imports_names_var_entropy
+ format: number
+ level: extended
+ name: imports_names_var_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Variance for Shannon entropy calculation from the list of imported element
+ names and types.
+ type: long
+process.parent.elf.sections:
+ dashed_name: process-parent-elf-sections
+ description: 'An array containing an object for each section of the ELF file.
+
+ The keys that should be present in these objects are defined by sub-fields underneath
+ `elf.sections.*`.'
+ flat_name: process.parent.elf.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: elf
+ short: Section information of the ELF file.
+ type: nested
+process.parent.elf.sections.chi2:
+ dashed_name: process-parent-elf-sections-chi2
+ description: Chi-square probability distribution of the section.
+ flat_name: process.parent.elf.sections.chi2
+ format: number
+ level: extended
+ name: sections.chi2
+ normalize: []
+ original_fieldset: elf
+ short: Chi-square probability distribution of the section.
+ type: long
+process.parent.elf.sections.entropy:
+ dashed_name: process-parent-elf-sections-entropy
+ description: Shannon entropy calculation from the section.
+ flat_name: process.parent.elf.sections.entropy
+ format: number
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: elf
+ short: Shannon entropy calculation from the section.
+ type: long
+process.parent.elf.sections.flags:
+ dashed_name: process-parent-elf-sections-flags
+ description: ELF Section List flags.
+ flat_name: process.parent.elf.sections.flags
+ ignore_above: 1024
+ level: extended
+ name: sections.flags
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List flags.
+ type: keyword
+process.parent.elf.sections.name:
+ dashed_name: process-parent-elf-sections-name
+ description: ELF Section List name.
+ flat_name: process.parent.elf.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List name.
+ type: keyword
+process.parent.elf.sections.physical_offset:
+ dashed_name: process-parent-elf-sections-physical-offset
+ description: ELF Section List offset.
+ flat_name: process.parent.elf.sections.physical_offset
+ ignore_above: 1024
+ level: extended
+ name: sections.physical_offset
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List offset.
+ type: keyword
+process.parent.elf.sections.physical_size:
+ dashed_name: process-parent-elf-sections-physical-size
+ description: ELF Section List physical size.
+ flat_name: process.parent.elf.sections.physical_size
+ format: bytes
+ level: extended
+ name: sections.physical_size
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List physical size.
+ type: long
+process.parent.elf.sections.type:
+ dashed_name: process-parent-elf-sections-type
+ description: ELF Section List type.
+ flat_name: process.parent.elf.sections.type
+ ignore_above: 1024
+ level: extended
+ name: sections.type
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List type.
+ type: keyword
+process.parent.elf.sections.var_entropy:
+ dashed_name: process-parent-elf-sections-var-entropy
+ description: Variance for Shannon entropy calculation from the section.
+ flat_name: process.parent.elf.sections.var_entropy
+ format: number
+ level: extended
+ name: sections.var_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Variance for Shannon entropy calculation from the section.
+ type: long
+process.parent.elf.sections.virtual_address:
+ dashed_name: process-parent-elf-sections-virtual-address
+ description: ELF Section List virtual address.
+ flat_name: process.parent.elf.sections.virtual_address
+ format: string
+ level: extended
+ name: sections.virtual_address
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List virtual address.
+ type: long
+process.parent.elf.sections.virtual_size:
+ dashed_name: process-parent-elf-sections-virtual-size
+ description: ELF Section List virtual size.
+ flat_name: process.parent.elf.sections.virtual_size
+ format: string
+ level: extended
+ name: sections.virtual_size
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List virtual size.
+ type: long
+process.parent.elf.segments:
+ dashed_name: process-parent-elf-segments
+ description: 'An array containing an object for each segment of the ELF file.
+
+ The keys that should be present in these objects are defined by sub-fields underneath
+ `elf.segments.*`.'
+ flat_name: process.parent.elf.segments
+ level: extended
+ name: segments
+ normalize:
+ - array
+ original_fieldset: elf
+ short: ELF object segment list.
+ type: nested
+process.parent.elf.segments.sections:
+ dashed_name: process-parent-elf-segments-sections
+ description: ELF object segment sections.
+ flat_name: process.parent.elf.segments.sections
+ ignore_above: 1024
+ level: extended
+ name: segments.sections
+ normalize: []
+ original_fieldset: elf
+ short: ELF object segment sections.
+ type: keyword
+process.parent.elf.segments.type:
+ dashed_name: process-parent-elf-segments-type
+ description: ELF object segment type.
+ flat_name: process.parent.elf.segments.type
+ ignore_above: 1024
+ level: extended
+ name: segments.type
+ normalize: []
+ original_fieldset: elf
+ short: ELF object segment type.
+ type: keyword
+process.parent.elf.shared_libraries:
+ dashed_name: process-parent-elf-shared-libraries
+ description: List of shared libraries used by this ELF object.
+ flat_name: process.parent.elf.shared_libraries
+ ignore_above: 1024
+ level: extended
+ name: shared_libraries
+ normalize:
+ - array
+ original_fieldset: elf
+ short: List of shared libraries used by this ELF object.
+ type: keyword
+process.parent.elf.telfhash:
+ dashed_name: process-parent-elf-telfhash
+ description: telfhash symbol hash for ELF file.
+ flat_name: process.parent.elf.telfhash
+ ignore_above: 1024
+ level: extended
+ name: telfhash
+ normalize: []
+ original_fieldset: elf
+ short: telfhash hash for ELF file.
+ type: keyword
+process.parent.end:
+ dashed_name: process-parent-end
+ description: The time the process ended.
+ example: '2016-05-23T08:05:34.853Z'
+ flat_name: process.parent.end
+ level: extended
+ name: end
+ normalize: []
+ original_fieldset: process
+ short: The time the process ended.
+ type: date
+process.parent.endpoint_security_client:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-endpoint-security-client
+ description: Processes that have an endpoint security client must have the com.apple.endpointsecurity
+ entitlement and the value is set to true in the message.
+ flat_name: process.parent.endpoint_security_client
+ level: extended
+ name: endpoint_security_client
+ normalize: []
+ original_fieldset: process
+ short: Indicates whether this process executable is an Endpoint Security client.
+ type: boolean
+process.parent.entity_id:
+ dashed_name: process-parent-entity-id
+ description: 'Unique identifier for the process.
+
+ The implementation of this is specified by the data source, but some examples
+ of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+ or a hash of some uniquely identifying components of a process.
+
+ Constructing a globally unique identifier is a common practice to mitigate PID
+ reuse as well as to identify a specific process over time, across multiple monitored
+ hosts.'
+ example: c2c455d9f99375d
+ flat_name: process.parent.entity_id
+ ignore_above: 1024
+ level: extended
+ name: entity_id
+ normalize: []
+ original_fieldset: process
+ short: Unique identifier for the process.
+ type: keyword
+process.parent.entry_meta.source.address:
+ dashed_name: process-parent-entry-meta-source-address
+ description: 'Some event source addresses are defined ambiguously. The event will
+ sometimes list an IP, a domain or a unix socket. You should always store the
+ raw address in the `.address` field.
+
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it
+ is.'
+ flat_name: process.parent.entry_meta.source.address
+ ignore_above: 1024
+ level: extended
+ name: address
+ normalize: []
+ original_fieldset: source
+ short: Source network address.
+ type: keyword
+process.parent.entry_meta.source.as.number:
+ dashed_name: process-parent-entry-meta-source-as-number
+ description: Unique number allocated to the autonomous system. The autonomous system
+ number (ASN) uniquely identifies each network on the Internet.
+ example: 15169
+ flat_name: process.parent.entry_meta.source.as.number
+ level: extended
+ name: number
+ normalize: []
+ original_fieldset: as
+ short: Unique number allocated to the autonomous system.
+ type: long
+process.parent.entry_meta.source.as.organization.name:
+ dashed_name: process-parent-entry-meta-source-as-organization-name
+ description: Organization name.
+ example: Google LLC
+ flat_name: process.parent.entry_meta.source.as.organization.name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.parent.entry_meta.source.as.organization.name.text
+ name: text
+ type: match_only_text
+ name: organization.name
+ normalize: []
+ original_fieldset: as
+ short: Organization name.
+ type: keyword
+process.parent.entry_meta.source.bytes:
+ dashed_name: process-parent-entry-meta-source-bytes
+ description: Bytes sent from the source to the destination.
+ example: 184
+ flat_name: process.parent.entry_meta.source.bytes
+ format: bytes
+ level: core
+ name: bytes
+ normalize: []
+ original_fieldset: source
+ short: Bytes sent from the source to the destination.
+ type: long
+process.parent.entry_meta.source.domain:
+ dashed_name: process-parent-entry-meta-source-domain
+ description: 'The domain name of the source system.
+
+ This value may be a host name, a fully qualified domain name, or another host
+ naming format. The value may derive from the original event or be added from enrichment.'
+ example: foo.example.com
+ flat_name: process.parent.entry_meta.source.domain
+ ignore_above: 1024
+ level: core
+ name: domain
+ normalize: []
+ original_fieldset: source
+ short: The domain name of the source.
+ type: keyword
+process.parent.entry_meta.source.geo.city_name:
+ dashed_name: process-parent-entry-meta-source-geo-city-name
+ description: City name.
+ example: Montreal
+ flat_name: process.parent.entry_meta.source.geo.city_name
+ ignore_above: 1024
+ level: core
+ name: city_name
+ normalize: []
+ original_fieldset: geo
+ short: City name.
+ type: keyword
+process.parent.entry_meta.source.geo.continent_code:
+ dashed_name: process-parent-entry-meta-source-geo-continent-code
+ description: Two-letter code representing continent's name.
+ example: NA
+ flat_name: process.parent.entry_meta.source.geo.continent_code
+ ignore_above: 1024
+ level: core
+ name: continent_code
+ normalize: []
+ original_fieldset: geo
+ short: Continent code.
+ type: keyword
+process.parent.entry_meta.source.geo.continent_name:
+ dashed_name: process-parent-entry-meta-source-geo-continent-name
+ description: Name of the continent.
+ example: North America
+ flat_name: process.parent.entry_meta.source.geo.continent_name
+ ignore_above: 1024
+ level: core
+ name: continent_name
+ normalize: []
+ original_fieldset: geo
+ short: Name of the continent.
+ type: keyword
+process.parent.entry_meta.source.geo.country_iso_code:
+ dashed_name: process-parent-entry-meta-source-geo-country-iso-code
+ description: Country ISO code.
+ example: CA
+ flat_name: process.parent.entry_meta.source.geo.country_iso_code
+ ignore_above: 1024
+ level: core
+ name: country_iso_code
+ normalize: []
+ original_fieldset: geo
+ short: Country ISO code.
+ type: keyword
+process.parent.entry_meta.source.geo.country_name:
+ dashed_name: process-parent-entry-meta-source-geo-country-name
+ description: Country name.
+ example: Canada
+ flat_name: process.parent.entry_meta.source.geo.country_name
+ ignore_above: 1024
+ level: core
+ name: country_name
+ normalize: []
+ original_fieldset: geo
+ short: Country name.
+ type: keyword
+process.parent.entry_meta.source.geo.location:
+ dashed_name: process-parent-entry-meta-source-geo-location
+ description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ flat_name: process.parent.entry_meta.source.geo.location
+ level: core
+ name: location
+ normalize: []
+ original_fieldset: geo
+ short: Longitude and latitude.
+ type: geo_point
+process.parent.entry_meta.source.geo.name:
+ dashed_name: process-parent-entry-meta-source-geo-name
+ description: 'User-defined description of a location, at the level of granularity
+ they care about.
+
+ Could be the name of their data centers, the floor number, if this describes a
+ local physical entity, city names.
+
+ Not typically used in automated geolocation.'
+ example: boston-dc
+ flat_name: process.parent.entry_meta.source.geo.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: geo
+ short: User-defined description of a location.
+ type: keyword
+process.parent.entry_meta.source.geo.postal_code:
+ dashed_name: process-parent-entry-meta-source-geo-postal-code
+ description: 'Postal code associated with the location.
+
+ Values appropriate for this field may also be known as a postcode or ZIP code
+ and will vary widely from country to country.'
+ example: 94040
+ flat_name: process.parent.entry_meta.source.geo.postal_code
+ ignore_above: 1024
+ level: core
+ name: postal_code
+ normalize: []
+ original_fieldset: geo
+ short: Postal code.
+ type: keyword
+process.parent.entry_meta.source.geo.region_iso_code:
+ dashed_name: process-parent-entry-meta-source-geo-region-iso-code
+ description: Region ISO code.
+ example: CA-QC
+ flat_name: process.parent.entry_meta.source.geo.region_iso_code
+ ignore_above: 1024
+ level: core
+ name: region_iso_code
+ normalize: []
+ original_fieldset: geo
+ short: Region ISO code.
+ type: keyword
+process.parent.entry_meta.source.geo.region_name:
+ dashed_name: process-parent-entry-meta-source-geo-region-name
+ description: Region name.
+ example: Quebec
+ flat_name: process.parent.entry_meta.source.geo.region_name
+ ignore_above: 1024
+ level: core
+ name: region_name
+ normalize: []
+ original_fieldset: geo
+ short: Region name.
+ type: keyword
+process.parent.entry_meta.source.geo.timezone:
+ dashed_name: process-parent-entry-meta-source-geo-timezone
+ description: The time zone of the location, such as IANA time zone name.
+ example: America/Argentina/Buenos_Aires
+ flat_name: process.parent.entry_meta.source.geo.timezone
+ ignore_above: 1024
+ level: core
+ name: timezone
+ normalize: []
+ original_fieldset: geo
+ short: Time zone.
+ type: keyword
+process.parent.entry_meta.source.ip:
+ dashed_name: process-parent-entry-meta-source-ip
+ description: IP address of the source (IPv4 or IPv6).
+ flat_name: process.parent.entry_meta.source.ip
+ level: core
+ name: ip
+ normalize: []
+ original_fieldset: source
+ short: IP address of the source.
+ type: ip
+process.parent.entry_meta.source.mac:
+ dashed_name: process-parent-entry-meta-source-mac
+ description: 'MAC address of the source.
+
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte)
+ is represented by two [uppercase] hexadecimal digits giving the value of the octet
+ as an unsigned integer. Successive octets are separated by a hyphen.'
+ example: 00-00-5E-00-53-23
+ flat_name: process.parent.entry_meta.source.mac
+ ignore_above: 1024
+ level: core
+ name: mac
+ normalize: []
+ original_fieldset: source
+ pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
+ short: MAC address of the source.
+ type: keyword
+process.parent.entry_meta.source.nat.ip:
+ dashed_name: process-parent-entry-meta-source-nat-ip
+ description: 'Translated ip of source based NAT sessions (e.g. internal client to
+ internet)
+
+ Typically connections traversing load balancers, firewalls, or routers.'
+ flat_name: process.parent.entry_meta.source.nat.ip
+ level: extended
+ name: nat.ip
+ normalize: []
+ original_fieldset: source
+ short: Source NAT ip
+ type: ip
+process.parent.entry_meta.source.nat.port:
+ dashed_name: process-parent-entry-meta-source-nat-port
+ description: 'Translated port of source based NAT sessions. (e.g. internal client
+ to internet)
+
+ Typically used with load balancers, firewalls, or routers.'
+ flat_name: process.parent.entry_meta.source.nat.port
+ format: string
+ level: extended
+ name: nat.port
+ normalize: []
+ original_fieldset: source
+ short: Source NAT port
+ type: long
+process.parent.entry_meta.source.packets:
+ dashed_name: process-parent-entry-meta-source-packets
+ description: Packets sent from the source to the destination.
+ example: 12
+ flat_name: process.parent.entry_meta.source.packets
+ level: core
+ name: packets
+ normalize: []
+ original_fieldset: source
+ short: Packets sent from the source to the destination.
+ type: long
+process.parent.entry_meta.source.port:
+ dashed_name: process-parent-entry-meta-source-port
+ description: Port of the source.
+ flat_name: process.parent.entry_meta.source.port
+ format: string
+ level: core
+ name: port
+ normalize: []
+ original_fieldset: source
+ short: Port of the source.
+ type: long
+process.parent.entry_meta.source.registered_domain:
+ dashed_name: process-parent-entry-meta-source-registered-domain
+ description: 'The highest registered source domain, stripped of the subdomain.
+
+ For example, the registered domain for "foo.example.com" is "example.com".
+
+ This value can be determined precisely with a list like the public suffix list
+ (https://publicsuffix.org). Trying to approximate this by simply taking the last
+ two labels will not work well for TLDs such as "co.uk".'
+ example: example.com
+ flat_name: process.parent.entry_meta.source.registered_domain
+ ignore_above: 1024
+ level: extended
+ name: registered_domain
+ normalize: []
+ original_fieldset: source
+ short: The highest registered source domain, stripped of the subdomain.
+ type: keyword
+process.parent.entry_meta.source.subdomain:
+ dashed_name: process-parent-entry-meta-source-subdomain
+ description: 'The subdomain portion of a fully qualified domain name includes all
+ of the names except the host name under the registered_domain. In a partially
+ qualified domain, or if the the qualification level of the full name cannot be
+ determined, subdomain contains all of the names below the registered domain.
+
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+ domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+ subdomain field should contain "sub2.sub1", with no trailing period.'
+ example: east
+ flat_name: process.parent.entry_meta.source.subdomain
+ ignore_above: 1024
+ level: extended
+ name: subdomain
+ normalize: []
+ original_fieldset: source
+ short: The subdomain of the domain.
+ type: keyword
+process.parent.entry_meta.source.top_level_domain:
+ dashed_name: process-parent-entry-meta-source-top-level-domain
+ description: 'The effective top level domain (eTLD), also known as the domain suffix,
+ is the last part of the domain name. For example, the top level domain for example.com
+ is "com".
+
+ This value can be determined precisely with a list like the public suffix list
+ (https://publicsuffix.org). Trying to approximate this by simply taking the last
+ label will not work well for effective TLDs such as "co.uk".'
+ example: co.uk
+ flat_name: process.parent.entry_meta.source.top_level_domain
+ ignore_above: 1024
+ level: extended
+ name: top_level_domain
+ normalize: []
+ original_fieldset: source
+ short: The effective top level domain (com, org, net, co.uk).
+ type: keyword
+process.parent.entry_meta.type:
+ dashed_name: process-parent-entry-meta-type
+ description: 'The entry type for the entry session leader. Values include: init(e.g
+ systemd), sshd, ssm, kubelet, teleport, terminal, console
+
+ Note: This field is only set on process.session_leader.'
+ flat_name: process.parent.entry_meta.type
+ ignore_above: 1024
+ level: extended
+ name: entry_meta.type
+ normalize: []
+ original_fieldset: process
+ short: The entry type for the entry session leader.
+ type: keyword
+process.parent.env_vars:
+ dashed_name: process-parent-env-vars
+ description: 'Array of environment variable bindings. Captured from a snapshot of
+ the environment at the time of execution.
+
+ May be filtered to protect sensitive information.'
+ example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]'
+ flat_name: process.parent.env_vars
+ ignore_above: 1024
+ level: extended
+ name: env_vars
+ normalize:
+ - array
+ original_fieldset: process
+ short: Array of environment variable bindings.
+ synthetic_source_keep: none
+ type: keyword
+process.parent.executable:
+ dashed_name: process-parent-executable
+ description: Absolute path to the process executable.
+ example: /usr/bin/ssh
+ flat_name: process.parent.executable
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.parent.executable.text
+ name: text
+ type: match_only_text
+ name: executable
+ normalize: []
+ original_fieldset: process
+ short: Absolute path to the process executable.
+ type: keyword
+process.parent.exit_code:
+ dashed_name: process-parent-exit-code
+ description: 'The exit code of the process, if this is a termination event.
+
+ The field should be absent if there is no exit code for the event (e.g. process
+ start).'
+ example: 137
+ flat_name: process.parent.exit_code
+ level: extended
+ name: exit_code
+ normalize: []
+ original_fieldset: process
+ short: The exit code of the process.
+ type: long
+process.parent.group.domain:
+ dashed_name: process-parent-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.parent.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.parent.group.id:
+ dashed_name: process-parent-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.parent.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.parent.group.name:
+ dashed_name: process-parent-group-name
+ description: Name of the group.
+ flat_name: process.parent.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.parent.group_leader.args:
+ dashed_name: process-parent-group-leader-args
+ description: 'Array of process arguments, starting with the absolute path to the
+ executable.
+
+ May be filtered to protect sensitive information.'
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+ flat_name: process.parent.group_leader.args
+ ignore_above: 1024
+ level: extended
+ name: args
+ normalize:
+ - array
+ original_fieldset: process
+ short: Array of process arguments.
+ type: keyword
+process.parent.group_leader.args_count:
+ dashed_name: process-parent-group-leader-args-count
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how many
+ arguments were provided to start a process. More arguments may be an indication
+ of suspicious activity.'
+ example: 4
+ flat_name: process.parent.group_leader.args_count
+ level: extended
+ name: args_count
+ normalize: []
+ original_fieldset: process
+ short: Length of the process.args array.
+ type: long
+process.parent.group_leader.attested_groups.domain:
+ dashed_name: process-parent-group-leader-attested-groups-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.parent.group_leader.attested_groups.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.parent.group_leader.attested_groups.id:
+ dashed_name: process-parent-group-leader-attested-groups-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.parent.group_leader.attested_groups.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.parent.group_leader.attested_groups.name:
+ dashed_name: process-parent-group-leader-attested-groups-name
+ description: Name of the group.
+ flat_name: process.parent.group_leader.attested_groups.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.parent.group_leader.attested_user.domain:
+ dashed_name: process-parent-group-leader-attested-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.parent.group_leader.attested_user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+process.parent.group_leader.attested_user.email:
+ dashed_name: process-parent-group-leader-attested-user-email
+ description: User email address.
+ flat_name: process.parent.group_leader.attested_user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+process.parent.group_leader.attested_user.full_name:
+ dashed_name: process-parent-group-leader-attested-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.parent.group_leader.attested_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.parent.group_leader.attested_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+process.parent.group_leader.attested_user.group.domain:
+ dashed_name: process-parent-group-leader-attested-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.parent.group_leader.attested_user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.parent.group_leader.attested_user.group.id:
+ dashed_name: process-parent-group-leader-attested-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.parent.group_leader.attested_user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.parent.group_leader.attested_user.group.name:
+ dashed_name: process-parent-group-leader-attested-user-group-name
+ description: Name of the group.
+ flat_name: process.parent.group_leader.attested_user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.parent.group_leader.attested_user.hash:
+ dashed_name: process-parent-group-leader-attested-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.parent.group_leader.attested_user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+process.parent.group_leader.attested_user.id:
+ dashed_name: process-parent-group-leader-attested-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.parent.group_leader.attested_user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+process.parent.group_leader.attested_user.name:
+ dashed_name: process-parent-group-leader-attested-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.parent.group_leader.attested_user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.parent.group_leader.attested_user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+process.parent.group_leader.attested_user.risk.calculated_level:
+ dashed_name: process-parent-group-leader-attested-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.parent.group_leader.attested_user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+process.parent.group_leader.attested_user.risk.calculated_score:
+ dashed_name: process-parent-group-leader-attested-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.parent.group_leader.attested_user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+process.parent.group_leader.attested_user.risk.calculated_score_norm:
+ dashed_name: process-parent-group-leader-attested-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: process.parent.group_leader.attested_user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+process.parent.group_leader.attested_user.risk.static_level:
+ dashed_name: process-parent-group-leader-attested-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.parent.group_leader.attested_user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+process.parent.group_leader.attested_user.risk.static_score:
+ dashed_name: process-parent-group-leader-attested-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.parent.group_leader.attested_user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+process.parent.group_leader.attested_user.risk.static_score_norm:
+ dashed_name: process-parent-group-leader-attested-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.parent.group_leader.attested_user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+process.parent.group_leader.attested_user.roles:
+ dashed_name: process-parent-group-leader-attested-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.parent.group_leader.attested_user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+process.parent.group_leader.code_signature.digest_algorithm:
+ dashed_name: process-parent-group-leader-code-signature-digest-algorithm
+ description: 'The hashing algorithm used to sign the process.
+
+ This value can distinguish signatures when a file is signed multiple times by
+ the same signer but with a different digest algorithm.'
+ example: sha256
+ flat_name: process.parent.group_leader.code_signature.digest_algorithm
+ ignore_above: 1024
+ level: extended
+ name: digest_algorithm
+ normalize: []
+ original_fieldset: code_signature
+ short: Hashing algorithm used to sign the process.
+ type: keyword
+process.parent.group_leader.code_signature.exists:
+ dashed_name: process-parent-group-leader-code-signature-exists
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ flat_name: process.parent.group_leader.code_signature.exists
+ level: core
+ name: exists
+ normalize: []
+ original_fieldset: code_signature
+ short: Boolean to capture if a signature is present.
+ type: boolean
+process.parent.group_leader.code_signature.flags:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-group-leader-code-signature-flags
+ description: The flags used to sign the process.
+ example: 570522385 + flat_name: process.parent.group_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.parent.group_leader.code_signature.signing_id: + dashed_name: process-parent-group-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.group_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.parent.group_leader.code_signature.status: + dashed_name: process-parent-group-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.group_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword +process.parent.group_leader.code_signature.subject_name: + dashed_name: process-parent-group-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.group_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.parent.group_leader.code_signature.team_id: + dashed_name: process-parent-group-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.group_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.parent.group_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.parent.group_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.parent.group_leader.code_signature.timestamp: + dashed_name: process-parent-group-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + flat_name: process.parent.group_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.parent.group_leader.code_signature.trusted: + dashed_name: process-parent-group-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.group_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.parent.group_leader.code_signature.valid: + dashed_name: process-parent-group-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.parent.group_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.parent.group_leader.command_line: + dashed_name: process-parent-group-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.parent.group_leader.command_line + level: extended + multi_fields: + - flat_name: process.parent.group_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.parent.group_leader.elf.architecture: + dashed_name: process-parent-group-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.group_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.parent.group_leader.elf.byte_order: + dashed_name: process-parent-group-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.parent.group_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.parent.group_leader.elf.cpu_type: + dashed_name: process-parent-group-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.group_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.parent.group_leader.elf.creation_date: + dashed_name: process-parent-group-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.parent.group_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. 
+ type: date +process.parent.group_leader.elf.exports: + dashed_name: process-parent-group-leader-elf-exports + description: List of exported element names and types. + flat_name: process.parent.group_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.parent.group_leader.elf.go_import_hash: + dashed_name: process-parent-group-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.parent.group_leader.elf.go_imports: + dashed_name: process-parent-group-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.parent.group_leader.elf.go_imports_names_entropy: + dashed_name: process-parent-group-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.group_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.group_leader.elf.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.group_leader.elf.go_stripped: + dashed_name: process-parent-group-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.group_leader.elf.header.abi_version: + dashed_name: process-parent-group-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.parent.group_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.parent.group_leader.elf.header.class: + dashed_name: process-parent-group-leader-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.parent.group_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.parent.group_leader.elf.header.data: + dashed_name: process-parent-group-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.group_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.parent.group_leader.elf.header.entrypoint: + dashed_name: process-parent-group-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.group_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.parent.group_leader.elf.header.object_version: + dashed_name: process-parent-group-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.group_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.parent.group_leader.elf.header.os_abi: + dashed_name: process-parent-group-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.parent.group_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.parent.group_leader.elf.header.type: + dashed_name: process-parent-group-leader-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.parent.group_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.parent.group_leader.elf.header.version: + dashed_name: process-parent-group-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.group_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.parent.group_leader.elf.import_hash: + dashed_name: process-parent-group-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.parent.group_leader.elf.imports: + dashed_name: process-parent-group-leader-elf-imports + description: List of imported element names and types. + flat_name: process.parent.group_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.parent.group_leader.elf.imports_names_entropy: + dashed_name: process-parent-group-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.parent.group_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.group_leader.elf.imports_names_var_entropy: + dashed_name: process-parent-group-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.group_leader.elf.sections: + dashed_name: process-parent-group-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.parent.group_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.parent.group_leader.elf.sections.chi2: + dashed_name: process-parent-group-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.parent.group_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.parent.group_leader.elf.sections.entropy: + dashed_name: process-parent-group-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.parent.group_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.parent.group_leader.elf.sections.flags: + dashed_name: process-parent-group-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.group_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.parent.group_leader.elf.sections.name: + dashed_name: process-parent-group-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.parent.group_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.parent.group_leader.elf.sections.physical_offset: + dashed_name: process-parent-group-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.group_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.parent.group_leader.elf.sections.physical_size: + dashed_name: process-parent-group-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.parent.group_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.parent.group_leader.elf.sections.type: + dashed_name: process-parent-group-leader-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.parent.group_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.parent.group_leader.elf.sections.var_entropy: + dashed_name: process-parent-group-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.group_leader.elf.sections.virtual_address: + dashed_name: process-parent-group-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.parent.group_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.parent.group_leader.elf.sections.virtual_size: + dashed_name: process-parent-group-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.group_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.parent.group_leader.elf.segments: + dashed_name: process-parent-group-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.parent.group_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. 
+ type: nested +process.parent.group_leader.elf.segments.sections: + dashed_name: process-parent-group-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.group_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.parent.group_leader.elf.segments.type: + dashed_name: process-parent-group-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.parent.group_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.parent.group_leader.elf.shared_libraries: + dashed_name: process-parent-group-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.parent.group_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.parent.group_leader.elf.telfhash: + dashed_name: process-parent-group-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.parent.group_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.parent.group_leader.end: + dashed_name: process-parent-group-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.parent.group_leader.endpoint_security_client: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.parent.group_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.parent.group_leader.entity_id: + dashed_name: process-parent-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.parent.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.parent.group_leader.entry_meta.source.address: + dashed_name: process-parent-group-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.parent.group_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. 
+ type: keyword +process.parent.group_leader.entry_meta.source.as.number: + dashed_name: process-parent-group-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.parent.group_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.parent.group_leader.entry_meta.source.as.organization.name: + dashed_name: process-parent-group-leader-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.parent.group_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.parent.group_leader.entry_meta.source.bytes: + dashed_name: process-parent-group-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.parent.group_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.parent.group_leader.entry_meta.source.domain: + dashed_name: process-parent-group-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' 
+ example: foo.example.com + flat_name: process.parent.group_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.parent.group_leader.entry_meta.source.geo.city_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.parent.group_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.parent.group_leader.entry_meta.source.geo.continent_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.parent.group_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.parent.group_leader.entry_meta.source.geo.continent_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.parent.group_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.parent.group_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.parent.group_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. 
+ type: keyword +process.parent.group_leader.entry_meta.source.geo.country_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.parent.group_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.parent.group_leader.entry_meta.source.geo.location: + dashed_name: process-parent-group-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.parent.group_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.parent.group_leader.entry_meta.source.geo.name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.parent.group_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.parent.group_leader.entry_meta.source.geo.postal_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' 
+ example: 94040 + flat_name: process.parent.group_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.parent.group_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.parent.group_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.parent.group_leader.entry_meta.source.geo.region_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.parent.group_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.parent.group_leader.entry_meta.source.geo.timezone: + dashed_name: process-parent-group-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.parent.group_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.parent.group_leader.entry_meta.source.ip: + dashed_name: process-parent-group-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.parent.group_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip +process.parent.group_leader.entry_meta.source.mac: + dashed_name: process-parent-group-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.parent.group_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.parent.group_leader.entry_meta.source.nat.ip: + dashed_name: process-parent-group-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.parent.group_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.parent.group_leader.entry_meta.source.nat.port: + dashed_name: process-parent-group-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.parent.group_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.parent.group_leader.entry_meta.source.packets: + dashed_name: process-parent-group-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. 
+ example: 12 + flat_name: process.parent.group_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.parent.group_leader.entry_meta.source.port: + dashed_name: process-parent-group-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.parent.group_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.parent.group_leader.entry_meta.source.registered_domain: + dashed_name: process-parent-group-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.parent.group_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.parent.group_leader.entry_meta.source.subdomain: + dashed_name: process-parent-group-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.parent.group_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.parent.group_leader.entry_meta.source.top_level_domain: + dashed_name: process-parent-group-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.parent.group_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.parent.group_leader.entry_meta.type: + dashed_name: process-parent-group-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.parent.group_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.parent.group_leader.env_vars: + dashed_name: process-parent-group-leader-env-vars + description: 'Array of environment variable bindings. 
Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.parent.group_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.executable: + dashed_name: process-parent-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.parent.group_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.parent.group_leader.exit_code: + dashed_name: process-parent-group-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.parent.group_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.parent.group_leader.group.domain: + dashed_name: process-parent-group-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.parent.group_leader.group.id: + dashed_name: process-parent-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.group.name: + dashed_name: process-parent-group-leader-group-name + description: Name of the group. + flat_name: process.parent.group_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.group_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.parent.group_leader.hash.md5: + dashed_name: process-parent-group-leader-hash-md5 + description: MD5 hash. + flat_name: process.parent.group_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.parent.group_leader.hash.sha1: + dashed_name: process-parent-group-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.parent.group_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.parent.group_leader.hash.sha256: + dashed_name: process-parent-group-leader-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.parent.group_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.parent.group_leader.hash.sha384: + dashed_name: process-parent-group-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.parent.group_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.parent.group_leader.hash.sha512: + dashed_name: process-parent-group-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.parent.group_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.parent.group_leader.hash.ssdeep: + dashed_name: process-parent-group-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.group_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.parent.group_leader.hash.tlsh: + dashed_name: process-parent-group-leader-hash-tlsh + description: TLSH hash. + flat_name: process.parent.group_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.parent.group_leader.interactive: + dashed_name: process-parent-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.parent.group_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.parent.group_leader.io: + dashed_name: process-parent-group-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.parent.group_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.parent.group_leader.io.bytes_skipped: + dashed_name: process-parent-group-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.parent.group_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.parent.group_leader.io.bytes_skipped.length: + dashed_name: process-parent-group-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.parent.group_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long +process.parent.group_leader.io.bytes_skipped.offset: + dashed_name: process-parent-group-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.parent.group_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.parent.group_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-parent-group-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.parent.group_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.parent.group_leader.io.text: + dashed_name: process-parent-group-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.parent.group_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard +process.parent.group_leader.io.total_bytes_captured: + dashed_name: process-parent-group-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.parent.group_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.parent.group_leader.io.total_bytes_skipped: + dashed_name: process-parent-group-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.parent.group_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.parent.group_leader.io.type: + dashed_name: process-parent-group-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.parent.group_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.parent.group_leader.macho.go_import_hash: + dashed_name: process-parent-group-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.parent.group_leader.macho.go_imports: + dashed_name: process-parent-group-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.parent.group_leader.macho.go_imports_names_entropy: + dashed_name: process-parent-group-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.group_leader.macho.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.parent.group_leader.macho.go_stripped: + dashed_name: process-parent-group-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.group_leader.macho.import_hash: + dashed_name: process-parent-group-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.parent.group_leader.macho.imports: + dashed_name: process-parent-group-leader-macho-imports + description: List of imported element names and types. + flat_name: process.parent.group_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.parent.group_leader.macho.imports_names_entropy: + dashed_name: process-parent-group-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.parent.group_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.group_leader.macho.imports_names_var_entropy: + dashed_name: process-parent-group-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.group_leader.macho.sections: + dashed_name: process-parent-group-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.parent.group_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.parent.group_leader.macho.sections.entropy: + dashed_name: process-parent-group-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.parent.group_leader.macho.sections.name: + dashed_name: process-parent-group-leader-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.parent.group_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.parent.group_leader.macho.sections.physical_size: + dashed_name: process-parent-group-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.parent.group_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.parent.group_leader.macho.sections.var_entropy: + dashed_name: process-parent-group-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.group_leader.macho.sections.virtual_size: + dashed_name: process-parent-group-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.group_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.group_leader.macho.symhash: + dashed_name: process-parent-group-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.group_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.parent.group_leader.name: + dashed_name: process-parent-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.parent.group_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.parent.group_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.parent.group_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.parent.group_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.parent.group_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword +process.parent.group_leader.pe.architecture: + dashed_name: process-parent-group-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.parent.group_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.parent.group_leader.pe.company: + dashed_name: process-parent-group-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.parent.group_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.parent.group_leader.pe.description: + dashed_name: process-parent-group-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.parent.group_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.parent.group_leader.pe.file_version: + dashed_name: process-parent-group-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.parent.group_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.parent.group_leader.pe.go_import_hash: + dashed_name: process-parent-group-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.parent.group_leader.pe.go_imports: + dashed_name: process-parent-group-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.parent.group_leader.pe.go_imports_names_entropy: + dashed_name: process-parent-group-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.group_leader.pe.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.parent.group_leader.pe.go_stripped: + dashed_name: process-parent-group-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.group_leader.pe.imphash: + dashed_name: process-parent-group-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.group_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.parent.group_leader.pe.import_hash: + dashed_name: process-parent-group-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.parent.group_leader.pe.imports: + dashed_name: process-parent-group-leader-pe-imports + description: List of imported element names and types. 
+ flat_name: process.parent.group_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.parent.group_leader.pe.imports_names_entropy: + dashed_name: process-parent-group-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.group_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.group_leader.pe.imports_names_var_entropy: + dashed_name: process-parent-group-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.group_leader.pe.original_file_name: + dashed_name: process-parent-group-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.parent.group_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.parent.group_leader.pe.pehash: + dashed_name: process-parent-group-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. 
+ + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.parent.group_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.parent.group_leader.pe.product: + dashed_name: process-parent-group-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.parent.group_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.parent.group_leader.pe.sections: + dashed_name: process-parent-group-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.parent.group_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.parent.group_leader.pe.sections.entropy: + dashed_name: process-parent-group-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.parent.group_leader.pe.sections.name: + dashed_name: process-parent-group-leader-pe-sections-name + description: PE Section List name. 
+ flat_name: process.parent.group_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.parent.group_leader.pe.sections.physical_size: + dashed_name: process-parent-group-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.group_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.parent.group_leader.pe.sections.var_entropy: + dashed_name: process-parent-group-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.group_leader.pe.sections.virtual_size: + dashed_name: process-parent-group-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.group_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.group_leader.pid: + dashed_name: process-parent-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.parent.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.parent.group_leader.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.parent.group_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.parent.group_leader.real_group.domain: + dashed_name: process-parent-group-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.real_group.id: + dashed_name: process-parent-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.real_group.name: + dashed_name: process-parent-group-leader-real-group-name + description: Name of the group. + flat_name: process.parent.group_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.real_user.domain: + dashed_name: process-parent-group-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.group_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.group_leader.real_user.email: + dashed_name: process-parent-group-leader-real-user-email + description: User email address. + flat_name: process.parent.group_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.group_leader.real_user.full_name: + dashed_name: process-parent-group-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.group_leader.real_user.group.domain: + dashed_name: process-parent-group-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.real_user.group.id: + dashed_name: process-parent-group-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.parent.group_leader.real_user.group.name: + dashed_name: process-parent-group-leader-real-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.real_user.hash: + dashed_name: process-parent-group-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.group_leader.real_user.id: + dashed_name: process-parent-group-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.group_leader.real_user.name: + dashed_name: process-parent-group-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.parent.group_leader.real_user.risk.calculated_level: + dashed_name: process-parent-group-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.group_leader.real_user.risk.calculated_score: + dashed_name: process-parent-group-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.group_leader.real_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.group_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.parent.group_leader.real_user.risk.static_level: + dashed_name: process-parent-group-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.group_leader.real_user.risk.static_score: + dashed_name: process-parent-group-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.group_leader.real_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.group_leader.real_user.roles: + dashed_name: process-parent-group-leader-real-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.same_as_process: + dashed_name: process-parent-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.parent.group_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.parent.group_leader.saved_group.domain: + dashed_name: process-parent-group-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.group_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.saved_group.id: + dashed_name: process-parent-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.saved_group.name: + dashed_name: process-parent-group-leader-saved-group-name + description: Name of the group. + flat_name: process.parent.group_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.saved_user.domain: + dashed_name: process-parent-group-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.group_leader.saved_user.email: + dashed_name: process-parent-group-leader-saved-user-email + description: User email address. + flat_name: process.parent.group_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.group_leader.saved_user.full_name: + dashed_name: process-parent-group-leader-saved-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.parent.group_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.group_leader.saved_user.group.domain: + dashed_name: process-parent-group-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.saved_user.group.id: + dashed_name: process-parent-group-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.saved_user.group.name: + dashed_name: process-parent-group-leader-saved-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.saved_user.hash: + dashed_name: process-parent-group-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.parent.group_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.group_leader.saved_user.id: + dashed_name: process-parent-group-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.group_leader.saved_user.name: + dashed_name: process-parent-group-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.group_leader.saved_user.risk.calculated_level: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.parent.group_leader.saved_user.risk.calculated_score: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.group_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.group_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.group_leader.saved_user.risk.static_level: + dashed_name: process-parent-group-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +process.parent.group_leader.saved_user.risk.static_score: + dashed_name: process-parent-group-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.group_leader.saved_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.group_leader.saved_user.roles: + dashed_name: process-parent-group-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.start: + dashed_name: process-parent-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. 
+ type: date +process.parent.group_leader.supplemental_groups.domain: + dashed_name: process-parent-group-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.supplemental_groups.id: + dashed_name: process-parent-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.supplemental_groups.name: + dashed_name: process-parent-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.parent.group_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.thread.capabilities.effective: + dashed_name: process-parent-group-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.group_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. 
+ synthetic_source_keep: none + type: keyword +process.parent.group_leader.thread.capabilities.permitted: + dashed_name: process-parent-group-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.group_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.thread.id: + dashed_name: process-parent-group-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.group_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.parent.group_leader.thread.name: + dashed_name: process-parent-group-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.group_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.parent.group_leader.title: + dashed_name: process-parent-group-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.parent.group_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. 
+ type: keyword +process.parent.group_leader.tty: + dashed_name: process-parent-group-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.parent.group_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.parent.group_leader.tty.char_device.major: + dashed_name: process-parent-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.parent.group_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.parent.group_leader.tty.char_device.minor: + dashed_name: process-parent-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.parent.group_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.parent.group_leader.tty.columns: + dashed_name: process-parent-group-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. 
where event.action = ''text_output''' + example: 80 + flat_name: process.parent.group_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.parent.group_leader.tty.rows: + dashed_name: process-parent-group-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.parent.group_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.parent.group_leader.uptime: + dashed_name: process-parent-group-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.parent.group_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.parent.group_leader.user.domain: + dashed_name: process-parent-group-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.group_leader.user.email: + dashed_name: process-parent-group-leader-user-email + description: User email address. + flat_name: process.parent.group_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword +process.parent.group_leader.user.full_name: + dashed_name: process-parent-group-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.group_leader.user.group.domain: + dashed_name: process-parent-group-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.user.group.id: + dashed_name: process-parent-group-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.user.group.name: + dashed_name: process-parent-group-leader-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.user.hash: + dashed_name: process-parent-group-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.parent.group_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.group_leader.user.id: + dashed_name: process-parent-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.group_leader.user.name: + dashed_name: process-parent-group-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.group_leader.user.risk.calculated_level: + dashed_name: process-parent-group-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.group_leader.user.risk.calculated_score: + dashed_name: process-parent-group-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.parent.group_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.group_leader.user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.group_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.group_leader.user.risk.static_level: + dashed_name: process-parent-group-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.group_leader.user.risk.static_score: + dashed_name: process-parent-group-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.parent.group_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.group_leader.user.risk.static_score_norm: + dashed_name: process-parent-group-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.group_leader.user.roles: + dashed_name: process-parent-group-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.parent.group_leader.working_directory: + dashed_name: process-parent-group-leader-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.parent.group_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.parent.hash.md5: + dashed_name: process-parent-hash-md5 + description: MD5 hash. + flat_name: process.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.parent.hash.sha1: + dashed_name: process-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.parent.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.parent.hash.sha256: + dashed_name: process-parent-hash-sha256 + description: SHA256 hash. + flat_name: process.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.parent.hash.sha384: + dashed_name: process-parent-hash-sha384 + description: SHA384 hash. + flat_name: process.parent.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. 
+ type: keyword +process.parent.hash.sha512: + dashed_name: process-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.parent.hash.ssdeep: + dashed_name: process-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.parent.hash.tlsh: + dashed_name: process-parent-hash-tlsh + description: TLSH hash. + flat_name: process.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.parent.interactive: + dashed_name: process-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.parent.io: + dashed_name: process-parent-io + description: 'A chunk of input or output (IO) from a single process. 
+ + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.parent.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.parent.io.bytes_skipped: + dashed_name: process-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.parent.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.parent.io.bytes_skipped.length: + dashed_name: process-parent-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.parent.io.bytes_skipped.offset: + dashed_name: process-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. 
+ flat_name: process.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.parent.io.text: + dashed_name: process-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.parent.io.total_bytes_captured: + dashed_name: process-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.parent.io.total_bytes_skipped: + dashed_name: process-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. 
+ type: long +process.parent.io.type: + dashed_name: process-parent-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.parent.macho.go_import_hash: + dashed_name: process-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.parent.macho.go_imports: + dashed_name: process-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.parent.macho.go_imports_names_entropy: + dashed_name: process-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.macho.go_imports_names_var_entropy: + dashed_name: process-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.macho.go_stripped: + dashed_name: process-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.macho.import_hash: + dashed_name: process-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.parent.macho.imports: + dashed_name: process-parent-macho-imports + description: List of imported element names and types. 
+ flat_name: process.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.parent.macho.imports_names_entropy: + dashed_name: process-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.macho.imports_names_var_entropy: + dashed_name: process-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.macho.sections: + dashed_name: process-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.parent.macho.sections.entropy: + dashed_name: process-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. 
+ type: long +process.parent.macho.sections.name: + dashed_name: process-parent-macho-sections-name + description: Mach-O Section List name. + flat_name: process.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.parent.macho.sections.physical_size: + dashed_name: process-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.parent.macho.sections.var_entropy: + dashed_name: process-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.macho.sections.virtual_size: + dashed_name: process-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.macho.symhash: + dashed_name: process-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.parent.name: + dashed_name: process-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.parent.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.parent.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.parent.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.parent.pe.architecture: + dashed_name: process-parent-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: process.parent.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.parent.pe.company: + dashed_name: process-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.parent.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.parent.pe.description: + dashed_name: process-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.parent.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.parent.pe.file_version: + dashed_name: process-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.parent.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.parent.pe.go_import_hash: + dashed_name: process-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.parent.pe.go_imports: + dashed_name: process-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.parent.pe.go_imports_names_entropy: + dashed_name: process-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.pe.go_imports_names_var_entropy: + dashed_name: process-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.pe.go_stripped: + dashed_name: process-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.pe.imphash: + dashed_name: process-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.parent.pe.import_hash: + dashed_name: process-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of imported element names and types. + flat_name: process.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.parent.pe.imports_names_entropy: + dashed_name: process-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.pe.imports_names_var_entropy: + dashed_name: process-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.pe.original_file_name: + dashed_name: process-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.parent.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.parent.pe.pehash: + dashed_name: process-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.parent.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.parent.pe.product: + dashed_name: process-parent-pe-product + description: Internal product name of the file, provided at compile-time. 
+ example: Microsoft® Windows® Operating System + flat_name: process.parent.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: PE Section List name. + flat_name: process.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.parent.pe.sections.physical_size: + dashed_name: process-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.parent.pe.sections.var_entropy: + dashed_name: process-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: process.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.pe.sections.virtual_size: + dashed_name: process-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.pid: + dashed_name: process-parent-pid + description: Process id. + example: 4242 + flat_name: process.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.parent.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.parent.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.parent.real_group.domain: + dashed_name: process-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.parent.real_group.id: + dashed_name: process-parent-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.real_group.name: + dashed_name: process-parent-real-group-name + description: Name of the group. + flat_name: process.parent.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.real_user.domain: + dashed_name: process-parent-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.real_user.email: + dashed_name: process-parent-real-user-email + description: User email address. + flat_name: process.parent.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.real_user.full_name: + dashed_name: process-parent-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: keyword +process.parent.real_user.group.domain: + dashed_name: process-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.real_user.group.id: + dashed_name: process-parent-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.real_user.group.name: + dashed_name: process-parent-real-user-group-name + description: Name of the group. + flat_name: process.parent.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.real_user.hash: + dashed_name: process-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.real_user.id: + dashed_name: process-parent-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword +process.parent.real_user.name: + dashed_name: process-parent-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.real_user.risk.calculated_level: + dashed_name: process-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.real_user.risk.calculated_score: + dashed_name: process-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.real_user.risk.calculated_score_norm: + dashed_name: process-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: process.parent.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.real_user.risk.static_level: + dashed_name: process-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.real_user.risk.static_score: + dashed_name: process-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.real_user.risk.static_score_norm: + dashed_name: process-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float +process.parent.real_user.roles: + dashed_name: process-parent-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.same_as_process: + dashed_name: process-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.parent.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.parent.saved_group.domain: + dashed_name: process-parent-saved-group-domain + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.saved_group.id: + dashed_name: process-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.saved_group.name: + dashed_name: process-parent-saved-group-name + description: Name of the group. + flat_name: process.parent.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.saved_user.domain: + dashed_name: process-parent-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.saved_user.email: + dashed_name: process-parent-saved-user-email + description: User email address. + flat_name: process.parent.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.saved_user.full_name: + dashed_name: process-parent-saved-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.saved_user.group.domain: + dashed_name: process-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.saved_user.group.id: + dashed_name: process-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.saved_user.group.name: + dashed_name: process-parent-saved-user-group-name + description: Name of the group. + flat_name: process.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.saved_user.hash: + dashed_name: process-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. 
+ type: keyword +process.parent.saved_user.id: + dashed_name: process-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.saved_user.name: + dashed_name: process-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.saved_user.risk.calculated_level: + dashed_name: process-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.saved_user.risk.calculated_score: + dashed_name: process-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.saved_user.risk.static_level: + dashed_name: process-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.saved_user.risk.static_score: + dashed_name: process-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.saved_user.risk.static_score_norm: + dashed_name: process-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: process.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.saved_user.roles: + dashed_name: process-parent-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.start: + dashed_name: process-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.parent.supplemental_groups.domain: + dashed_name: process-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.supplemental_groups.id: + dashed_name: process-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.supplemental_groups.name: + dashed_name: process-parent-supplemental-groups-name + description: Name of the group. 
+ flat_name: process.parent.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.parent.thread.id: + dashed_name: process-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.parent.thread.name: + dashed_name: process-parent-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. 
+ type: keyword +process.parent.title: + dashed_name: process-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.parent.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.parent.tty: + dashed_name: process-parent-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.parent.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.parent.tty.char_device.major: + dashed_name: process-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.parent.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.parent.tty.char_device.minor: + dashed_name: process-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. 
+ example: 1 + flat_name: process.parent.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.parent.tty.columns: + dashed_name: process-parent-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.parent.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.parent.tty.rows: + dashed_name: process-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.parent.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.parent.uptime: + dashed_name: process-parent-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.parent.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.parent.user.domain: + dashed_name: process-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword +process.parent.user.email: + dashed_name: process-parent-user-email + description: User email address. + flat_name: process.parent.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.user.full_name: + dashed_name: process-parent-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.user.group.domain: + dashed_name: process-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.user.group.id: + dashed_name: process-parent-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.user.group.name: + dashed_name: process-parent-user-group-name + description: Name of the group. + flat_name: process.parent.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.user.hash: + dashed_name: process-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.parent.user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+process.parent.user.id:
+ dashed_name: process-parent-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.parent.user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+process.parent.user.name:
+ dashed_name: process-parent-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.parent.user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.parent.user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+process.parent.user.risk.calculated_level:
+ dashed_name: process-parent-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.parent.user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+process.parent.user.risk.calculated_score:
+ dashed_name: process-parent-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.parent.user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+process.parent.user.risk.calculated_score_norm:
+ dashed_name: process-parent-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: process.parent.user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+process.parent.user.risk.static_level:
+ dashed_name: process-parent-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.parent.user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+process.parent.user.risk.static_score:
+ dashed_name: process-parent-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.parent.user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+process.parent.user.risk.static_score_norm:
+ dashed_name: process-parent-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.parent.user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+process.parent.user.roles:
+ dashed_name: process-parent-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.parent.user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+process.parent.vpid:
+ dashed_name: process-parent-vpid
+ description: 'Virtual process id.
+
+ The process id within a pid namespace. This is not necessarily unique across all
+ processes on the host but it is unique within the process namespace that the process
+ exists within.'
+ example: 4242
+ flat_name: process.parent.vpid
+ format: string
+ level: core
+ name: vpid
+ normalize: []
+ original_fieldset: process
+ short: Virtual process id.
+ type: long
+process.parent.working_directory:
+ dashed_name: process-parent-working-directory
+ description: The working directory of the process.
+ example: /home/alice
+ flat_name: process.parent.working_directory
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.parent.working_directory.text
+ name: text
+ type: match_only_text
+ name: working_directory
+ normalize: []
+ original_fieldset: process
+ short: The working directory of the process.
+ type: keyword
+process.pe.architecture:
+ dashed_name: process-pe-architecture
+ description: CPU architecture target for the file.
+ example: x64
+ flat_name: process.pe.architecture
+ ignore_above: 1024
+ level: extended
+ name: architecture
+ normalize: []
+ original_fieldset: pe
+ short: CPU architecture target for the file.
+ type: keyword
+process.pe.company:
+ dashed_name: process-pe-company
+ description: Internal company name of the file, provided at compile-time.
+ example: Microsoft Corporation
+ flat_name: process.pe.company
+ ignore_above: 1024
+ level: extended
+ name: company
+ normalize: []
+ original_fieldset: pe
+ short: Internal company name of the file, provided at compile-time.
+ type: keyword
+process.pe.description:
+ dashed_name: process-pe-description
+ description: Internal description of the file, provided at compile-time.
+ example: Paint
+ flat_name: process.pe.description
+ ignore_above: 1024
+ level: extended
+ name: description
+ normalize: []
+ original_fieldset: pe
+ short: Internal description of the file, provided at compile-time.
+ type: keyword
+process.pe.file_version:
+ dashed_name: process-pe-file-version
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ flat_name: process.pe.file_version
+ ignore_above: 1024
+ level: extended
+ name: file_version
+ normalize: []
+ original_fieldset: pe
+ short: Process name.
+ type: keyword
+process.pe.go_import_hash:
+ dashed_name: process-pe-go-import-hash
+ description: 'A hash of the Go language imports in a PE file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would change
+ more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ flat_name: process.pe.go_import_hash
+ ignore_above: 1024
+ level: extended
+ name: go_import_hash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the Go language imports in a PE file.
+ type: keyword
+process.pe.go_imports:
+ dashed_name: process-pe-go-imports
+ description: List of imported Go language element names and types.
+ flat_name: process.pe.go_imports
+ level: extended
+ name: go_imports
+ normalize: []
+ original_fieldset: pe
+ short: List of imported Go language element names and types.
+ type: flattened
+process.pe.go_imports_names_entropy:
+ dashed_name: process-pe-go-imports-names-entropy
+ description: Shannon entropy calculation from the list of Go imports.
+ flat_name: process.pe.go_imports_names_entropy
+ format: number
+ level: extended
+ name: go_imports_names_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the list of Go imports.
+ type: long
+process.pe.go_imports_names_var_entropy:
+ dashed_name: process-pe-go-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ flat_name: process.pe.go_imports_names_var_entropy
+ format: number
+ level: extended
+ name: go_imports_names_var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the list of Go imports.
+ type: long
+process.pe.go_stripped:
+ dashed_name: process-pe-go-stripped
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ flat_name: process.pe.go_stripped
+ level: extended
+ name: go_stripped
+ normalize: []
+ original_fieldset: pe
+ short: Whether the file is a stripped or obfuscated Go executable.
+ type: boolean
+process.pe.imphash:
+ dashed_name: process-pe-imphash
+ description: 'A hash of the imports in a PE file. An imphash -- or import hash --
+ can be used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+ example: 0c6803c4e922103c4dca5963aad36ddf
+ flat_name: process.pe.imphash
+ ignore_above: 1024
+ level: extended
+ name: imphash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the imports in a PE file.
+ type: keyword
+process.pe.import_hash:
+ dashed_name: process-pe-import-hash
+ description: 'A hash of the imports in a PE file. An import hash can be used to
+ fingerprint binaries even after recompilation or other code-level transformations
+ have occurred, which would change more traditional hash values.
+
+ This is a synonym for imphash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ flat_name: process.pe.import_hash
+ ignore_above: 1024
+ level: extended
+ name: import_hash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the imports in a PE file.
+ type: keyword
+process.pe.imports:
+ dashed_name: process-pe-imports
+ description: List of imported element names and types.
+ flat_name: process.pe.imports
+ level: extended
+ name: imports
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of imported element names and types.
+ type: flattened
+process.pe.imports_names_entropy:
+ dashed_name: process-pe-imports-names-entropy
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ flat_name: process.pe.imports_names_entropy
+ format: number
+ level: extended
+ name: imports_names_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the list of imported element names and types.
+ type: long
+process.pe.imports_names_var_entropy:
+ dashed_name: process-pe-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ flat_name: process.pe.imports_names_var_entropy
+ format: number
+ level: extended
+ name: imports_names_var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the list of imported element
+ names and types.
+ type: long
+process.pe.original_file_name:
+ dashed_name: process-pe-original-file-name
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+ flat_name: process.pe.original_file_name
+ ignore_above: 1024
+ level: extended
+ name: original_file_name
+ normalize: []
+ original_fieldset: pe
+ short: Internal name of the file, provided at compile-time.
+ type: keyword
+process.pe.pehash:
+ dashed_name: process-pe-pehash
+ description: 'A hash of the PE header and data from one or more PE sections. An
+ pehash can be used to cluster files by transforming structural information about
+ a file into a hash value.
+
+ Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.'
+ example: 73ff189b63cd6be375a7ff25179a38d347651975
+ flat_name: process.pe.pehash
+ ignore_above: 1024
+ level: extended
+ name: pehash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the PE header and data from one or more PE sections.
+ type: keyword
+process.pe.product:
+ dashed_name: process-pe-product
+ description: Internal product name of the file, provided at compile-time.
+ example: Microsoft® Windows® Operating System
+ flat_name: process.pe.product
+ ignore_above: 1024
+ level: extended
+ name: product
+ normalize: []
+ original_fieldset: pe
+ short: Internal product name of the file, provided at compile-time.
+ type: keyword
+process.pe.sections:
+ dashed_name: process-pe-sections
+ description: 'An array containing an object for each section of the PE file.
+
+ The keys that should be present in these objects are defined by sub-fields underneath
+ `pe.sections.*`.'
+ flat_name: process.pe.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: pe
+ short: Section information of the PE file.
+ type: nested
+process.pe.sections.entropy:
+ dashed_name: process-pe-sections-entropy
+ description: Shannon entropy calculation from the section.
+ flat_name: process.pe.sections.entropy
+ format: number
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the section.
+ type: long
+process.pe.sections.name:
+ dashed_name: process-pe-sections-name
+ description: PE Section List name.
+ flat_name: process.pe.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List name.
+ type: keyword
+process.pe.sections.physical_size:
+ dashed_name: process-pe-sections-physical-size
+ description: PE Section List physical size.
+ flat_name: process.pe.sections.physical_size
+ format: bytes
+ level: extended
+ name: sections.physical_size
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List physical size.
+ type: long
+process.pe.sections.var_entropy:
+ dashed_name: process-pe-sections-var-entropy
+ description: Variance for Shannon entropy calculation from the section.
+ flat_name: process.pe.sections.var_entropy
+ format: number
+ level: extended
+ name: sections.var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the section.
+ type: long
+process.pe.sections.virtual_size:
+ dashed_name: process-pe-sections-virtual-size
+ description: PE Section List virtual size. This is always the same as `physical_size`.
+ flat_name: process.pe.sections.virtual_size
+ format: string
+ level: extended
+ name: sections.virtual_size
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List virtual size. This is always the same as `physical_size`.
+ type: long
+process.pid:
+ dashed_name: process-pid
+ description: Process id.
+ example: 4242
+ flat_name: process.pid
+ format: string
+ level: core
+ name: pid
+ normalize: []
+ otel:
+ - relation: match
+ stability: development
+ short: Process id.
+ type: long
+process.platform_binary:
+ beta: This field is beta and subject to change.
+ dashed_name: process-platform-binary
+ description: Binaries that are shipped by the operating system are defined as platform
+ binaries, this value is then set to true.
+ flat_name: process.platform_binary
+ level: extended
+ name: platform_binary
+ normalize: []
+ short: Indicates whether this process executable is a default platform binary shipped
+ with the operating system.
+ type: boolean
+process.previous.args:
+ dashed_name: process-previous-args
+ description: 'Array of process arguments, starting with the absolute path to the
+ executable.
+
+ May be filtered to protect sensitive information.'
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+ flat_name: process.previous.args
+ ignore_above: 1024
+ level: extended
+ name: args
+ normalize:
+ - array
+ original_fieldset: process
+ short: Array of process arguments.
+ type: keyword
+process.previous.args_count:
+ dashed_name: process-previous-args-count
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how many
+ arguments were provided to start a process. More arguments may be an indication
+ of suspicious activity.'
+ example: 4
+ flat_name: process.previous.args_count
+ level: extended
+ name: args_count
+ normalize: []
+ original_fieldset: process
+ short: Length of the process.args array.
+ type: long
+process.previous.attested_groups.domain:
+ dashed_name: process-previous-attested-groups-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.previous.attested_groups.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.previous.attested_groups.id:
+ dashed_name: process-previous-attested-groups-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.previous.attested_groups.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.previous.attested_groups.name:
+ dashed_name: process-previous-attested-groups-name
+ description: Name of the group.
+ flat_name: process.previous.attested_groups.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.previous.attested_user.domain:
+ dashed_name: process-previous-attested-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.previous.attested_user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+process.previous.attested_user.email:
+ dashed_name: process-previous-attested-user-email
+ description: User email address.
+ flat_name: process.previous.attested_user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+process.previous.attested_user.full_name:
+ dashed_name: process-previous-attested-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.previous.attested_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.previous.attested_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+process.previous.attested_user.group.domain:
+ dashed_name: process-previous-attested-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.previous.attested_user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.previous.attested_user.group.id:
+ dashed_name: process-previous-attested-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.previous.attested_user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.previous.attested_user.group.name:
+ dashed_name: process-previous-attested-user-group-name
+ description: Name of the group.
+ flat_name: process.previous.attested_user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.previous.attested_user.hash:
+ dashed_name: process-previous-attested-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.previous.attested_user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+process.previous.attested_user.id:
+ dashed_name: process-previous-attested-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.previous.attested_user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+process.previous.attested_user.name:
+ dashed_name: process-previous-attested-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.previous.attested_user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.previous.attested_user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+process.previous.attested_user.risk.calculated_level:
+ dashed_name: process-previous-attested-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.previous.attested_user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+process.previous.attested_user.risk.calculated_score:
+ dashed_name: process-previous-attested-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.previous.attested_user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+process.previous.attested_user.risk.calculated_score_norm:
+ dashed_name: process-previous-attested-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: process.previous.attested_user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+process.previous.attested_user.risk.static_level:
+ dashed_name: process-previous-attested-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.previous.attested_user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+process.previous.attested_user.risk.static_score:
+ dashed_name: process-previous-attested-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.previous.attested_user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+process.previous.attested_user.risk.static_score_norm:
+ dashed_name: process-previous-attested-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.previous.attested_user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+process.previous.attested_user.roles:
+ dashed_name: process-previous-attested-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.previous.attested_user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+process.previous.code_signature.digest_algorithm:
+ dashed_name: process-previous-code-signature-digest-algorithm
+ description: 'The hashing algorithm used to sign the process.
+
+ This value can distinguish signatures when a file is signed multiple times by
+ the same signer but with a different digest algorithm.'
+ example: sha256
+ flat_name: process.previous.code_signature.digest_algorithm
+ ignore_above: 1024
+ level: extended
+ name: digest_algorithm
+ normalize: []
+ original_fieldset: code_signature
+ short: Hashing algorithm used to sign the process.
+ type: keyword
+process.previous.code_signature.exists:
+ dashed_name: process-previous-code-signature-exists
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ flat_name: process.previous.code_signature.exists
+ level: core
+ name: exists
+ normalize: []
+ original_fieldset: code_signature
+ short: Boolean to capture if a signature is present.
+ type: boolean
+process.previous.code_signature.flags:
+ beta: This field is beta and subject to change.
+ dashed_name: process-previous-code-signature-flags
+ description: The flags used to sign the process.
+ example: 570522385
+ flat_name: process.previous.code_signature.flags
+ ignore_above: 1024
+ level: extended
+ name: flags
+ normalize: []
+ original_fieldset: code_signature
+ short: Code signing flags of the process
+ type: keyword
+process.previous.code_signature.signing_id:
+ dashed_name: process-previous-code-signature-signing-id
+ description: 'The identifier used to sign the process.
+
+ This is used to identify the application manufactured by a software vendor. The
+ field is relevant to Apple *OS only.'
+ example: com.apple.xpc.proxy
+ flat_name: process.previous.code_signature.signing_id
+ ignore_above: 1024
+ level: extended
+ name: signing_id
+ normalize: []
+ original_fieldset: code_signature
+ short: The identifier used to sign the process.
+ type: keyword
+process.previous.code_signature.status:
+ dashed_name: process-previous-code-signature-status
+ description: 'Additional information about the certificate status.
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status. Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ flat_name: process.previous.code_signature.status
+ ignore_above: 1024
+ level: extended
+ name: status
+ normalize: []
+ original_fieldset: code_signature
+ short: Additional information about the certificate status.
+ type: keyword
+process.previous.code_signature.subject_name:
+ dashed_name: process-previous-code-signature-subject-name
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ flat_name: process.previous.code_signature.subject_name
+ ignore_above: 1024
+ level: core
+ name: subject_name
+ normalize: []
+ original_fieldset: code_signature
+ short: Subject name of the code signer
+ type: keyword
+process.previous.code_signature.team_id:
+ dashed_name: process-previous-code-signature-team-id
+ description: 'The team identifier used to sign the process.
+
+ This is used to identify the team or vendor of a software product. The field is
+ relevant to Apple *OS only.'
+ example: EQHXZ8M8AV
+ flat_name: process.previous.code_signature.team_id
+ ignore_above: 1024
+ level: extended
+ name: team_id
+ normalize: []
+ original_fieldset: code_signature
+ short: The team identifier used to sign the process.
+ type: keyword
+process.previous.code_signature.thumbprint_sha256:
+ beta: This field is beta and subject to change.
+ dashed_name: process-previous-code-signature-thumbprint-sha256
+ description: Certificate SHA256 hash that uniquely identifies the code signer.
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+ flat_name: process.previous.code_signature.thumbprint_sha256
+ ignore_above: 64
+ level: extended
+ name: thumbprint_sha256
+ normalize: []
+ original_fieldset: code_signature
+ pattern: ^[0-9a-f]{64}$
+ short: SHA256 hash of the certificate.
+ type: keyword
+process.previous.code_signature.timestamp:
+ dashed_name: process-previous-code-signature-timestamp
+ description: Date and time when the code signature was generated and signed.
+ example: '2021-01-01T12:10:30Z'
+ flat_name: process.previous.code_signature.timestamp
+ level: extended
+ name: timestamp
+ normalize: []
+ original_fieldset: code_signature
+ short: When the signature was generated and signed.
+ type: date
+process.previous.code_signature.trusted:
+ dashed_name: process-previous-code-signature-trusted
+ description: 'Stores the trust status of the certificate chain.
+
+ Validating the trust of the certificate chain may be complicated, and this field
+ should only be populated by tools that actively check the status.'
+ example: 'true'
+ flat_name: process.previous.code_signature.trusted
+ level: extended
+ name: trusted
+ normalize: []
+ original_fieldset: code_signature
+ short: Stores the trust status of the certificate chain.
+ type: boolean
+process.previous.code_signature.valid:
+ dashed_name: process-previous-code-signature-valid
+ description: 'Boolean to capture if the digital signature is verified against the
+ binary content.
+
+ Leave unpopulated if a certificate was unchecked.'
+ example: 'true'
+ flat_name: process.previous.code_signature.valid
+ level: extended
+ name: valid
+ normalize: []
+ original_fieldset: code_signature
+ short: Boolean to capture if the digital signature is verified against the binary
+ content.
+ type: boolean
+process.previous.command_line:
+ dashed_name: process-previous-command-line
+ description: 'Full command line that started the process, including the absolute
+ path to the executable, and all arguments.
+
+ Some arguments may be filtered to protect sensitive information.'
+ example: /usr/bin/ssh -l user 10.0.0.16
+ flat_name: process.previous.command_line
+ level: extended
+ multi_fields:
+ - flat_name: process.previous.command_line.text
+ name: text
+ type: match_only_text
+ name: command_line
+ normalize: []
+ original_fieldset: process
+ short: Full command line that started the process.
+ type: wildcard
+process.previous.elf.architecture:
+ dashed_name: process-previous-elf-architecture
+ description: Machine architecture of the ELF file.
+ example: x86-64 + flat_name: process.previous.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.previous.elf.byte_order: + dashed_name: process-previous-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.previous.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.previous.elf.cpu_type: + dashed_name: process-previous-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.previous.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.previous.elf.creation_date: + dashed_name: process-previous-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.previous.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.previous.elf.exports: + dashed_name: process-previous-elf-exports + description: List of exported element names and types. + flat_name: process.previous.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.previous.elf.go_import_hash: + dashed_name: process-previous-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.previous.elf.go_imports: + dashed_name: process-previous-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.previous.elf.go_imports_names_entropy: + dashed_name: process-previous-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.previous.elf.go_imports_names_var_entropy: + dashed_name: process-previous-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.previous.elf.go_stripped: + dashed_name: process-previous-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.previous.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.previous.elf.header.abi_version: + dashed_name: process-previous-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.previous.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.previous.elf.header.class: + dashed_name: process-previous-elf-header-class + description: Header class of the ELF file. + flat_name: process.previous.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.previous.elf.header.data: + dashed_name: process-previous-elf-header-data + description: Data table of the ELF header. + flat_name: process.previous.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.previous.elf.header.entrypoint: + dashed_name: process-previous-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.previous.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. 
+ type: long +process.previous.elf.header.object_version: + dashed_name: process-previous-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.previous.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.previous.elf.header.os_abi: + dashed_name: process-previous-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.previous.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.previous.elf.header.type: + dashed_name: process-previous-elf-header-type + description: Header type of the ELF file. + flat_name: process.previous.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.previous.elf.header.version: + dashed_name: process-previous-elf-header-version + description: Version of the ELF header. + flat_name: process.previous.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.previous.elf.import_hash: + dashed_name: process-previous-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.previous.elf.imports: + dashed_name: process-previous-elf-imports + description: List of imported element names and types. + flat_name: process.previous.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.previous.elf.imports_names_entropy: + dashed_name: process-previous-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.previous.elf.imports_names_var_entropy: + dashed_name: process-previous-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.previous.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.previous.elf.sections: + dashed_name: process-previous-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.previous.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. 
+ type: nested +process.previous.elf.sections.chi2: + dashed_name: process-previous-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.previous.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.previous.elf.sections.entropy: + dashed_name: process-previous-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.previous.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.previous.elf.sections.flags: + dashed_name: process-previous-elf-sections-flags + description: ELF Section List flags. + flat_name: process.previous.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.previous.elf.sections.name: + dashed_name: process-previous-elf-sections-name + description: ELF Section List name. + flat_name: process.previous.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.previous.elf.sections.physical_offset: + dashed_name: process-previous-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.previous.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.previous.elf.sections.physical_size: + dashed_name: process-previous-elf-sections-physical-size + description: ELF Section List physical size. 
+ flat_name: process.previous.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.previous.elf.sections.type: + dashed_name: process-previous-elf-sections-type + description: ELF Section List type. + flat_name: process.previous.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.previous.elf.sections.var_entropy: + dashed_name: process-previous-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.previous.elf.sections.virtual_address: + dashed_name: process-previous-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.previous.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.previous.elf.sections.virtual_size: + dashed_name: process-previous-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.previous.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.previous.elf.segments: + dashed_name: process-previous-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' 
+ flat_name: process.previous.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.previous.elf.segments.sections: + dashed_name: process-previous-elf-segments-sections + description: ELF object segment sections. + flat_name: process.previous.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.previous.elf.segments.type: + dashed_name: process-previous-elf-segments-type + description: ELF object segment type. + flat_name: process.previous.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.previous.elf.shared_libraries: + dashed_name: process-previous-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.previous.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.previous.elf.telfhash: + dashed_name: process-previous-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.previous.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.previous.end: + dashed_name: process-previous-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.previous.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.previous.endpoint_security_client: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.previous.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.previous.entity_id: + dashed_name: process-previous-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.previous.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.previous.entry_meta.source.address: + dashed_name: process-previous-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.previous.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.previous.entry_meta.source.as.number: + dashed_name: process-previous-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. 
The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.previous.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.previous.entry_meta.source.as.organization.name: + dashed_name: process-previous-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.previous.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.previous.entry_meta.source.bytes: + dashed_name: process-previous-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.previous.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.previous.entry_meta.source.domain: + dashed_name: process-previous-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.previous.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.previous.entry_meta.source.geo.city_name: + dashed_name: process-previous-entry-meta-source-geo-city-name + description: City name. 
+ example: Montreal + flat_name: process.previous.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.previous.entry_meta.source.geo.continent_code: + dashed_name: process-previous-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.previous.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.previous.entry_meta.source.geo.continent_name: + dashed_name: process-previous-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.previous.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.previous.entry_meta.source.geo.country_iso_code: + dashed_name: process-previous-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.previous.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.previous.entry_meta.source.geo.country_name: + dashed_name: process-previous-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.previous.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.previous.entry_meta.source.geo.location: + dashed_name: process-previous-entry-meta-source-geo-location + description: Longitude and latitude. 
+ example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.previous.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.previous.entry_meta.source.geo.name: + dashed_name: process-previous-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.previous.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.previous.entry_meta.source.geo.postal_code: + dashed_name: process-previous-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.previous.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.previous.entry_meta.source.geo.region_iso_code: + dashed_name: process-previous-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.previous.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.previous.entry_meta.source.geo.region_name: + dashed_name: process-previous-entry-meta-source-geo-region-name + description: Region name. 
+ example: Quebec + flat_name: process.previous.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.previous.entry_meta.source.geo.timezone: + dashed_name: process-previous-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.previous.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.previous.entry_meta.source.ip: + dashed_name: process-previous-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.previous.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.previous.entry_meta.source.mac: + dashed_name: process-previous-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.previous.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.previous.entry_meta.source.nat.ip: + dashed_name: process-previous-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.previous.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.previous.entry_meta.source.nat.port: + dashed_name: process-previous-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.previous.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.previous.entry_meta.source.packets: + dashed_name: process-previous-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.previous.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.previous.entry_meta.source.port: + dashed_name: process-previous-entry-meta-source-port + description: Port of the source. + flat_name: process.previous.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.previous.entry_meta.source.registered_domain: + dashed_name: process-previous-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.previous.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.previous.entry_meta.source.subdomain: + dashed_name: process-previous-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.previous.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.previous.entry_meta.source.top_level_domain: + dashed_name: process-previous-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.previous.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword +process.previous.entry_meta.type: + dashed_name: process-previous-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.previous.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.previous.env_vars: + dashed_name: process-previous-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.previous.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.previous.executable: + dashed_name: process-previous-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.previous.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.previous.exit_code: + dashed_name: process-previous-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.previous.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. 
+ type: long +process.previous.group.domain: + dashed_name: process-previous-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.group.id: + dashed_name: process-previous-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.group.name: + dashed_name: process-previous-group-name + description: Name of the group. + flat_name: process.previous.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-previous-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.previous.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.previous.hash.md5: + dashed_name: process-previous-hash-md5 + description: MD5 hash. + flat_name: process.previous.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.previous.hash.sha1: + dashed_name: process-previous-hash-sha1 + description: SHA1 hash. 
+ flat_name: process.previous.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.previous.hash.sha256: + dashed_name: process-previous-hash-sha256 + description: SHA256 hash. + flat_name: process.previous.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.previous.hash.sha384: + dashed_name: process-previous-hash-sha384 + description: SHA384 hash. + flat_name: process.previous.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.previous.hash.sha512: + dashed_name: process-previous-hash-sha512 + description: SHA512 hash. + flat_name: process.previous.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.previous.hash.ssdeep: + dashed_name: process-previous-hash-ssdeep + description: SSDEEP hash. + flat_name: process.previous.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.previous.hash.tlsh: + dashed_name: process-previous-hash-tlsh + description: TLSH hash. + flat_name: process.previous.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.previous.interactive: + dashed_name: process-previous-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.previous.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.previous.io: + dashed_name: process-previous-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.previous.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.previous.io.bytes_skipped: + dashed_name: process-previous-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.previous.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.previous.io.bytes_skipped.length: + dashed_name: process-previous-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.previous.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.previous.io.bytes_skipped.offset: + dashed_name: process-previous-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.previous.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.previous.io.max_bytes_per_process_exceeded: + dashed_name: process-previous-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.previous.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.previous.io.text: + dashed_name: process-previous-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.previous.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.previous.io.total_bytes_captured: + dashed_name: process-previous-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.previous.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. 
+ type: long +process.previous.io.total_bytes_skipped: + dashed_name: process-previous-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.previous.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.previous.io.type: + dashed_name: process-previous-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.previous.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.previous.macho.go_import_hash: + dashed_name: process-previous-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. 
+ type: keyword +process.previous.macho.go_imports: + dashed_name: process-previous-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.previous.macho.go_imports_names_entropy: + dashed_name: process-previous-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.previous.macho.go_imports_names_var_entropy: + dashed_name: process-previous-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.previous.macho.go_stripped: + dashed_name: process-previous-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.previous.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.previous.macho.import_hash: + dashed_name: process-previous-macho-import-hash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.previous.macho.imports: + dashed_name: process-previous-macho-imports + description: List of imported element names and types. + flat_name: process.previous.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.previous.macho.imports_names_entropy: + dashed_name: process-previous-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.previous.macho.imports_names_var_entropy: + dashed_name: process-previous-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.previous.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.previous.macho.sections: + dashed_name: process-previous-macho-sections + description: 'An array containing an object for each section of the Mach-O file. 
+ + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.previous.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.previous.macho.sections.entropy: + dashed_name: process-previous-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.previous.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.previous.macho.sections.name: + dashed_name: process-previous-macho-sections-name + description: Mach-O Section List name. + flat_name: process.previous.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.previous.macho.sections.physical_size: + dashed_name: process-previous-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.previous.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.previous.macho.sections.var_entropy: + dashed_name: process-previous-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.previous.macho.sections.virtual_size: + dashed_name: process-previous-macho-sections-virtual-size + description: Mach-O Section List virtual size. 
This is always the same as `physical_size`. + flat_name: process.previous.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.previous.macho.symhash: + dashed_name: process-previous-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.previous.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.previous.name: + dashed_name: process-previous-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.previous.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.previous.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-previous-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.previous.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.previous.origin_url: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.previous.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.previous.pe.architecture: + dashed_name: process-previous-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.previous.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.previous.pe.company: + dashed_name: process-previous-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.previous.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.previous.pe.description: + dashed_name: process-previous-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.previous.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.previous.pe.file_version: + dashed_name: process-previous-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.previous.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. 
+ type: keyword +process.previous.pe.go_import_hash: + dashed_name: process-previous-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.previous.pe.go_imports: + dashed_name: process-previous-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.previous.pe.go_imports_names_entropy: + dashed_name: process-previous-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.previous.pe.go_imports_names_var_entropy: + dashed_name: process-previous-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.previous.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.previous.pe.go_stripped: + dashed_name: process-previous-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.previous.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.previous.pe.imphash: + dashed_name: process-previous-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.previous.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.previous.pe.import_hash: + dashed_name: process-previous-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. 
+ type: keyword +process.previous.pe.imports: + dashed_name: process-previous-pe-imports + description: List of imported element names and types. + flat_name: process.previous.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.previous.pe.imports_names_entropy: + dashed_name: process-previous-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.previous.pe.imports_names_var_entropy: + dashed_name: process-previous-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.previous.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.previous.pe.original_file_name: + dashed_name: process-previous-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.previous.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.previous.pe.pehash: + dashed_name: process-previous-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. 
+ + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.previous.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.previous.pe.product: + dashed_name: process-previous-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.previous.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.previous.pe.sections: + dashed_name: process-previous-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.previous.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.previous.pe.sections.entropy: + dashed_name: process-previous-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.previous.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.previous.pe.sections.name: + dashed_name: process-previous-pe-sections-name + description: PE Section List name. + flat_name: process.previous.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword +process.previous.pe.sections.physical_size: + dashed_name: process-previous-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.previous.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.previous.pe.sections.var_entropy: + dashed_name: process-previous-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.previous.pe.sections.virtual_size: + dashed_name: process-previous-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.previous.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.previous.pid: + dashed_name: process-previous-pid + description: Process id. + example: 4242 + flat_name: process.previous.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.previous.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-previous-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. 
+ flat_name: process.previous.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.previous.real_group.domain: + dashed_name: process-previous-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.real_group.id: + dashed_name: process-previous-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.real_group.name: + dashed_name: process-previous-real-group-name + description: Name of the group. + flat_name: process.previous.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.real_user.domain: + dashed_name: process-previous-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.previous.real_user.email: + dashed_name: process-previous-real-user-email + description: User email address. 
+ flat_name: process.previous.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.previous.real_user.full_name: + dashed_name: process-previous-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.previous.real_user.group.domain: + dashed_name: process-previous-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.real_user.group.id: + dashed_name: process-previous-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.real_user.group.name: + dashed_name: process-previous-real-user-group-name + description: Name of the group. + flat_name: process.previous.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.real_user.hash: + dashed_name: process-previous-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.previous.real_user.id: + dashed_name: process-previous-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.previous.real_user.name: + dashed_name: process-previous-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.previous.real_user.risk.calculated_level: + dashed_name: process-previous-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.previous.real_user.risk.calculated_score: + dashed_name: process-previous-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.previous.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.previous.real_user.risk.calculated_score_norm: + dashed_name: process-previous-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.previous.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.previous.real_user.risk.static_level: + dashed_name: process-previous-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.previous.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.previous.real_user.risk.static_score: + dashed_name: process-previous-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.previous.real_user.risk.static_score_norm: + dashed_name: process-previous-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.previous.real_user.roles: + dashed_name: process-previous-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.previous.same_as_process: + dashed_name: process-previous-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. 
e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.previous.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.previous.saved_group.domain: + dashed_name: process-previous-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.saved_group.id: + dashed_name: process-previous-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.saved_group.name: + dashed_name: process-previous-saved-group-name + description: Name of the group. + flat_name: process.previous.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.previous.saved_user.domain: + dashed_name: process-previous-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.previous.saved_user.email: + dashed_name: process-previous-saved-user-email + description: User email address. + flat_name: process.previous.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.previous.saved_user.full_name: + dashed_name: process-previous-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.previous.saved_user.group.domain: + dashed_name: process-previous-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.saved_user.group.id: + dashed_name: process-previous-saved-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.previous.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.saved_user.group.name: + dashed_name: process-previous-saved-user-group-name + description: Name of the group. + flat_name: process.previous.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.saved_user.hash: + dashed_name: process-previous-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.previous.saved_user.id: + dashed_name: process-previous-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.previous.saved_user.name: + dashed_name: process-previous-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.previous.saved_user.risk.calculated_level: + dashed_name: process-previous-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.previous.saved_user.risk.calculated_score: + dashed_name: process-previous-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.previous.saved_user.risk.calculated_score_norm: + dashed_name: process-previous-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.previous.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.previous.saved_user.risk.static_level: + dashed_name: process-previous-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.previous.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.previous.saved_user.risk.static_score: + dashed_name: process-previous-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.previous.saved_user.risk.static_score_norm: + dashed_name: process-previous-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.previous.saved_user.roles: + dashed_name: process-previous-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.previous.start: + dashed_name: process-previous-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.previous.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.previous.supplemental_groups.domain: + dashed_name: process-previous-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.supplemental_groups.id: + dashed_name: process-previous-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.supplemental_groups.name: + dashed_name: process-previous-supplemental-groups-name + description: Name of the group. + flat_name: process.previous.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.thread.capabilities.effective: + dashed_name: process-previous-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.previous.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. 
+ synthetic_source_keep: none + type: keyword +process.previous.thread.capabilities.permitted: + dashed_name: process-previous-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.previous.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.previous.thread.id: + dashed_name: process-previous-thread-id + description: Thread ID. + example: 4242 + flat_name: process.previous.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.previous.thread.name: + dashed_name: process-previous-thread-name + description: Thread name. + example: thread-0 + flat_name: process.previous.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.previous.title: + dashed_name: process-previous-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.previous.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.previous.tty: + dashed_name: process-previous-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. 
+ flat_name: process.previous.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.previous.tty.char_device.major: + dashed_name: process-previous-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.previous.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.previous.tty.char_device.minor: + dashed_name: process-previous-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.previous.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.previous.tty.columns: + dashed_name: process-previous-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.previous.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. 
e.g terminal width + type: long +process.previous.tty.rows: + dashed_name: process-previous-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.previous.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.previous.uptime: + dashed_name: process-previous-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.previous.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.previous.user.domain: + dashed_name: process-previous-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.previous.user.email: + dashed_name: process-previous-user-email + description: User email address. + flat_name: process.previous.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.previous.user.full_name: + dashed_name: process-previous-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: keyword +process.previous.user.group.domain: + dashed_name: process-previous-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.user.group.id: + dashed_name: process-previous-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.user.group.name: + dashed_name: process-previous-user-group-name + description: Name of the group. + flat_name: process.previous.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.user.hash: + dashed_name: process-previous-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.previous.user.id: + dashed_name: process-previous-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword +process.previous.user.name: + dashed_name: process-previous-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.previous.user.risk.calculated_level: + dashed_name: process-previous-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.previous.user.risk.calculated_score: + dashed_name: process-previous-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.previous.user.risk.calculated_score_norm: + dashed_name: process-previous-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: process.previous.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.previous.user.risk.static_level: + dashed_name: process-previous-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.previous.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.previous.user.risk.static_score: + dashed_name: process-previous-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.previous.user.risk.static_score_norm: + dashed_name: process-previous-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.previous.user.roles: + dashed_name: process-previous-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.previous.vpid: + dashed_name: process-previous-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.previous.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.previous.working_directory: + dashed_name: process-previous-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.previous.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.real_group.domain: + dashed_name: process-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.real_group.id: + dashed_name: process-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.real_group.name: + dashed_name: process-real-group-name + description: Name of the group. + flat_name: process.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.real_user.domain: + dashed_name: process-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.real_user.email: + dashed_name: process-real-user-email + description: User email address. + flat_name: process.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.real_user.full_name: + dashed_name: process-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.real_user.group.domain: + dashed_name: process-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.real_user.group.id: + dashed_name: process-real-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.real_user.group.name: + dashed_name: process-real-user-group-name + description: Name of the group. + flat_name: process.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.real_user.hash: + dashed_name: process-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.real_user.id: + dashed_name: process-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + otel: + - relation: match + stability: development + short: Unique identifier of the user. + type: keyword +process.real_user.name: + dashed_name: process-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + otel: + - relation: match + stability: development + short: Short name or login of the user. 
+ type: keyword +process.real_user.risk.calculated_level: + dashed_name: process-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.real_user.risk.calculated_score: + dashed_name: process-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.real_user.risk.calculated_score_norm: + dashed_name: process-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.real_user.risk.static_level: + dashed_name: process-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.real_user.risk.static_score: + dashed_name: process-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.real_user.risk.static_score_norm: + dashed_name: process-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.real_user.roles: + dashed_name: process-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.responsible.args: + dashed_name: process-responsible-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.responsible.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.responsible.args_count: + dashed_name: process-responsible-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.responsible.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.responsible.attested_groups.domain: + dashed_name: process-responsible-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.attested_groups.id: + dashed_name: process-responsible-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.attested_groups.name: + dashed_name: process-responsible-attested-groups-name + description: Name of the group. + flat_name: process.responsible.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.responsible.attested_user.domain: + dashed_name: process-responsible-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.responsible.attested_user.email: + dashed_name: process-responsible-attested-user-email + description: User email address. + flat_name: process.responsible.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.responsible.attested_user.full_name: + dashed_name: process-responsible-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.responsible.attested_user.group.domain: + dashed_name: process-responsible-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.attested_user.group.id: + dashed_name: process-responsible-attested-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.responsible.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.attested_user.group.name: + dashed_name: process-responsible-attested-user-group-name + description: Name of the group. + flat_name: process.responsible.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.attested_user.hash: + dashed_name: process-responsible-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.responsible.attested_user.id: + dashed_name: process-responsible-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.responsible.attested_user.name: + dashed_name: process-responsible-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.responsible.attested_user.risk.calculated_level: + dashed_name: process-responsible-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.responsible.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.responsible.attested_user.risk.calculated_score: + dashed_name: process-responsible-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.responsible.attested_user.risk.calculated_score_norm: + dashed_name: process-responsible-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.responsible.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.responsible.attested_user.risk.static_level: + dashed_name: process-responsible-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.responsible.attested_user.risk.static_score: + dashed_name: process-responsible-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.responsible.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.responsible.attested_user.risk.static_score_norm: + dashed_name: process-responsible-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.responsible.attested_user.roles: + dashed_name: process-responsible-attested-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.responsible.code_signature.digest_algorithm: + dashed_name: process-responsible-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.responsible.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.responsible.code_signature.exists: + dashed_name: process-responsible-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.responsible.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.responsible.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-responsible-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.responsible.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.responsible.code_signature.signing_id: + dashed_name: process-responsible-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. 
The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.responsible.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.responsible.code_signature.status: + dashed_name: process-responsible-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.responsible.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.responsible.code_signature.subject_name: + dashed_name: process-responsible-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.responsible.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.responsible.code_signature.team_id: + dashed_name: process-responsible-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.responsible.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.responsible.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.responsible.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.responsible.code_signature.timestamp: + dashed_name: process-responsible-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.responsible.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.responsible.code_signature.trusted: + dashed_name: process-responsible-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.responsible.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.responsible.code_signature.valid: + dashed_name: process-responsible-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.responsible.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. 
+ type: boolean +process.responsible.command_line: + dashed_name: process-responsible-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.responsible.command_line + level: extended + multi_fields: + - flat_name: process.responsible.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.responsible.elf.architecture: + dashed_name: process-responsible-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.responsible.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.responsible.elf.byte_order: + dashed_name: process-responsible-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.responsible.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.responsible.elf.cpu_type: + dashed_name: process-responsible-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.responsible.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.responsible.elf.creation_date: + dashed_name: process-responsible-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. 
+ flat_name: process.responsible.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.responsible.elf.exports: + dashed_name: process-responsible-elf-exports + description: List of exported element names and types. + flat_name: process.responsible.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.responsible.elf.go_import_hash: + dashed_name: process-responsible-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.responsible.elf.go_imports: + dashed_name: process-responsible-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.responsible.elf.go_imports_names_entropy: + dashed_name: process-responsible-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.responsible.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.responsible.elf.go_imports_names_var_entropy: + dashed_name: process-responsible-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.responsible.elf.go_stripped: + dashed_name: process-responsible-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.responsible.elf.header.abi_version: + dashed_name: process-responsible-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.responsible.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.responsible.elf.header.class: + dashed_name: process-responsible-elf-header-class + description: Header class of the ELF file. + flat_name: process.responsible.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. 
+ type: keyword +process.responsible.elf.header.data: + dashed_name: process-responsible-elf-header-data + description: Data table of the ELF header. + flat_name: process.responsible.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.responsible.elf.header.entrypoint: + dashed_name: process-responsible-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.responsible.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.responsible.elf.header.object_version: + dashed_name: process-responsible-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.responsible.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.responsible.elf.header.os_abi: + dashed_name: process-responsible-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.responsible.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.responsible.elf.header.type: + dashed_name: process-responsible-elf-header-type + description: Header type of the ELF file. + flat_name: process.responsible.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.responsible.elf.header.version: + dashed_name: process-responsible-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.responsible.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.responsible.elf.import_hash: + dashed_name: process-responsible-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.responsible.elf.imports: + dashed_name: process-responsible-elf-imports + description: List of imported element names and types. + flat_name: process.responsible.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.responsible.elf.imports_names_entropy: + dashed_name: process-responsible-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.responsible.elf.imports_names_var_entropy: + dashed_name: process-responsible-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.responsible.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.responsible.elf.sections: + dashed_name: process-responsible-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.responsible.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.responsible.elf.sections.chi2: + dashed_name: process-responsible-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.responsible.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.responsible.elf.sections.entropy: + dashed_name: process-responsible-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.responsible.elf.sections.flags: + dashed_name: process-responsible-elf-sections-flags + description: ELF Section List flags. + flat_name: process.responsible.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.responsible.elf.sections.name: + dashed_name: process-responsible-elf-sections-name + description: ELF Section List name. 
+ flat_name: process.responsible.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.responsible.elf.sections.physical_offset: + dashed_name: process-responsible-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.responsible.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.responsible.elf.sections.physical_size: + dashed_name: process-responsible-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.responsible.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.responsible.elf.sections.type: + dashed_name: process-responsible-elf-sections-type + description: ELF Section List type. + flat_name: process.responsible.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.responsible.elf.sections.var_entropy: + dashed_name: process-responsible-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.responsible.elf.sections.virtual_address: + dashed_name: process-responsible-elf-sections-virtual-address + description: ELF Section List virtual address. 
+ flat_name: process.responsible.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.responsible.elf.sections.virtual_size: + dashed_name: process-responsible-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.responsible.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.responsible.elf.segments: + dashed_name: process-responsible-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.responsible.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.responsible.elf.segments.sections: + dashed_name: process-responsible-elf-segments-sections + description: ELF object segment sections. + flat_name: process.responsible.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.responsible.elf.segments.type: + dashed_name: process-responsible-elf-segments-type + description: ELF object segment type. + flat_name: process.responsible.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.responsible.elf.shared_libraries: + dashed_name: process-responsible-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: process.responsible.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.responsible.elf.telfhash: + dashed_name: process-responsible-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.responsible.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.responsible.end: + dashed_name: process-responsible-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.responsible.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.responsible.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-responsible-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.responsible.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.responsible.entity_id: + dashed_name: process-responsible-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' 
+ example: c2c455d9f99375d + flat_name: process.responsible.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.responsible.entry_meta.source.address: + dashed_name: process-responsible-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.responsible.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.responsible.entry_meta.source.as.number: + dashed_name: process-responsible-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.responsible.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.responsible.entry_meta.source.as.organization.name: + dashed_name: process-responsible-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.responsible.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. 
+ type: keyword +process.responsible.entry_meta.source.bytes: + dashed_name: process-responsible-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.responsible.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.responsible.entry_meta.source.domain: + dashed_name: process-responsible-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.responsible.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.responsible.entry_meta.source.geo.city_name: + dashed_name: process-responsible-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.responsible.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.responsible.entry_meta.source.geo.continent_code: + dashed_name: process-responsible-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.responsible.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.responsible.entry_meta.source.geo.continent_name: + dashed_name: process-responsible-entry-meta-source-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: process.responsible.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.responsible.entry_meta.source.geo.country_iso_code: + dashed_name: process-responsible-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.responsible.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.responsible.entry_meta.source.geo.country_name: + dashed_name: process-responsible-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.responsible.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.responsible.entry_meta.source.geo.location: + dashed_name: process-responsible-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.responsible.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.responsible.entry_meta.source.geo.name: + dashed_name: process-responsible-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + flat_name: process.responsible.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.responsible.entry_meta.source.geo.postal_code: + dashed_name: process-responsible-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.responsible.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.responsible.entry_meta.source.geo.region_iso_code: + dashed_name: process-responsible-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.responsible.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.responsible.entry_meta.source.geo.region_name: + dashed_name: process-responsible-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.responsible.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.responsible.entry_meta.source.geo.timezone: + dashed_name: process-responsible-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.responsible.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. 
+ type: keyword +process.responsible.entry_meta.source.ip: + dashed_name: process-responsible-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.responsible.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.responsible.entry_meta.source.mac: + dashed_name: process-responsible-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.responsible.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.responsible.entry_meta.source.nat.ip: + dashed_name: process-responsible-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.responsible.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.responsible.entry_meta.source.nat.port: + dashed_name: process-responsible-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.responsible.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.responsible.entry_meta.source.packets: + dashed_name: process-responsible-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.responsible.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.responsible.entry_meta.source.port: + dashed_name: process-responsible-entry-meta-source-port + description: Port of the source. + flat_name: process.responsible.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.responsible.entry_meta.source.registered_domain: + dashed_name: process-responsible-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.responsible.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.responsible.entry_meta.source.subdomain: + dashed_name: process-responsible-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.responsible.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.responsible.entry_meta.source.top_level_domain: + dashed_name: process-responsible-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.responsible.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.responsible.entry_meta.type: + dashed_name: process-responsible-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.responsible.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. 
+ type: keyword +process.responsible.env_vars: + dashed_name: process-responsible-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.responsible.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.responsible.executable: + dashed_name: process-responsible-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.responsible.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.responsible.exit_code: + dashed_name: process-responsible-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.responsible.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.responsible.group.domain: + dashed_name: process-responsible-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.responsible.group.id: + dashed_name: process-responsible-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.group.name: + dashed_name: process-responsible-group-name + description: Name of the group. + flat_name: process.responsible.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-responsible-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.responsible.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.responsible.hash.md5: + dashed_name: process-responsible-hash-md5 + description: MD5 hash. + flat_name: process.responsible.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.responsible.hash.sha1: + dashed_name: process-responsible-hash-sha1 + description: SHA1 hash. + flat_name: process.responsible.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.responsible.hash.sha256: + dashed_name: process-responsible-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.responsible.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.responsible.hash.sha384: + dashed_name: process-responsible-hash-sha384 + description: SHA384 hash. + flat_name: process.responsible.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.responsible.hash.sha512: + dashed_name: process-responsible-hash-sha512 + description: SHA512 hash. + flat_name: process.responsible.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.responsible.hash.ssdeep: + dashed_name: process-responsible-hash-ssdeep + description: SSDEEP hash. + flat_name: process.responsible.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.responsible.hash.tlsh: + dashed_name: process-responsible-hash-tlsh + description: TLSH hash. + flat_name: process.responsible.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.responsible.interactive: + dashed_name: process-responsible-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.responsible.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.responsible.io: + dashed_name: process-responsible-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.responsible.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.responsible.io.bytes_skipped: + dashed_name: process-responsible-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.responsible.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.responsible.io.bytes_skipped.length: + dashed_name: process-responsible-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.responsible.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.responsible.io.bytes_skipped.offset: + dashed_name: process-responsible-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.responsible.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.responsible.io.max_bytes_per_process_exceeded: + dashed_name: process-responsible-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.responsible.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.responsible.io.text: + dashed_name: process-responsible-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.responsible.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.responsible.io.total_bytes_captured: + dashed_name: process-responsible-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.responsible.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. 
+ type: long +process.responsible.io.total_bytes_skipped: + dashed_name: process-responsible-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.responsible.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.responsible.io.type: + dashed_name: process-responsible-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.responsible.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.responsible.macho.go_import_hash: + dashed_name: process-responsible-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. 
+ type: keyword +process.responsible.macho.go_imports: + dashed_name: process-responsible-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.responsible.macho.go_imports_names_entropy: + dashed_name: process-responsible-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.responsible.macho.go_imports_names_var_entropy: + dashed_name: process-responsible-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.responsible.macho.go_stripped: + dashed_name: process-responsible-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.responsible.macho.import_hash: + dashed_name: process-responsible-macho-import-hash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.responsible.macho.imports: + dashed_name: process-responsible-macho-imports + description: List of imported element names and types. + flat_name: process.responsible.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.responsible.macho.imports_names_entropy: + dashed_name: process-responsible-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.responsible.macho.imports_names_var_entropy: + dashed_name: process-responsible-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.responsible.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.responsible.macho.sections: + dashed_name: process-responsible-macho-sections + description: 'An array containing an object for each section of the Mach-O file. 
+ + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.responsible.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.responsible.macho.sections.entropy: + dashed_name: process-responsible-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.responsible.macho.sections.name: + dashed_name: process-responsible-macho-sections-name + description: Mach-O Section List name. + flat_name: process.responsible.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.responsible.macho.sections.physical_size: + dashed_name: process-responsible-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.responsible.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.responsible.macho.sections.var_entropy: + dashed_name: process-responsible-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.responsible.macho.sections.virtual_size: + dashed_name: process-responsible-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.responsible.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.responsible.macho.symhash: + dashed_name: process-responsible-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.responsible.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.responsible.name: + dashed_name: process-responsible-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.responsible.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.responsible.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-responsible-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. 
+ example: http://example.com/article1.html + flat_name: process.responsible.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.responsible.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-responsible-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.responsible.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.responsible.pe.architecture: + dashed_name: process-responsible-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.responsible.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.responsible.pe.company: + dashed_name: process-responsible-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.responsible.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.responsible.pe.description: + dashed_name: process-responsible-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.responsible.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
+ type: keyword +process.responsible.pe.file_version: + dashed_name: process-responsible-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.responsible.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.responsible.pe.go_import_hash: + dashed_name: process-responsible-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.responsible.pe.go_imports: + dashed_name: process-responsible-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.responsible.pe.go_imports_names_entropy: + dashed_name: process-responsible-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. 
+ type: long +process.responsible.pe.go_imports_names_var_entropy: + dashed_name: process-responsible-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.responsible.pe.go_stripped: + dashed_name: process-responsible-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.responsible.pe.imphash: + dashed_name: process-responsible-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.responsible.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.responsible.pe.import_hash: + dashed_name: process-responsible-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.responsible.pe.imports: + dashed_name: process-responsible-pe-imports + description: List of imported element names and types. + flat_name: process.responsible.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.responsible.pe.imports_names_entropy: + dashed_name: process-responsible-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.responsible.pe.imports_names_var_entropy: + dashed_name: process-responsible-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.responsible.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.responsible.pe.original_file_name: + dashed_name: process-responsible-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.responsible.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. 
+ type: keyword +process.responsible.pe.pehash: + dashed_name: process-responsible-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.responsible.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.responsible.pe.product: + dashed_name: process-responsible-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.responsible.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.responsible.pe.sections: + dashed_name: process-responsible-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.responsible.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.responsible.pe.sections.entropy: + dashed_name: process-responsible-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. 
+ type: long +process.responsible.pe.sections.name: + dashed_name: process-responsible-pe-sections-name + description: PE Section List name. + flat_name: process.responsible.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.responsible.pe.sections.physical_size: + dashed_name: process-responsible-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.responsible.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.responsible.pe.sections.var_entropy: + dashed_name: process-responsible-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.responsible.pe.sections.virtual_size: + dashed_name: process-responsible-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.responsible.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.responsible.pid: + dashed_name: process-responsible-pid + description: Process id. + example: 4242 + flat_name: process.responsible.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.responsible.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.responsible.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.responsible.real_group.domain: + dashed_name: process-responsible-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.real_group.id: + dashed_name: process-responsible-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.real_group.name: + dashed_name: process-responsible-real-group-name + description: Name of the group. + flat_name: process.responsible.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.real_user.domain: + dashed_name: process-responsible-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword +process.responsible.real_user.email: + dashed_name: process-responsible-real-user-email + description: User email address. + flat_name: process.responsible.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.responsible.real_user.full_name: + dashed_name: process-responsible-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.responsible.real_user.group.domain: + dashed_name: process-responsible-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.real_user.group.id: + dashed_name: process-responsible-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.real_user.group.name: + dashed_name: process-responsible-real-user-group-name + description: Name of the group. + flat_name: process.responsible.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.responsible.real_user.hash: + dashed_name: process-responsible-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.responsible.real_user.id: + dashed_name: process-responsible-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.responsible.real_user.name: + dashed_name: process-responsible-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.responsible.real_user.risk.calculated_level: + dashed_name: process-responsible-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.responsible.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.responsible.real_user.risk.calculated_score: + dashed_name: process-responsible-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.responsible.real_user.risk.calculated_score_norm: + dashed_name: process-responsible-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.responsible.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.responsible.real_user.risk.static_level: + dashed_name: process-responsible-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.responsible.real_user.risk.static_score: + dashed_name: process-responsible-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.responsible.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.responsible.real_user.risk.static_score_norm: + dashed_name: process-responsible-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.responsible.real_user.roles: + dashed_name: process-responsible-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.responsible.same_as_process: + dashed_name: process-responsible-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. 
e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.responsible.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.responsible.saved_group.domain: + dashed_name: process-responsible-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.saved_group.id: + dashed_name: process-responsible-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.saved_group.name: + dashed_name: process-responsible-saved-group-name + description: Name of the group. + flat_name: process.responsible.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.responsible.saved_user.domain: + dashed_name: process-responsible-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.responsible.saved_user.email: + dashed_name: process-responsible-saved-user-email + description: User email address. + flat_name: process.responsible.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.responsible.saved_user.full_name: + dashed_name: process-responsible-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.responsible.saved_user.group.domain: + dashed_name: process-responsible-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.saved_user.group.id: + dashed_name: process-responsible-saved-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.responsible.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.saved_user.group.name: + dashed_name: process-responsible-saved-user-group-name + description: Name of the group. + flat_name: process.responsible.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.saved_user.hash: + dashed_name: process-responsible-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.responsible.saved_user.id: + dashed_name: process-responsible-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.responsible.saved_user.name: + dashed_name: process-responsible-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.responsible.saved_user.risk.calculated_level: + dashed_name: process-responsible-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.responsible.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.responsible.saved_user.risk.calculated_score: + dashed_name: process-responsible-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.responsible.saved_user.risk.calculated_score_norm: + dashed_name: process-responsible-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.responsible.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.responsible.saved_user.risk.static_level: + dashed_name: process-responsible-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.responsible.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.responsible.saved_user.risk.static_score: + dashed_name: process-responsible-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.responsible.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.responsible.saved_user.risk.static_score_norm: + dashed_name: process-responsible-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.responsible.saved_user.roles: + dashed_name: process-responsible-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.responsible.start: + dashed_name: process-responsible-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.responsible.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.responsible.supplemental_groups.domain: + dashed_name: process-responsible-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.supplemental_groups.id: + dashed_name: process-responsible-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.supplemental_groups.name: + dashed_name: process-responsible-supplemental-groups-name + description: Name of the group. + flat_name: process.responsible.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.thread.capabilities.effective: + dashed_name: process-responsible-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.responsible.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. 
+ synthetic_source_keep: none + type: keyword +process.responsible.thread.capabilities.permitted: + dashed_name: process-responsible-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.responsible.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.responsible.thread.id: + dashed_name: process-responsible-thread-id + description: Thread ID. + example: 4242 + flat_name: process.responsible.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.responsible.thread.name: + dashed_name: process-responsible-thread-name + description: Thread name. + example: thread-0 + flat_name: process.responsible.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.responsible.title: + dashed_name: process-responsible-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.responsible.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.responsible.tty: + dashed_name: process-responsible-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. 
+ flat_name: process.responsible.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.responsible.tty.char_device.major: + dashed_name: process-responsible-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.responsible.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.responsible.tty.char_device.minor: + dashed_name: process-responsible-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.responsible.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.responsible.tty.columns: + dashed_name: process-responsible-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.responsible.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. 
e.g terminal width + type: long +process.responsible.tty.rows: + dashed_name: process-responsible-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.responsible.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.responsible.uptime: + dashed_name: process-responsible-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.responsible.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.responsible.user.domain: + dashed_name: process-responsible-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.responsible.user.email: + dashed_name: process-responsible-user-email + description: User email address. + flat_name: process.responsible.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.responsible.user.full_name: + dashed_name: process-responsible-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.responsible.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.responsible.user.group.domain: + dashed_name: process-responsible-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.user.group.id: + dashed_name: process-responsible-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.user.group.name: + dashed_name: process-responsible-user-group-name + description: Name of the group. + flat_name: process.responsible.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.user.hash: + dashed_name: process-responsible-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. 
+ type: keyword +process.responsible.user.id: + dashed_name: process-responsible-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.responsible.user.name: + dashed_name: process-responsible-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.responsible.user.risk.calculated_level: + dashed_name: process-responsible-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.responsible.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.responsible.user.risk.calculated_score: + dashed_name: process-responsible-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.responsible.user.risk.calculated_score_norm: + dashed_name: process-responsible-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.responsible.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.responsible.user.risk.static_level: + dashed_name: process-responsible-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.responsible.user.risk.static_score: + dashed_name: process-responsible-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.responsible.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.responsible.user.risk.static_score_norm: + dashed_name: process-responsible-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: process.responsible.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.responsible.user.roles: + dashed_name: process-responsible-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.responsible.vpid: + dashed_name: process-responsible-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.responsible.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.responsible.working_directory: + dashed_name: process-responsible-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.responsible.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.same_as_process: + dashed_name: process-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. 
Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.same_as_process + level: extended + name: same_as_process + normalize: [] + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.saved_group.domain: + dashed_name: process-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.saved_group.id: + dashed_name: process-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.saved_group.name: + dashed_name: process-saved-group-name + description: Name of the group. 
+ flat_name: process.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.saved_user.domain: + dashed_name: process-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.saved_user.email: + dashed_name: process-saved-user-email + description: User email address. + flat_name: process.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.saved_user.full_name: + dashed_name: process-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.saved_user.group.domain: + dashed_name: process-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.saved_user.group.id: + dashed_name: process-saved-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.saved_user.group.name: + dashed_name: process-saved-user-group-name + description: Name of the group. + flat_name: process.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.saved_user.hash: + dashed_name: process-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.saved_user.id: + dashed_name: process-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + otel: + - relation: match + stability: development + short: Unique identifier of the user. + type: keyword +process.saved_user.name: + dashed_name: process-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + otel: + - relation: match + stability: development + short: Short name or login of the user. 
+ type: keyword +process.saved_user.risk.calculated_level: + dashed_name: process-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.saved_user.risk.calculated_score: + dashed_name: process-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.saved_user.risk.calculated_score_norm: + dashed_name: process-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.saved_user.risk.static_level: + dashed_name: process-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.saved_user.risk.static_score: + dashed_name: process-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.saved_user.risk.static_score_norm: + dashed_name: process-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.saved_user.roles: + dashed_name: process-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.args: + dashed_name: process-session-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.session_leader.args_count: + dashed_name: process-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.session_leader.attested_groups.domain: + dashed_name: process-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.attested_groups.id: + dashed_name: process-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.attested_groups.name: + dashed_name: process-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.session_leader.attested_user.domain: + dashed_name: process-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.attested_user.email: + dashed_name: process-session-leader-attested-user-email + description: User email address. + flat_name: process.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.attested_user.full_name: + dashed_name: process-session-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.attested_user.group.domain: + dashed_name: process-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.attested_user.group.id: + dashed_name: process-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.session_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.attested_user.group.name: + dashed_name: process-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.attested_user.hash: + dashed_name: process-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.attested_user.id: + dashed_name: process-session-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.attested_user.name: + dashed_name: process-session-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.session_leader.attested_user.risk.calculated_level: + dashed_name: process-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.attested_user.risk.calculated_score: + dashed_name: process-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.session_leader.attested_user.risk.static_level: + dashed_name: process-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.attested_user.risk.static_score: + dashed_name: process-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.attested_user.roles: + dashed_name: process-session-leader-attested-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.code_signature.digest_algorithm: + dashed_name: process-session-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.session_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.session_leader.code_signature.exists: + dashed_name: process-session-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.session_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.session_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.session_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.session_leader.code_signature.signing_id: + dashed_name: process-session-leader-code-signature-signing-id + description: 'The identifier used to sign the process. 
+ + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.session_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.session_leader.code_signature.status: + dashed_name: process-session-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.session_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.session_leader.code_signature.subject_name: + dashed_name: process-session-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.session_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.session_leader.code_signature.team_id: + dashed_name: process-session-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.session_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. 
+ type: keyword +process.session_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.session_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.session_leader.code_signature.timestamp: + dashed_name: process-session-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.session_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.session_leader.code_signature.trusted: + dashed_name: process-session-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.session_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.session_leader.code_signature.valid: + dashed_name: process-session-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: process.session_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.session_leader.command_line: + dashed_name: process-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.session_leader.elf.architecture: + dashed_name: process-session-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.session_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.session_leader.elf.byte_order: + dashed_name: process-session-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.session_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.session_leader.elf.cpu_type: + dashed_name: process-session-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.session_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. 
+ type: keyword +process.session_leader.elf.creation_date: + dashed_name: process-session-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.session_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.session_leader.elf.exports: + dashed_name: process-session-leader-elf-exports + description: List of exported element names and types. + flat_name: process.session_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.session_leader.elf.go_import_hash: + dashed_name: process-session-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.session_leader.elf.go_imports: + dashed_name: process-session-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. 
+ type: flattened +process.session_leader.elf.go_imports_names_entropy: + dashed_name: process-session-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.elf.go_stripped: + dashed_name: process-session-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.elf.header.abi_version: + dashed_name: process-session-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.session_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.session_leader.elf.header.class: + dashed_name: process-session-leader-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.session_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.session_leader.elf.header.data: + dashed_name: process-session-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.session_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.session_leader.elf.header.entrypoint: + dashed_name: process-session-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.session_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.session_leader.elf.header.object_version: + dashed_name: process-session-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.session_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.session_leader.elf.header.os_abi: + dashed_name: process-session-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.session_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.session_leader.elf.header.type: + dashed_name: process-session-leader-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.session_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.session_leader.elf.header.version: + dashed_name: process-session-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.session_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.session_leader.elf.import_hash: + dashed_name: process-session-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.session_leader.elf.imports: + dashed_name: process-session-leader-elf-imports + description: List of imported element names and types. + flat_name: process.session_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.session_leader.elf.imports_names_entropy: + dashed_name: process-session-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.session_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.elf.imports_names_var_entropy: + dashed_name: process-session-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.elf.sections: + dashed_name: process-session-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.session_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.session_leader.elf.sections.chi2: + dashed_name: process-session-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.session_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.session_leader.elf.sections.entropy: + dashed_name: process-session-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.session_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.session_leader.elf.sections.flags: + dashed_name: process-session-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.session_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.session_leader.elf.sections.name: + dashed_name: process-session-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.session_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.session_leader.elf.sections.physical_offset: + dashed_name: process-session-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.session_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.session_leader.elf.sections.physical_size: + dashed_name: process-session-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.session_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.session_leader.elf.sections.type: + dashed_name: process-session-leader-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.session_leader.elf.sections.var_entropy: + dashed_name: process-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.elf.sections.virtual_address: + dashed_name: process-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.session_leader.elf.sections.virtual_size: + dashed_name: process-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.session_leader.elf.segments: + dashed_name: process-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. 
+ type: nested +process.session_leader.elf.segments.sections: + dashed_name: process-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.session_leader.elf.segments.type: + dashed_name: process-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.session_leader.elf.shared_libraries: + dashed_name: process-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.session_leader.elf.telfhash: + dashed_name: process-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.session_leader.end: + dashed_name: process-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.session_leader.entity_id: + dashed_name: process-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.session_leader.entry_meta.source.address: + dashed_name: process-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. 
+ type: keyword +process.session_leader.entry_meta.source.as.number: + dashed_name: process-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.session_leader.entry_meta.source.bytes: + dashed_name: process-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.session_leader.entry_meta.source.domain: + dashed_name: process-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' 
+ example: foo.example.com + flat_name: process.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. 
+ type: keyword +process.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.session_leader.entry_meta.source.geo.location: + dashed_name: process-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.session_leader.entry_meta.source.geo.name: + dashed_name: process-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. 
+ type: keyword +process.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.session_leader.entry_meta.source.ip: + dashed_name: process-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.session_leader.entry_meta.source.mac: + dashed_name: process-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' 
+ example: 00-00-5E-00-53-23 + flat_name: process.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.session_leader.entry_meta.source.nat.ip: + dashed_name: process-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.session_leader.entry_meta.source.nat.port: + dashed_name: process-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.session_leader.entry_meta.source.packets: + dashed_name: process-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.session_leader.entry_meta.source.port: + dashed_name: process-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. 
+ type: long +process.session_leader.entry_meta.source.registered_domain: + dashed_name: process-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.session_leader.entry_meta.source.subdomain: + dashed_name: process-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. 
+ type: keyword +process.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.session_leader.entry_meta.type: + dashed_name: process-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.session_leader.env_vars: + dashed_name: process-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. 
+ synthetic_source_keep: none + type: keyword +process.session_leader.executable: + dashed_name: process-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.session_leader.exit_code: + dashed_name: process-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.session_leader.group.domain: + dashed_name: process-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.group.id: + dashed_name: process-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.group.name: + dashed_name: process-session-leader-group-name + description: Name of the group. 
+ flat_name: process.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.session_leader.hash.md5: + dashed_name: process-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.session_leader.hash.sha1: + dashed_name: process-session-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.session_leader.hash.sha256: + dashed_name: process-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.session_leader.hash.sha384: + dashed_name: process-session-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.session_leader.hash.sha512: + dashed_name: process-session-leader-hash-sha512 + description: SHA512 hash. 
+ flat_name: process.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.session_leader.hash.ssdeep: + dashed_name: process-session-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.session_leader.hash.tlsh: + dashed_name: process-session-leader-hash-tlsh + description: TLSH hash. + flat_name: process.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.session_leader.interactive: + dashed_name: process-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.session_leader.io: + dashed_name: process-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' 
+ flat_name: process.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.session_leader.io.bytes_skipped: + dashed_name: process-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.session_leader.io.bytes_skipped.length: + dashed_name: process-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.session_leader.io.bytes_skipped.offset: + dashed_name: process-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. 
+ flat_name: process.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.session_leader.io.text: + dashed_name: process-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.session_leader.io.total_bytes_captured: + dashed_name: process-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.session_leader.io.total_bytes_skipped: + dashed_name: process-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. 
+ type: long +process.session_leader.io.type: + dashed_name: process-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.session_leader.macho.go_import_hash: + dashed_name: process-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.session_leader.macho.go_imports: + dashed_name: process-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.session_leader.macho.go_imports_names_entropy: + dashed_name: process-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.macho.go_stripped: + dashed_name: process-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.macho.import_hash: + dashed_name: process-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. 
+ type: keyword +process.session_leader.macho.imports: + dashed_name: process-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.session_leader.macho.imports_names_entropy: + dashed_name: process-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.macho.imports_names_var_entropy: + dashed_name: process-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.macho.sections: + dashed_name: process-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. 
+ type: nested +process.session_leader.macho.sections.entropy: + dashed_name: process-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.session_leader.macho.sections.name: + dashed_name: process-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.session_leader.macho.sections.physical_size: + dashed_name: process-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.session_leader.macho.sections.var_entropy: + dashed_name: process-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.macho.sections.virtual_size: + dashed_name: process-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ flat_name: process.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.session_leader.macho.symhash: + dashed_name: process-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.session_leader.name: + dashed_name: process-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.session_leader.origin_url: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.session_leader.parent.args: + dashed_name: process-session-leader-parent-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.session_leader.parent.args_count: + dashed_name: process-session-leader-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.session_leader.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.session_leader.parent.attested_groups.domain: + dashed_name: process-session-leader-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.session_leader.parent.attested_groups.id: + dashed_name: process-session-leader-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.attested_groups.name: + dashed_name: process-session-leader-parent-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.attested_user.domain: + dashed_name: process-session-leader-parent-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.attested_user.email: + dashed_name: process-session-leader-parent-attested-user-email + description: User email address. + flat_name: process.session_leader.parent.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.attested_user.full_name: + dashed_name: process-session-leader-parent-attested-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.session_leader.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.attested_user.group.domain: + dashed_name: process-session-leader-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.attested_user.group.id: + dashed_name: process-session-leader-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.attested_user.group.name: + dashed_name: process-session-leader-parent-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.attested_user.hash: + dashed_name: process-session-leader-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.session_leader.parent.attested_user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+process.session_leader.parent.attested_user.id:
+ dashed_name: process-session-leader-parent-attested-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.session_leader.parent.attested_user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+process.session_leader.parent.attested_user.name:
+ dashed_name: process-session-leader-parent-attested-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.session_leader.parent.attested_user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.session_leader.parent.attested_user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+process.session_leader.parent.attested_user.risk.calculated_level:
+ dashed_name: process-session-leader-parent-attested-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.session_leader.parent.attested_user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+process.session_leader.parent.attested_user.risk.calculated_score:
+ dashed_name: process-session-leader-parent-attested-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.session_leader.parent.attested_user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+process.session_leader.parent.attested_user.risk.calculated_score_norm:
+ dashed_name: process-session-leader-parent-attested-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: process.session_leader.parent.attested_user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+process.session_leader.parent.attested_user.risk.static_level:
+ dashed_name: process-session-leader-parent-attested-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.session_leader.parent.attested_user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+process.session_leader.parent.attested_user.risk.static_score:
+ dashed_name: process-session-leader-parent-attested-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.session_leader.parent.attested_user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+process.session_leader.parent.attested_user.risk.static_score_norm:
+ dashed_name: process-session-leader-parent-attested-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.session_leader.parent.attested_user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+process.session_leader.parent.attested_user.roles:
+ dashed_name: process-session-leader-parent-attested-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.session_leader.parent.attested_user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+process.session_leader.parent.code_signature.digest_algorithm:
+ dashed_name: process-session-leader-parent-code-signature-digest-algorithm
+ description: 'The hashing algorithm used to sign the process.
+
+ This value can distinguish signatures when a file is signed multiple times by
+ the same signer but with a different digest algorithm.'
+ example: sha256
+ flat_name: process.session_leader.parent.code_signature.digest_algorithm
+ ignore_above: 1024
+ level: extended
+ name: digest_algorithm
+ normalize: []
+ original_fieldset: code_signature
+ short: Hashing algorithm used to sign the process.
+ type: keyword
+process.session_leader.parent.code_signature.exists:
+ dashed_name: process-session-leader-parent-code-signature-exists
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ flat_name: process.session_leader.parent.code_signature.exists
+ level: core
+ name: exists
+ normalize: []
+ original_fieldset: code_signature
+ short: Boolean to capture if a signature is present.
+ type: boolean
+process.session_leader.parent.code_signature.flags:
+ beta: This field is beta and subject to change.
+ dashed_name: process-session-leader-parent-code-signature-flags
+ description: The flags used to sign the process.
+ example: 570522385
+ flat_name: process.session_leader.parent.code_signature.flags
+ ignore_above: 1024
+ level: extended
+ name: flags
+ normalize: []
+ original_fieldset: code_signature
+ short: Code signing flags of the process
+ type: keyword
+process.session_leader.parent.code_signature.signing_id:
+ dashed_name: process-session-leader-parent-code-signature-signing-id
+ description: 'The identifier used to sign the process.
+
+ This is used to identify the application manufactured by a software vendor. The
+ field is relevant to Apple *OS only.'
+ example: com.apple.xpc.proxy
+ flat_name: process.session_leader.parent.code_signature.signing_id
+ ignore_above: 1024
+ level: extended
+ name: signing_id
+ normalize: []
+ original_fieldset: code_signature
+ short: The identifier used to sign the process.
+ type: keyword
+process.session_leader.parent.code_signature.status:
+ dashed_name: process-session-leader-parent-code-signature-status
+ description: 'Additional information about the certificate status.
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status. Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ flat_name: process.session_leader.parent.code_signature.status
+ ignore_above: 1024
+ level: extended
+ name: status
+ normalize: []
+ original_fieldset: code_signature
+ short: Additional information about the certificate status.
+ type: keyword
+process.session_leader.parent.code_signature.subject_name:
+ dashed_name: process-session-leader-parent-code-signature-subject-name
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ flat_name: process.session_leader.parent.code_signature.subject_name
+ ignore_above: 1024
+ level: core
+ name: subject_name
+ normalize: []
+ original_fieldset: code_signature
+ short: Subject name of the code signer
+ type: keyword
+process.session_leader.parent.code_signature.team_id:
+ dashed_name: process-session-leader-parent-code-signature-team-id
+ description: 'The team identifier used to sign the process.
+
+ This is used to identify the team or vendor of a software product. The field is
+ relevant to Apple *OS only.'
+ example: EQHXZ8M8AV
+ flat_name: process.session_leader.parent.code_signature.team_id
+ ignore_above: 1024
+ level: extended
+ name: team_id
+ normalize: []
+ original_fieldset: code_signature
+ short: The team identifier used to sign the process.
+ type: keyword
+process.session_leader.parent.code_signature.thumbprint_sha256:
+ beta: This field is beta and subject to change.
+ dashed_name: process-session-leader-parent-code-signature-thumbprint-sha256
+ description: Certificate SHA256 hash that uniquely identifies the code signer.
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+ flat_name: process.session_leader.parent.code_signature.thumbprint_sha256
+ ignore_above: 64
+ level: extended
+ name: thumbprint_sha256
+ normalize: []
+ original_fieldset: code_signature
+ pattern: ^[0-9a-f]{64}$
+ short: SHA256 hash of the certificate.
+ type: keyword
+process.session_leader.parent.code_signature.timestamp:
+ dashed_name: process-session-leader-parent-code-signature-timestamp
+ description: Date and time when the code signature was generated and signed.
+ example: '2021-01-01T12:10:30Z'
+ flat_name: process.session_leader.parent.code_signature.timestamp
+ level: extended
+ name: timestamp
+ normalize: []
+ original_fieldset: code_signature
+ short: When the signature was generated and signed.
+ type: date
+process.session_leader.parent.code_signature.trusted:
+ dashed_name: process-session-leader-parent-code-signature-trusted
+ description: 'Stores the trust status of the certificate chain.
+
+ Validating the trust of the certificate chain may be complicated, and this field
+ should only be populated by tools that actively check the status.'
+ example: 'true'
+ flat_name: process.session_leader.parent.code_signature.trusted
+ level: extended
+ name: trusted
+ normalize: []
+ original_fieldset: code_signature
+ short: Stores the trust status of the certificate chain.
+ type: boolean
+process.session_leader.parent.code_signature.valid:
+ dashed_name: process-session-leader-parent-code-signature-valid
+ description: 'Boolean to capture if the digital signature is verified against the
+ binary content.
+
+ Leave unpopulated if a certificate was unchecked.'
+ example: 'true'
+ flat_name: process.session_leader.parent.code_signature.valid
+ level: extended
+ name: valid
+ normalize: []
+ original_fieldset: code_signature
+ short: Boolean to capture if the digital signature is verified against the binary
+ content.
+ type: boolean
+process.session_leader.parent.command_line:
+ dashed_name: process-session-leader-parent-command-line
+ description: 'Full command line that started the process, including the absolute
+ path to the executable, and all arguments.
+
+ Some arguments may be filtered to protect sensitive information.'
+ example: /usr/bin/ssh -l user 10.0.0.16
+ flat_name: process.session_leader.parent.command_line
+ level: extended
+ multi_fields:
+ - flat_name: process.session_leader.parent.command_line.text
+ name: text
+ type: match_only_text
+ name: command_line
+ normalize: []
+ original_fieldset: process
+ short: Full command line that started the process.
+ type: wildcard
+process.session_leader.parent.elf.architecture:
+ dashed_name: process-session-leader-parent-elf-architecture
+ description: Machine architecture of the ELF file.
+ example: x86-64
+ flat_name: process.session_leader.parent.elf.architecture
+ ignore_above: 1024
+ level: extended
+ name: architecture
+ normalize: []
+ original_fieldset: elf
+ short: Machine architecture of the ELF file.
+ type: keyword
+process.session_leader.parent.elf.byte_order:
+ dashed_name: process-session-leader-parent-elf-byte-order
+ description: Byte sequence of ELF file.
+ example: Little Endian
+ flat_name: process.session_leader.parent.elf.byte_order
+ ignore_above: 1024
+ level: extended
+ name: byte_order
+ normalize: []
+ original_fieldset: elf
+ short: Byte sequence of ELF file.
+ type: keyword
+process.session_leader.parent.elf.cpu_type:
+ dashed_name: process-session-leader-parent-elf-cpu-type
+ description: CPU type of the ELF file.
+ example: Intel
+ flat_name: process.session_leader.parent.elf.cpu_type
+ ignore_above: 1024
+ level: extended
+ name: cpu_type
+ normalize: []
+ original_fieldset: elf
+ short: CPU type of the ELF file.
+ type: keyword
+process.session_leader.parent.elf.creation_date:
+ dashed_name: process-session-leader-parent-elf-creation-date
+ description: Extracted when possible from the file's metadata. Indicates when it
+ was built or compiled. It can also be faked by malware creators.
+ flat_name: process.session_leader.parent.elf.creation_date
+ level: extended
+ name: creation_date
+ normalize: []
+ original_fieldset: elf
+ short: Build or compile date.
+ type: date
+process.session_leader.parent.elf.exports:
+ dashed_name: process-session-leader-parent-elf-exports
+ description: List of exported element names and types.
+ flat_name: process.session_leader.parent.elf.exports
+ level: extended
+ name: exports
+ normalize:
+ - array
+ original_fieldset: elf
+ short: List of exported element names and types.
+ type: flattened
+process.session_leader.parent.elf.go_import_hash:
+ dashed_name: process-session-leader-parent-elf-go-import-hash
+ description: 'A hash of the Go language imports in an ELF file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would change
+ more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ flat_name: process.session_leader.parent.elf.go_import_hash
+ ignore_above: 1024
+ level: extended
+ name: go_import_hash
+ normalize: []
+ original_fieldset: elf
+ short: A hash of the Go language imports in an ELF file.
+ type: keyword
+process.session_leader.parent.elf.go_imports:
+ dashed_name: process-session-leader-parent-elf-go-imports
+ description: List of imported Go language element names and types.
+ flat_name: process.session_leader.parent.elf.go_imports
+ level: extended
+ name: go_imports
+ normalize: []
+ original_fieldset: elf
+ short: List of imported Go language element names and types.
+ type: flattened
+process.session_leader.parent.elf.go_imports_names_entropy:
+ dashed_name: process-session-leader-parent-elf-go-imports-names-entropy
+ description: Shannon entropy calculation from the list of Go imports.
+ flat_name: process.session_leader.parent.elf.go_imports_names_entropy
+ format: number
+ level: extended
+ name: go_imports_names_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Shannon entropy calculation from the list of Go imports.
+ type: long
+process.session_leader.parent.elf.go_imports_names_var_entropy:
+ dashed_name: process-session-leader-parent-elf-go-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ flat_name: process.session_leader.parent.elf.go_imports_names_var_entropy
+ format: number
+ level: extended
+ name: go_imports_names_var_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Variance for Shannon entropy calculation from the list of Go imports.
+ type: long
+process.session_leader.parent.elf.go_stripped:
+ dashed_name: process-session-leader-parent-elf-go-stripped
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ flat_name: process.session_leader.parent.elf.go_stripped
+ level: extended
+ name: go_stripped
+ normalize: []
+ original_fieldset: elf
+ short: Whether the file is a stripped or obfuscated Go executable.
+ type: boolean
+process.session_leader.parent.elf.header.abi_version:
+ dashed_name: process-session-leader-parent-elf-header-abi-version
+ description: Version of the ELF Application Binary Interface (ABI).
+ flat_name: process.session_leader.parent.elf.header.abi_version
+ ignore_above: 1024
+ level: extended
+ name: header.abi_version
+ normalize: []
+ original_fieldset: elf
+ short: Version of the ELF Application Binary Interface (ABI).
+ type: keyword
+process.session_leader.parent.elf.header.class:
+ dashed_name: process-session-leader-parent-elf-header-class
+ description: Header class of the ELF file.
+ flat_name: process.session_leader.parent.elf.header.class
+ ignore_above: 1024
+ level: extended
+ name: header.class
+ normalize: []
+ original_fieldset: elf
+ short: Header class of the ELF file.
+ type: keyword
+process.session_leader.parent.elf.header.data:
+ dashed_name: process-session-leader-parent-elf-header-data
+ description: Data table of the ELF header.
+ flat_name: process.session_leader.parent.elf.header.data
+ ignore_above: 1024
+ level: extended
+ name: header.data
+ normalize: []
+ original_fieldset: elf
+ short: Data table of the ELF header.
+ type: keyword
+process.session_leader.parent.elf.header.entrypoint:
+ dashed_name: process-session-leader-parent-elf-header-entrypoint
+ description: Header entrypoint of the ELF file.
+ flat_name: process.session_leader.parent.elf.header.entrypoint
+ format: string
+ level: extended
+ name: header.entrypoint
+ normalize: []
+ original_fieldset: elf
+ short: Header entrypoint of the ELF file.
+ type: long
+process.session_leader.parent.elf.header.object_version:
+ dashed_name: process-session-leader-parent-elf-header-object-version
+ description: '"0x1" for original ELF files.'
+ flat_name: process.session_leader.parent.elf.header.object_version
+ ignore_above: 1024
+ level: extended
+ name: header.object_version
+ normalize: []
+ original_fieldset: elf
+ short: '"0x1" for original ELF files.'
+ type: keyword
+process.session_leader.parent.elf.header.os_abi:
+ dashed_name: process-session-leader-parent-elf-header-os-abi
+ description: Application Binary Interface (ABI) of the Linux OS.
+ flat_name: process.session_leader.parent.elf.header.os_abi
+ ignore_above: 1024
+ level: extended
+ name: header.os_abi
+ normalize: []
+ original_fieldset: elf
+ short: Application Binary Interface (ABI) of the Linux OS.
+ type: keyword
+process.session_leader.parent.elf.header.type:
+ dashed_name: process-session-leader-parent-elf-header-type
+ description: Header type of the ELF file.
+ flat_name: process.session_leader.parent.elf.header.type
+ ignore_above: 1024
+ level: extended
+ name: header.type
+ normalize: []
+ original_fieldset: elf
+ short: Header type of the ELF file.
+ type: keyword
+process.session_leader.parent.elf.header.version:
+ dashed_name: process-session-leader-parent-elf-header-version
+ description: Version of the ELF header.
+ flat_name: process.session_leader.parent.elf.header.version
+ ignore_above: 1024
+ level: extended
+ name: header.version
+ normalize: []
+ original_fieldset: elf
+ short: Version of the ELF header.
+ type: keyword
+process.session_leader.parent.elf.import_hash:
+ dashed_name: process-session-leader-parent-elf-import-hash
+ description: 'A hash of the imports in an ELF file. An import hash can be used to
+ fingerprint binaries even after recompilation or other code-level transformations
+ have occurred, which would change more traditional hash values.
+
+ This is an ELF implementation of the Windows PE imphash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ flat_name: process.session_leader.parent.elf.import_hash
+ ignore_above: 1024
+ level: extended
+ name: import_hash
+ normalize: []
+ original_fieldset: elf
+ short: A hash of the imports in an ELF file.
+ type: keyword
+process.session_leader.parent.elf.imports:
+ dashed_name: process-session-leader-parent-elf-imports
+ description: List of imported element names and types.
+ flat_name: process.session_leader.parent.elf.imports
+ level: extended
+ name: imports
+ normalize:
+ - array
+ original_fieldset: elf
+ short: List of imported element names and types.
+ type: flattened
+process.session_leader.parent.elf.imports_names_entropy:
+ dashed_name: process-session-leader-parent-elf-imports-names-entropy
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ flat_name: process.session_leader.parent.elf.imports_names_entropy
+ format: number
+ level: extended
+ name: imports_names_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Shannon entropy calculation from the list of imported element names and types.
+ type: long
+process.session_leader.parent.elf.imports_names_var_entropy:
+ dashed_name: process-session-leader-parent-elf-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ flat_name: process.session_leader.parent.elf.imports_names_var_entropy
+ format: number
+ level: extended
+ name: imports_names_var_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Variance for Shannon entropy calculation from the list of imported element
+ names and types.
+ type: long
+process.session_leader.parent.elf.sections:
+ dashed_name: process-session-leader-parent-elf-sections
+ description: 'An array containing an object for each section of the ELF file.
+
+ The keys that should be present in these objects are defined by sub-fields underneath
+ `elf.sections.*`.'
+ flat_name: process.session_leader.parent.elf.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: elf
+ short: Section information of the ELF file.
+ type: nested
+process.session_leader.parent.elf.sections.chi2:
+ dashed_name: process-session-leader-parent-elf-sections-chi2
+ description: Chi-square probability distribution of the section.
+ flat_name: process.session_leader.parent.elf.sections.chi2
+ format: number
+ level: extended
+ name: sections.chi2
+ normalize: []
+ original_fieldset: elf
+ short: Chi-square probability distribution of the section.
+ type: long
+process.session_leader.parent.elf.sections.entropy:
+ dashed_name: process-session-leader-parent-elf-sections-entropy
+ description: Shannon entropy calculation from the section.
+ flat_name: process.session_leader.parent.elf.sections.entropy
+ format: number
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: elf
+ short: Shannon entropy calculation from the section.
+ type: long
+process.session_leader.parent.elf.sections.flags:
+ dashed_name: process-session-leader-parent-elf-sections-flags
+ description: ELF Section List flags.
+ flat_name: process.session_leader.parent.elf.sections.flags
+ ignore_above: 1024
+ level: extended
+ name: sections.flags
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List flags.
+ type: keyword
+process.session_leader.parent.elf.sections.name:
+ dashed_name: process-session-leader-parent-elf-sections-name
+ description: ELF Section List name.
+ flat_name: process.session_leader.parent.elf.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List name.
+ type: keyword
+process.session_leader.parent.elf.sections.physical_offset:
+ dashed_name: process-session-leader-parent-elf-sections-physical-offset
+ description: ELF Section List offset.
+ flat_name: process.session_leader.parent.elf.sections.physical_offset
+ ignore_above: 1024
+ level: extended
+ name: sections.physical_offset
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List offset.
+ type: keyword
+process.session_leader.parent.elf.sections.physical_size:
+ dashed_name: process-session-leader-parent-elf-sections-physical-size
+ description: ELF Section List physical size.
+ flat_name: process.session_leader.parent.elf.sections.physical_size
+ format: bytes
+ level: extended
+ name: sections.physical_size
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List physical size.
+ type: long
+process.session_leader.parent.elf.sections.type:
+ dashed_name: process-session-leader-parent-elf-sections-type
+ description: ELF Section List type.
+ flat_name: process.session_leader.parent.elf.sections.type
+ ignore_above: 1024
+ level: extended
+ name: sections.type
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List type.
+ type: keyword
+process.session_leader.parent.elf.sections.var_entropy:
+ dashed_name: process-session-leader-parent-elf-sections-var-entropy
+ description: Variance for Shannon entropy calculation from the section.
+ flat_name: process.session_leader.parent.elf.sections.var_entropy
+ format: number
+ level: extended
+ name: sections.var_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Variance for Shannon entropy calculation from the section.
+ type: long
+process.session_leader.parent.elf.sections.virtual_address:
+ dashed_name: process-session-leader-parent-elf-sections-virtual-address
+ description: ELF Section List virtual address.
+ flat_name: process.session_leader.parent.elf.sections.virtual_address
+ format: string
+ level: extended
+ name: sections.virtual_address
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List virtual address.
+ type: long
+process.session_leader.parent.elf.sections.virtual_size:
+ dashed_name: process-session-leader-parent-elf-sections-virtual-size
+ description: ELF Section List virtual size.
+ flat_name: process.session_leader.parent.elf.sections.virtual_size
+ format: string
+ level: extended
+ name: sections.virtual_size
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List virtual size.
+ type: long
+process.session_leader.parent.elf.segments:
+ dashed_name: process-session-leader-parent-elf-segments
+ description: 'An array containing an object for each segment of the ELF file.
+
+ The keys that should be present in these objects are defined by sub-fields underneath
+ `elf.segments.*`.'
+ flat_name: process.session_leader.parent.elf.segments
+ level: extended
+ name: segments
+ normalize:
+ - array
+ original_fieldset: elf
+ short: ELF object segment list.
+ type: nested
+process.session_leader.parent.elf.segments.sections:
+ dashed_name: process-session-leader-parent-elf-segments-sections
+ description: ELF object segment sections.
+ flat_name: process.session_leader.parent.elf.segments.sections
+ ignore_above: 1024
+ level: extended
+ name: segments.sections
+ normalize: []
+ original_fieldset: elf
+ short: ELF object segment sections.
+ type: keyword
+process.session_leader.parent.elf.segments.type:
+ dashed_name: process-session-leader-parent-elf-segments-type
+ description: ELF object segment type.
+ flat_name: process.session_leader.parent.elf.segments.type
+ ignore_above: 1024
+ level: extended
+ name: segments.type
+ normalize: []
+ original_fieldset: elf
+ short: ELF object segment type.
+ type: keyword
+process.session_leader.parent.elf.shared_libraries:
+ dashed_name: process-session-leader-parent-elf-shared-libraries
+ description: List of shared libraries used by this ELF object.
+ flat_name: process.session_leader.parent.elf.shared_libraries
+ ignore_above: 1024
+ level: extended
+ name: shared_libraries
+ normalize:
+ - array
+ original_fieldset: elf
+ short: List of shared libraries used by this ELF object.
+ type: keyword
+process.session_leader.parent.elf.telfhash:
+ dashed_name: process-session-leader-parent-elf-telfhash
+ description: telfhash symbol hash for ELF file.
+ flat_name: process.session_leader.parent.elf.telfhash
+ ignore_above: 1024
+ level: extended
+ name: telfhash
+ normalize: []
+ original_fieldset: elf
+ short: telfhash hash for ELF file.
+ type: keyword
+process.session_leader.parent.end:
+ dashed_name: process-session-leader-parent-end
+ description: The time the process ended.
+ example: '2016-05-23T08:05:34.853Z'
+ flat_name: process.session_leader.parent.end
+ level: extended
+ name: end
+ normalize: []
+ original_fieldset: process
+ short: The time the process ended.
+ type: date
+process.session_leader.parent.endpoint_security_client:
+ beta: This field is beta and subject to change.
+ dashed_name: process-session-leader-parent-endpoint-security-client
+ description: Processes that have an endpoint security client must have the com.apple.endpointsecurity
+ entitlement and the value is set to true in the message.
+ flat_name: process.session_leader.parent.endpoint_security_client
+ level: extended
+ name: endpoint_security_client
+ normalize: []
+ original_fieldset: process
+ short: Indicates whether this process executable is an Endpoint Security client.
+ type: boolean
+process.session_leader.parent.entity_id:
+ dashed_name: process-session-leader-parent-entity-id
+ description: 'Unique identifier for the process.
+
+ The implementation of this is specified by the data source, but some examples
+ of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+ or a hash of some uniquely identifying components of a process.
+
+ Constructing a globally unique identifier is a common practice to mitigate PID
+ reuse as well as to identify a specific process over time, across multiple monitored
+ hosts.'
+ example: c2c455d9f99375d
+ flat_name: process.session_leader.parent.entity_id
+ ignore_above: 1024
+ level: extended
+ name: entity_id
+ normalize: []
+ original_fieldset: process
+ short: Unique identifier for the process.
+ type: keyword
+process.session_leader.parent.entry_meta.source.address:
+ dashed_name: process-session-leader-parent-entry-meta-source-address
+ description: 'Some event source addresses are defined ambiguously. The event will
+ sometimes list an IP, a domain or a unix socket. You should always store the
+ raw address in the `.address` field.
+
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it
+ is.'
+ flat_name: process.session_leader.parent.entry_meta.source.address
+ ignore_above: 1024
+ level: extended
+ name: address
+ normalize: []
+ original_fieldset: source
+ short: Source network address.
+ type: keyword
+process.session_leader.parent.entry_meta.source.as.number:
+ dashed_name: process-session-leader-parent-entry-meta-source-as-number
+ description: Unique number allocated to the autonomous system. The autonomous system
+ number (ASN) uniquely identifies each network on the Internet.
+ example: 15169
+ flat_name: process.session_leader.parent.entry_meta.source.as.number
+ level: extended
+ name: number
+ normalize: []
+ original_fieldset: as
+ short: Unique number allocated to the autonomous system.
+ type: long
+process.session_leader.parent.entry_meta.source.as.organization.name:
+ dashed_name: process-session-leader-parent-entry-meta-source-as-organization-name
+ description: Organization name.
+ example: Google LLC
+ flat_name: process.session_leader.parent.entry_meta.source.as.organization.name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name.text
+ name: text
+ type: match_only_text
+ name: organization.name
+ normalize: []
+ original_fieldset: as
+ short: Organization name.
+ type: keyword
+process.session_leader.parent.entry_meta.source.bytes:
+ dashed_name: process-session-leader-parent-entry-meta-source-bytes
+ description: Bytes sent from the source to the destination.
+ example: 184
+ flat_name: process.session_leader.parent.entry_meta.source.bytes
+ format: bytes
+ level: core
+ name: bytes
+ normalize: []
+ original_fieldset: source
+ short: Bytes sent from the source to the destination.
+ type: long +process.session_leader.parent.entry_meta.source.domain: + dashed_name: process-session-leader-parent-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.session_leader.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.session_leader.parent.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.session_leader.parent.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.session_leader.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.session_leader.parent.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. 
+ type: keyword +process.session_leader.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.session_leader.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.session_leader.parent.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.session_leader.parent.entry_meta.source.geo.location: + dashed_name: process-session-leader-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.session_leader.parent.entry_meta.source.geo.name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. 
+ type: keyword +process.session_leader.parent.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.session_leader.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.session_leader.parent.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.session_leader.parent.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. 
+ type: keyword +process.session_leader.parent.entry_meta.source.ip: + dashed_name: process-session-leader-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.session_leader.parent.entry_meta.source.mac: + dashed_name: process-session-leader-parent-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.session_leader.parent.entry_meta.source.nat.ip: + dashed_name: process-session-leader-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.session_leader.parent.entry_meta.source.nat.port: + dashed_name: process-session-leader-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.session_leader.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.session_leader.parent.entry_meta.source.packets: + dashed_name: process-session-leader-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.session_leader.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.session_leader.parent.entry_meta.source.port: + dashed_name: process-session-leader-parent-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.session_leader.parent.entry_meta.source.registered_domain: + dashed_name: process-session-leader-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.session_leader.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. 
+ type: keyword +process.session_leader.parent.entry_meta.source.subdomain: + dashed_name: process-session-leader-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.session_leader.parent.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.session_leader.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.session_leader.parent.entry_meta.type: + dashed_name: process-session-leader-parent-entry-meta-type + description: 'The entry type for the entry session leader. 
Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.session_leader.parent.env_vars: + dashed_name: process-session-leader-parent-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.executable: + dashed_name: process-session-leader-parent-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.parent.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.session_leader.parent.exit_code: + dashed_name: process-session-leader-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. 
+ type: long +process.session_leader.parent.group.domain: + dashed_name: process-session-leader-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.group.id: + dashed_name: process-session-leader-parent-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.group.name: + dashed_name: process-session-leader-parent-group-name + description: Name of the group. + flat_name: process.session_leader.parent.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.session_leader.parent.hash.md5: + dashed_name: process-session-leader-parent-hash-md5 + description: MD5 hash. 
+ flat_name: process.session_leader.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.session_leader.parent.hash.sha1: + dashed_name: process-session-leader-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.parent.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.session_leader.parent.hash.sha256: + dashed_name: process-session-leader-parent-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.session_leader.parent.hash.sha384: + dashed_name: process-session-leader-parent-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.parent.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.session_leader.parent.hash.sha512: + dashed_name: process-session-leader-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.session_leader.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.session_leader.parent.hash.ssdeep: + dashed_name: process-session-leader-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.session_leader.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.session_leader.parent.hash.tlsh: + dashed_name: process-session-leader-parent-hash-tlsh + description: TLSH hash. 
+ flat_name: process.session_leader.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.session_leader.parent.interactive: + dashed_name: process-session-leader-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.session_leader.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.session_leader.parent.io: + dashed_name: process-session-leader-parent-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.parent.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.session_leader.parent.io.bytes_skipped: + dashed_name: process-session-leader-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. 
+ flat_name: process.session_leader.parent.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.session_leader.parent.io.bytes_skipped.length: + dashed_name: process-session-leader-parent-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.session_leader.parent.io.bytes_skipped.offset: + dashed_name: process-session-leader-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.session_leader.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.session_leader.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.session_leader.parent.io.text: + dashed_name: process-session-leader-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. 
Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.session_leader.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.session_leader.parent.io.total_bytes_captured: + dashed_name: process-session-leader-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.session_leader.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.session_leader.parent.io.total_bytes_skipped: + dashed_name: process-session-leader-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.session_leader.parent.io.type: + dashed_name: process-session-leader-parent-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' 
+ flat_name: process.session_leader.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.session_leader.parent.macho.go_import_hash: + dashed_name: process-session-leader-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.session_leader.parent.macho.go_imports: + dashed_name: process-session-leader-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.session_leader.parent.macho.go_imports_names_entropy: + dashed_name: process-session-leader-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. 
+ type: long +process.session_leader.parent.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.macho.go_stripped: + dashed_name: process-session-leader-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.parent.macho.import_hash: + dashed_name: process-session-leader-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.session_leader.parent.macho.imports: + dashed_name: process-session-leader-parent-macho-imports + description: List of imported element names and types. 
+ flat_name: process.session_leader.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.session_leader.parent.macho.imports_names_entropy: + dashed_name: process-session-leader-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.parent.macho.imports_names_var_entropy: + dashed_name: process-session-leader-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.parent.macho.sections: + dashed_name: process-session-leader-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.session_leader.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.session_leader.parent.macho.sections.entropy: + dashed_name: process-session-leader-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.session_leader.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.session_leader.parent.macho.sections.name: + dashed_name: process-session-leader-parent-macho-sections-name + description: Mach-O Section List name. + flat_name: process.session_leader.parent.macho.sections.name ignore_above: 1024 - level: core + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.session_leader.parent.macho.sections.physical_size: + dashed_name: process-session-leader-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.session_leader.parent.macho.sections.var_entropy: + dashed_name: process-session-leader-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.parent.macho.sections.virtual_size: + dashed_name: process-session-leader-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. 
This is always the same as `physical_size`. + type: long +process.session_leader.parent.macho.symhash: + dashed_name: process-session-leader-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.parent.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.session_leader.parent.name: + dashed_name: process-session-leader-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.parent.name + ignore_above: 1024 + level: extended multi_fields: - - flat_name: process.entry_leader.real_user.name.text + - flat_name: process.session_leader.parent.name.text name: text type: match_only_text name: name normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: process + short: Process name. type: keyword -process.entry_leader.same_as_process: - dashed_name: process-entry-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. 
e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.same_as_process +process.session_leader.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.session_leader.parent.origin_referrer_url + ignore_above: 8192 level: extended - name: same_as_process + name: origin_referrer_url normalize: [] original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.entry_leader.saved_group.id: - dashed_name: process-entry-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_group.id - ignore_above: 1024 + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.session_leader.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.parent.origin_url + ignore_above: 8192 level: extended - name: id + name: origin_url normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
+ original_fieldset: process + short: The URL where the process's executable file is hosted. type: keyword -process.entry_leader.saved_group.name: - dashed_name: process-entry-leader-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.saved_group.name +process.session_leader.parent.pe.architecture: + dashed_name: process-session-leader-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.session_leader.parent.pe.architecture ignore_above: 1024 level: extended - name: name + name: architecture normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: pe + short: CPU architecture target for the file. type: keyword -process.entry_leader.saved_user.id: - dashed_name: process-entry-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.saved_user.id +process.session_leader.parent.pe.company: + dashed_name: process-session-leader-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.session_leader.parent.pe.company ignore_above: 1024 - level: core - name: id + level: extended + name: company normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. type: keyword -process.entry_leader.saved_user.name: - dashed_name: process-entry-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.saved_user.name +process.session_leader.parent.pe.description: + dashed_name: process-session-leader-parent-pe-description + description: Internal description of the file, provided at compile-time. 
+ example: Paint + flat_name: process.session_leader.parent.pe.description ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.start: - dashed_name: process-entry-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.start level: extended - name: start + name: description normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.entry_leader.supplemental_groups.id: - dashed_name: process-entry-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.supplemental_groups.id + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.session_leader.parent.pe.file_version: + dashed_name: process-session-leader-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.session_leader.parent.pe.file_version ignore_above: 1024 level: extended - name: id + name: file_version normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: pe + short: Process name. type: keyword -process.entry_leader.supplemental_groups.name: - dashed_name: process-entry-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.supplemental_groups.name +process.session_leader.parent.pe.go_import_hash: + dashed_name: process-session-leader-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.pe.go_import_hash ignore_above: 1024 level: extended - name: name + name: go_import_hash normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: pe + short: A hash of the Go language imports in a PE file. type: keyword -process.entry_leader.tty: - dashed_name: process-entry-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.entry_leader.tty +process.session_leader.parent.pe.go_imports: + dashed_name: process-session-leader-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.pe.go_imports level: extended - name: tty + name: go_imports normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.entry_leader.tty.char_device.major: - dashed_name: process-entry-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.tty.char_device.major + original_fieldset: pe + short: List of imported Go language element names and types. 
+ type: flattened +process.session_leader.parent.pe.go_imports_names_entropy: + dashed_name: process-session-leader-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.pe.go_imports_names_entropy + format: number level: extended - name: tty.char_device.major + name: go_imports_names_entropy normalize: [] - original_fieldset: process - short: The TTY character device's major number. + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.tty.char_device.minor: - dashed_name: process-entry-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.tty.char_device.minor +process.session_leader.parent.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.pe.go_imports_names_var_entropy + format: number level: extended - name: tty.char_device.minor + name: go_imports_names_var_entropy normalize: [] - original_fieldset: process - short: The TTY character device's minor number. + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.user.id: - dashed_name: process-entry-leader-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.user.id - ignore_above: 1024 - level: core - name: id +process.session_leader.parent.pe.go_stripped: + dashed_name: process-session-leader-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.pe.go_stripped + level: extended + name: go_stripped normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.user.name: - dashed_name: process-entry-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.user.name + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.parent.pe.imphash: + dashed_name: process-session-leader-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.session_leader.parent.pe.imphash ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.name.text - name: text - type: match_only_text - name: name + level: extended + name: imphash normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword -process.entry_leader.vpid: - dashed_name: process-entry-leader-vpid - description: 'Virtual process id. 
+process.session_leader.parent.pe.import_hash: + dashed_name: process-session-leader-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.entry_leader.working_directory: - dashed_name: process-entry-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.working_directory + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.pe.import_hash ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.working_directory.text - name: text - type: match_only_text - name: working_directory + name: import_hash normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword -process.env_vars: - dashed_name: process-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.env_vars - ignore_above: 1024 +process.session_leader.parent.pe.imports: + dashed_name: process-session-leader-parent-pe-imports + description: List of imported element names and types. 
+ flat_name: process.session_leader.parent.pe.imports level: extended - name: env_vars + name: imports normalize: - array - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.executable: - dashed_name: process-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.executable - ignore_above: 1024 + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.session_leader.parent.pe.imports_names_entropy: + dashed_name: process-session-leader-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.pe.imports_names_entropy + format: number level: extended - multi_fields: - - flat_name: process.executable.text - name: text - type: match_only_text - name: executable + name: imports_names_entropy normalize: [] - otel: - - attribute: process.executable.path - relation: equivalent - stability: development - short: Absolute path to the process executable. - type: keyword -process.exit_code: - dashed_name: process-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.exit_code + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.parent.pe.imports_names_var_entropy: + dashed_name: process-session-leader-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.pe.imports_names_var_entropy + format: number level: extended - name: exit_code + name: imports_names_var_entropy normalize: [] - short: The exit code of the process. 
+ original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. type: long -process.group.id: - dashed_name: process-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group.id +process.session_leader.parent.pe.original_file_name: + dashed_name: process-session-leader-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.session_leader.parent.pe.original_file_name ignore_above: 1024 level: extended - name: id + name: original_file_name normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: pe + short: Internal name of the file, provided at compile-time. type: keyword -process.group.name: - dashed_name: process-group-name - description: Name of the group. - flat_name: process.group.name +process.session_leader.parent.pe.pehash: + dashed_name: process-session-leader-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.session_leader.parent.pe.pehash ignore_above: 1024 level: extended - name: name + name: pehash normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. type: keyword -process.group_leader.args: - dashed_name: process-group-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.group_leader.args +process.session_leader.parent.pe.product: + dashed_name: process-session-leader-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.session_leader.parent.pe.product ignore_above: 1024 level: extended - name: args + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.session_leader.parent.pe.sections: + dashed_name: process-session-leader-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.session_leader.parent.pe.sections + level: extended + name: sections normalize: - array - original_fieldset: process - short: Array of process arguments. + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.session_leader.parent.pe.sections.entropy: + dashed_name: process-session-leader-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.session_leader.parent.pe.sections.name: + dashed_name: process-session-leader-parent-pe-sections-name + description: PE Section List name. + flat_name: process.session_leader.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
type: keyword -process.group_leader.args_count: - dashed_name: process-group-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.group_leader.args_count +process.session_leader.parent.pe.sections.physical_size: + dashed_name: process-session-leader-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.session_leader.parent.pe.sections.physical_size + format: bytes level: extended - name: args_count + name: sections.physical_size normalize: [] - original_fieldset: process - short: Length of the process.args array. + original_fieldset: pe + short: PE Section List physical size. type: long -process.group_leader.command_line: - dashed_name: process-group-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.group_leader.command_line +process.session_leader.parent.pe.sections.var_entropy: + dashed_name: process-session-leader-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.pe.sections.var_entropy + format: number level: extended - multi_fields: - - flat_name: process.group_leader.command_line.text - name: text - type: match_only_text - name: command_line + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.session_leader.parent.pe.sections.virtual_size: + dashed_name: process-session-leader-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.session_leader.parent.pid: + dashed_name: process-session-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.pid + format: string + level: core + name: pid normalize: [] original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.group_leader.entity_id: - dashed_name: process-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.group_leader.entity_id - ignore_above: 1024 + short: Process id. + type: long +process.session_leader.parent.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.session_leader.parent.platform_binary level: extended - name: entity_id + name: platform_binary normalize: [] original_fieldset: process - short: Unique identifier for the process. 
- type: keyword -process.group_leader.executable: - dashed_name: process-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.group_leader.executable + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.session_leader.parent.real_group.domain: + dashed_name: process-session-leader-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.real_group.domain ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.group_leader.executable.text - name: text - type: match_only_text - name: executable + name: domain normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword -process.group_leader.group.id: - dashed_name: process-group-leader-group-id +process.session_leader.parent.real_group.id: + dashed_name: process-session-leader-parent-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.group.id + flat_name: process.session_leader.parent.real_group.id ignore_above: 1024 level: extended name: id @@ -10495,10 +40790,10 @@ process.group_leader.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.group_leader.group.name: - dashed_name: process-group-leader-group-name +process.session_leader.parent.real_group.name: + dashed_name: process-session-leader-parent-real-group-name description: Name of the group. - flat_name: process.group_leader.group.name + flat_name: process.session_leader.parent.real_group.name ignore_above: 1024 level: extended name: name 
@@ -10506,64 +40801,63 @@ process.group_leader.group.name: original_fieldset: group short: Name of the group. type: keyword -process.group_leader.interactive: - dashed_name: process-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. +process.session_leader.parent.real_user.domain: + dashed_name: process-session-leader-parent-real-user-domain + description: 'Name of the directory the user is a member of. - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.group_leader.interactive + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.real_user.domain + ignore_above: 1024 level: extended - name: interactive + name: domain normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.group_leader.name: - dashed_name: process-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.group_leader.name + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.real_user.email: + dashed_name: process-session-leader-parent-real-user-email + description: User email address. 
+ flat_name: process.session_leader.parent.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.real_user.full_name: + dashed_name: process-session-leader-parent-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.real_user.full_name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.group_leader.name.text + - flat_name: process.session_leader.parent.real_user.full_name.text name: text type: match_only_text - name: name + name: full_name normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: user + short: User's full name, if available. type: keyword -process.group_leader.pid: - dashed_name: process-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.group_leader.pid - format: string - level: core - name: pid +process.session_leader.parent.real_user.group.domain: + dashed_name: process-session-leader-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain normalize: [] - original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. - type: long -process.group_leader.real_group.id: - dashed_name: process-group-leader-real-group-id + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.real_user.group.id: + dashed_name: process-session-leader-parent-real-user-group-id description: Unique identifier for the group on the system/platform. 
- flat_name: process.group_leader.real_group.id + flat_name: process.session_leader.parent.real_user.group.id ignore_above: 1024 level: extended name: id @@ -10571,10 +40865,10 @@ process.group_leader.real_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.group_leader.real_group.name: - dashed_name: process-group-leader-real-group-name +process.session_leader.parent.real_user.group.name: + dashed_name: process-session-leader-parent-real-user-group-name description: Name of the group. - flat_name: process.group_leader.real_group.name + flat_name: process.session_leader.parent.real_user.group.name ignore_above: 1024 level: extended name: name @@ -10582,11 +40876,26 @@ process.group_leader.real_group.name: original_fieldset: group short: Name of the group. type: keyword -process.group_leader.real_user.id: - dashed_name: process-group-leader-real-user-id +process.session_leader.parent.real_user.hash: + dashed_name: process-session-leader-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.real_user.id: + dashed_name: process-session-leader-parent-real-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.real_user.id + flat_name: process.session_leader.parent.real_user.id ignore_above: 1024 level: core name: id 
@@ -10594,15 +40903,15 @@ process.group_leader.real_user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.group_leader.real_user.name: - dashed_name: process-group-leader-real-user-name +process.session_leader.parent.real_user.name: + dashed_name: process-session-leader-parent-real-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.group_leader.real_user.name + flat_name: process.session_leader.parent.real_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.group_leader.real_user.name.text + - flat_name: process.session_leader.parent.real_user.name.text name: text type: match_only_text name: name 
@@ -10610,8 +40919,102 @@ process.group_leader.real_user.name:
original_fieldset: user
short: Short name or login of the user.
type: keyword
-process.group_leader.same_as_process:
- dashed_name: process-group-leader-same-as-process
+process.session_leader.parent.real_user.risk.calculated_level:
+ dashed_name: process-session-leader-parent-real-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.session_leader.parent.real_user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+process.session_leader.parent.real_user.risk.calculated_score:
+ dashed_name: process-session-leader-parent-real-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.session_leader.parent.real_user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+process.session_leader.parent.real_user.risk.calculated_score_norm:
+ dashed_name: process-session-leader-parent-real-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: process.session_leader.parent.real_user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+process.session_leader.parent.real_user.risk.static_level:
+ dashed_name: process-session-leader-parent-real-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.session_leader.parent.real_user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+process.session_leader.parent.real_user.risk.static_score:
+ dashed_name: process-session-leader-parent-real-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.session_leader.parent.real_user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+process.session_leader.parent.real_user.risk.static_score_norm:
+ dashed_name: process-session-leader-parent-real-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.session_leader.parent.real_user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+process.session_leader.parent.real_user.roles:
+ dashed_name: process-session-leader-parent-real-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.session_leader.parent.real_user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+process.session_leader.parent.same_as_process:
+ dashed_name: process-session-leader-parent-same-as-process
description: 'This boolean is used to identify if a leader process is the same as the top level process.
@@ -10632,7 +41035,7 @@ process.group_leader.same_as_process:
Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.'
example: true
- flat_name: process.group_leader.same_as_process
+ flat_name: process.session_leader.parent.same_as_process
level: extended
name: same_as_process
normalize: []
@@ -10640,10 +41043,23 @@ process.group_leader.same_as_process:
short: This boolean is used to identify if a leader process is the same as the top level process.
type: boolean
-process.group_leader.saved_group.id:
- dashed_name: process-group-leader-saved-group-id
+process.session_leader.parent.saved_group.domain:
+ dashed_name: process-session-leader-parent-saved-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.session_leader.parent.saved_group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.session_leader.parent.saved_group.id:
+ dashed_name: process-session-leader-parent-saved-group-id
description: Unique identifier for the group on the system/platform.
- flat_name: process.group_leader.saved_group.id
+ flat_name: process.session_leader.parent.saved_group.id
ignore_above: 1024
level: extended
name: id
@@ -10651,10 +41067,10 @@ process.group_leader.saved_group.id:
original_fieldset: group
short: Unique identifier for the group on the system/platform.
type: keyword
-process.group_leader.saved_group.name:
- dashed_name: process-group-leader-saved-group-name
+process.session_leader.parent.saved_group.name:
+ dashed_name: process-session-leader-parent-saved-group-name
description: Name of the group.
- flat_name: process.group_leader.saved_group.name
+ flat_name: process.session_leader.parent.saved_group.name
ignore_above: 1024
level: extended
name: name
@@ -10662,49 +41078,63 @@ process.group_leader.saved_group.name:
original_fieldset: group
short: Name of the group.
type: keyword
-process.group_leader.saved_user.id:
- dashed_name: process-group-leader-saved-user-id
- description: Unique identifier of the user.
- example: S-1-5-21-202424912787-2692429404-2351956786-1000
- flat_name: process.group_leader.saved_user.id
+process.session_leader.parent.saved_user.domain:
+ dashed_name: process-session-leader-parent-saved-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.session_leader.parent.saved_user.domain
ignore_above: 1024
- level: core
- name: id
+ level: extended
+ name: domain
normalize: []
original_fieldset: user
- short: Unique identifier of the user.
+ short: Name of the directory the user is a member of.
type: keyword
-process.group_leader.saved_user.name:
- dashed_name: process-group-leader-saved-user-name
- description: Short name or login of the user.
- example: a.einstein
- flat_name: process.group_leader.saved_user.name
+process.session_leader.parent.saved_user.email:
+ dashed_name: process-session-leader-parent-saved-user-email
+ description: User email address.
+ flat_name: process.session_leader.parent.saved_user.email
ignore_above: 1024
- level: core
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+process.session_leader.parent.saved_user.full_name:
+ dashed_name: process-session-leader-parent-saved-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.session_leader.parent.saved_user.full_name
+ ignore_above: 1024
+ level: extended
multi_fields:
- - flat_name: process.group_leader.saved_user.name.text
+ - flat_name: process.session_leader.parent.saved_user.full_name.text
name: text
type: match_only_text
- name: name
+ name: full_name
normalize: []
original_fieldset: user
- short: Short name or login of the user.
+ short: User's full name, if available.
type: keyword
-process.group_leader.start:
- dashed_name: process-group-leader-start
- description: The time the process started.
- example: '2016-05-23T08:05:34.853Z'
- flat_name: process.group_leader.start
+process.session_leader.parent.saved_user.group.domain:
+ dashed_name: process-session-leader-parent-saved-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.session_leader.parent.saved_user.group.domain
+ ignore_above: 1024
level: extended
- name: start
+ name: domain
normalize: []
- original_fieldset: process
- short: The time the process started.
- type: date
-process.group_leader.supplemental_groups.id:
- dashed_name: process-group-leader-supplemental-groups-id
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.session_leader.parent.saved_user.group.id:
+ dashed_name: process-session-leader-parent-saved-user-group-id
description: Unique identifier for the group on the system/platform.
- flat_name: process.group_leader.supplemental_groups.id
+ flat_name: process.session_leader.parent.saved_user.group.id
ignore_above: 1024
level: extended
name: id
@@ -10712,10 +41142,10 @@ process.group_leader.supplemental_groups.id:
original_fieldset: group
short: Unique identifier for the group on the system/platform.
type: keyword
-process.group_leader.supplemental_groups.name:
- dashed_name: process-group-leader-supplemental-groups-name
+process.session_leader.parent.saved_user.group.name:
+ dashed_name: process-session-leader-parent-saved-user-group-name
description: Name of the group.
- flat_name: process.group_leader.supplemental_groups.name
+ flat_name: process.session_leader.parent.saved_user.group.name
ignore_above: 1024
level: extended
name: name
@@ -10723,50 +41153,26 @@ process.group_leader.supplemental_groups.name:
original_fieldset: group
short: Name of the group.
type: keyword
-process.group_leader.tty:
- dashed_name: process-group-leader-tty
- description: Information about the controlling TTY device. If set, the process belongs
- to an interactive session.
- flat_name: process.group_leader.tty
- level: extended
- name: tty
- normalize: []
- original_fieldset: process
- short: Information about the controlling TTY device.
- type: object
-process.group_leader.tty.char_device.major:
- dashed_name: process-group-leader-tty-char-device-major
- description: The major number identifies the driver associated with the device.
- The character device's major and minor numbers can be algorithmically combined
- to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
- For more details, please refer to the Linux kernel documentation.
- example: 4
- flat_name: process.group_leader.tty.char_device.major
- level: extended
- name: tty.char_device.major
- normalize: []
- original_fieldset: process
- short: The TTY character device's major number.
- type: long
-process.group_leader.tty.char_device.minor:
- dashed_name: process-group-leader-tty-char-device-minor
- description: The minor number is used only by the driver specified by the major
- number; other parts of the kernel don’t use it, and merely pass it along to the
- driver. It is common for a driver to control several devices; the minor number
- provides a way for the driver to differentiate among them.
- example: 1
- flat_name: process.group_leader.tty.char_device.minor
+process.session_leader.parent.saved_user.hash:
+ dashed_name: process-session-leader-parent-saved-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.session_leader.parent.saved_user.hash
+ ignore_above: 1024
level: extended
- name: tty.char_device.minor
+ name: hash
normalize: []
- original_fieldset: process
- short: The TTY character device's minor number.
- type: long
-process.group_leader.user.id:
- dashed_name: process-group-leader-user-id
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+process.session_leader.parent.saved_user.id:
+ dashed_name: process-session-leader-parent-saved-user-id
description: Unique identifier of the user.
example: S-1-5-21-202424912787-2692429404-2351956786-1000
- flat_name: process.group_leader.user.id
+ flat_name: process.session_leader.parent.saved_user.id
ignore_above: 1024
level: core
name: id
@@ -10774,15 +41180,15 @@ process.group_leader.user.id:
original_fieldset: user
short: Unique identifier of the user.
type: keyword
-process.group_leader.user.name:
- dashed_name: process-group-leader-user-name
+process.session_leader.parent.saved_user.name:
+ dashed_name: process-session-leader-parent-saved-user-name
description: Short name or login of the user.
example: a.einstein
- flat_name: process.group_leader.user.name
+ flat_name: process.session_leader.parent.saved_user.name
ignore_above: 1024
level: core
multi_fields:
- - flat_name: process.group_leader.user.name.text
+ - flat_name: process.session_leader.parent.saved_user.name.text
name: text
type: match_only_text
name: name
@@ -10790,508 +41196,386 @@ process.group_leader.user.name:
original_fieldset: user
short: Short name or login of the user.
type: keyword
-process.group_leader.vpid:
- dashed_name: process-group-leader-vpid
- description: 'Virtual process id.
-
- The process id within a pid namespace. This is not necessarily unique across all
- processes on the host but it is unique within the process namespace that the process
- exists within.'
- example: 4242
- flat_name: process.group_leader.vpid
- format: string
- level: core
- name: vpid
- normalize: []
- original_fieldset: process
- short: Virtual process id.
- type: long
-process.group_leader.working_directory:
- dashed_name: process-group-leader-working-directory
- description: The working directory of the process.
- example: /home/alice
- flat_name: process.group_leader.working_directory
- ignore_above: 1024
- level: extended
- multi_fields:
- - flat_name: process.group_leader.working_directory.text
- name: text
- type: match_only_text
- name: working_directory
- normalize: []
- original_fieldset: process
- short: The working directory of the process.
- type: keyword
-process.hash.cdhash:
- beta: This field is beta and subject to change.
- dashed_name: process-hash-cdhash
- description: Code directory hash, utilized to uniquely identify and authenticate
- the integrity of the executable code.
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
- flat_name: process.hash.cdhash
- ignore_above: 1024
- level: extended
- name: cdhash
- normalize: []
- original_fieldset: hash
- short: The Code Directory (CD) hash of an executable.
- type: keyword
-process.hash.md5:
- dashed_name: process-hash-md5
- description: MD5 hash.
- flat_name: process.hash.md5
- ignore_above: 1024
- level: extended
- name: md5
- normalize: []
- original_fieldset: hash
- short: MD5 hash.
- type: keyword
-process.hash.sha1:
- dashed_name: process-hash-sha1
- description: SHA1 hash.
- flat_name: process.hash.sha1
- ignore_above: 1024
- level: extended
- name: sha1
- normalize: []
- original_fieldset: hash
- short: SHA1 hash.
- type: keyword
-process.hash.sha256:
- dashed_name: process-hash-sha256
- description: SHA256 hash.
- flat_name: process.hash.sha256
- ignore_above: 1024
- level: extended
- name: sha256
- normalize: []
- original_fieldset: hash
- short: SHA256 hash.
- type: keyword
-process.hash.sha384:
- dashed_name: process-hash-sha384
- description: SHA384 hash.
- flat_name: process.hash.sha384
- ignore_above: 1024
- level: extended
- name: sha384
- normalize: []
- original_fieldset: hash
- short: SHA384 hash.
- type: keyword
-process.hash.sha512:
- dashed_name: process-hash-sha512
- description: SHA512 hash.
- flat_name: process.hash.sha512
- ignore_above: 1024
- level: extended
- name: sha512
- normalize: []
- original_fieldset: hash
- short: SHA512 hash.
- type: keyword
-process.hash.ssdeep:
- dashed_name: process-hash-ssdeep
- description: SSDEEP hash.
- flat_name: process.hash.ssdeep
- ignore_above: 1024
- level: extended
- name: ssdeep
- normalize: []
- original_fieldset: hash
- short: SSDEEP hash.
- type: keyword
-process.hash.tlsh:
- dashed_name: process-hash-tlsh
- description: TLSH hash.
- flat_name: process.hash.tlsh
+process.session_leader.parent.saved_user.risk.calculated_level:
+ dashed_name: process-session-leader-parent-saved-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.session_leader.parent.saved_user.risk.calculated_level
ignore_above: 1024
level: extended
- name: tlsh
+ name: calculated_level
normalize: []
- original_fieldset: hash
- short: TLSH hash.
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
type: keyword
-process.interactive:
- dashed_name: process-interactive
- description: 'Whether the process is connected to an interactive shell.
-
- Process interactivity is inferred from the processes file descriptors. If the
- character device for the controlling tty is the same as stdin and stderr for the
- process, the process is considered interactive.
-
- Note: A non-interactive process can belong to an interactive session and is simply
- one that does not have open file descriptors reading the controlling TTY on FD
- 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process
- is still considered interactive if stdin and stderr are connected to the controlling
- TTY.'
- example: true
- flat_name: process.interactive
- level: extended
- name: interactive
- normalize: []
- otel:
- - relation: match
- stability: development
- short: Whether the process is connected to an interactive shell.
- type: boolean
-process.io:
- dashed_name: process-io
- description: 'A chunk of input or output (IO) from a single process.
-
- This field only appears on the top level process object, which is the process
- that wrote the output or read the input.'
- flat_name: process.io
+process.session_leader.parent.saved_user.risk.calculated_score:
+ dashed_name: process-session-leader-parent-saved-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.session_leader.parent.saved_user.risk.calculated_score
level: extended
- name: io
+ name: calculated_score
normalize: []
- short: A chunk of input or output (IO) from a single process.
- type: object
-process.io.bytes_skipped:
- dashed_name: process-io-bytes-skipped
- description: An array of byte offsets and lengths denoting where IO data has been
- skipped.
- flat_name: process.io.bytes_skipped
- level: extended
- name: io.bytes_skipped
- normalize:
- - array
- short: An array of byte offsets and lengths denoting where IO data has been skipped.
- type: object
-process.io.bytes_skipped.length:
- dashed_name: process-io-bytes-skipped-length
- description: The length of bytes skipped.
- flat_name: process.io.bytes_skipped.length
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+process.session_leader.parent.saved_user.risk.calculated_score_norm:
+ dashed_name: process-session-leader-parent-saved-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: process.session_leader.parent.saved_user.risk.calculated_score_norm
level: extended
- name: io.bytes_skipped.length
+ name: calculated_score_norm
normalize: []
- short: The length of bytes skipped.
- type: long
-process.io.bytes_skipped.offset:
- dashed_name: process-io-bytes-skipped-offset
- description: The byte offset into this event's io.text (or io.bytes in the future)
- where length bytes were skipped.
- flat_name: process.io.bytes_skipped.offset
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+process.session_leader.parent.saved_user.risk.static_level:
+ dashed_name: process-session-leader-parent-saved-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.session_leader.parent.saved_user.risk.static_level
+ ignore_above: 1024
level: extended
- name: io.bytes_skipped.offset
+ name: static_level
normalize: []
- short: The byte offset into this event's io.text (or io.bytes in the future) where
- length bytes were skipped.
- type: long
-process.io.max_bytes_per_process_exceeded:
- dashed_name: process-io-max-bytes-per-process-exceeded
- description: If true, the process producing the output has exceeded the max_kilobytes_per_process
- configuration setting.
- flat_name: process.io.max_bytes_per_process_exceeded
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+process.session_leader.parent.saved_user.risk.static_score:
+ dashed_name: process-session-leader-parent-saved-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.session_leader.parent.saved_user.risk.static_score
level: extended
- name: io.max_bytes_per_process_exceeded
+ name: static_score
normalize: []
- short: If true, the process producing the output has exceeded the max_kilobytes_per_process
- configuration setting.
- type: boolean
-process.io.text:
- dashed_name: process-io-text
- description: 'A chunk of output or input sanitized to UTF-8.
-
- Best efforts are made to ensure complete lines are captured in these events. Assumptions
- should NOT be made that multiple lines will appear in the same event. TTY output
- may contain terminal control codes such as for cursor movement, so some string
- queries may not match due to terminal codes inserted between characters of a word.'
- flat_name: process.io.text
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+process.session_leader.parent.saved_user.risk.static_score_norm:
+ dashed_name: process-session-leader-parent-saved-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.session_leader.parent.saved_user.risk.static_score_norm
level: extended
- name: io.text
+ name: static_score_norm
normalize: []
- short: A chunk of output or input sanitized to UTF-8.
- type: wildcard
-process.io.total_bytes_captured:
- dashed_name: process-io-total-bytes-captured
- description: The total number of bytes captured in this event.
- flat_name: process.io.total_bytes_captured
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+process.session_leader.parent.saved_user.roles:
+ dashed_name: process-session-leader-parent-saved-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.session_leader.parent.saved_user.roles
+ ignore_above: 1024
level: extended
- name: io.total_bytes_captured
- normalize: []
- short: The total number of bytes captured in this event.
- type: long
-process.io.total_bytes_skipped:
- dashed_name: process-io-total-bytes-skipped
- description: The total number of bytes that were not captured due to implementation
- restrictions such as buffer size limits. Implementors should strive to ensure
- this value is always zero
- flat_name: process.io.total_bytes_skipped
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+process.session_leader.parent.session_leader.args:
+ dashed_name: process-session-leader-parent-session-leader-args
+ description: 'Array of process arguments, starting with the absolute path to the
+ executable.
+
+ May be filtered to protect sensitive information.'
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+ flat_name: process.session_leader.parent.session_leader.args
+ ignore_above: 1024
level: extended
- name: io.total_bytes_skipped
+ name: args
+ normalize:
+ - array
+ original_fieldset: process
+ short: Array of process arguments.
+ type: keyword
+process.session_leader.parent.session_leader.args_count:
+ dashed_name: process-session-leader-parent-session-leader-args-count
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how many
+ arguments were provided to start a process. More arguments may be an indication
+ of suspicious activity.'
+ example: 4
+ flat_name: process.session_leader.parent.session_leader.args_count
+ level: extended
+ name: args_count
normalize: []
- short: The total number of bytes that were not captured due to implementation restrictions
- such as buffer size limits.
+ original_fieldset: process
+ short: Length of the process.args array.
type: long
-process.io.type:
- dashed_name: process-io-type
- description: 'The type of object on which the IO action (read or write) was taken.
+process.session_leader.parent.session_leader.attested_groups.domain:
+ dashed_name: process-session-leader-parent-session-leader-attested-groups-domain
+ description: 'Name of the directory the group is a member of.
- Currently only ''tty'' is supported. Other types may be added in the future for
- ''file'' and ''socket'' support.'
- flat_name: process.io.type
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.session_leader.parent.session_leader.attested_groups.domain
ignore_above: 1024
level: extended
- name: io.type
+ name: domain
normalize: []
- short: The type of object on which the IO action (read or write) was taken.
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
type: keyword
-process.macho.go_import_hash:
- dashed_name: process-macho-go-import-hash
- description: 'A hash of the Go language imports in a Mach-O file excluding standard
- library imports. An import hash can be used to fingerprint binaries even after
- recompilation or other code-level transformations have occurred, which would change
- more traditional hash values.
-
- The algorithm used to calculate the Go symbol hash and a reference implementation
- are available here: https://github.com/elastic/toutoumomoma'
- example: 10bddcb4cee42080f76c88d9ff964491
- flat_name: process.macho.go_import_hash
+process.session_leader.parent.session_leader.attested_groups.id:
+ dashed_name: process-session-leader-parent-session-leader-attested-groups-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.session_leader.parent.session_leader.attested_groups.id
ignore_above: 1024
level: extended
- name: go_import_hash
+ name: id
normalize: []
- original_fieldset: macho
- short: A hash of the Go language imports in a Mach-O file.
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
type: keyword
-process.macho.go_imports:
- dashed_name: process-macho-go-imports
- description: List of imported Go language element names and types.
- flat_name: process.macho.go_imports
+process.session_leader.parent.session_leader.attested_groups.name:
+ dashed_name: process-session-leader-parent-session-leader-attested-groups-name
+ description: Name of the group.
+ flat_name: process.session_leader.parent.session_leader.attested_groups.name
+ ignore_above: 1024
level: extended
- name: go_imports
+ name: name
normalize: []
- original_fieldset: macho
- short: List of imported Go language element names and types.
- type: flattened
-process.macho.go_imports_names_entropy:
- dashed_name: process-macho-go-imports-names-entropy
- description: Shannon entropy calculation from the list of Go imports.
- flat_name: process.macho.go_imports_names_entropy
- format: number
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.session_leader.parent.session_leader.attested_user.domain:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.session_leader.parent.session_leader.attested_user.domain
+ ignore_above: 1024
level: extended
- name: go_imports_names_entropy
+ name: domain
normalize: []
- original_fieldset: macho
- short: Shannon entropy calculation from the list of Go imports.
- type: long
-process.macho.go_imports_names_var_entropy:
- dashed_name: process-macho-go-imports-names-var-entropy
- description: Variance for Shannon entropy calculation from the list of Go imports.
- flat_name: process.macho.go_imports_names_var_entropy
- format: number
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+process.session_leader.parent.session_leader.attested_user.email:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-email
+ description: User email address.
+ flat_name: process.session_leader.parent.session_leader.attested_user.email
+ ignore_above: 1024
level: extended
- name: go_imports_names_var_entropy
+ name: email
normalize: []
- original_fieldset: macho
- short: Variance for Shannon entropy calculation from the list of Go imports.
- type: long
-process.macho.go_stripped:
- dashed_name: process-macho-go-stripped
- description: Set to true if the file is a Go executable that has had its symbols
- stripped or obfuscated and false if an unobfuscated Go executable.
- flat_name: process.macho.go_stripped
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+process.session_leader.parent.session_leader.attested_user.full_name:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.session_leader.parent.session_leader.attested_user.full_name
+ ignore_above: 1024
level: extended
- name: go_stripped
+ multi_fields:
+ - flat_name: process.session_leader.parent.session_leader.attested_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
normalize: []
- original_fieldset: macho
- short: Whether the file is a stripped or obfuscated Go executable.
- type: boolean
-process.macho.import_hash:
- dashed_name: process-macho-import-hash
- description: 'A hash of the imports in a Mach-O file. An import hash can be used
- to fingerprint binaries even after recompilation or other code-level transformations
- have occurred, which would change more traditional hash values.
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+process.session_leader.parent.session_leader.attested_user.group.domain:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-group-domain
+ description: 'Name of the directory the group is a member of.
- This is a synonym for symhash.'
- example: d41d8cd98f00b204e9800998ecf8427e
- flat_name: process.macho.import_hash
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.session_leader.parent.session_leader.attested_user.group.domain ignore_above: 1024 level: extended - name: import_hash + name: domain normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword -process.macho.imports: - dashed_name: process-macho-imports - description: List of imported element names and types. - flat_name: process.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.macho.imports_names_entropy: - dashed_name: process-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.macho.imports_names_entropy - format: number +process.session_leader.parent.session_leader.attested_user.group.id: + dashed_name: process-session-leader-parent-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.attested_user.group.id + ignore_above: 1024 level: extended - name: imports_names_entropy + name: id normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.macho.imports_names_var_entropy: - dashed_name: process-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.macho.imports_names_var_entropy - format: number + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.attested_user.group.name: + dashed_name: process-session-leader-parent-session-leader-attested-user-group-name + description: Name of the group. 
+ flat_name: process.session_leader.parent.session_leader.attested_user.group.name + ignore_above: 1024 level: extended - name: imports_names_var_entropy + name: name normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.macho.sections: - dashed_name: process-macho-sections - description: 'An array containing an object for each section of the Mach-O file. + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.session_leader.attested_user.hash: + dashed_name: process-session-leader-parent-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.macho.sections.entropy: - dashed_name: process-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.macho.sections.entropy - format: number + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.attested_user.hash + ignore_above: 1024 level: extended - name: sections.entropy + name: hash normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.macho.sections.name: - dashed_name: process-macho-sections-name - description: Mach-O Section List name. - flat_name: process.macho.sections.name + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. 
+ type: keyword +process.session_leader.parent.session_leader.attested_user.id: + dashed_name: process-session-leader-parent-session-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.attested_user.id ignore_above: 1024 - level: extended - name: sections.name + level: core + name: id normalize: [] - original_fieldset: macho - short: Mach-O Section List name. + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.macho.sections.physical_size: - dashed_name: process-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.macho.sections.physical_size - format: bytes +process.session_leader.parent.session_leader.attested_user.name: + dashed_name: process-session-leader-parent-session-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.parent.session_leader.attested_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 level: extended - name: sections.physical_size + name: calculated_level normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. 
- type: long -process.macho.sections.var_entropy: - dashed_name: process-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.macho.sections.var_entropy - format: number + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.parent.session_leader.attested_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score level: extended - name: sections.var_entropy + name: calculated_score normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.macho.sections.virtual_size: - dashed_name: process-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.macho.sections.virtual_size - format: string + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm level: extended - name: sections.virtual_size + name: calculated_score_norm normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.macho.symhash: - dashed_name: process-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.macho.symhash + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.session_leader.attested_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_level ignore_above: 1024 level: extended - name: symhash + name: static_level normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. type: keyword -process.name: - dashed_name: process-name - description: 'Process name. - - Sometimes called program name or similar.' 
- example: ssh - flat_name: process.name - ignore_above: 1024 +process.session_leader.parent.session_leader.attested_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score level: extended - multi_fields: - - flat_name: process.name.text - name: text - type: match_only_text - name: name + name: static_score normalize: [] - short: Process name. - type: keyword -process.parent.args: - dashed_name: process-parent-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.args + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.parent.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.session_leader.attested_user.roles: + dashed_name: process-session-leader-parent-session-leader-attested-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.attested_user.roles ignore_above: 1024 level: extended - name: args + name: roles normalize: - array - original_fieldset: process - short: Array of process arguments. + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none type: keyword -process.parent.args_count: - dashed_name: process-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.parent.code_signature.digest_algorithm: - dashed_name: process-parent-code-signature-digest-algorithm +process.session_leader.parent.session_leader.code_signature.digest_algorithm: + dashed_name: process-session-leader-parent-session-leader-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.' example: sha256 - flat_name: process.parent.code_signature.digest_algorithm + flat_name: process.session_leader.parent.session_leader.code_signature.digest_algorithm ignore_above: 1024 level: extended name: digest_algorithm 
@@ -11299,23 +41583,23 @@ process.parent.code_signature.digest_algorithm: original_fieldset: code_signature short: Hashing algorithm used to sign the process. type: keyword -process.parent.code_signature.exists: - dashed_name: process-parent-code-signature-exists +process.session_leader.parent.session_leader.code_signature.exists: + dashed_name: process-session-leader-parent-session-leader-code-signature-exists description: Boolean to capture if a signature is present. example: 'true' - flat_name: process.parent.code_signature.exists + flat_name: process.session_leader.parent.session_leader.code_signature.exists level: core name: exists normalize: [] original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean -process.parent.code_signature.flags: +process.session_leader.parent.session_leader.code_signature.flags: beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-flags + dashed_name: process-session-leader-parent-session-leader-code-signature-flags description: The flags used to sign the process. example: 570522385 - flat_name: process.parent.code_signature.flags + flat_name: process.session_leader.parent.session_leader.code_signature.flags ignore_above: 1024 level: extended name: flags 
@@ -11323,14 +41607,14 @@ process.parent.code_signature.flags: original_fieldset: code_signature short: Code signing flags of the process type: keyword -process.parent.code_signature.signing_id: - dashed_name: process-parent-code-signature-signing-id +process.session_leader.parent.session_leader.code_signature.signing_id: + dashed_name: process-session-leader-parent-session-leader-code-signature-signing-id description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy - flat_name: process.parent.code_signature.signing_id + flat_name: process.session_leader.parent.session_leader.code_signature.signing_id ignore_above: 1024 level: extended name: signing_id @@ -11338,15 +41622,15 @@ process.parent.code_signature.signing_id: original_fieldset: code_signature short: The identifier used to sign the process. type: keyword -process.parent.code_signature.status: - dashed_name: process-parent-code-signature-status +process.session_leader.parent.session_leader.code_signature.status: + dashed_name: process-session-leader-parent-session-leader-code-signature-status description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.code_signature.status + flat_name: process.session_leader.parent.session_leader.code_signature.status ignore_above: 1024 level: extended name: status 
@@ -11354,11 +41638,11 @@ process.parent.code_signature.status: original_fieldset: code_signature short: Additional information about the certificate status. type: keyword -process.parent.code_signature.subject_name: - dashed_name: process-parent-code-signature-subject-name +process.session_leader.parent.session_leader.code_signature.subject_name: + dashed_name: process-session-leader-parent-session-leader-code-signature-subject-name description: Subject name of the code signer example: Microsoft Corporation - flat_name: process.parent.code_signature.subject_name + flat_name: process.session_leader.parent.session_leader.code_signature.subject_name ignore_above: 1024 level: core name: subject_name @@ -11366,14 +41650,14 @@ process.parent.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword -process.parent.code_signature.team_id: - dashed_name: process-parent-code-signature-team-id +process.session_leader.parent.session_leader.code_signature.team_id: + dashed_name: process-session-leader-parent-session-leader-code-signature-team-id description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV - flat_name: process.parent.code_signature.team_id + flat_name: process.session_leader.parent.session_leader.code_signature.team_id ignore_above: 1024 level: extended name: team_id 
@@ -11381,12 +41665,12 @@ process.parent.code_signature.team_id: original_fieldset: code_signature short: The team identifier used to sign the process. type: keyword -process.parent.code_signature.thumbprint_sha256: +process.session_leader.parent.session_leader.code_signature.thumbprint_sha256: beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-thumbprint-sha256 + dashed_name: process-session-leader-parent-session-leader-code-signature-thumbprint-sha256 description: Certificate SHA256 hash that uniquely identifies the code signer. example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.code_signature.thumbprint_sha256 + flat_name: process.session_leader.parent.session_leader.code_signature.thumbprint_sha256 ignore_above: 64 level: extended name: thumbprint_sha256 
@@ -11395,39 +41679,39 @@ process.parent.code_signature.thumbprint_sha256: pattern: ^[0-9a-f]{64}$ short: SHA256 hash of the certificate. type: keyword -process.parent.code_signature.timestamp: - dashed_name: process-parent-code-signature-timestamp +process.session_leader.parent.session_leader.code_signature.timestamp: + dashed_name: process-session-leader-parent-session-leader-code-signature-timestamp description: Date and time when the code signature was generated and signed. example: '2021-01-01T12:10:30Z' - flat_name: process.parent.code_signature.timestamp + flat_name: process.session_leader.parent.session_leader.code_signature.timestamp level: extended name: timestamp normalize: [] original_fieldset: code_signature short: When the signature was generated and signed. type: date -process.parent.code_signature.trusted: - dashed_name: process-parent-code-signature-trusted +process.session_leader.parent.session_leader.code_signature.trusted: + dashed_name: process-session-leader-parent-session-leader-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' - flat_name: process.parent.code_signature.trusted + flat_name: process.session_leader.parent.session_leader.code_signature.trusted level: extended name: trusted normalize: [] original_fieldset: code_signature short: Stores the trust status of the certificate chain. type: boolean -process.parent.code_signature.valid: - dashed_name: process-parent-code-signature-valid +process.session_leader.parent.session_leader.code_signature.valid: + dashed_name: process-session-leader-parent-session-leader-code-signature-valid description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' 
example: 'true' - flat_name: process.parent.code_signature.valid + flat_name: process.session_leader.parent.session_leader.code_signature.valid level: extended name: valid normalize: [] @@ -11435,17 +41719,17 @@ process.parent.code_signature.valid: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean -process.parent.command_line: - dashed_name: process-parent-command-line +process.session_leader.parent.session_leader.command_line: + dashed_name: process-session-leader-parent-session-leader-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.command_line + flat_name: process.session_leader.parent.session_leader.command_line level: extended multi_fields: - - flat_name: process.parent.command_line.text + - flat_name: process.session_leader.parent.session_leader.command_line.text name: text type: match_only_text name: command_line @@ -11453,11 +41737,11 @@ process.parent.command_line: original_fieldset: process short: Full command line that started the process. type: wildcard -process.parent.elf.architecture: - dashed_name: process-parent-elf-architecture +process.session_leader.parent.session_leader.elf.architecture: + dashed_name: process-session-leader-parent-session-leader-elf-architecture description: Machine architecture of the ELF file. example: x86-64 - flat_name: process.parent.elf.architecture + flat_name: process.session_leader.parent.session_leader.elf.architecture ignore_above: 1024 level: extended name: architecture 
@@ -11465,11 +41749,11 @@ process.parent.elf.architecture: original_fieldset: elf short: Machine architecture of the ELF file. type: keyword -process.parent.elf.byte_order: - dashed_name: process-parent-elf-byte-order +process.session_leader.parent.session_leader.elf.byte_order: + dashed_name: process-session-leader-parent-session-leader-elf-byte-order description: Byte sequence of ELF file. example: Little Endian - flat_name: process.parent.elf.byte_order + flat_name: process.session_leader.parent.session_leader.elf.byte_order ignore_above: 1024 level: extended name: byte_order @@ -11477,11 +41761,11 @@ process.parent.elf.byte_order: original_fieldset: elf short: Byte sequence of ELF file. type: keyword -process.parent.elf.cpu_type: - dashed_name: process-parent-elf-cpu-type +process.session_leader.parent.session_leader.elf.cpu_type: + dashed_name: process-session-leader-parent-session-leader-elf-cpu-type description: CPU type of the ELF file. example: Intel - flat_name: process.parent.elf.cpu_type + flat_name: process.session_leader.parent.session_leader.elf.cpu_type ignore_above: 1024 level: extended name: cpu_type 
@@ -11489,21 +41773,21 @@ process.parent.elf.cpu_type: original_fieldset: elf short: CPU type of the ELF file. type: keyword -process.parent.elf.creation_date: - dashed_name: process-parent-elf-creation-date +process.session_leader.parent.session_leader.elf.creation_date: + dashed_name: process-session-leader-parent-session-leader-elf-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.elf.creation_date + flat_name: process.session_leader.parent.session_leader.elf.creation_date level: extended name: creation_date normalize: [] original_fieldset: elf short: Build or compile date. type: date -process.parent.elf.exports: - dashed_name: process-parent-elf-exports +process.session_leader.parent.session_leader.elf.exports: + dashed_name: process-session-leader-parent-session-leader-elf-exports description: List of exported element names and types. - flat_name: process.parent.elf.exports + flat_name: process.session_leader.parent.session_leader.elf.exports level: extended name: exports normalize: @@ -11511,8 +41795,8 @@ process.parent.elf.exports: original_fieldset: elf short: List of exported element names and types. type: flattened -process.parent.elf.go_import_hash: - dashed_name: process-parent-elf-go-import-hash +process.session_leader.parent.session_leader.elf.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-elf-go-import-hash description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change 
@@ -11521,7 +41805,7 @@ process.parent.elf.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.elf.go_import_hash + flat_name: process.session_leader.parent.session_leader.elf.go_import_hash ignore_above: 1024 level: extended name: go_import_hash @@ -11529,20 +41813,20 @@ process.parent.elf.go_import_hash: original_fieldset: elf short: A hash of the Go language imports in an ELF file. type: keyword -process.parent.elf.go_imports: - dashed_name: process-parent-elf-go-imports +process.session_leader.parent.session_leader.elf.go_imports: + dashed_name: process-session-leader-parent-session-leader-elf-go-imports description: List of imported Go language element names and types. - flat_name: process.parent.elf.go_imports + flat_name: process.session_leader.parent.session_leader.elf.go_imports level: extended name: go_imports normalize: [] original_fieldset: elf short: List of imported Go language element names and types. type: flattened -process.parent.elf.go_imports_names_entropy: - dashed_name: process-parent-elf-go-imports-names-entropy +process.session_leader.parent.session_leader.elf.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_entropy + flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy 
@@ -11550,10 +41834,10 @@ process.parent.elf.go_imports_names_entropy: original_fieldset: elf short: Shannon entropy calculation from the list of Go imports. type: long -process.parent.elf.go_imports_names_var_entropy: - dashed_name: process-parent-elf-go-imports-names-var-entropy +process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_var_entropy + flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -11561,21 +41845,21 @@ process.parent.elf.go_imports_names_var_entropy: original_fieldset: elf short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.parent.elf.go_stripped: - dashed_name: process-parent-elf-go-stripped +process.session_leader.parent.session_leader.elf.go_stripped: + dashed_name: process-session-leader-parent-session-leader-elf-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.elf.go_stripped + flat_name: process.session_leader.parent.session_leader.elf.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: elf short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.parent.elf.header.abi_version: - dashed_name: process-parent-elf-header-abi-version +process.session_leader.parent.session_leader.elf.header.abi_version: + dashed_name: process-session-leader-parent-session-leader-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.elf.header.abi_version + flat_name: process.session_leader.parent.session_leader.elf.header.abi_version ignore_above: 1024 level: extended name: header.abi_version @@ -11583,10 +41867,10 @@ process.parent.elf.header.abi_version: original_fieldset: elf short: Version of the ELF Application Binary Interface (ABI). type: keyword -process.parent.elf.header.class: - dashed_name: process-parent-elf-header-class +process.session_leader.parent.session_leader.elf.header.class: + dashed_name: process-session-leader-parent-session-leader-elf-header-class description: Header class of the ELF file. - flat_name: process.parent.elf.header.class + flat_name: process.session_leader.parent.session_leader.elf.header.class ignore_above: 1024 level: extended name: header.class 
@@ -11594,10 +41878,10 @@ process.parent.elf.header.class: original_fieldset: elf short: Header class of the ELF file. type: keyword -process.parent.elf.header.data: - dashed_name: process-parent-elf-header-data +process.session_leader.parent.session_leader.elf.header.data: + dashed_name: process-session-leader-parent-session-leader-elf-header-data description: Data table of the ELF header. - flat_name: process.parent.elf.header.data + flat_name: process.session_leader.parent.session_leader.elf.header.data ignore_above: 1024 level: extended name: header.data @@ -11605,10 +41889,10 @@ process.parent.elf.header.data: original_fieldset: elf short: Data table of the ELF header. type: keyword -process.parent.elf.header.entrypoint: - dashed_name: process-parent-elf-header-entrypoint +process.session_leader.parent.session_leader.elf.header.entrypoint: + dashed_name: process-session-leader-parent-session-leader-elf-header-entrypoint description: Header entrypoint of the ELF file. - flat_name: process.parent.elf.header.entrypoint + flat_name: process.session_leader.parent.session_leader.elf.header.entrypoint format: string level: extended name: header.entrypoint @@ -11616,10 +41900,10 @@ process.parent.elf.header.entrypoint: original_fieldset: elf short: Header entrypoint of the ELF file. type: long -process.parent.elf.header.object_version: - dashed_name: process-parent-elf-header-object-version +process.session_leader.parent.session_leader.elf.header.object_version: + dashed_name: process-session-leader-parent-session-leader-elf-header-object-version description: '"0x1" for original ELF files.' - flat_name: process.parent.elf.header.object_version + flat_name: process.session_leader.parent.session_leader.elf.header.object_version ignore_above: 1024 level: extended name: header.object_version 
@@ -11627,10 +41911,10 @@ process.parent.elf.header.object_version: original_fieldset: elf short: '"0x1" for original ELF files.' type: keyword -process.parent.elf.header.os_abi: - dashed_name: process-parent-elf-header-os-abi +process.session_leader.parent.session_leader.elf.header.os_abi: + dashed_name: process-session-leader-parent-session-leader-elf-header-os-abi description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.elf.header.os_abi + flat_name: process.session_leader.parent.session_leader.elf.header.os_abi ignore_above: 1024 level: extended name: header.os_abi @@ -11638,10 +41922,10 @@ process.parent.elf.header.os_abi: original_fieldset: elf short: Application Binary Interface (ABI) of the Linux OS. type: keyword -process.parent.elf.header.type: - dashed_name: process-parent-elf-header-type +process.session_leader.parent.session_leader.elf.header.type: + dashed_name: process-session-leader-parent-session-leader-elf-header-type description: Header type of the ELF file. - flat_name: process.parent.elf.header.type + flat_name: process.session_leader.parent.session_leader.elf.header.type ignore_above: 1024 level: extended name: header.type @@ -11649,10 +41933,10 @@ process.parent.elf.header.type: original_fieldset: elf short: Header type of the ELF file. type: keyword -process.parent.elf.header.version: - dashed_name: process-parent-elf-header-version +process.session_leader.parent.session_leader.elf.header.version: + dashed_name: process-session-leader-parent-session-leader-elf-header-version description: Version of the ELF header. - flat_name: process.parent.elf.header.version + flat_name: process.session_leader.parent.session_leader.elf.header.version ignore_above: 1024 level: extended name: header.version 
@@ -11660,15 +41944,15 @@ process.parent.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword -process.parent.elf.import_hash: - dashed_name: process-parent-elf-import-hash +process.session_leader.parent.session_leader.elf.import_hash: + dashed_name: process-session-leader-parent-session-leader-elf-import-hash description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.elf.import_hash + flat_name: process.session_leader.parent.session_leader.elf.import_hash ignore_above: 1024 level: extended name: import_hash @@ -11676,10 +41960,10 @@ process.parent.elf.import_hash: original_fieldset: elf short: A hash of the imports in an ELF file. type: keyword -process.parent.elf.imports: - dashed_name: process-parent-elf-imports +process.session_leader.parent.session_leader.elf.imports: + dashed_name: process-session-leader-parent-session-leader-elf-imports description: List of imported element names and types. - flat_name: process.parent.elf.imports + flat_name: process.session_leader.parent.session_leader.elf.imports level: extended name: imports normalize: 
@@ -11687,11 +41971,11 @@ process.parent.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened -process.parent.elf.imports_names_entropy: - dashed_name: process-parent-elf-imports-names-entropy +process.session_leader.parent.session_leader.elf.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.elf.imports_names_entropy + flat_name: process.session_leader.parent.session_leader.elf.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -11699,11 +41983,11 @@ process.parent.elf.imports_names_entropy: original_fieldset: elf short: Shannon entropy calculation from the list of imported element names and types. type: long -process.parent.elf.imports_names_var_entropy: - dashed_name: process-parent-elf-imports-names-var-entropy +process.session_leader.parent.session_leader.elf.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.elf.imports_names_var_entropy + flat_name: process.session_leader.parent.session_leader.elf.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy 
@@ -11712,13 +41996,13 @@ process.parent.elf.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.parent.elf.sections: - dashed_name: process-parent-elf-sections +process.session_leader.parent.session_leader.elf.sections: + dashed_name: process-session-leader-parent-session-leader-elf-sections description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' - flat_name: process.parent.elf.sections + flat_name: process.session_leader.parent.session_leader.elf.sections level: extended name: sections normalize: @@ -11726,10 +42010,10 @@ process.parent.elf.sections: original_fieldset: elf short: Section information of the ELF file. type: nested -process.parent.elf.sections.chi2: - dashed_name: process-parent-elf-sections-chi2 +process.session_leader.parent.session_leader.elf.sections.chi2: + dashed_name: process-session-leader-parent-session-leader-elf-sections-chi2 description: Chi-square probability distribution of the section. - flat_name: process.parent.elf.sections.chi2 + flat_name: process.session_leader.parent.session_leader.elf.sections.chi2 format: number level: extended name: sections.chi2 @@ -11737,10 +42021,10 @@ process.parent.elf.sections.chi2: original_fieldset: elf short: Chi-square probability distribution of the section. type: long -process.parent.elf.sections.entropy: - dashed_name: process-parent-elf-sections-entropy +process.session_leader.parent.session_leader.elf.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.entropy + flat_name: process.session_leader.parent.session_leader.elf.sections.entropy format: number level: extended name: sections.entropy 
@@ -11748,10 +42032,10 @@ process.parent.elf.sections.entropy:
   original_fieldset: elf
   short: Shannon entropy calculation from the section.
   type: long
-process.parent.elf.sections.flags:
-  dashed_name: process-parent-elf-sections-flags
+process.session_leader.parent.session_leader.elf.sections.flags:
+  dashed_name: process-session-leader-parent-session-leader-elf-sections-flags
   description: ELF Section List flags.
-  flat_name: process.parent.elf.sections.flags
+  flat_name: process.session_leader.parent.session_leader.elf.sections.flags
   ignore_above: 1024
   level: extended
   name: sections.flags
@@ -11759,10 +42043,10 @@ process.parent.elf.sections.flags:
   original_fieldset: elf
   short: ELF Section List flags.
   type: keyword
-process.parent.elf.sections.name:
-  dashed_name: process-parent-elf-sections-name
+process.session_leader.parent.session_leader.elf.sections.name:
+  dashed_name: process-session-leader-parent-session-leader-elf-sections-name
   description: ELF Section List name.
-  flat_name: process.parent.elf.sections.name
+  flat_name: process.session_leader.parent.session_leader.elf.sections.name
   ignore_above: 1024
   level: extended
   name: sections.name
@@ -11770,10 +42054,10 @@ process.parent.elf.sections.name:
   original_fieldset: elf
   short: ELF Section List name.
   type: keyword
-process.parent.elf.sections.physical_offset:
-  dashed_name: process-parent-elf-sections-physical-offset
+process.session_leader.parent.session_leader.elf.sections.physical_offset:
+  dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-offset
   description: ELF Section List offset.
-  flat_name: process.parent.elf.sections.physical_offset
+  flat_name: process.session_leader.parent.session_leader.elf.sections.physical_offset
   ignore_above: 1024
   level: extended
   name: sections.physical_offset
@@ -11781,10 +42065,10 @@ process.parent.elf.sections.physical_offset:
   original_fieldset: elf
   short: ELF Section List offset.
   type: keyword
-process.parent.elf.sections.physical_size:
-  dashed_name: process-parent-elf-sections-physical-size
+process.session_leader.parent.session_leader.elf.sections.physical_size:
+  dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-size
   description: ELF Section List physical size.
-  flat_name: process.parent.elf.sections.physical_size
+  flat_name: process.session_leader.parent.session_leader.elf.sections.physical_size
   format: bytes
   level: extended
   name: sections.physical_size
@@ -11792,10 +42076,10 @@ process.parent.elf.sections.physical_size:
   original_fieldset: elf
   short: ELF Section List physical size.
   type: long
-process.parent.elf.sections.type:
-  dashed_name: process-parent-elf-sections-type
+process.session_leader.parent.session_leader.elf.sections.type:
+  dashed_name: process-session-leader-parent-session-leader-elf-sections-type
   description: ELF Section List type.
-  flat_name: process.parent.elf.sections.type
+  flat_name: process.session_leader.parent.session_leader.elf.sections.type
   ignore_above: 1024
   level: extended
   name: sections.type
@@ -11803,10 +42087,10 @@ process.parent.elf.sections.type:
   original_fieldset: elf
   short: ELF Section List type.
   type: keyword
-process.parent.elf.sections.var_entropy:
-  dashed_name: process-parent-elf-sections-var-entropy
+process.session_leader.parent.session_leader.elf.sections.var_entropy:
+  dashed_name: process-session-leader-parent-session-leader-elf-sections-var-entropy
   description: Variance for Shannon entropy calculation from the section.
-  flat_name: process.parent.elf.sections.var_entropy
+  flat_name: process.session_leader.parent.session_leader.elf.sections.var_entropy
   format: number
   level: extended
   name: sections.var_entropy
@@ -11814,10 +42098,10 @@ process.parent.elf.sections.var_entropy:
   original_fieldset: elf
   short: Variance for Shannon entropy calculation from the section.
   type: long
-process.parent.elf.sections.virtual_address:
-  dashed_name: process-parent-elf-sections-virtual-address
+process.session_leader.parent.session_leader.elf.sections.virtual_address:
+  dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-address
   description: ELF Section List virtual address.
-  flat_name: process.parent.elf.sections.virtual_address
+  flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_address
   format: string
   level: extended
   name: sections.virtual_address
@@ -11825,10 +42109,10 @@ process.parent.elf.sections.virtual_address:
   original_fieldset: elf
   short: ELF Section List virtual address.
   type: long
-process.parent.elf.sections.virtual_size:
-  dashed_name: process-parent-elf-sections-virtual-size
+process.session_leader.parent.session_leader.elf.sections.virtual_size:
+  dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-size
   description: ELF Section List virtual size.
-  flat_name: process.parent.elf.sections.virtual_size
+  flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_size
   format: string
   level: extended
   name: sections.virtual_size
@@ -11836,13 +42120,13 @@ process.parent.elf.sections.virtual_size: original_fieldset: elf short: ELF Section List virtual size. type: long -process.parent.elf.segments: - dashed_name: process-parent-elf-segments +process.session_leader.parent.session_leader.elf.segments: + dashed_name: process-session-leader-parent-session-leader-elf-segments description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' - flat_name: process.parent.elf.segments + flat_name: process.session_leader.parent.session_leader.elf.segments level: extended name: segments normalize: @@ -11850,10 +42134,10 @@ process.parent.elf.segments: original_fieldset: elf short: ELF object segment list. type: nested -process.parent.elf.segments.sections: - dashed_name: process-parent-elf-segments-sections +process.session_leader.parent.session_leader.elf.segments.sections: + dashed_name: process-session-leader-parent-session-leader-elf-segments-sections description: ELF object segment sections. - flat_name: process.parent.elf.segments.sections + flat_name: process.session_leader.parent.session_leader.elf.segments.sections ignore_above: 1024 level: extended name: segments.sections @@ -11861,10 +42145,10 @@ process.parent.elf.segments.sections: original_fieldset: elf short: ELF object segment sections. type: keyword -process.parent.elf.segments.type: - dashed_name: process-parent-elf-segments-type +process.session_leader.parent.session_leader.elf.segments.type: + dashed_name: process-session-leader-parent-session-leader-elf-segments-type description: ELF object segment type. - flat_name: process.parent.elf.segments.type + flat_name: process.session_leader.parent.session_leader.elf.segments.type ignore_above: 1024 level: extended name: segments.type 
@@ -11872,10 +42156,10 @@ process.parent.elf.segments.type:
   original_fieldset: elf
   short: ELF object segment type.
   type: keyword
-process.parent.elf.shared_libraries:
-  dashed_name: process-parent-elf-shared-libraries
+process.session_leader.parent.session_leader.elf.shared_libraries:
+  dashed_name: process-session-leader-parent-session-leader-elf-shared-libraries
   description: List of shared libraries used by this ELF object.
-  flat_name: process.parent.elf.shared_libraries
+  flat_name: process.session_leader.parent.session_leader.elf.shared_libraries
   ignore_above: 1024
   level: extended
   name: shared_libraries
@@ -11884,10 +42168,10 @@ process.parent.elf.shared_libraries:
   original_fieldset: elf
   short: List of shared libraries used by this ELF object.
   type: keyword
-process.parent.elf.telfhash:
-  dashed_name: process-parent-elf-telfhash
+process.session_leader.parent.session_leader.elf.telfhash:
+  dashed_name: process-session-leader-parent-session-leader-elf-telfhash
   description: telfhash symbol hash for ELF file.
-  flat_name: process.parent.elf.telfhash
+  flat_name: process.session_leader.parent.session_leader.elf.telfhash
   ignore_above: 1024
   level: extended
   name: telfhash
@@ -11895,19 +42179,31 @@ process.parent.elf.telfhash: original_fieldset: elf short: telfhash hash for ELF file. type: keyword -process.parent.end: - dashed_name: process-parent-end +process.session_leader.parent.session_leader.end: + dashed_name: process-session-leader-parent-session-leader-end description: The time the process ended. example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.end + flat_name: process.session_leader.parent.session_leader.end level: extended name: end normalize: [] original_fieldset: process short: The time the process ended. type: date -process.parent.entity_id: - dashed_name: process-parent-entity-id +process.session_leader.parent.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.parent.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.session_leader.parent.session_leader.entity_id: + dashed_name: process-session-leader-parent-session-leader-entity-id description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples @@ -11918,7 +42214,7 @@ process.parent.entity_id: reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d - flat_name: process.parent.entity_id + flat_name: process.session_leader.parent.session_leader.entity_id ignore_above: 1024 level: extended name: entity_id 
@@ -11926,15 +42222,388 @@ process.parent.entity_id: original_fieldset: process short: Unique identifier for the process. type: keyword -process.parent.executable: - dashed_name: process-parent-executable +process.session_leader.parent.session_leader.entry_meta.source.address: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.as.number: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.session_leader.parent.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.bytes: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.session_leader.parent.session_leader.entry_meta.source.domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.session_leader.parent.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. 
+ type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.location: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.session_leader.parent.session_leader.entry_meta.source.geo.name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. 
+ type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.ip: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.parent.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip +process.session_leader.parent.session_leader.entry_meta.source.mac: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.nat.ip: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.session_leader.parent.session_leader.entry_meta.source.nat.port: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.session_leader.parent.session_leader.entry_meta.source.packets: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.session_leader.parent.session_leader.entry_meta.source.port: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.parent.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.session_leader.parent.session_leader.entry_meta.source.registered_domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.session_leader.parent.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. 
+ type: keyword +process.session_leader.parent.session_leader.entry_meta.source.subdomain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.parent.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.session_leader.parent.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword +process.session_leader.parent.session_leader.entry_meta.type: + dashed_name: process-session-leader-parent-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.parent.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.session_leader.parent.session_leader.env_vars: + dashed_name: process-session-leader-parent-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.parent.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.executable: + dashed_name: process-session-leader-parent-session-leader-executable description: Absolute path to the process executable. example: /usr/bin/ssh - flat_name: process.parent.executable + flat_name: process.session_leader.parent.session_leader.executable ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.executable.text + - flat_name: process.session_leader.parent.session_leader.executable.text name: text type: match_only_text name: executable 
@@ -11942,24 +42611,37 @@ process.parent.executable: original_fieldset: process short: Absolute path to the process executable. type: keyword -process.parent.exit_code: - dashed_name: process-parent-exit-code +process.session_leader.parent.session_leader.exit_code: + dashed_name: process-session-leader-parent-session-leader-exit-code description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 - flat_name: process.parent.exit_code + flat_name: process.session_leader.parent.session_leader.exit_code level: extended name: exit_code normalize: [] original_fieldset: process short: The exit code of the process. type: long -process.parent.group.id: - dashed_name: process-parent-group-id +process.session_leader.parent.session_leader.group.domain: + dashed_name: process-session-leader-parent-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.group.id: + dashed_name: process-session-leader-parent-session-leader-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group.id + flat_name: process.session_leader.parent.session_leader.group.id ignore_above: 1024 level: extended name: id 
@@ -11967,10 +42649,10 @@ process.parent.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.parent.group.name: - dashed_name: process-parent-group-name +process.session_leader.parent.session_leader.group.name: + dashed_name: process-session-leader-parent-session-leader-group-name description: Name of the group. - flat_name: process.parent.group.name + flat_name: process.session_leader.parent.session_leader.group.name ignore_above: 1024 level: extended name: name 
@@ -11978,72 +42660,13 @@ process.parent.group.name: original_fieldset: group short: Name of the group. type: keyword -process.parent.group_leader.entity_id: - dashed_name: process-parent-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.parent.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.parent.group_leader.pid: - dashed_name: process-parent-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.parent.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.parent.group_leader.start: - dashed_name: process-parent-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.parent.group_leader.vpid: - dashed_name: process-parent-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' 
- example: 4242 - flat_name: process.parent.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.parent.hash.cdhash: +process.session_leader.parent.session_leader.hash.cdhash: beta: This field is beta and subject to change. - dashed_name: process-parent-hash-cdhash + dashed_name: process-session-leader-parent-session-leader-hash-cdhash description: Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code. example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.hash.cdhash + flat_name: process.session_leader.parent.session_leader.hash.cdhash ignore_above: 1024 level: extended name: cdhash @@ -12051,10 +42674,10 @@ process.parent.hash.cdhash: original_fieldset: hash short: The Code Directory (CD) hash of an executable. type: keyword -process.parent.hash.md5: - dashed_name: process-parent-hash-md5 +process.session_leader.parent.session_leader.hash.md5: + dashed_name: process-session-leader-parent-session-leader-hash-md5 description: MD5 hash. - flat_name: process.parent.hash.md5 + flat_name: process.session_leader.parent.session_leader.hash.md5 ignore_above: 1024 level: extended name: md5 @@ -12062,10 +42685,10 @@ process.parent.hash.md5: original_fieldset: hash short: MD5 hash. type: keyword -process.parent.hash.sha1: - dashed_name: process-parent-hash-sha1 +process.session_leader.parent.session_leader.hash.sha1: + dashed_name: process-session-leader-parent-session-leader-hash-sha1 description: SHA1 hash. - flat_name: process.parent.hash.sha1 + flat_name: process.session_leader.parent.session_leader.hash.sha1 ignore_above: 1024 level: extended name: sha1 
@@ -12073,10 +42696,10 @@ process.parent.hash.sha1: original_fieldset: hash short: SHA1 hash. type: keyword -process.parent.hash.sha256: - dashed_name: process-parent-hash-sha256 +process.session_leader.parent.session_leader.hash.sha256: + dashed_name: process-session-leader-parent-session-leader-hash-sha256 description: SHA256 hash. - flat_name: process.parent.hash.sha256 + flat_name: process.session_leader.parent.session_leader.hash.sha256 ignore_above: 1024 level: extended name: sha256 @@ -12084,10 +42707,10 @@ process.parent.hash.sha256: original_fieldset: hash short: SHA256 hash. type: keyword -process.parent.hash.sha384: - dashed_name: process-parent-hash-sha384 +process.session_leader.parent.session_leader.hash.sha384: + dashed_name: process-session-leader-parent-session-leader-hash-sha384 description: SHA384 hash. - flat_name: process.parent.hash.sha384 + flat_name: process.session_leader.parent.session_leader.hash.sha384 ignore_above: 1024 level: extended name: sha384 @@ -12095,10 +42718,10 @@ process.parent.hash.sha384: original_fieldset: hash short: SHA384 hash. type: keyword -process.parent.hash.sha512: - dashed_name: process-parent-hash-sha512 +process.session_leader.parent.session_leader.hash.sha512: + dashed_name: process-session-leader-parent-session-leader-hash-sha512 description: SHA512 hash. - flat_name: process.parent.hash.sha512 + flat_name: process.session_leader.parent.session_leader.hash.sha512 ignore_above: 1024 level: extended name: sha512 @@ -12106,10 +42729,10 @@ process.parent.hash.sha512: original_fieldset: hash short: SHA512 hash. type: keyword -process.parent.hash.ssdeep: - dashed_name: process-parent-hash-ssdeep +process.session_leader.parent.session_leader.hash.ssdeep: + dashed_name: process-session-leader-parent-session-leader-hash-ssdeep description: SSDEEP hash. - flat_name: process.parent.hash.ssdeep + flat_name: process.session_leader.parent.session_leader.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep 
@@ -12117,10 +42740,10 @@ process.parent.hash.ssdeep: original_fieldset: hash short: SSDEEP hash. type: keyword -process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh +process.session_leader.parent.session_leader.hash.tlsh: + dashed_name: process-session-leader-parent-session-leader-hash-tlsh description: TLSH hash. - flat_name: process.parent.hash.tlsh + flat_name: process.session_leader.parent.session_leader.hash.tlsh ignore_above: 1024 level: extended name: tlsh @@ -12128,8 +42751,8 @@ process.parent.hash.tlsh: original_fieldset: hash short: TLSH hash. type: keyword -process.parent.interactive: - dashed_name: process-parent-interactive +process.session_leader.parent.session_leader.interactive: + dashed_name: process-session-leader-parent-session-leader-interactive description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the 
@@ -12142,15 +42765,126 @@ process.parent.interactive: is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true - flat_name: process.parent.interactive + flat_name: process.session_leader.parent.session_leader.interactive level: extended name: interactive normalize: [] original_fieldset: process short: Whether the process is connected to an interactive shell. type: boolean -process.parent.macho.go_import_hash: - dashed_name: process-parent-macho-go-import-hash +process.session_leader.parent.session_leader.io: + dashed_name: process-session-leader-parent-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.parent.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.session_leader.parent.session_leader.io.bytes_skipped: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.session_leader.parent.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.session_leader.parent.session_leader.io.bytes_skipped.length: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long +process.session_leader.parent.session_leader.io.bytes_skipped.offset: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-parent-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.session_leader.parent.session_leader.io.text: + dashed_name: process-session-leader-parent-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.session_leader.parent.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard +process.session_leader.parent.session_leader.io.total_bytes_captured: + dashed_name: process-session-leader-parent-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.session_leader.parent.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.session_leader.parent.session_leader.io.total_bytes_skipped: + dashed_name: process-session-leader-parent-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.parent.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.session_leader.parent.session_leader.io.type: + dashed_name: process-session-leader-parent-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.session_leader.parent.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.session_leader.parent.session_leader.macho.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-macho-go-import-hash description: 'A hash of the Go language imports in a Mach-O file excluding standard library imports. 
An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change @@ -12159,7 +42893,7 @@ process.parent.macho.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.macho.go_import_hash + flat_name: process.session_leader.parent.session_leader.macho.go_import_hash ignore_above: 1024 level: extended name: go_import_hash @@ -12167,20 +42901,20 @@ process.parent.macho.go_import_hash: original_fieldset: macho short: A hash of the Go language imports in a Mach-O file. type: keyword -process.parent.macho.go_imports: - dashed_name: process-parent-macho-go-imports +process.session_leader.parent.session_leader.macho.go_imports: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports description: List of imported Go language element names and types. - flat_name: process.parent.macho.go_imports + flat_name: process.session_leader.parent.session_leader.macho.go_imports level: extended name: go_imports normalize: [] original_fieldset: macho short: List of imported Go language element names and types. type: flattened -process.parent.macho.go_imports_names_entropy: - dashed_name: process-parent-macho-go-imports-names-entropy +process.session_leader.parent.session_leader.macho.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_entropy + flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy 
@@ -12188,10 +42922,10 @@ process.parent.macho.go_imports_names_entropy: original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. type: long -process.parent.macho.go_imports_names_var_entropy: - dashed_name: process-parent-macho-go-imports-names-var-entropy +process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_var_entropy + flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -12199,26 +42933,26 @@ process.parent.macho.go_imports_names_var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.parent.macho.go_stripped: - dashed_name: process-parent-macho-go-stripped +process.session_leader.parent.session_leader.macho.go_stripped: + dashed_name: process-session-leader-parent-session-leader-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.macho.go_stripped + flat_name: process.session_leader.parent.session_leader.macho.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.parent.macho.import_hash: - dashed_name: process-parent-macho-import-hash +process.session_leader.parent.session_leader.macho.import_hash: + dashed_name: process-session-leader-parent-session-leader-macho-import-hash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.macho.import_hash + flat_name: process.session_leader.parent.session_leader.macho.import_hash ignore_above: 1024 level: extended name: import_hash 
@@ -12226,10 +42960,10 @@ process.parent.macho.import_hash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.parent.macho.imports: - dashed_name: process-parent-macho-imports +process.session_leader.parent.session_leader.macho.imports: + dashed_name: process-session-leader-parent-session-leader-macho-imports description: List of imported element names and types. - flat_name: process.parent.macho.imports + flat_name: process.session_leader.parent.session_leader.macho.imports level: extended name: imports normalize: @@ -12237,11 +42971,11 @@ process.parent.macho.imports: original_fieldset: macho short: List of imported element names and types. type: flattened -process.parent.macho.imports_names_entropy: - dashed_name: process-parent-macho-imports-names-entropy +process.session_leader.parent.session_leader.macho.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.macho.imports_names_entropy + flat_name: process.session_leader.parent.session_leader.macho.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -12249,11 +42983,11 @@ process.parent.macho.imports_names_entropy: original_fieldset: macho short: Shannon entropy calculation from the list of imported element names and types. type: long -process.parent.macho.imports_names_var_entropy: - dashed_name: process-parent-macho-imports-names-var-entropy +process.session_leader.parent.session_leader.macho.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.macho.imports_names_var_entropy + flat_name: process.session_leader.parent.session_leader.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -12262,13 +42996,13 @@ process.parent.macho.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.parent.macho.sections: - dashed_name: process-parent-macho-sections +process.session_leader.parent.session_leader.macho.sections: + dashed_name: process-session-leader-parent-session-leader-macho-sections description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' - flat_name: process.parent.macho.sections + flat_name: process.session_leader.parent.session_leader.macho.sections level: extended name: sections normalize: 
@@ -12276,10 +43010,10 @@ process.parent.macho.sections: original_fieldset: macho short: Section information of the Mach-O file. type: nested -process.parent.macho.sections.entropy: - dashed_name: process-parent-macho-sections-entropy +process.session_leader.parent.session_leader.macho.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.entropy + flat_name: process.session_leader.parent.session_leader.macho.sections.entropy format: number level: extended name: sections.entropy @@ -12287,10 +43021,10 @@ process.parent.macho.sections.entropy: original_fieldset: macho short: Shannon entropy calculation from the section. type: long -process.parent.macho.sections.name: - dashed_name: process-parent-macho-sections-name +process.session_leader.parent.session_leader.macho.sections.name: + dashed_name: process-session-leader-parent-session-leader-macho-sections-name description: Mach-O Section List name. - flat_name: process.parent.macho.sections.name + flat_name: process.session_leader.parent.session_leader.macho.sections.name ignore_above: 1024 level: extended name: sections.name @@ -12298,10 +43032,10 @@ process.parent.macho.sections.name: original_fieldset: macho short: Mach-O Section List name. type: keyword -process.parent.macho.sections.physical_size: - dashed_name: process-parent-macho-sections-physical-size +process.session_leader.parent.session_leader.macho.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-macho-sections-physical-size description: Mach-O Section List physical size. - flat_name: process.parent.macho.sections.physical_size + flat_name: process.session_leader.parent.session_leader.macho.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -12309,10 +43043,10 @@ process.parent.macho.sections.physical_size: original_fieldset: macho short: Mach-O Section List physical size. type: long -process.parent.macho.sections.var_entropy: - dashed_name: process-parent-macho-sections-var-entropy +process.session_leader.parent.session_leader.macho.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.var_entropy + flat_name: process.session_leader.parent.session_leader.macho.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -12320,10 +43054,10 @@ process.parent.macho.sections.var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the section. type: long -process.parent.macho.sections.virtual_size: - dashed_name: process-parent-macho-sections-virtual-size +process.session_leader.parent.session_leader.macho.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-macho-sections-virtual-size description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.macho.sections.virtual_size + flat_name: process.session_leader.parent.session_leader.macho.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -12331,15 +43065,15 @@ process.parent.macho.sections.virtual_size: original_fieldset: macho short: Mach-O Section List virtual size. This is always the same as `physical_size`. type: long -process.parent.macho.symhash: - dashed_name: process-parent-macho-symhash +process.session_leader.parent.session_leader.macho.symhash: + dashed_name: process-session-leader-parent-session-leader-macho-symhash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.macho.symhash + flat_name: process.session_leader.parent.session_leader.macho.symhash ignore_above: 1024 level: extended name: symhash @@ -12347,17 +43081,17 @@ process.parent.macho.symhash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.parent.name: - dashed_name: process-parent-name +process.session_leader.parent.session_leader.name: + dashed_name: process-session-leader-parent-session-leader-name description: 'Process name. Sometimes called program name or similar.' example: ssh - flat_name: process.parent.name + flat_name: process.session_leader.parent.session_leader.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.name.text + - flat_name: process.session_leader.parent.session_leader.name.text name: text type: match_only_text name: name 
@@ -12365,11 +43099,37 @@ process.parent.name: original_fieldset: process short: Process name. type: keyword -process.parent.pe.architecture: - dashed_name: process-parent-pe-architecture +process.session_leader.parent.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.session_leader.parent.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.session_leader.parent.session_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.parent.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.session_leader.parent.session_leader.pe.architecture: + dashed_name: process-session-leader-parent-session-leader-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: process.parent.pe.architecture + flat_name: process.session_leader.parent.session_leader.pe.architecture ignore_above: 1024 level: extended name: architecture 
@@ -12377,11 +43137,11 @@ process.parent.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword -process.parent.pe.company: - dashed_name: process-parent-pe-company +process.session_leader.parent.session_leader.pe.company: + dashed_name: process-session-leader-parent-session-leader-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: process.parent.pe.company + flat_name: process.session_leader.parent.session_leader.pe.company ignore_above: 1024 level: extended name: company @@ -12389,11 +43149,11 @@ process.parent.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword -process.parent.pe.description: - dashed_name: process-parent-pe-description +process.session_leader.parent.session_leader.pe.description: + dashed_name: process-session-leader-parent-session-leader-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: process.parent.pe.description + flat_name: process.session_leader.parent.session_leader.pe.description ignore_above: 1024 level: extended name: description @@ -12401,11 +43161,11 @@ process.parent.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword -process.parent.pe.file_version: - dashed_name: process-parent-pe-file-version +process.session_leader.parent.session_leader.pe.file_version: + dashed_name: process-session-leader-parent-session-leader-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: process.parent.pe.file_version + flat_name: process.session_leader.parent.session_leader.pe.file_version ignore_above: 1024 level: extended name: file_version 
@@ -12413,8 +43173,8 @@ process.parent.pe.file_version: original_fieldset: pe short: Process name. type: keyword -process.parent.pe.go_import_hash: - dashed_name: process-parent-pe-go-import-hash +process.session_leader.parent.session_leader.pe.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change @@ -12423,7 +43183,7 @@ process.parent.pe.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.pe.go_import_hash + flat_name: process.session_leader.parent.session_leader.pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -12431,20 +43191,20 @@ process.parent.pe.go_import_hash: original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword -process.parent.pe.go_imports: - dashed_name: process-parent-pe-go-imports +process.session_leader.parent.session_leader.pe.go_imports: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports description: List of imported Go language element names and types. - flat_name: process.parent.pe.go_imports + flat_name: process.session_leader.parent.session_leader.pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened -process.parent.pe.go_imports_names_entropy: - dashed_name: process-parent-pe-go-imports-names-entropy +process.session_leader.parent.session_leader.pe.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_entropy + flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -12452,10 +43212,10 @@ process.parent.pe.go_imports_names_entropy: original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long -process.parent.pe.go_imports_names_var_entropy: - dashed_name: process-parent-pe-go-imports-names-var-entropy +process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_var_entropy + flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -12463,26 +43223,26 @@ process.parent.pe.go_imports_names_var_entropy: original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.parent.pe.go_stripped: - dashed_name: process-parent-pe-go-stripped +process.session_leader.parent.session_leader.pe.go_stripped: + dashed_name: process-session-leader-parent-session-leader-pe-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.pe.go_stripped + flat_name: process.session_leader.parent.session_leader.pe.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: pe short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.parent.pe.imphash: - dashed_name: process-parent-pe-imphash +process.session_leader.parent.session_leader.pe.imphash: + dashed_name: process-session-leader-parent-session-leader-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.pe.imphash + flat_name: process.session_leader.parent.session_leader.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -12490,15 +43250,15 @@ process.parent.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -process.parent.pe.import_hash: - dashed_name: process-parent-pe-import-hash +process.session_leader.parent.session_leader.pe.import_hash: + dashed_name: process-session-leader-parent-session-leader-pe-import-hash description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.pe.import_hash + flat_name: process.session_leader.parent.session_leader.pe.import_hash ignore_above: 1024 level: extended name: import_hash @@ -12506,10 +43266,10 @@ process.parent.pe.import_hash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -process.parent.pe.imports: - dashed_name: process-parent-pe-imports +process.session_leader.parent.session_leader.pe.imports: + dashed_name: process-session-leader-parent-session-leader-pe-imports description: List of imported element names and types. - flat_name: process.parent.pe.imports + flat_name: process.session_leader.parent.session_leader.pe.imports level: extended name: imports normalize: 
@@ -12517,11 +43277,11 @@ process.parent.pe.imports: original_fieldset: pe short: List of imported element names and types. type: flattened -process.parent.pe.imports_names_entropy: - dashed_name: process-parent-pe-imports-names-entropy +process.session_leader.parent.session_leader.pe.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.pe.imports_names_entropy + flat_name: process.session_leader.parent.session_leader.pe.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -12529,11 +43289,11 @@ process.parent.pe.imports_names_entropy: original_fieldset: pe short: Shannon entropy calculation from the list of imported element names and types. type: long -process.parent.pe.imports_names_var_entropy: - dashed_name: process-parent-pe-imports-names-var-entropy +process.session_leader.parent.session_leader.pe.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.pe.imports_names_var_entropy + flat_name: process.session_leader.parent.session_leader.pe.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy 
@@ -12542,11 +43302,11 @@ process.parent.pe.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.parent.pe.original_file_name: - dashed_name: process-parent-pe-original-file-name +process.session_leader.parent.session_leader.pe.original_file_name: + dashed_name: process-session-leader-parent-session-leader-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: process.parent.pe.original_file_name + flat_name: process.session_leader.parent.session_leader.pe.original_file_name ignore_above: 1024 level: extended name: original_file_name @@ -12554,15 +43314,15 @@ process.parent.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword -process.parent.pe.pehash: - dashed_name: process-parent-pe-pehash +process.session_leader.parent.session_leader.pe.pehash: + dashed_name: process-session-leader-parent-session-leader-pe-pehash description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.pe.pehash + flat_name: process.session_leader.parent.session_leader.pe.pehash ignore_above: 1024 level: extended name: pehash 
@@ -12570,11 +43330,11 @@ process.parent.pe.pehash: original_fieldset: pe short: A hash of the PE header and data from one or more PE sections. type: keyword -process.parent.pe.product: - dashed_name: process-parent-pe-product +process.session_leader.parent.session_leader.pe.product: + dashed_name: process-session-leader-parent-session-leader-pe-product description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System - flat_name: process.parent.pe.product + flat_name: process.session_leader.parent.session_leader.pe.product ignore_above: 1024 level: extended name: product @@ -12582,13 +43342,13 @@ process.parent.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword -process.parent.pe.sections: - dashed_name: process-parent-pe-sections +process.session_leader.parent.session_leader.pe.sections: + dashed_name: process-session-leader-parent-session-leader-pe-sections description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' - flat_name: process.parent.pe.sections + flat_name: process.session_leader.parent.session_leader.pe.sections level: extended name: sections normalize: @@ -12596,10 +43356,10 @@ process.parent.pe.sections: original_fieldset: pe short: Section information of the PE file. type: nested -process.parent.pe.sections.entropy: - dashed_name: process-parent-pe-sections-entropy +process.session_leader.parent.session_leader.pe.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-pe-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.entropy + flat_name: process.session_leader.parent.session_leader.pe.sections.entropy format: number level: extended name: sections.entropy 
@@ -12607,10 +43367,10 @@ process.parent.pe.sections.entropy: original_fieldset: pe short: Shannon entropy calculation from the section. type: long -process.parent.pe.sections.name: - dashed_name: process-parent-pe-sections-name +process.session_leader.parent.session_leader.pe.sections.name: + dashed_name: process-session-leader-parent-session-leader-pe-sections-name description: PE Section List name. - flat_name: process.parent.pe.sections.name + flat_name: process.session_leader.parent.session_leader.pe.sections.name ignore_above: 1024 level: extended name: sections.name @@ -12618,10 +43378,10 @@ process.parent.pe.sections.name: original_fieldset: pe short: PE Section List name. type: keyword -process.parent.pe.sections.physical_size: - dashed_name: process-parent-pe-sections-physical-size +process.session_leader.parent.session_leader.pe.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-pe-sections-physical-size description: PE Section List physical size. - flat_name: process.parent.pe.sections.physical_size + flat_name: process.session_leader.parent.session_leader.pe.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -12629,10 +43389,10 @@ process.parent.pe.sections.physical_size: original_fieldset: pe short: PE Section List physical size. type: long -process.parent.pe.sections.var_entropy: - dashed_name: process-parent-pe-sections-var-entropy +process.session_leader.parent.session_leader.pe.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.var_entropy + flat_name: process.session_leader.parent.session_leader.pe.sections.var_entropy format: number level: extended name: sections.var_entropy 
@@ -12640,10 +43400,10 @@ process.parent.pe.sections.var_entropy: original_fieldset: pe short: Variance for Shannon entropy calculation from the section. type: long -process.parent.pe.sections.virtual_size: - dashed_name: process-parent-pe-sections-virtual-size +process.session_leader.parent.session_leader.pe.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-pe-sections-virtual-size description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.pe.sections.virtual_size + flat_name: process.session_leader.parent.session_leader.pe.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -12651,22 +43411,400 @@ process.parent.pe.sections.virtual_size: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long -process.parent.pid: - dashed_name: process-parent-pid +process.session_leader.parent.session_leader.pid: + dashed_name: process-session-leader-parent-session-leader-pid description: Process id. example: 4242 - flat_name: process.parent.pid + flat_name: process.session_leader.parent.session_leader.pid format: string level: core name: pid normalize: [] - original_fieldset: process - short: Process id. - type: long -process.parent.real_group.id: - dashed_name: process-parent-real-group-id + original_fieldset: process + short: Process id. + type: long +process.session_leader.parent.session_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.session_leader.parent.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.session_leader.parent.session_leader.real_group.domain: + dashed_name: process-session-leader-parent-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.session_leader.parent.session_leader.real_group.id: + dashed_name: process-session-leader-parent-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.real_group.name: + dashed_name: process-session-leader-parent-session-leader-real-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.session_leader.real_user.domain: + dashed_name: process-session-leader-parent-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.session_leader.real_user.email: + dashed_name: process-session-leader-parent-session-leader-real-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.session_leader.real_user.full_name: + dashed_name: process-session-leader-parent-session-leader-real-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.session_leader.real_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.real_user.group.id: + dashed_name: process-session-leader-parent-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.real_user.group.name: + dashed_name: process-session-leader-parent-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.session_leader.parent.session_leader.real_user.hash: + dashed_name: process-session-leader-parent-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.session_leader.real_user.id: + dashed_name: process-session-leader-parent-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.parent.session_leader.real_user.name: + dashed_name: process-session-leader-parent-session-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.parent.session_leader.real_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.parent.session_leader.real_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.session_leader.real_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.parent.session_leader.real_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.parent.session_leader.real_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.session_leader.real_user.roles: + dashed_name: process-session-leader-parent-session-leader-real-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.same_as_process: + dashed_name: process-session-leader-parent-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.parent.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. 
+ type: boolean +process.session_leader.parent.session_leader.saved_group.domain: + dashed_name: process-session-leader-parent-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.saved_group.id: + dashed_name: process-session-leader-parent-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.saved_group.name: + dashed_name: process-session-leader-parent-session-leader-saved-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.session_leader.saved_user.domain: + dashed_name: process-session-leader-parent-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword +process.session_leader.parent.session_leader.saved_user.email: + dashed_name: process-session-leader-parent-session-leader-saved-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.session_leader.saved_user.full_name: + dashed_name: process-session-leader-parent-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.session_leader.saved_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.saved_user.group.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_group.id + flat_name: process.session_leader.parent.session_leader.saved_user.group.id ignore_above: 1024 level: extended name: id 
@@ -12674,10 +43812,10 @@ process.parent.real_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.parent.real_group.name: - dashed_name: process-parent-real-group-name +process.session_leader.parent.session_leader.saved_user.group.name: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-name description: Name of the group. - flat_name: process.parent.real_group.name + flat_name: process.session_leader.parent.session_leader.saved_user.group.name ignore_above: 1024 level: extended name: name @@ -12685,11 +43823,26 @@ process.parent.real_group.name: original_fieldset: group short: Name of the group. type: keyword -process.parent.real_user.id: - dashed_name: process-parent-real-user-id +process.session_leader.parent.session_leader.saved_user.hash: + dashed_name: process-session-leader-parent-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.session_leader.saved_user.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.real_user.id + flat_name: process.session_leader.parent.session_leader.saved_user.id ignore_above: 1024 level: core name: id 
@@ -12697,15 +43850,15 @@ process.parent.real_user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.parent.real_user.name: - dashed_name: process-parent-real-user-name +process.session_leader.parent.session_leader.saved_user.name: + dashed_name: process-session-leader-parent-session-leader-saved-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.parent.real_user.name + flat_name: process.session_leader.parent.session_leader.saved_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.parent.real_user.name.text + - flat_name: process.session_leader.parent.session_leader.saved_user.name.text name: text type: match_only_text name: name 
@@ -12713,71 +43866,128 @@ process.parent.real_user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.parent.saved_group.id: - dashed_name: process-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_group.id +process.session_leader.parent.session_leader.saved_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_level ignore_above: 1024 level: extended - name: id + name: calculated_level normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. type: keyword -process.parent.saved_group.name: - dashed_name: process-parent-saved-group-name - description: Name of the group. - flat_name: process.parent.saved_group.name - ignore_above: 1024 +process.session_leader.parent.session_leader.saved_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score level: extended - name: name + name: calculated_score normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.saved_user.id: - dashed_name: process-parent-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.saved_user.id + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.session_leader.saved_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_level ignore_above: 1024 - level: core - name: id + level: extended + name: static_level normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. type: keyword -process.parent.saved_user.name: - dashed_name: process-parent-saved-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.saved_user.name.text - name: text - type: match_only_text - name: name +process.session_leader.parent.session_leader.saved_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.parent.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.session_leader.saved_user.roles: + dashed_name: process-session-leader-parent-session-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array original_fieldset: user - short: Short name or login of the user. + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none type: keyword -process.parent.start: - dashed_name: process-parent-start +process.session_leader.parent.session_leader.start: + dashed_name: process-session-leader-parent-session-leader-start description: The time the process started. example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.start + flat_name: process.session_leader.parent.session_leader.start level: extended name: start normalize: [] original_fieldset: process short: The time the process started. type: date -process.parent.supplemental_groups.id: - dashed_name: process-parent-supplemental-groups-id +process.session_leader.parent.session_leader.supplemental_groups.domain: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.supplemental_groups.id: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.supplemental_groups.id + flat_name: process.session_leader.parent.session_leader.supplemental_groups.id ignore_above: 1024 level: extended name: id 
@@ -12785,10 +43995,10 @@ process.parent.supplemental_groups.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.parent.supplemental_groups.name: - dashed_name: process-parent-supplemental-groups-name +process.session_leader.parent.session_leader.supplemental_groups.name: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-name description: Name of the group. - flat_name: process.parent.supplemental_groups.name + flat_name: process.session_leader.parent.session_leader.supplemental_groups.name ignore_above: 1024 level: extended name: name @@ -12796,12 +44006,12 @@ process.parent.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword -process.parent.thread.capabilities.effective: - dashed_name: process-parent-thread-capabilities-effective +process.session_leader.parent.session_leader.thread.capabilities.effective: + dashed_name: process-session-leader-parent-session-leader-thread-capabilities-effective description: This is the set of capabilities used by the kernel to perform permission checks for the thread. example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.effective + flat_name: process.session_leader.parent.session_leader.thread.capabilities.effective ignore_above: 1024 level: extended name: thread.capabilities.effective 
@@ -12812,12 +44022,12 @@ process.parent.thread.capabilities.effective: short: Array of capabilities used for permission checks. synthetic_source_keep: none type: keyword -process.parent.thread.capabilities.permitted: - dashed_name: process-parent-thread-capabilities-permitted +process.session_leader.parent.session_leader.thread.capabilities.permitted: + dashed_name: process-session-leader-parent-session-leader-thread-capabilities-permitted description: This is a limiting superset for the effective capabilities that the thread may assume. example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.permitted + flat_name: process.session_leader.parent.session_leader.thread.capabilities.permitted ignore_above: 1024 level: extended name: thread.capabilities.permitted @@ -12828,11 +44038,11 @@ process.parent.thread.capabilities.permitted: short: Array of capabilities a thread could assume. synthetic_source_keep: none type: keyword -process.parent.thread.id: - dashed_name: process-parent-thread-id +process.session_leader.parent.session_leader.thread.id: + dashed_name: process-session-leader-parent-session-leader-thread-id description: Thread ID. example: 4242 - flat_name: process.parent.thread.id + flat_name: process.session_leader.parent.session_leader.thread.id format: string level: extended name: thread.id @@ -12840,11 +44050,11 @@ process.parent.thread.id: original_fieldset: process short: Thread ID. type: long -process.parent.thread.name: - dashed_name: process-parent-thread-name +process.session_leader.parent.session_leader.thread.name: + dashed_name: process-session-leader-parent-session-leader-thread-name description: Thread name. example: thread-0 - flat_name: process.parent.thread.name + flat_name: process.session_leader.parent.session_leader.thread.name ignore_above: 1024 level: extended name: thread.name 
@@ -12852,17 +44062,17 @@ process.parent.thread.name: original_fieldset: process short: Thread name. type: keyword -process.parent.title: - dashed_name: process-parent-title +process.session_leader.parent.session_leader.title: + dashed_name: process-session-leader-parent-session-leader-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' - flat_name: process.parent.title + flat_name: process.session_leader.parent.session_leader.title ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.title.text + - flat_name: process.session_leader.parent.session_leader.title.text name: text type: match_only_text name: title 
@@ -12870,523 +44080,583 @@ process.parent.title: original_fieldset: process short: Process title. type: keyword -process.parent.tty: - dashed_name: process-parent-tty +process.session_leader.parent.session_leader.tty: + dashed_name: process-session-leader-parent-session-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. - flat_name: process.parent.tty + flat_name: process.session_leader.parent.session_leader.tty level: extended name: tty normalize: [] original_fieldset: process short: Information about the controlling TTY device. type: object -process.parent.tty.char_device.major: - dashed_name: process-parent-tty-char-device-major +process.session_leader.parent.session_leader.tty.char_device.major: + dashed_name: process-session-leader-parent-session-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 - flat_name: process.parent.tty.char_device.major + flat_name: process.session_leader.parent.session_leader.tty.char_device.major level: extended name: tty.char_device.major normalize: [] original_fieldset: process short: The TTY character device's major number. type: long -process.parent.tty.char_device.minor: - dashed_name: process-parent-tty-char-device-minor +process.session_leader.parent.session_leader.tty.char_device.minor: + dashed_name: process-session-leader-parent-session-leader-tty-char-device-minor description: The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. 
example: 1 - flat_name: process.parent.tty.char_device.minor + flat_name: process.session_leader.parent.session_leader.tty.char_device.minor level: extended name: tty.char_device.minor normalize: [] original_fieldset: process short: The TTY character device's minor number. type: long -process.parent.uptime: - dashed_name: process-parent-uptime +process.session_leader.parent.session_leader.tty.columns: + dashed_name: process-session-leader-parent-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.parent.session_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.session_leader.parent.session_leader.tty.rows: + dashed_name: process-session-leader-parent-session-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.parent.session_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.session_leader.parent.session_leader.uptime: + dashed_name: process-session-leader-parent-session-leader-uptime description: Seconds the process has been up. example: 1325 - flat_name: process.parent.uptime + flat_name: process.session_leader.parent.session_leader.uptime level: extended name: uptime normalize: [] original_fieldset: process short: Seconds the process has been up. 
type: long -process.parent.user.id: - dashed_name: process-parent-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.user.id +process.session_leader.parent.session_leader.user.domain: + dashed_name: process-session-leader-parent-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.user.domain ignore_above: 1024 - level: core - name: id + level: extended + name: domain normalize: [] original_fieldset: user - short: Unique identifier of the user. + short: Name of the directory the user is a member of. type: keyword -process.parent.user.name: - dashed_name: process-parent-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.user.name +process.session_leader.parent.session_leader.user.email: + dashed_name: process-session-leader-parent-session-leader-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.user.email ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.user.name.text - name: text - type: match_only_text - name: name + level: extended + name: email normalize: [] original_fieldset: user - short: Short name or login of the user. + short: User email address. type: keyword -process.parent.vpid: - dashed_name: process-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. 
- type: long -process.parent.working_directory: - dashed_name: process-parent-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.parent.working_directory +process.session_leader.parent.session_leader.user.full_name: + dashed_name: process-session-leader-parent-session-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.user.full_name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.working_directory.text + - flat_name: process.session_leader.parent.session_leader.user.full_name.text name: text type: match_only_text - name: working_directory + name: full_name normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: user + short: User's full name, if available. type: keyword -process.pe.architecture: - dashed_name: process-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.pe.architecture +process.session_leader.parent.session_leader.user.group.domain: + dashed_name: process-session-leader-parent-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.user.group.domain ignore_above: 1024 level: extended - name: architecture + name: domain normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword -process.pe.company: - dashed_name: process-pe-company - description: Internal company name of the file, provided at compile-time. 
- example: Microsoft Corporation - flat_name: process.pe.company +process.session_leader.parent.session_leader.user.group.id: + dashed_name: process-session-leader-parent-session-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.user.group.id ignore_above: 1024 level: extended - name: company + name: id normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.pe.description: - dashed_name: process-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.pe.description +process.session_leader.parent.session_leader.user.group.name: + dashed_name: process-session-leader-parent-session-leader-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.user.group.name ignore_above: 1024 level: extended - name: description + name: name normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + original_fieldset: group + short: Name of the group. type: keyword -process.pe.file_version: - dashed_name: process-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.pe.file_version +process.session_leader.parent.session_leader.user.hash: + dashed_name: process-session-leader-parent-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.session_leader.parent.session_leader.user.hash ignore_above: 1024 level: extended - name: file_version + name: hash normalize: [] - original_fieldset: pe - short: Process name. + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. type: keyword -process.pe.go_import_hash: - dashed_name: process-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.pe.go_import_hash +process.session_leader.parent.session_leader.user.id: + dashed_name: process-session-leader-parent-session-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.user.id ignore_above: 1024 - level: extended - name: go_import_hash + level: core + name: id normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.pe.go_imports: - dashed_name: process-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.pe.go_imports - level: extended - name: go_imports +process.session_leader.parent.session_leader.user.name: + dashed_name: process-session-leader-parent-session-leader-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.session_leader.parent.session_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.pe.go_imports_names_entropy: - dashed_name: process-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_entropy - format: number + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.parent.session_leader.user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_level + ignore_above: 1024 level: extended - name: go_imports_names_entropy + name: calculated_level normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.pe.go_imports_names_var_entropy: - dashed_name: process-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_var_entropy - format: number + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.session_leader.parent.session_leader.user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score level: extended - name: go_imports_names_var_entropy + name: calculated_score normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.pe.go_stripped: - dashed_name: process-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.pe.go_stripped + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.parent.session_leader.user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score_norm level: extended - name: go_stripped + name: calculated_score_norm normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.pe.imphash: - dashed_name: process-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.pe.imphash + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.session_leader.user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.user.risk.static_level ignore_above: 1024 level: extended - name: imphash + name: static_level normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. type: keyword -process.pe.import_hash: - dashed_name: process-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.pe.import_hash - ignore_above: 1024 +process.session_leader.parent.session_leader.user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.user.risk.static_score level: extended - name: import_hash + name: static_score normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. 
- type: keyword -process.pe.imports: - dashed_name: process-pe-imports - description: List of imported element names and types. - flat_name: process.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.pe.imports_names_entropy: - dashed_name: process-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.pe.imports_names_entropy - format: number + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.parent.session_leader.user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.user.risk.static_score_norm level: extended - name: imports_names_entropy + name: static_score_norm normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.pe.imports_names_var_entropy: - dashed_name: process-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.pe.imports_names_var_entropy - format: number + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.session_leader.user.roles: + dashed_name: process-session-leader-parent-session-leader-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.user.roles + ignore_above: 1024 level: extended - name: imports_names_var_entropy + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string + level: core + name: vpid normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. + original_fieldset: process + short: Virtual process id. type: long -process.pe.original_file_name: - dashed_name: process-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.pe.original_file_name +process.session_leader.parent.session_leader.working_directory: + dashed_name: process-session-leader-parent-session-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.session_leader.parent.session_leader.working_directory ignore_above: 1024 level: extended - name: original_file_name + multi_fields: + - flat_name: process.session_leader.parent.session_leader.working_directory.text + name: text + type: match_only_text + name: working_directory normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. + original_fieldset: process + short: The working directory of the process. 
type: keyword -process.pe.pehash: - dashed_name: process-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. +process.session_leader.parent.start: + dashed_name: process-session-leader-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.session_leader.parent.supplemental_groups.domain: + dashed_name: process-session-leader-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.pe.pehash + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.supplemental_groups.domain ignore_above: 1024 level: extended - name: pehash + name: domain normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword -process.pe.product: - dashed_name: process-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.pe.product +process.session_leader.parent.supplemental_groups.id: + dashed_name: process-session-leader-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.session_leader.parent.supplemental_groups.id ignore_above: 1024 level: extended - name: product + name: id normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.pe.sections: - dashed_name: process-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.pe.sections +process.session_leader.parent.supplemental_groups.name: + dashed_name: process-session-leader-parent-supplemental-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.supplemental_groups.name + ignore_above: 1024 level: extended - name: sections + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.thread.capabilities.effective: + dashed_name: process-session-leader-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective normalize: - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.pe.sections.entropy: - dashed_name: process-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.pe.sections.entropy - format: number + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. 
+ synthetic_source_keep: none + type: keyword +process.session_leader.parent.thread.capabilities.permitted: + dashed_name: process-session-leader-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.parent.thread.capabilities.permitted + ignore_above: 1024 level: extended - name: sections.entropy + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.thread.id: + dashed_name: process-session-leader-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.session_leader.parent.thread.id + format: string + level: extended + name: thread.id normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. + original_fieldset: process + short: Thread ID. type: long -process.pe.sections.name: - dashed_name: process-pe-sections-name - description: PE Section List name. - flat_name: process.pe.sections.name +process.session_leader.parent.thread.name: + dashed_name: process-session-leader-parent-thread-name + description: Thread name. + example: thread-0 + flat_name: process.session_leader.parent.thread.name ignore_above: 1024 level: extended - name: sections.name + name: thread.name normalize: [] - original_fieldset: pe - short: PE Section List name. + original_fieldset: process + short: Thread name. type: keyword -process.pe.sections.physical_size: - dashed_name: process-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.pe.sections.physical_size - format: bytes +process.session_leader.parent.title: + dashed_name: process-session-leader-parent-title + description: 'Process title. 
+ + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.session_leader.parent.title + ignore_above: 1024 level: extended - name: sections.physical_size + multi_fields: + - flat_name: process.session_leader.parent.title.text + name: text + type: match_only_text + name: title normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.pe.sections.var_entropy: - dashed_name: process-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.pe.sections.var_entropy - format: number + original_fieldset: process + short: Process title. + type: keyword +process.session_leader.parent.tty: + dashed_name: process-session-leader-parent-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.session_leader.parent.tty level: extended - name: sections.var_entropy + name: tty normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.pe.sections.virtual_size: - dashed_name: process-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.pe.sections.virtual_size - format: string + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.session_leader.parent.tty.char_device.major: + dashed_name: process-session-leader-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. 
+ example: 4 + flat_name: process.session_leader.parent.tty.char_device.major level: extended - name: sections.virtual_size + name: tty.char_device.major normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. + original_fieldset: process + short: The TTY character device's major number. type: long -process.pid: - dashed_name: process-pid - description: Process id. - example: 4242 - flat_name: process.pid - format: string - level: core - name: pid +process.session_leader.parent.tty.char_device.minor: + dashed_name: process-session-leader-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.session_leader.parent.tty.char_device.minor + level: extended + name: tty.char_device.minor normalize: [] - otel: - - relation: match - stability: development - short: Process id. + original_fieldset: process + short: The TTY character device's minor number. type: long -process.previous.args: - dashed_name: process-previous-args - description: 'Array of process arguments, starting with the absolute path to the - executable. +process.session_leader.parent.tty.columns: + dashed_name: process-session-leader-parent-tty-columns + description: 'The number of character columns per line. e.g terminal width - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.previous.args - ignore_above: 1024 + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. 
where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.parent.tty.columns level: extended - name: args - normalize: - - array + name: tty.columns + normalize: [] original_fieldset: process - short: Array of process arguments. - type: keyword -process.previous.args_count: - dashed_name: process-previous-args-count - description: 'Length of the process.args array. + short: The number of character columns per line. e.g terminal width + type: long +process.session_leader.parent.tty.rows: + dashed_name: process-session-leader-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.previous.args_count + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.parent.tty.rows level: extended - name: args_count + name: tty.rows normalize: [] original_fieldset: process - short: Length of the process.args array. + short: The number of character rows in the terminal. e.g terminal height type: long -process.previous.executable: - dashed_name: process-previous-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.previous.executable - ignore_above: 1024 +process.session_leader.parent.uptime: + dashed_name: process-session-leader-parent-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.session_leader.parent.uptime level: extended - multi_fields: - - flat_name: process.previous.executable.text - name: text - type: match_only_text - name: executable + name: uptime normalize: [] original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword -process.real_group.id: - dashed_name: process-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.real_group.id + short: Seconds the process has been up. + type: long +process.session_leader.parent.user.domain: + dashed_name: process-session-leader-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.user.domain ignore_above: 1024 level: extended - name: id + name: domain normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: user + short: Name of the directory the user is a member of. type: keyword -process.real_group.name: - dashed_name: process-real-group-name - description: Name of the group. - flat_name: process.real_group.name +process.session_leader.parent.user.email: + dashed_name: process-session-leader-parent-user-email + description: User email address. + flat_name: process.session_leader.parent.user.email ignore_above: 1024 level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.real_user.id: - dashed_name: process-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.real_user.id - ignore_above: 1024 - level: core - name: id + name: email normalize: [] original_fieldset: user - otel: - - relation: match - stability: development - short: Unique identifier of the user. + short: User email address. type: keyword -process.real_user.name: - dashed_name: process-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.real_user.name +process.session_leader.parent.user.full_name: + dashed_name: process-session-leader-parent-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.session_leader.parent.user.full_name ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.real_user.name.text + - flat_name: process.session_leader.parent.user.full_name.text name: text type: match_only_text - name: name + name: full_name normalize: [] original_fieldset: user - otel: - - relation: match - stability: development - short: Short name or login of the user. + short: User's full name, if available. type: keyword -process.saved_group.id: - dashed_name: process-saved-group-id +process.session_leader.parent.user.group.domain: + dashed_name: process-session-leader-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.user.group.id: + dashed_name: process-session-leader-parent-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.saved_group.id + flat_name: process.session_leader.parent.user.group.id ignore_above: 1024 level: extended name: id @@ -13394,10 +44664,10 @@ process.saved_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.saved_group.name: - dashed_name: process-saved-group-name +process.session_leader.parent.user.group.name: + dashed_name: process-session-leader-parent-user-group-name description: Name of the group. - flat_name: process.saved_group.name + flat_name: process.session_leader.parent.user.group.name ignore_above: 1024 level: extended name: name 
@@ -13405,303 +44675,460 @@ process.saved_group.name: original_fieldset: group short: Name of the group. type: keyword -process.saved_user.id: - dashed_name: process-saved-user-id +process.session_leader.parent.user.hash: + dashed_name: process-session-leader-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.user.id: + dashed_name: process-session-leader-parent-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.saved_user.id + flat_name: process.session_leader.parent.user.id ignore_above: 1024 level: core name: id normalize: [] original_fieldset: user - otel: - - relation: match - stability: development short: Unique identifier of the user. type: keyword -process.saved_user.name: - dashed_name: process-saved-user-name +process.session_leader.parent.user.name: + dashed_name: process-session-leader-parent-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.saved_user.name + flat_name: process.session_leader.parent.user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.saved_user.name.text + - flat_name: process.session_leader.parent.user.name.text name: text type: match_only_text name: name normalize: [] original_fieldset: user - otel: - - relation: match - stability: development short: Short name or login of the user. type: keyword -process.session_leader.args: - dashed_name: process-session-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. 
- - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.args +process.session_leader.parent.user.risk.calculated_level: + dashed_name: process-session-leader-parent-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.user.risk.calculated_level ignore_above: 1024 level: extended - name: args + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.parent.user.risk.calculated_score: + dashed_name: process-session-leader-parent-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.parent.user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.session_leader.parent.user.risk.static_level: + dashed_name: process-session-leader-parent-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.parent.user.risk.static_score: + dashed_name: process-session-leader-parent-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.parent.user.risk.static_score_norm: + dashed_name: process-session-leader-parent-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.user.roles: + dashed_name: process-session-leader-parent-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.user.roles + ignore_above: 1024 + level: extended + name: roles normalize: - array - original_fieldset: process - short: Array of process arguments. + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none type: keyword -process.session_leader.args_count: - dashed_name: process-session-leader-args-count - description: 'Length of the process.args array. +process.session_leader.parent.vpid: + dashed_name: process-session-leader-parent-vpid + description: 'Virtual process id. - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.session_leader.args_count - level: extended - name: args_count + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.session_leader.parent.vpid + format: string + level: core + name: vpid normalize: [] original_fieldset: process - short: Length of the process.args array. + short: Virtual process id. type: long -process.session_leader.command_line: - dashed_name: process-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.command_line +process.session_leader.parent.working_directory: + dashed_name: process-session-leader-parent-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.session_leader.parent.working_directory + ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.command_line.text + - flat_name: process.session_leader.parent.working_directory.text name: text type: match_only_text - name: command_line + name: working_directory normalize: [] original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.session_leader.entity_id: - dashed_name: process-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.entity_id + short: The working directory of the process. + type: keyword +process.session_leader.pe.architecture: + dashed_name: process-session-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.session_leader.pe.architecture ignore_above: 1024 level: extended - name: entity_id + name: architecture normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: pe + short: CPU architecture target for the file. type: keyword -process.session_leader.executable: - dashed_name: process-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.executable +process.session_leader.pe.company: + dashed_name: process-session-leader-pe-company + description: Internal company name of the file, provided at compile-time. 
+ example: Microsoft Corporation + flat_name: process.session_leader.pe.company ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.executable.text - name: text - type: match_only_text - name: executable + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.session_leader.pe.description: + dashed_name: process-session-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.session_leader.pe.description + ignore_above: 1024 + level: extended + name: description normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: pe + short: Internal description of the file, provided at compile-time. type: keyword -process.session_leader.group.id: - dashed_name: process-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.group.id +process.session_leader.pe.file_version: + dashed_name: process-session-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.session_leader.pe.file_version ignore_above: 1024 level: extended - name: id + name: file_version normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: pe + short: Process name. type: keyword -process.session_leader.group.name: - dashed_name: process-session-leader-group-name - description: Name of the group. - flat_name: process.session_leader.group.name +process.session_leader.pe.go_import_hash: + dashed_name: process-session-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.pe.go_import_hash ignore_above: 1024 level: extended - name: name + name: go_import_hash normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: pe + short: A hash of the Go language imports in a PE file. type: keyword -process.session_leader.interactive: - dashed_name: process-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.session_leader.interactive +process.session_leader.pe.go_imports: + dashed_name: process-session-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.pe.go_imports level: extended - name: interactive + name: go_imports normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. + original_fieldset: pe + short: List of imported Go language element names and types. 
+ type: flattened +process.session_leader.pe.go_imports_names_entropy: + dashed_name: process-session-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.pe.go_stripped: + dashed_name: process-session-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.session_leader.name: - dashed_name: process-session-leader-name - description: 'Process name. +process.session_leader.pe.imphash: + dashed_name: process-session-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. - Sometimes called program name or similar.' 
- example: ssh - flat_name: process.session_leader.name + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.session_leader.pe.imphash ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.name.text - name: text - type: match_only_text - name: name + name: imphash normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword -process.session_leader.parent.entity_id: - dashed_name: process-session-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. +process.session_leader.pe.import_hash: + dashed_name: process-session-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.entity_id + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.pe.import_hash ignore_above: 1024 level: extended - name: entity_id + name: import_hash normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: pe + short: A hash of the imports in a PE file. 
type: keyword -process.session_leader.parent.pid: - dashed_name: process-session-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.pid - format: string - level: core - name: pid +process.session_leader.pe.imports: + dashed_name: process-session-leader-pe-imports + description: List of imported element names and types. + flat_name: process.session_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.session_leader.pe.imports_names_entropy: + dashed_name: process-session-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy normalize: [] - original_fieldset: process - short: Process id. + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. type: long -process.session_leader.parent.session_leader.entity_id: - dashed_name: process-session-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. +process.session_leader.pe.imports_names_var_entropy: + dashed_name: process-session-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.session_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.pe.original_file_name: + dashed_name: process-session-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.session_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.session_leader.pe.pehash: + dashed_name: process-session-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.session_leader.entity_id + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.session_leader.pe.pehash ignore_above: 1024 level: extended - name: entity_id + name: pehash normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. type: keyword -process.session_leader.parent.session_leader.pid: - dashed_name: process-session-leader-parent-session-leader-pid - description: Process id. 
- example: 4242 - flat_name: process.session_leader.parent.session_leader.pid - format: string - level: core - name: pid +process.session_leader.pe.product: + dashed_name: process-session-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.session_leader.pe.product + ignore_above: 1024 + level: extended + name: product normalize: [] - original_fieldset: process - short: Process id. + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.session_leader.pe.sections: + dashed_name: process-session-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.session_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.session_leader.pe.sections.entropy: + dashed_name: process-session-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. type: long -process.session_leader.parent.session_leader.start: - dashed_name: process-session-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.start +process.session_leader.pe.sections.name: + dashed_name: process-session-leader-pe-sections-name + description: PE Section List name. 
+ flat_name: process.session_leader.pe.sections.name + ignore_above: 1024 level: extended - name: start + name: sections.name normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.session_leader.parent.session_leader.vpid: - dashed_name: process-session-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.session_leader.parent.session_leader.vpid - format: string - level: core - name: vpid + original_fieldset: pe + short: PE Section List name. + type: keyword +process.session_leader.pe.sections.physical_size: + dashed_name: process-session-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.session_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size normalize: [] - original_fieldset: process - short: Virtual process id. + original_fieldset: pe + short: PE Section List physical size. type: long -process.session_leader.parent.start: - dashed_name: process-session-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.start +process.session_leader.pe.sections.var_entropy: + dashed_name: process-session-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.pe.sections.var_entropy + format: number level: extended - name: start + name: sections.var_entropy normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.session_leader.parent.vpid: - dashed_name: process-session-leader-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. 
This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.session_leader.parent.vpid + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.pe.sections.virtual_size: + dashed_name: process-session-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.pe.sections.virtual_size format: string - level: core - name: vpid + level: extended + name: sections.virtual_size normalize: [] - original_fieldset: process - short: Virtual process id. + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. type: long process.session_leader.pid: dashed_name: process-session-leader-pid 
@@ -13718,6 +45145,32 @@ process.session_leader.pid: stability: development short: Process id. type: long +process.session_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.session_leader.real_group.domain: + dashed_name: process-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword process.session_leader.real_group.id: dashed_name: process-session-leader-real-group-id description: Unique identifier for the group on the system/platform. 
@@ -13740,6 +45193,96 @@ process.session_leader.real_group.name: original_fieldset: group short: Name of the group. type: keyword +process.session_leader.real_user.domain: + dashed_name: process-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.real_user.email: + dashed_name: process-session-leader-real-user-email + description: User email address. + flat_name: process.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.real_user.full_name: + dashed_name: process-session-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.real_user.group.domain: + dashed_name: process-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.session_leader.real_user.group.id: + dashed_name: process-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.real_user.group.name: + dashed_name: process-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.real_user.hash: + dashed_name: process-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.session_leader.real_user.id: dashed_name: process-session-leader-real-user-id description: Unique identifier of the user. 
@@ -13768,6 +45311,100 @@ process.session_leader.real_user.name: original_fieldset: user short: Short name or login of the user. type: keyword +process.session_leader.real_user.risk.calculated_level: + dashed_name: process-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.real_user.risk.calculated_score: + dashed_name: process-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.session_leader.real_user.risk.static_level: + dashed_name: process-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.real_user.risk.static_score: + dashed_name: process-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.real_user.risk.static_score_norm: + dashed_name: process-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.real_user.roles: + dashed_name: process-session-leader-real-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.session_leader.same_as_process: dashed_name: process-session-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same as 
@@ -13787,21 +45424,109 @@ process.session_leader.same_as_process: Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.same_as_process + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.session_leader.saved_group.domain: + dashed_name: process-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.saved_group.id: + dashed_name: process-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.saved_group.name: + dashed_name: process-session-leader-saved-group-name + description: Name of the group. + flat_name: process.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.session_leader.saved_user.domain: + dashed_name: process-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.saved_user.email: + dashed_name: process-session-leader-saved-user-email + description: User email address. + flat_name: process.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.saved_user.full_name: + dashed_name: process-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.saved_user.group.domain: + dashed_name: process-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_user.group.domain + ignore_above: 1024 level: extended - name: same_as_process + name: domain normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. 
- type: boolean -process.session_leader.saved_group.id: - dashed_name: process-session-leader-saved-group-id + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.saved_user.group.id: + dashed_name: process-session-leader-saved-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.saved_group.id + flat_name: process.session_leader.saved_user.group.id ignore_above: 1024 level: extended name: id @@ -13809,10 +45534,10 @@ process.session_leader.saved_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.saved_group.name: - dashed_name: process-session-leader-saved-group-name +process.session_leader.saved_user.group.name: + dashed_name: process-session-leader-saved-user-group-name description: Name of the group. - flat_name: process.session_leader.saved_group.name + flat_name: process.session_leader.saved_user.group.name ignore_above: 1024 level: extended name: name @@ -13820,6 +45545,21 @@ process.session_leader.saved_group.name: original_fieldset: group short: Name of the group. type: keyword +process.session_leader.saved_user.hash: + dashed_name: process-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.session_leader.saved_user.id: dashed_name: process-session-leader-saved-user-id description: Unique identifier of the user. 
@@ -13848,6 +45588,100 @@ process.session_leader.saved_user.name: original_fieldset: user short: Short name or login of the user. type: keyword +process.session_leader.saved_user.risk.calculated_level: + dashed_name: process-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.saved_user.risk.calculated_score: + dashed_name: process-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.session_leader.saved_user.risk.static_level: + dashed_name: process-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.saved_user.risk.static_score: + dashed_name: process-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.saved_user.roles: + dashed_name: process-session-leader-saved-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.session_leader.start: dashed_name: process-session-leader-start description: The time the process started. @@ -13859,6 +45693,19 @@ process.session_leader.start: original_fieldset: process short: The time the process started. type: date +process.session_leader.supplemental_groups.domain: + dashed_name: process-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword process.session_leader.supplemental_groups.id: dashed_name: process-session-leader-supplemental-groups-id description: Unique identifier for the group on the system/platform. 
@@ -13881,6 +45728,80 @@ process.session_leader.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword +process.session_leader.thread.capabilities.effective: + dashed_name: process-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.session_leader.thread.capabilities.permitted: + dashed_name: process-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.session_leader.thread.id: + dashed_name: process-session-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.session_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.session_leader.thread.name: + dashed_name: process-session-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.session_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. 
+ type: keyword +process.session_leader.title: + dashed_name: process-session-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.session_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword process.session_leader.tty: dashed_name: process-session-leader-tty description: Information about the controlling TTY device. If set, the process belongs 
@@ -13920,6 +45841,135 @@ process.session_leader.tty.char_device.minor: original_fieldset: process short: The TTY character device's minor number. type: long +process.session_leader.tty.columns: + dashed_name: process-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.session_leader.tty.rows: + dashed_name: process-session-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.session_leader.uptime: + dashed_name: process-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.session_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.session_leader.user.domain: + dashed_name: process-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword +process.session_leader.user.email: + dashed_name: process-session-leader-user-email + description: User email address. + flat_name: process.session_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.user.full_name: + dashed_name: process-session-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.user.group.domain: + dashed_name: process-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.user.group.id: + dashed_name: process-session-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.user.group.name: + dashed_name: process-session-leader-user-group-name + description: Name of the group. + flat_name: process.session_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.session_leader.user.hash: + dashed_name: process-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.session_leader.user.id: dashed_name: process-session-leader-user-id description: Unique identifier of the user. 
@@ -13948,6 +45998,100 @@ process.session_leader.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +process.session_leader.user.risk.calculated_level: + dashed_name: process-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.user.risk.calculated_score: + dashed_name: process-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.user.risk.calculated_score_norm: + dashed_name: process-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.session_leader.user.risk.static_level: + dashed_name: process-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.user.risk.static_score: + dashed_name: process-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.user.risk.static_score_norm: + dashed_name: process-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.user.roles: + dashed_name: process-session-leader-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.session_leader.vpid: dashed_name: process-session-leader-vpid description: 'Virtual process id. @@ -13990,6 +46134,19 @@ process.start: normalize: [] short: The time the process started. type: date +process.supplemental_groups.domain: + dashed_name: process-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword process.supplemental_groups.id: dashed_name: process-supplemental-groups-id description: Unique identifier for the group on the system/platform. 
@@ -14160,6 +46317,96 @@ process.uptime: stability: development short: Seconds the process has been up. type: long +process.user.domain: + dashed_name: process-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.user.email: + dashed_name: process-user-email + description: User email address. + flat_name: process.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.user.full_name: + dashed_name: process-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.user.group.domain: + dashed_name: process-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.user.group.id: + dashed_name: process-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.user.group.name: + dashed_name: process-user-group-name + description: Name of the group. + flat_name: process.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.user.hash: + dashed_name: process-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.user.id: dashed_name: process-user-id description: Unique identifier of the user. 
@@ -14194,6 +46441,100 @@ process.user.name: stability: development short: Short name or login of the user. type: keyword +process.user.risk.calculated_level: + dashed_name: process-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.user.risk.calculated_score: + dashed_name: process-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.user.risk.calculated_score_norm: + dashed_name: process-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.user.risk.static_level: + dashed_name: process-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.user.risk.static_score: + dashed_name: process-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.user.risk.static_score_norm: + dashed_name: process-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.user.roles: + dashed_name: process-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.vpid: dashed_name: process-vpid description: 'Virtual process id. 
@@ -14953,6 +47294,86 @@ server.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +server.user.risk.calculated_level: + dashed_name: server-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: server.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +server.user.risk.calculated_score: + dashed_name: server-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: server.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +server.user.risk.calculated_score_norm: + dashed_name: server-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: server.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +server.user.risk.static_level: + dashed_name: server-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: server.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +server.user.risk.static_score: + dashed_name: server-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: server.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +server.user.risk.static_score_norm: + dashed_name: server-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: server.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -16274,6 +48695,86 @@ source.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +source.user.risk.calculated_level: + dashed_name: source-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: source.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +source.user.risk.calculated_score: + dashed_name: source-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: source.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +source.user.risk.calculated_score_norm: + dashed_name: source-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: source.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +source.user.risk.static_level: + dashed_name: source-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: source.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +source.user.risk.static_score: + dashed_name: source-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: source.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +source.user.risk.static_score_norm: + dashed_name: source-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: source.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
@@ -23400,6 +55901,86 @@ user.changes.name: original_fieldset: user short: Short name or login of the user. type: keyword +user.changes.risk.calculated_level: + dashed_name: user-changes-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: user.changes.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +user.changes.risk.calculated_score: + dashed_name: user-changes-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.changes.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +user.changes.risk.calculated_score_norm: + dashed_name: user-changes-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: user.changes.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +user.changes.risk.static_level: + dashed_name: user-changes-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.changes.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +user.changes.risk.static_score: + dashed_name: user-changes-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.changes.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +user.changes.risk.static_score_norm: + dashed_name: user-changes-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.changes.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -23544,6 +56125,86 @@ user.effective.name: original_fieldset: user short: Short name or login of the user. type: keyword +user.effective.risk.calculated_level: + dashed_name: user-effective-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: user.effective.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +user.effective.risk.calculated_score: + dashed_name: user-effective-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.effective.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +user.effective.risk.calculated_score_norm: + dashed_name: user-effective-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: user.effective.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +user.effective.risk.static_level: + dashed_name: user-effective-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.effective.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +user.effective.risk.static_score: + dashed_name: user-effective-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.effective.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +user.effective.risk.static_score_norm: + dashed_name: user-effective-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.effective.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -24137,6 +56798,86 @@ user.target.name: original_fieldset: user short: Short name or login of the user. type: keyword +user.target.risk.calculated_level: + dashed_name: user-target-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: user.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +user.target.risk.calculated_score: + dashed_name: user-target-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +user.target.risk.calculated_score_norm: + dashed_name: user-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: user.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +user.target.risk.static_level: + dashed_name: user-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +user.target.risk.static_score: + dashed_name: user-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +user.target.risk.static_score_norm: + dashed_name: user-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 749922c0a1..d17bf5383a 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -735,6 +735,86 @@ client: original_fieldset: user short: Short name or login of the user. type: keyword + client.user.risk.calculated_level: + dashed_name: client-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: client.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + client.user.risk.calculated_score: + dashed_name: client-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: client.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + client.user.risk.calculated_score_norm: + dashed_name: client-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: client.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + client.user.risk.static_level: + dashed_name: client-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: client.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + client.user.risk.static_score: + dashed_name: client-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: client.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + client.user.risk.static_score_norm: + dashed_name: client-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: client.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -2417,6 +2497,86 @@ destination: original_fieldset: user short: Short name or login of the user. type: keyword + destination.user.risk.calculated_level: + dashed_name: destination-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: destination.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + destination.user.risk.calculated_score: + dashed_name: destination-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: destination.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + destination.user.risk.calculated_score_norm: + dashed_name: destination-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: destination.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + destination.user.risk.static_level: + dashed_name: destination-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: destination.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + destination.user.risk.static_score: + dashed_name: destination-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: destination.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + destination.user.risk.static_score_norm: + dashed_name: destination-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: destination.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -11392,6 +11552,253 @@ process: stability: development short: Length of the process.args array. type: long + process.attested_groups.domain: + dashed_name: process-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.attested_groups.id: + dashed_name: process-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.attested_groups.name: + dashed_name: process-attested-groups-name + description: Name of the group. + flat_name: process.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.attested_user.domain: + dashed_name: process-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.attested_user.email: + dashed_name: process-attested-user-email + description: User email address. + flat_name: process.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword + process.attested_user.full_name: + dashed_name: process-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.attested_user.group.domain: + dashed_name: process-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.attested_user.group.id: + dashed_name: process-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.attested_user.group.name: + dashed_name: process-attested-user-group-name + description: Name of the group. + flat_name: process.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.attested_user.hash: + dashed_name: process-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.attested_user.id: + dashed_name: process-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.attested_user.name: + dashed_name: process-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.attested_user.risk.calculated_level: + dashed_name: process-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.attested_user.risk.calculated_score: + dashed_name: process-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.attested_user.risk.calculated_score_norm: + dashed_name: process-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.attested_user.risk.static_level: + dashed_name: process-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.attested_user.risk.static_score: + dashed_name: process-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.attested_user.risk.static_score_norm: + dashed_name: process-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.attested_user.roles: + dashed_name: process-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.code_signature.digest_algorithm: dashed_name: process-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. @@ -12016,6 +12423,17 @@ process: normalize: [] short: The time the process ended. type: date + process.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. 
@@ -12066,6 +12484,30 @@ process: original_fieldset: process short: Length of the process.args array. type: long + process.entry_leader.attested_groups.domain: + dashed_name: process-entry-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.attested_groups.id: + dashed_name: process-entry-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword process.entry_leader.attested_groups.name: dashed_name: process-entry-leader-attested-groups-name description: Name of the group. 
@@ -12077,6 +12519,96 @@ process: original_fieldset: group short: Name of the group. type: keyword + process.entry_leader.attested_user.domain: + dashed_name: process-entry-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.attested_user.email: + dashed_name: process-entry-leader-attested-user-email + description: User email address. + flat_name: process.entry_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.attested_user.full_name: + dashed_name: process-entry-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.attested_user.group.domain: + dashed_name: process-entry-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.entry_leader.attested_user.group.id: + dashed_name: process-entry-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.attested_user.group.name: + dashed_name: process-entry-leader-attested-user-group-name + description: Name of the group. + flat_name: process.entry_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.attested_user.hash: + dashed_name: process-entry-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.entry_leader.attested_user.id: dashed_name: process-entry-leader-attested-user-id description: Unique identifier of the user. 
@@ -12105,696 +12637,30556 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.entry_leader.command_line: - dashed_name: process-entry-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.command_line - level: extended - multi_fields: - - flat_name: process.entry_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.entry_leader.entity_id: - dashed_name: process-entry-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.entity_id + process.entry_leader.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.attested_user.risk.calculated_level ignore_above: 1024 level: extended - name: entity_id + name: calculated_level normalize: [] - original_fieldset: process - short: Unique identifier for the process. 
+ original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. type: keyword - process.entry_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.entry_meta.source.ip - level: core - name: ip + process.entry_leader.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.entry_leader.entry_meta.type: - dashed_name: process-entry-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.entry_meta.type - ignore_above: 1024 + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.attested_user.risk.calculated_score_norm level: extended - name: entry_meta.type + name: calculated_score_norm normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. 
- type: keyword - process.entry_leader.executable: - dashed_name: process-entry-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.executable + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.attested_user.risk.static_level: + dashed_name: process-entry-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.attested_user.risk.static_level ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.executable.text - name: text - type: match_only_text - name: executable + name: static_level normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. type: keyword - process.entry_leader.group.id: - dashed_name: process-entry-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.group.id - ignore_above: 1024 + process.entry_leader.attested_user.risk.static_score: + dashed_name: process-entry-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.attested_user.risk.static_score level: extended - name: id + name: static_score normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.group.name: - dashed_name: process-entry-leader-group-name - description: Name of the group. 
- flat_name: process.entry_leader.group.name - ignore_above: 1024 + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.attested_user.risk.static_score_norm level: extended - name: name + name: static_score_norm normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.attested_user.roles: + dashed_name: process-entry-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none type: keyword - process.entry_leader.interactive: - dashed_name: process-entry-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. + process.entry_leader.code_signature.digest_algorithm: + dashed_name: process-entry-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. 
- Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.entry_leader.interactive + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.entry_leader.code_signature.digest_algorithm + ignore_above: 1024 level: extended - name: interactive + name: digest_algorithm normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.entry_leader.code_signature.exists: + dashed_name: process-entry-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.entry_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. type: boolean - process.entry_leader.name: - dashed_name: process-entry-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.entry_leader.name + process.entry_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-code-signature-flags + description: The flags used to sign the process. 
+ example: 570522385 + flat_name: process.entry_leader.code_signature.flags ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.name.text - name: text - type: match_only_text - name: name + name: flags normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: code_signature + short: Code signing flags of the process type: keyword - process.entry_leader.parent.entity_id: - dashed_name: process-entry-leader-parent-entity-id - description: 'Unique identifier for the process. + process.entry_leader.code_signature.signing_id: + dashed_name: process-entry-leader-code-signature-signing-id + description: 'The identifier used to sign the process. - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.entry_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.entry_leader.code_signature.status: + dashed_name: process-entry-leader-code-signature-status + description: 'Additional information about the certificate status. - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.entity_id + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.code_signature.status ignore_above: 1024 level: extended - name: entity_id + name: status normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: code_signature + short: Additional information about the certificate status. type: keyword - process.entry_leader.parent.pid: - dashed_name: process-entry-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.pid - format: string + process.entry_leader.code_signature.subject_name: + dashed_name: process-entry-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.code_signature.subject_name + ignore_above: 1024 level: core - name: pid + name: subject_name normalize: [] - original_fieldset: process - short: Process id. - type: long - process.entry_leader.parent.session_leader.entity_id: - dashed_name: process-entry-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.entry_leader.code_signature.team_id: + dashed_name: process-entry-leader-code-signature-team-id + description: 'The team identifier used to sign the process. - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.session_leader.entity_id + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV + flat_name: process.entry_leader.code_signature.team_id ignore_above: 1024 level: extended - name: entity_id + name: team_id normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword - process.entry_leader.parent.session_leader.pid: - dashed_name: process-entry-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.session_leader.pid - format: string - level: core - name: pid + process.entry_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.entry_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 normalize: [] - original_fieldset: process - short: Process id. - type: long - process.entry_leader.parent.session_leader.start: - dashed_name: process-entry-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.start + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.entry_leader.code_signature.timestamp: + dashed_name: process-entry-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.entry_leader.code_signature.timestamp level: extended - name: start + name: timestamp normalize: [] - original_fieldset: process - short: The time the process started. 
+ original_fieldset: code_signature + short: When the signature was generated and signed. type: date - process.entry_leader.parent.session_leader.vpid: - dashed_name: process-entry-leader-parent-session-leader-vpid - description: 'Virtual process id. + process.entry_leader.code_signature.trusted: + dashed_name: process-entry-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.parent.session_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.parent.start: - dashed_name: process-entry-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.start + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.entry_leader.code_signature.trusted level: extended - name: start + name: trusted normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.entry_leader.parent.vpid: - dashed_name: process-entry-leader-parent-vpid - description: 'Virtual process id. + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.entry_leader.code_signature.valid: + dashed_name: process-entry-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. - The process id within a pid namespace. 
This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.parent.vpid - format: string - level: core - name: vpid + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.entry_leader.code_signature.valid + level: extended + name: valid normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.pid: - dashed_name: process-entry-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.pid - format: string - level: core - name: pid + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.entry_leader.command_line: + dashed_name: process-entry-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.command_line + level: extended + multi_fields: + - flat_name: process.entry_leader.command_line.text + name: text + type: match_only_text + name: command_line normalize: [] original_fieldset: process - short: Process id. - type: long - process.entry_leader.real_group.id: - dashed_name: process-entry-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_group.id + short: Full command line that started the process. + type: wildcard + process.entry_leader.elf.architecture: + dashed_name: process-entry-leader-elf-architecture + description: Machine architecture of the ELF file. 
+ example: x86-64 + flat_name: process.entry_leader.elf.architecture ignore_above: 1024 level: extended - name: id + name: architecture normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: elf + short: Machine architecture of the ELF file. type: keyword - process.entry_leader.real_group.name: - dashed_name: process-entry-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.real_group.name + process.entry_leader.elf.byte_order: + dashed_name: process-entry-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.entry_leader.elf.byte_order ignore_above: 1024 level: extended - name: name + name: byte_order normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: elf + short: Byte sequence of ELF file. type: keyword - process.entry_leader.real_user.id: - dashed_name: process-entry-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.real_user.id + process.entry_leader.elf.cpu_type: + dashed_name: process-entry-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.entry_leader.elf.cpu_type ignore_above: 1024 - level: core - name: id + level: extended + name: cpu_type normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: elf + short: CPU type of the ELF file. type: keyword - process.entry_leader.real_user.name: + process.entry_leader.elf.creation_date: + dashed_name: process-entry-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. 
+ flat_name: process.entry_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.entry_leader.elf.exports: + dashed_name: process-entry-leader-elf-exports + description: List of exported element names and types. + flat_name: process.entry_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.entry_leader.elf.go_import_hash: + dashed_name: process-entry-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.entry_leader.elf.go_imports: + dashed_name: process-entry-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.entry_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.elf.go_stripped: + dashed_name: process-entry-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.elf.header.abi_version: + dashed_name: process-entry-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.entry_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.entry_leader.elf.header.class: + dashed_name: process-entry-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.entry_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. 
+ type: keyword + process.entry_leader.elf.header.data: + dashed_name: process-entry-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.entry_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.entry_leader.elf.header.entrypoint: + dashed_name: process-entry-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.entry_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.entry_leader.elf.header.object_version: + dashed_name: process-entry-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.entry_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.entry_leader.elf.header.os_abi: + dashed_name: process-entry-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.entry_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.entry_leader.elf.header.type: + dashed_name: process-entry-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.entry_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.entry_leader.elf.header.version: + dashed_name: process-entry-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.entry_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.entry_leader.elf.import_hash: + dashed_name: process-entry-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.entry_leader.elf.imports: + dashed_name: process-entry-leader-elf-imports + description: List of imported element names and types. + flat_name: process.entry_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.entry_leader.elf.imports_names_entropy: + dashed_name: process-entry-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.entry_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.elf.sections: + dashed_name: process-entry-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.entry_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.entry_leader.elf.sections.chi2: + dashed_name: process-entry-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.entry_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.entry_leader.elf.sections.entropy: + dashed_name: process-entry-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.elf.sections.flags: + dashed_name: process-entry-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.entry_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. 
+ type: keyword + process.entry_leader.elf.sections.name: + dashed_name: process-entry-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.entry_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.entry_leader.elf.sections.physical_offset: + dashed_name: process-entry-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.entry_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.entry_leader.elf.sections.physical_size: + dashed_name: process-entry-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.entry_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.entry_leader.elf.sections.type: + dashed_name: process-entry-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.entry_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.entry_leader.elf.sections.var_entropy: + dashed_name: process-entry-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. 
+ type: long + process.entry_leader.elf.sections.virtual_address: + dashed_name: process-entry-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.entry_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.entry_leader.elf.sections.virtual_size: + dashed_name: process-entry-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.entry_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.entry_leader.elf.segments: + dashed_name: process-entry-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.entry_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.entry_leader.elf.segments.sections: + dashed_name: process-entry-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.entry_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.entry_leader.elf.segments.type: + dashed_name: process-entry-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.entry_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword + process.entry_leader.elf.shared_libraries: + dashed_name: process-entry-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.entry_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.entry_leader.elf.telfhash: + dashed_name: process-entry-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.entry_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.entry_leader.end: + dashed_name: process-entry-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.entry_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.entry_leader.entity_id: + dashed_name: process-entry-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.entry_leader.entry_meta.source.address: + dashed_name: process-entry-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.entry_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.entry_leader.entry_meta.source.as.number: + dashed_name: process-entry-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.entry_leader.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.entry_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.entry_leader.entry_meta.source.bytes: + dashed_name: process-entry-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.entry_leader.entry_meta.source.domain: + dashed_name: process-entry-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.entry_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.entry_leader.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.entry_leader.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. 
+ example: NA + flat_name: process.entry_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.entry_leader.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.entry_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.entry_leader.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.entry_leader.entry_meta.source.geo.location: + dashed_name: process-entry-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point + process.entry_leader.entry_meta.source.geo.name: + dashed_name: process-entry-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.entry_leader.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.entry_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.entry_leader.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword + process.entry_leader.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.entry_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.entry_leader.entry_meta.source.mac: + dashed_name: process-entry-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.entry_leader.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.entry_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.entry_leader.entry_meta.source.nat.port: + dashed_name: process-entry-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.entry_leader.entry_meta.source.packets: + dashed_name: process-entry-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.entry_leader.entry_meta.source.port: + dashed_name: process-entry-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.entry_leader.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.entry_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.entry_leader.entry_meta.source.subdomain: + dashed_name: process-entry-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.entry_leader.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + flat_name: process.entry_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.entry_leader.entry_meta.type: + dashed_name: process-entry-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.entry_leader.env_vars: + dashed_name: process-entry-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.entry_leader.executable: + dashed_name: process-entry-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword + process.entry_leader.exit_code: + dashed_name: process-entry-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.entry_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.entry_leader.group.domain: + dashed_name: process-entry-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.group.id: + dashed_name: process-entry-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.group.name: + dashed_name: process-entry-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.entry_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.entry_leader.hash.md5: + dashed_name: process-entry-leader-hash-md5 + description: MD5 hash. + flat_name: process.entry_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.entry_leader.hash.sha1: + dashed_name: process-entry-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.entry_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.entry_leader.hash.sha256: + dashed_name: process-entry-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.entry_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.entry_leader.hash.sha384: + dashed_name: process-entry-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.entry_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.entry_leader.hash.sha512: + dashed_name: process-entry-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.entry_leader.hash.ssdeep: + dashed_name: process-entry-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.entry_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. 
+ type: keyword + process.entry_leader.hash.tlsh: + dashed_name: process-entry-leader-hash-tlsh + description: TLSH hash. + flat_name: process.entry_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.entry_leader.interactive: + dashed_name: process-entry-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.entry_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.entry_leader.io: + dashed_name: process-entry-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.entry_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.entry_leader.io.bytes_skipped: + dashed_name: process-entry-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. 
+ flat_name: process.entry_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.entry_leader.io.bytes_skipped.length: + dashed_name: process-entry-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.entry_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.entry_leader.io.bytes_skipped.offset: + dashed_name: process-entry-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.entry_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.entry_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.entry_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.entry_leader.io.text: + dashed_name: process-entry-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. 
TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.entry_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.entry_leader.io.total_bytes_captured: + dashed_name: process-entry-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.entry_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.entry_leader.io.total_bytes_skipped: + dashed_name: process-entry-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.entry_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.entry_leader.io.type: + dashed_name: process-entry-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.entry_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. 
+ type: keyword + process.entry_leader.macho.go_import_hash: + dashed_name: process-entry-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.entry_leader.macho.go_imports: + dashed_name: process-entry-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.entry_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.macho.go_stripped: + dashed_name: process-entry-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.macho.import_hash: + dashed_name: process-entry-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.entry_leader.macho.imports: + dashed_name: process-entry-leader-macho-imports + description: List of imported element names and types. + flat_name: process.entry_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.entry_leader.macho.imports_names_entropy: + dashed_name: process-entry-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.entry_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.macho.sections: + dashed_name: process-entry-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.entry_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.entry_leader.macho.sections.entropy: + dashed_name: process-entry-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.macho.sections.name: + dashed_name: process-entry-leader-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.entry_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.entry_leader.macho.sections.physical_size: + dashed_name: process-entry-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.entry_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.entry_leader.macho.sections.var_entropy: + dashed_name: process-entry-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.macho.sections.virtual_size: + dashed_name: process-entry-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.entry_leader.macho.symhash: + dashed_name: process-entry-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.entry_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.entry_leader.name: + dashed_name: process-entry-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.entry_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.entry_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.entry_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.entry_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.entry_leader.parent.args: + dashed_name: process-entry-leader-parent-args + description: 'Array of process arguments, starting with the absolute path to + the executable. 
+ + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.entry_leader.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.entry_leader.parent.args_count: + dashed_name: process-entry-leader-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.entry_leader.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.entry_leader.parent.attested_groups.domain: + dashed_name: process-entry-leader-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.attested_groups.id: + dashed_name: process-entry-leader-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.attested_groups.name: + dashed_name: process-entry-leader-parent-attested-groups-name + description: Name of the group. 
+ flat_name: process.entry_leader.parent.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.attested_user.domain: + dashed_name: process-entry-leader-parent-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.attested_user.email: + dashed_name: process-entry-leader-parent-attested-user-email + description: User email address. + flat_name: process.entry_leader.parent.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.attested_user.full_name: + dashed_name: process-entry-leader-parent-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.attested_user.group.domain: + dashed_name: process-entry-leader-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.attested_user.group.id: + dashed_name: process-entry-leader-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.attested_user.group.name: + dashed_name: process-entry-leader-parent-attested-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.attested_user.hash: + dashed_name: process-entry-leader-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.attested_user.id: + dashed_name: process-entry-leader-parent-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.entry_leader.parent.attested_user.name: + dashed_name: process-entry-leader-parent-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.entry_leader.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.attested_user.risk.static_level: + dashed_name: process-entry-leader-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.attested_user.risk.static_score: + dashed_name: process-entry-leader-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.entry_leader.parent.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.attested_user.roles: + dashed_name: process-entry-leader-parent-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.code_signature.digest_algorithm: + dashed_name: process-entry-leader-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.entry_leader.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.entry_leader.parent.code_signature.exists: + dashed_name: process-entry-leader-parent-code-signature-exists + description: Boolean to capture if a signature is present. 
+ example: 'true' + flat_name: process.entry_leader.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.entry_leader.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.entry_leader.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.entry_leader.parent.code_signature.signing_id: + dashed_name: process-entry-leader-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.entry_leader.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.entry_leader.parent.code_signature.status: + dashed_name: process-entry-leader-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword + process.entry_leader.parent.code_signature.subject_name: + dashed_name: process-entry-leader-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.entry_leader.parent.code_signature.team_id: + dashed_name: process-entry-leader-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.entry_leader.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.entry_leader.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.entry_leader.parent.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.entry_leader.parent.code_signature.timestamp: + dashed_name: process-entry-leader-parent-code-signature-timestamp + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + flat_name: process.entry_leader.parent.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.entry_leader.parent.code_signature.trusted: + dashed_name: process-entry-leader-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.entry_leader.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.entry_leader.parent.code_signature.valid: + dashed_name: process-entry-leader-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.entry_leader.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.entry_leader.parent.command_line: + dashed_name: process-entry-leader-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.parent.command_line + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.entry_leader.parent.elf.architecture: + dashed_name: process-entry-leader-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.entry_leader.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.entry_leader.parent.elf.byte_order: + dashed_name: process-entry-leader-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.entry_leader.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.entry_leader.parent.elf.cpu_type: + dashed_name: process-entry-leader-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.entry_leader.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.entry_leader.parent.elf.creation_date: + dashed_name: process-entry-leader-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.entry_leader.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. 
+ type: date + process.entry_leader.parent.elf.exports: + dashed_name: process-entry-leader-parent-elf-exports + description: List of exported element names and types. + flat_name: process.entry_leader.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.entry_leader.parent.elf.go_import_hash: + dashed_name: process-entry-leader-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.entry_leader.parent.elf.go_imports: + dashed_name: process-entry-leader-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.parent.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.entry_leader.parent.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.elf.go_stripped: + dashed_name: process-entry-leader-parent-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.parent.elf.header.abi_version: + dashed_name: process-entry-leader-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.entry_leader.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.entry_leader.parent.elf.header.class: + dashed_name: process-entry-leader-parent-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.entry_leader.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.entry_leader.parent.elf.header.data: + dashed_name: process-entry-leader-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.entry_leader.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.entry_leader.parent.elf.header.entrypoint: + dashed_name: process-entry-leader-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.entry_leader.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.entry_leader.parent.elf.header.object_version: + dashed_name: process-entry-leader-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.entry_leader.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.entry_leader.parent.elf.header.os_abi: + dashed_name: process-entry-leader-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.entry_leader.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.entry_leader.parent.elf.header.type: + dashed_name: process-entry-leader-parent-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.entry_leader.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.entry_leader.parent.elf.header.version: + dashed_name: process-entry-leader-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.entry_leader.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.entry_leader.parent.elf.import_hash: + dashed_name: process-entry-leader-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.entry_leader.parent.elf.imports: + dashed_name: process-entry-leader-parent-elf-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.entry_leader.parent.elf.imports_names_entropy: + dashed_name: process-entry-leader-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.entry_leader.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.parent.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.parent.elf.sections: + dashed_name: process-entry-leader-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.entry_leader.parent.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.entry_leader.parent.elf.sections.chi2: + dashed_name: process-entry-leader-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.entry_leader.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.entry_leader.parent.elf.sections.entropy: + dashed_name: process-entry-leader-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.entry_leader.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.elf.sections.flags: + dashed_name: process-entry-leader-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.entry_leader.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.entry_leader.parent.elf.sections.name: + dashed_name: process-entry-leader-parent-elf-sections-name + description: ELF Section List name. + flat_name: process.entry_leader.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.entry_leader.parent.elf.sections.physical_offset: + dashed_name: process-entry-leader-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.entry_leader.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.entry_leader.parent.elf.sections.physical_size: + dashed_name: process-entry-leader-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.entry_leader.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.entry_leader.parent.elf.sections.type: + dashed_name: process-entry-leader-parent-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.entry_leader.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.entry_leader.parent.elf.sections.var_entropy: + dashed_name: process-entry-leader-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.elf.sections.virtual_address: + dashed_name: process-entry-leader-parent-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.entry_leader.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.entry_leader.parent.elf.sections.virtual_size: + dashed_name: process-entry-leader-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.entry_leader.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.entry_leader.parent.elf.segments: + dashed_name: process-entry-leader-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.entry_leader.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. 
+ type: nested + process.entry_leader.parent.elf.segments.sections: + dashed_name: process-entry-leader-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.entry_leader.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.entry_leader.parent.elf.segments.type: + dashed_name: process-entry-leader-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.entry_leader.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.entry_leader.parent.elf.shared_libraries: + dashed_name: process-entry-leader-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.entry_leader.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.entry_leader.parent.elf.telfhash: + dashed_name: process-entry-leader-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.entry_leader.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.entry_leader.parent.end: + dashed_name: process-entry-leader-parent-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.entry_leader.parent.endpoint_security_client: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.entry_leader.parent.entity_id: + dashed_name: process-entry-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.entry_leader.parent.entry_meta.source.address: + dashed_name: process-entry-leader-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.entry_leader.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. 
+ type: keyword + process.entry_leader.parent.entry_meta.source.as.number: + dashed_name: process-entry-leader-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.entry_leader.parent.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.entry_leader.parent.entry_meta.source.bytes: + dashed_name: process-entry-leader-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.entry_leader.parent.entry_meta.source.domain: + dashed_name: process-entry-leader-parent-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' 
+ example: foo.example.com + flat_name: process.entry_leader.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. 
+ type: keyword + process.entry_leader.parent.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.location: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.entry_leader.parent.entry_meta.source.geo.name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' 
+ example: 94040 + flat_name: process.entry_leader.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_leader.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.entry_leader.parent.entry_meta.source.ip: + dashed_name: process-entry-leader-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip + process.entry_leader.parent.entry_meta.source.mac: + dashed_name: process-entry-leader-parent-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.entry_leader.parent.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.entry_leader.parent.entry_meta.source.nat.port: + dashed_name: process-entry-leader-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.entry_leader.parent.entry_meta.source.packets: + dashed_name: process-entry-leader-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. 
+ example: 12 + flat_name: process.entry_leader.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.entry_leader.parent.entry_meta.source.port: + dashed_name: process-entry-leader-parent-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.entry_leader.parent.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_leader.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.entry_leader.parent.entry_meta.source.subdomain: + dashed_name: process-entry-leader-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.entry_leader.parent.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_leader.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.entry_leader.parent.entry_meta.type: + dashed_name: process-entry-leader-parent-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.entry_leader.parent.env_vars: + dashed_name: process-entry-leader-parent-env-vars + description: 'Array of environment variable bindings. 
Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.executable: + dashed_name: process-entry-leader-parent-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.parent.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.entry_leader.parent.exit_code: + dashed_name: process-entry-leader-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.entry_leader.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.entry_leader.parent.group.domain: + dashed_name: process-entry-leader-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.entry_leader.parent.group.id: + dashed_name: process-entry-leader-parent-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.group.name: + dashed_name: process-entry-leader-parent-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.entry_leader.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.entry_leader.parent.hash.md5: + dashed_name: process-entry-leader-parent-hash-md5 + description: MD5 hash. + flat_name: process.entry_leader.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.entry_leader.parent.hash.sha1: + dashed_name: process-entry-leader-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.entry_leader.parent.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.entry_leader.parent.hash.sha256: + dashed_name: process-entry-leader-parent-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.entry_leader.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.entry_leader.parent.hash.sha384: + dashed_name: process-entry-leader-parent-hash-sha384 + description: SHA384 hash. + flat_name: process.entry_leader.parent.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.entry_leader.parent.hash.sha512: + dashed_name: process-entry-leader-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.entry_leader.parent.hash.ssdeep: + dashed_name: process-entry-leader-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.entry_leader.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.entry_leader.parent.hash.tlsh: + dashed_name: process-entry-leader-parent-hash-tlsh + description: TLSH hash. + flat_name: process.entry_leader.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.entry_leader.parent.interactive: + dashed_name: process-entry-leader-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.entry_leader.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.entry_leader.parent.io: + dashed_name: process-entry-leader-parent-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.entry_leader.parent.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.entry_leader.parent.io.bytes_skipped: + dashed_name: process-entry-leader-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.entry_leader.parent.io.bytes_skipped.length: + dashed_name: process-entry-leader-parent-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long + process.entry_leader.parent.io.bytes_skipped.offset: + dashed_name: process-entry-leader-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.entry_leader.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.entry_leader.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.entry_leader.parent.io.text: + dashed_name: process-entry-leader-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.entry_leader.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard + process.entry_leader.parent.io.total_bytes_captured: + dashed_name: process-entry-leader-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.entry_leader.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.entry_leader.parent.io.total_bytes_skipped: + dashed_name: process-entry-leader-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.entry_leader.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.entry_leader.parent.io.type: + dashed_name: process-entry-leader-parent-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.entry_leader.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.entry_leader.parent.macho.go_import_hash: + dashed_name: process-entry-leader-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.entry_leader.parent.macho.go_imports: + dashed_name: process-entry-leader-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.parent.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.entry_leader.parent.macho.go_stripped: + dashed_name: process-entry-leader-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.parent.macho.import_hash: + dashed_name: process-entry-leader-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.entry_leader.parent.macho.imports: + dashed_name: process-entry-leader-parent-macho-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.entry_leader.parent.macho.imports_names_entropy: + dashed_name: process-entry-leader-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.entry_leader.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.parent.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.parent.macho.sections: + dashed_name: process-entry-leader-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.entry_leader.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.entry_leader.parent.macho.sections.entropy: + dashed_name: process-entry-leader-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.macho.sections.name: + dashed_name: process-entry-leader-parent-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.entry_leader.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.entry_leader.parent.macho.sections.physical_size: + dashed_name: process-entry-leader-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.entry_leader.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.entry_leader.parent.macho.sections.var_entropy: + dashed_name: process-entry-leader-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.macho.sections.virtual_size: + dashed_name: process-entry-leader-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.entry_leader.parent.macho.symhash: + dashed_name: process-entry-leader-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.entry_leader.parent.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.entry_leader.parent.name: + dashed_name: process-entry-leader-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.entry_leader.parent.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.entry_leader.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.entry_leader.parent.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.entry_leader.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.parent.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword + process.entry_leader.parent.pe.architecture: + dashed_name: process-entry-leader-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.entry_leader.parent.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.entry_leader.parent.pe.company: + dashed_name: process-entry-leader-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.entry_leader.parent.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.pe.description: + dashed_name: process-entry-leader-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.entry_leader.parent.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.pe.file_version: + dashed_name: process-entry-leader-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.entry_leader.parent.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.entry_leader.parent.pe.go_import_hash: + dashed_name: process-entry-leader-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.entry_leader.parent.pe.go_imports: + dashed_name: process-entry-leader-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.parent.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.entry_leader.parent.pe.go_stripped: + dashed_name: process-entry-leader-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.parent.pe.imphash: + dashed_name: process-entry-leader-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.entry_leader.parent.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.entry_leader.parent.pe.import_hash: + dashed_name: process-entry-leader-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.entry_leader.parent.pe.imports: + dashed_name: process-entry-leader-parent-pe-imports + description: List of imported element names and types. 
+ flat_name: process.entry_leader.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.entry_leader.parent.pe.imports_names_entropy: + dashed_name: process-entry-leader-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.parent.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.parent.pe.original_file_name: + dashed_name: process-entry-leader-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.entry_leader.parent.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.pe.pehash: + dashed_name: process-entry-leader-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. 
+ + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.entry_leader.parent.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.entry_leader.parent.pe.product: + dashed_name: process-entry-leader-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.entry_leader.parent.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.pe.sections: + dashed_name: process-entry-leader-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.entry_leader.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.entry_leader.parent.pe.sections.entropy: + dashed_name: process-entry-leader-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.pe.sections.name: + dashed_name: process-entry-leader-parent-pe-sections-name + description: PE Section List name. 
+ flat_name: process.entry_leader.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.entry_leader.parent.pe.sections.physical_size: + dashed_name: process-entry-leader-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.entry_leader.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.entry_leader.parent.pe.sections.var_entropy: + dashed_name: process-entry-leader-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.pe.sections.virtual_size: + dashed_name: process-entry-leader-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.entry_leader.parent.pid: + dashed_name: process-entry-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.entry_leader.parent.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.entry_leader.parent.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.entry_leader.parent.real_group.domain: + dashed_name: process-entry-leader-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.real_group.id: + dashed_name: process-entry-leader-parent-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.real_group.name: + dashed_name: process-entry-leader-parent-real-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.real_user.domain: + dashed_name: process-entry-leader-parent-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.real_user.email: + dashed_name: process-entry-leader-parent-real-user-email + description: User email address. + flat_name: process.entry_leader.parent.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.real_user.full_name: + dashed_name: process-entry-leader-parent-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.real_user.group.domain: + dashed_name: process-entry-leader-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.real_user.group.id: + dashed_name: process-entry-leader-parent-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.entry_leader.parent.real_user.group.name: + dashed_name: process-entry-leader-parent-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.real_user.hash: + dashed_name: process-entry-leader-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.real_user.id: + dashed_name: process-entry-leader-parent-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.real_user.name: + dashed_name: process-entry-leader-parent-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword + process.entry_leader.parent.real_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.real_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.entry_leader.parent.real_user.risk.static_level: + dashed_name: process-entry-leader-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.real_user.risk.static_score: + dashed_name: process-entry-leader-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.real_user.roles: + dashed_name: process-entry-leader-parent-real-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.same_as_process: + dashed_name: process-entry-leader-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.parent.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.entry_leader.parent.saved_group.domain: + dashed_name: process-entry-leader-parent-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.saved_group.id: + dashed_name: process-entry-leader-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.saved_group.name: + dashed_name: process-entry-leader-parent-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.saved_user.domain: + dashed_name: process-entry-leader-parent-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.saved_user.email: + dashed_name: process-entry-leader-parent-saved-user-email + description: User email address. + flat_name: process.entry_leader.parent.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.saved_user.full_name: + dashed_name: process-entry-leader-parent-saved-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.entry_leader.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.saved_user.group.domain: + dashed_name: process-entry-leader-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.saved_user.group.id: + dashed_name: process-entry-leader-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.saved_user.group.name: + dashed_name: process-entry-leader-parent-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.saved_user.hash: + dashed_name: process-entry-leader-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.entry_leader.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.saved_user.id: + dashed_name: process-entry-leader-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.saved_user.name: + dashed_name: process-entry-leader-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.entry_leader.parent.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.saved_user.risk.static_level: + dashed_name: process-entry-leader-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: keyword + process.entry_leader.parent.saved_user.risk.static_score: + dashed_name: process-entry-leader-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.saved_user.roles: + dashed_name: process-entry-leader-parent-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.args: + dashed_name: process-entry-leader-parent-session-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.entry_leader.parent.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.entry_leader.parent.session_leader.args_count: + dashed_name: process-entry-leader-parent-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.entry_leader.parent.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.entry_leader.parent.session_leader.attested_groups.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.attested_groups.id: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.entry_leader.parent.session_leader.attested_groups.name: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.attested_user.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.session_leader.attested_user.email: + dashed_name: process-entry-leader-parent-session-leader-attested-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.session_leader.attested_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: keyword + process.entry_leader.parent.session_leader.attested_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.attested_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.attested_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.attested_user.hash: + dashed_name: process-entry-leader-parent-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.entry_leader.parent.session_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.session_leader.attested_user.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.session_leader.attested_user.name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.session_leader.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.entry_leader.parent.session_leader.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.session_leader.attested_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: keyword + process.entry_leader.parent.session_leader.attested_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.session_leader.attested_user.roles: + dashed_name: process-entry-leader-parent-session-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.code_signature.digest_algorithm: + dashed_name: process-entry-leader-parent-session-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.entry_leader.parent.session_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.entry_leader.parent.session_leader.code_signature.exists: + dashed_name: process-entry-leader-parent-session-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.entry_leader.parent.session_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.entry_leader.parent.session_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.entry_leader.parent.session_leader.code_signature.signing_id: + dashed_name: process-entry-leader-parent-session-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. 
+ The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.entry_leader.parent.session_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.entry_leader.parent.session_leader.code_signature.status: + dashed_name: process-entry-leader-parent-session-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.parent.session_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.entry_leader.parent.session_leader.code_signature.subject_name: + dashed_name: process-entry-leader-parent-session-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.parent.session_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.entry_leader.parent.session_leader.code_signature.team_id: + dashed_name: process-entry-leader-parent-session-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV + flat_name: process.entry_leader.parent.session_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.entry_leader.parent.session_leader.code_signature.timestamp: + dashed_name: process-entry-leader-parent-session-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.entry_leader.parent.session_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.entry_leader.parent.session_leader.code_signature.trusted: + dashed_name: process-entry-leader-parent-session-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' 
+ example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.entry_leader.parent.session_leader.code_signature.valid: + dashed_name: process-entry-leader-parent-session-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.entry_leader.parent.session_leader.command_line: + dashed_name: process-entry-leader-parent-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.parent.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.entry_leader.parent.session_leader.elf.architecture: + dashed_name: process-entry-leader-parent-session-leader-elf-architecture + description: Machine architecture of the ELF file. 
+ example: x86-64 + flat_name: process.entry_leader.parent.session_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.byte_order: + dashed_name: process-entry-leader-parent-session-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.entry_leader.parent.session_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.cpu_type: + dashed_name: process-entry-leader-parent-session-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.entry_leader.parent.session_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.creation_date: + dashed_name: process-entry-leader-parent-session-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.entry_leader.parent.session_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.entry_leader.parent.session_leader.elf.exports: + dashed_name: process-entry-leader-parent-session-leader-elf-exports + description: List of exported element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. 
+ type: flattened + process.entry_leader.parent.session_leader.elf.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.go_imports: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.parent.session_leader.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. 
+ type: long + process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.session_leader.elf.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.parent.session_leader.elf.header.abi_version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.entry_leader.parent.session_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.entry_leader.parent.session_leader.elf.header.class: + dashed_name: process-entry-leader-parent-session-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. 
+ type: keyword + process.entry_leader.parent.session_leader.elf.header.data: + dashed_name: process-entry-leader-parent-session-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.entry_leader.parent.session_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.entry_leader.parent.session_leader.elf.header.entrypoint: + dashed_name: process-entry-leader-parent-session-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.entry_leader.parent.session_leader.elf.header.object_version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.entry_leader.parent.session_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.entry_leader.parent.session_leader.elf.header.os_abi: + dashed_name: process-entry-leader-parent-session-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.entry_leader.parent.session_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.entry_leader.parent.session_leader.elf.header.type: + dashed_name: process-entry-leader-parent-session-leader-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.entry_leader.parent.session_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.header.version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.entry_leader.parent.session_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.entry_leader.parent.session_leader.elf.import_hash: + dashed_name: process-entry-leader-parent-session-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.imports: + dashed_name: process-entry-leader-parent-session-leader-elf-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. 
+ type: flattened + process.entry_leader.parent.session_leader.elf.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.parent.session_leader.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.parent.session_leader.elf.sections: + dashed_name: process-entry-leader-parent-session-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.entry_leader.parent.session_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.entry_leader.parent.session_leader.elf.sections.chi2: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. 
+ flat_name: process.entry_leader.parent.session_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.entry_leader.parent.session_leader.elf.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.session_leader.elf.sections.flags: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.entry_leader.parent.session_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.entry_leader.parent.session_leader.elf.sections.name: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.entry_leader.parent.session_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.entry_leader.parent.session_leader.elf.sections.physical_offset: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. 
+ type: keyword + process.entry_leader.parent.session_leader.elf.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.entry_leader.parent.session_leader.elf.sections.type: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.entry_leader.parent.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.entry_leader.parent.session_leader.elf.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.session_leader.elf.sections.virtual_address: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. 
+ type: long + process.entry_leader.parent.session_leader.elf.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.entry_leader.parent.session_leader.elf.segments: + dashed_name: process-entry-leader-parent-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.entry_leader.parent.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.entry_leader.parent.session_leader.elf.segments.sections: + dashed_name: process-entry-leader-parent-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.entry_leader.parent.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.entry_leader.parent.session_leader.elf.segments.type: + dashed_name: process-entry-leader-parent-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.entry_leader.parent.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword + process.entry_leader.parent.session_leader.elf.shared_libraries: + dashed_name: process-entry-leader-parent-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.entry_leader.parent.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.entry_leader.parent.session_leader.elf.telfhash: + dashed_name: process-entry-leader-parent-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.entry_leader.parent.session_leader.end: + dashed_name: process-entry-leader-parent-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.entry_leader.parent.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.parent.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. 
+ type: boolean + process.entry_leader.parent.session_leader.entity_id: + dashed_name: process-entry-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.address: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.as.number: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. 
+ example: 15169 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.bytes: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.entry_leader.parent.session_leader.entry_meta.source.domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. 
+ type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. 
+ type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.location: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.entry_leader.parent.session_leader.entry_meta.source.geo.name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' 
+ example: 94040 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). 
+ flat_name: process.entry_leader.parent.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.entry_leader.parent.session_leader.entry_meta.source.mac: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.entry_leader.parent.session_leader.entry_meta.source.nat.port: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.entry_leader.parent.session_leader.entry_meta.source.packets: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.entry_leader.parent.session_leader.entry_meta.source.port: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.entry_leader.parent.session_leader.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. 
+ type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.subdomain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword + process.entry_leader.parent.session_leader.entry_meta.type: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.entry_leader.parent.session_leader.env_vars: + dashed_name: process-entry-leader-parent-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.parent.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.executable: + dashed_name: process-entry-leader-parent-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.parent.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword + process.entry_leader.parent.session_leader.exit_code: + dashed_name: process-entry-leader-parent-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.entry_leader.parent.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.entry_leader.parent.session_leader.group.domain: + dashed_name: process-entry-leader-parent-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.group.id: + dashed_name: process-entry-leader-parent-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.group.name: + dashed_name: process-entry-leader-parent-session-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.hash.cdhash: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.entry_leader.parent.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.entry_leader.parent.session_leader.hash.md5: + dashed_name: process-entry-leader-parent-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.entry_leader.parent.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.entry_leader.parent.session_leader.hash.sha1: + dashed_name: process-entry-leader-parent-session-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.entry_leader.parent.session_leader.hash.sha256: + dashed_name: process-entry-leader-parent-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.entry_leader.parent.session_leader.hash.sha384: + dashed_name: process-entry-leader-parent-session-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. 
+ type: keyword + process.entry_leader.parent.session_leader.hash.sha512: + dashed_name: process-entry-leader-parent-session-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.entry_leader.parent.session_leader.hash.ssdeep: + dashed_name: process-entry-leader-parent-session-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.entry_leader.parent.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.entry_leader.parent.session_leader.hash.tlsh: + dashed_name: process-entry-leader-parent-session-leader-hash-tlsh + description: TLSH hash. + flat_name: process.entry_leader.parent.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.entry_leader.parent.session_leader.interactive: + dashed_name: process-entry-leader-parent-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' 
+ example: true + flat_name: process.entry_leader.parent.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.entry_leader.parent.session_leader.io: + dashed_name: process-entry-leader-parent-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.entry_leader.parent.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.entry_leader.parent.session_leader.io.bytes_skipped: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.entry_leader.parent.session_leader.io.bytes_skipped.length: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.entry_leader.parent.session_leader.io.bytes_skipped.offset: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-parent-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.entry_leader.parent.session_leader.io.text: + dashed_name: process-entry-leader-parent-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.entry_leader.parent.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.entry_leader.parent.session_leader.io.total_bytes_captured: + dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. 
+ flat_name: process.entry_leader.parent.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.entry_leader.parent.session_leader.io.total_bytes_skipped: + dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.entry_leader.parent.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.entry_leader.parent.session_leader.io.type: + dashed_name: process-entry-leader-parent-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.entry_leader.parent.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.entry_leader.parent.session_leader.macho.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.entry_leader.parent.session_leader.macho.go_imports: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.parent.session_leader.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.entry_leader.parent.session_leader.macho.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.parent.session_leader.macho.import_hash: + dashed_name: process-entry-leader-parent-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.entry_leader.parent.session_leader.macho.imports: + dashed_name: process-entry-leader-parent-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.entry_leader.parent.session_leader.macho.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.entry_leader.parent.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.parent.session_leader.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.parent.session_leader.macho.sections: + dashed_name: process-entry-leader-parent-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.entry_leader.parent.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.entry_leader.parent.session_leader.macho.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. 
+ type: long + process.entry_leader.parent.session_leader.macho.sections.name: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.entry_leader.parent.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.entry_leader.parent.session_leader.macho.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.entry_leader.parent.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.entry_leader.parent.session_leader.macho.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.session_leader.macho.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ type: long + process.entry_leader.parent.session_leader.macho.symhash: + dashed_name: process-entry-leader-parent-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.entry_leader.parent.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.entry_leader.parent.session_leader.name: + dashed_name: process-entry-leader-parent-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.entry_leader.parent.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.entry_leader.parent.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.entry_leader.parent.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.entry_leader.parent.session_leader.origin_url: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.parent.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.entry_leader.parent.session_leader.pe.architecture: + dashed_name: process-entry-leader-parent-session-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.entry_leader.parent.session_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.entry_leader.parent.session_leader.pe.company: + dashed_name: process-entry-leader-parent-session-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.entry_leader.parent.session_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.session_leader.pe.description: + dashed_name: process-entry-leader-parent-session-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.entry_leader.parent.session_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
+ type: keyword + process.entry_leader.parent.session_leader.pe.file_version: + dashed_name: process-entry-leader-parent-session-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.entry_leader.parent.session_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.entry_leader.parent.session_leader.pe.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.entry_leader.parent.session_leader.pe.go_imports: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.parent.session_leader.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.session_leader.pe.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.parent.session_leader.pe.imphash: + dashed_name: process-entry-leader-parent-session-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
+ example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.entry_leader.parent.session_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.entry_leader.parent.session_leader.pe.import_hash: + dashed_name: process-entry-leader-parent-session-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.entry_leader.parent.session_leader.pe.imports: + dashed_name: process-entry-leader-parent-session-leader-pe-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.entry_leader.parent.session_leader.pe.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. 
+ type: long + process.entry_leader.parent.session_leader.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.parent.session_leader.pe.original_file_name: + dashed_name: process-entry-leader-parent-session-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.entry_leader.parent.session_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.session_leader.pe.pehash: + dashed_name: process-entry-leader-parent-session-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.entry_leader.parent.session_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. 
+ type: keyword + process.entry_leader.parent.session_leader.pe.product: + dashed_name: process-entry-leader-parent-session-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.entry_leader.parent.session_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.session_leader.pe.sections: + dashed_name: process-entry-leader-parent-session-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.entry_leader.parent.session_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.entry_leader.parent.session_leader.pe.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.session_leader.pe.sections.name: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-name + description: PE Section List name. + flat_name: process.entry_leader.parent.session_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword + process.entry_leader.parent.session_leader.pe.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.entry_leader.parent.session_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.entry_leader.parent.session_leader.pe.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.session_leader.pe.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.session_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.entry_leader.parent.session_leader.pid: + dashed_name: process-entry-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.entry_leader.parent.session_leader.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.entry_leader.parent.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.entry_leader.parent.session_leader.real_group.domain: + dashed_name: process-entry-leader-parent-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.real_group.id: + dashed_name: process-entry-leader-parent-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.real_group.name: + dashed_name: process-entry-leader-parent-session-leader-real-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.entry_leader.parent.session_leader.real_user.domain: + dashed_name: process-entry-leader-parent-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.session_leader.real_user.email: + dashed_name: process-entry-leader-parent-session-leader-real-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.session_leader.real_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.session_leader.real_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.entry_leader.parent.session_leader.real_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.real_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.real_user.hash: + dashed_name: process-entry-leader-parent-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.session_leader.real_user.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.entry_leader.parent.session_leader.real_user.name: + dashed_name: process-entry-leader-parent-session-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.session_leader.real_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.session_leader.real_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.session_leader.real_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.session_leader.real_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.entry_leader.parent.session_leader.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.session_leader.real_user.roles: + dashed_name: process-entry-leader-parent-session-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.same_as_process: + dashed_name: process-entry-leader-parent-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. 
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.parent.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.entry_leader.parent.session_leader.saved_group.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.saved_group.id: + dashed_name: process-entry-leader-parent-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.saved_group.name: + dashed_name: process-entry-leader-parent-session-leader-saved-group-name + description: Name of the group. 
+ flat_name: process.entry_leader.parent.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.saved_user.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.session_leader.saved_user.email: + dashed_name: process-entry-leader-parent-session-leader-saved-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.session_leader.saved_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.session_leader.saved_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.saved_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.saved_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.saved_user.hash: + dashed_name: process-entry-leader-parent-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.session_leader.saved_user.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.session_leader.saved_user.name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.session_leader.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.session_leader.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.session_leader.saved_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.session_leader.saved_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.session_leader.saved_user.roles: + dashed_name: process-entry-leader-parent-session-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.start: + dashed_name: process-entry-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. 
+ type: date + process.entry_leader.parent.session_leader.supplemental_groups.domain: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.supplemental_groups.id: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.supplemental_groups.name: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.thread.capabilities.effective: + dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.session_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.thread.capabilities.permitted: + dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.session_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.thread.id: + dashed_name: process-entry-leader-parent-session-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.entry_leader.parent.session_leader.thread.name: + dashed_name: process-entry-leader-parent-session-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.entry_leader.parent.session_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.entry_leader.parent.session_leader.title: + dashed_name: process-entry-leader-parent-session-leader-title + description: 'Process title. 
+ + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.entry_leader.parent.session_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.entry_leader.parent.session_leader.tty: + dashed_name: process-entry-leader-parent-session-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.entry_leader.parent.session_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.entry_leader.parent.session_leader.tty.char_device.major: + dashed_name: process-entry-leader-parent-session-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.parent.session_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.entry_leader.parent.session_leader.tty.char_device.minor: + dashed_name: process-entry-leader-parent-session-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. 
It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.parent.session_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.entry_leader.parent.session_leader.tty.columns: + dashed_name: process-entry-leader-parent-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.parent.session_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.entry_leader.parent.session_leader.tty.rows: + dashed_name: process-entry-leader-parent-session-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.parent.session_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.entry_leader.parent.session_leader.uptime: + dashed_name: process-entry-leader-parent-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.entry_leader.parent.session_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. 
+ type: long + process.entry_leader.parent.session_leader.user.domain: + dashed_name: process-entry-leader-parent-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.session_leader.user.email: + dashed_name: process-entry-leader-parent-session-leader-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.session_leader.user.full_name: + dashed_name: process-entry-leader-parent-session-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.session_leader.user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.entry_leader.parent.session_leader.user.group.id: + dashed_name: process-entry-leader-parent-session-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.user.group.name: + dashed_name: process-entry-leader-parent-session-leader-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.user.hash: + dashed_name: process-entry-leader-parent-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.session_leader.user.id: + dashed_name: process-entry-leader-parent-session-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.entry_leader.parent.session_leader.user.name: + dashed_name: process-entry-leader-parent-session-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.session_leader.user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.session_leader.user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.entry_leader.parent.session_leader.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.session_leader.user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.session_leader.user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.entry_leader.parent.session_leader.user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.session_leader.user.roles: + dashed_name: process-entry-leader-parent-session-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.vpid: + dashed_name: process-entry-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.entry_leader.parent.session_leader.working_directory: + dashed_name: process-entry-leader-parent-session-leader-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.entry_leader.parent.session_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.entry_leader.parent.start: + dashed_name: process-entry-leader-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.entry_leader.parent.supplemental_groups.domain: + dashed_name: process-entry-leader-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.supplemental_groups.id: + dashed_name: process-entry-leader-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.supplemental_groups.name: + dashed_name: process-entry-leader-parent-supplemental-groups-name + description: Name of the group. 
+ flat_name: process.entry_leader.parent.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.thread.capabilities.effective: + dashed_name: process-entry-leader-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.thread.capabilities.permitted: + dashed_name: process-entry-leader-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.thread.id: + dashed_name: process-entry-leader-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.parent.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.entry_leader.parent.thread.name: + dashed_name: process-entry-leader-parent-thread-name + description: Thread name. 
+ example: thread-0 + flat_name: process.entry_leader.parent.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.entry_leader.parent.title: + dashed_name: process-entry-leader-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.entry_leader.parent.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.entry_leader.parent.tty: + dashed_name: process-entry-leader-parent-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.entry_leader.parent.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.entry_leader.parent.tty.char_device.major: + dashed_name: process-entry-leader-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.parent.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. 
+ type: long + process.entry_leader.parent.tty.char_device.minor: + dashed_name: process-entry-leader-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.parent.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.entry_leader.parent.tty.columns: + dashed_name: process-entry-leader-parent-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.parent.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.entry_leader.parent.tty.rows: + dashed_name: process-entry-leader-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.parent.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.entry_leader.parent.uptime: + dashed_name: process-entry-leader-parent-uptime + description: Seconds the process has been up. 
+ example: 1325 + flat_name: process.entry_leader.parent.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.entry_leader.parent.user.domain: + dashed_name: process-entry-leader-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.user.email: + dashed_name: process-entry-leader-parent-user-email + description: User email address. + flat_name: process.entry_leader.parent.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.user.full_name: + dashed_name: process-entry-leader-parent-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.user.group.domain: + dashed_name: process-entry-leader-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.entry_leader.parent.user.group.id: + dashed_name: process-entry-leader-parent-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.user.group.name: + dashed_name: process-entry-leader-parent-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.user.hash: + dashed_name: process-entry-leader-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.user.id: + dashed_name: process-entry-leader-parent-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.user.name: + dashed_name: process-entry-leader-parent-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.entry_leader.parent.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.user.risk.calculated_level: + dashed_name: process-entry-leader-parent-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.user.risk.calculated_score: + dashed_name: process-entry-leader-parent-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + flat_name: process.entry_leader.parent.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.user.risk.static_level: + dashed_name: process-entry-leader-parent-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.user.risk.static_score: + dashed_name: process-entry-leader-parent-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float + process.entry_leader.parent.user.roles: + dashed_name: process-entry-leader-parent-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.vpid: + dashed_name: process-entry-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.entry_leader.parent.working_directory: + dashed_name: process-entry-leader-parent-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.entry_leader.parent.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.entry_leader.pe.architecture: + dashed_name: process-entry-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.entry_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. 
+ type: keyword + process.entry_leader.pe.company: + dashed_name: process-entry-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.entry_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.entry_leader.pe.description: + dashed_name: process-entry-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.entry_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.entry_leader.pe.file_version: + dashed_name: process-entry-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.entry_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.entry_leader.pe.go_import_hash: + dashed_name: process-entry-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.entry_leader.pe.go_imports: + dashed_name: process-entry-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.pe.go_stripped: + dashed_name: process-entry-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.entry_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.pe.imphash: + dashed_name: process-entry-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.entry_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.entry_leader.pe.import_hash: + dashed_name: process-entry-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.entry_leader.pe.imports: + dashed_name: process-entry-leader-pe-imports + description: List of imported element names and types. + flat_name: process.entry_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. 
+ type: flattened + process.entry_leader.pe.imports_names_entropy: + dashed_name: process-entry-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.pe.original_file_name: + dashed_name: process-entry-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.entry_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.entry_leader.pe.pehash: + dashed_name: process-entry-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.entry_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.entry_leader.pe.product: + dashed_name: process-entry-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.entry_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.entry_leader.pe.sections: + dashed_name: process-entry-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.entry_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.entry_leader.pe.sections.entropy: + dashed_name: process-entry-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.pe.sections.name: + dashed_name: process-entry-leader-pe-sections-name + description: PE Section List name. + flat_name: process.entry_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword + process.entry_leader.pe.sections.physical_size: + dashed_name: process-entry-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.entry_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.entry_leader.pe.sections.var_entropy: + dashed_name: process-entry-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.pe.sections.virtual_size: + dashed_name: process-entry-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.entry_leader.pid: + dashed_name: process-entry-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.entry_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. 
+ flat_name: process.entry_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.entry_leader.real_group.domain: + dashed_name: process-entry-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.real_group.id: + dashed_name: process-entry-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.real_group.name: + dashed_name: process-entry-leader-real-group-name + description: Name of the group. + flat_name: process.entry_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.real_user.domain: + dashed_name: process-entry-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.real_user.email: + dashed_name: process-entry-leader-real-user-email + description: User email address. 
+ flat_name: process.entry_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.real_user.full_name: + dashed_name: process-entry-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.real_user.group.domain: + dashed_name: process-entry-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.real_user.group.id: + dashed_name: process-entry-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.real_user.group.name: + dashed_name: process-entry-leader-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.entry_leader.real_user.hash: + dashed_name: process-entry-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.real_user.id: + dashed_name: process-entry-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.real_user.name: dashed_name: process-entry-leader-real-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.entry_leader.real_user.name + flat_name: process.entry_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.real_user.risk.calculated_level: + dashed_name: process-entry-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.entry_leader.real_user.risk.calculated_score: + dashed_name: process-entry-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.real_user.risk.static_level: + dashed_name: process-entry-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.real_user.risk.static_score: + dashed_name: process-entry-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.entry_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.real_user.roles: + dashed_name: process-entry-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.same_as_process: + dashed_name: process-entry-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. 
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.entry_leader.saved_group.domain: + dashed_name: process-entry-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.saved_group.id: + dashed_name: process-entry-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.saved_group.name: + dashed_name: process-entry-leader-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.entry_leader.saved_user.domain: + dashed_name: process-entry-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.saved_user.email: + dashed_name: process-entry-leader-saved-user-email + description: User email address. + flat_name: process.entry_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.saved_user.full_name: + dashed_name: process-entry-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.saved_user.group.domain: + dashed_name: process-entry-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.saved_user.group.id: + dashed_name: process-entry-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.entry_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.saved_user.group.name: + dashed_name: process-entry-leader-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.saved_user.hash: + dashed_name: process-entry-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.saved_user.id: + dashed_name: process-entry-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.saved_user.name: + dashed_name: process-entry-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword + process.entry_leader.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.saved_user.risk.static_level: + dashed_name: process-entry-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.entry_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.saved_user.risk.static_score: + dashed_name: process-entry-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.saved_user.roles: + dashed_name: process-entry-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.entry_leader.start: + dashed_name: process-entry-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.entry_leader.supplemental_groups.domain: + dashed_name: process-entry-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.supplemental_groups.id: + dashed_name: process-entry-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.supplemental_groups.name: + dashed_name: process-entry-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.thread.capabilities.effective: + dashed_name: process-entry-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.entry_leader.thread.capabilities.permitted: + dashed_name: process-entry-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.entry_leader.thread.id: + dashed_name: process-entry-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.entry_leader.thread.name: + dashed_name: process-entry-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.entry_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.entry_leader.title: + dashed_name: process-entry-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' 
+ flat_name: process.entry_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.entry_leader.tty: + dashed_name: process-entry-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.entry_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.entry_leader.tty.char_device.major: + dashed_name: process-entry-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.entry_leader.tty.char_device.minor: + dashed_name: process-entry-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. 
+ type: long + process.entry_leader.tty.columns: + dashed_name: process-entry-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.entry_leader.tty.rows: + dashed_name: process-entry-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.entry_leader.uptime: + dashed_name: process-entry-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.entry_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.entry_leader.user.domain: + dashed_name: process-entry-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.user.email: + dashed_name: process-entry-leader-user-email + description: User email address. 
+ flat_name: process.entry_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.user.full_name: + dashed_name: process-entry-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.user.group.domain: + dashed_name: process-entry-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.user.group.id: + dashed_name: process-entry-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.user.group.name: + dashed_name: process-entry-leader-user-group-name + description: Name of the group. + flat_name: process.entry_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.user.hash: + dashed_name: process-entry-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.user.id: + dashed_name: process-entry-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.user.name: + dashed_name: process-entry-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.user.risk.calculated_level: + dashed_name: process-entry-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.user.risk.calculated_score: + dashed_name: process-entry-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.entry_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.user.risk.static_level: + dashed_name: process-entry-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.user.risk.static_score: + dashed_name: process-entry-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.entry_leader.user.risk.static_score_norm: + dashed_name: process-entry-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.user.roles: + dashed_name: process-entry-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.entry_leader.working_directory: + dashed_name: process-entry-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.entry_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. 
+ type: keyword + process.entry_meta.source.address: + dashed_name: process-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.entry_meta.source.as.number: + dashed_name: process-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.entry_meta.source.as.organization.name: + dashed_name: process-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.entry_meta.source.bytes: + dashed_name: process-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. 
+ type: long + process.entry_meta.source.domain: + dashed_name: process-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.entry_meta.source.geo.city_name: + dashed_name: process-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.entry_meta.source.geo.continent_code: + dashed_name: process-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.entry_meta.source.geo.continent_name: + dashed_name: process-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. 
+ type: keyword + process.entry_meta.source.geo.country_name: + dashed_name: process-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.entry_meta.source.geo.location: + dashed_name: process-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.entry_meta.source.geo.name: + dashed_name: process-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.entry_meta.source.geo.postal_code: + dashed_name: process-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-meta-source-geo-region-iso-code + description: Region ISO code. 
+ example: CA-QC + flat_name: process.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.entry_meta.source.geo.region_name: + dashed_name: process-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.entry_meta.source.geo.timezone: + dashed_name: process-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.entry_meta.source.ip: + dashed_name: process-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.entry_meta.source.mac: + dashed_name: process-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. 
+ type: keyword + process.entry_meta.source.nat.ip: + dashed_name: process-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.entry_meta.source.nat.port: + dashed_name: process-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.entry_meta.source.packets: + dashed_name: process-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.entry_meta.source.port: + dashed_name: process-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.entry_meta.source.registered_domain: + dashed_name: process-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.entry_meta.source.subdomain: + dashed_name: process-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.entry_meta.source.top_level_domain: + dashed_name: process-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword + process.entry_meta.type: + dashed_name: process-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + short: The entry type for the entry session leader. + type: keyword + process.env_vars: + dashed_name: process-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.executable: + dashed_name: process-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + otel: + - attribute: process.executable.path + relation: equivalent + stability: development + short: Absolute path to the process executable. + type: keyword + process.exit_code: + dashed_name: process-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.exit_code + level: extended + name: exit_code + normalize: [] + short: The exit code of the process. + type: long + process.group.domain: + dashed_name: process-group-domain + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + flat_name: process.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.args: + dashed_name: process-group-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.group_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.group_leader.args_count: + dashed_name: process-group-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.group_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. 
+ type: long + process.group_leader.attested_groups.domain: + dashed_name: process-group-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.attested_groups.id: + dashed_name: process-group-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.attested_groups.name: + dashed_name: process-group-leader-attested-groups-name + description: Name of the group. + flat_name: process.group_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.attested_user.domain: + dashed_name: process-group-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.group_leader.attested_user.email: + dashed_name: process-group-leader-attested-user-email + description: User email address. + flat_name: process.group_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword + process.group_leader.attested_user.full_name: + dashed_name: process-group-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.group_leader.attested_user.group.domain: + dashed_name: process-group-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.attested_user.group.id: + dashed_name: process-group-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.attested_user.group.name: + dashed_name: process-group-leader-attested-user-group-name + description: Name of the group. + flat_name: process.group_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.attested_user.hash: + dashed_name: process-group-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.group_leader.attested_user.id: + dashed_name: process-group-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.group_leader.attested_user.name: + dashed_name: process-group-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.group_leader.attested_user.risk.calculated_level: + dashed_name: process-group-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.group_leader.attested_user.risk.calculated_score: + dashed_name: process-group-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.group_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-group-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.group_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.group_leader.attested_user.risk.static_level: + dashed_name: process-group-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: keyword + process.group_leader.attested_user.risk.static_score: + dashed_name: process-group-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.group_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.group_leader.attested_user.risk.static_score_norm: + dashed_name: process-group-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.group_leader.attested_user.roles: + dashed_name: process-group-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.group_leader.code_signature.digest_algorithm: + dashed_name: process-group-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' 
+ example: sha256 + flat_name: process.group_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.group_leader.code_signature.exists: + dashed_name: process-group-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.group_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.group_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.group_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.group_leader.code_signature.signing_id: + dashed_name: process-group-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.group_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.group_leader.code_signature.status: + dashed_name: process-group-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.group_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.group_leader.code_signature.subject_name: + dashed_name: process-group-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.group_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.group_leader.code_signature.team_id: + dashed_name: process-group-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.group_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.group_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.group_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. 
+ type: keyword + process.group_leader.code_signature.timestamp: + dashed_name: process-group-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.group_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.group_leader.code_signature.trusted: + dashed_name: process-group-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.group_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.group_leader.code_signature.valid: + dashed_name: process-group-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.group_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.group_leader.command_line: + dashed_name: process-group-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.group_leader.command_line + level: extended + multi_fields: + - flat_name: process.group_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.group_leader.elf.architecture: + dashed_name: process-group-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.group_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.group_leader.elf.byte_order: + dashed_name: process-group-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.group_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.group_leader.elf.cpu_type: + dashed_name: process-group-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.group_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.group_leader.elf.creation_date: + dashed_name: process-group-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.group_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.group_leader.elf.exports: + dashed_name: process-group-leader-elf-exports + description: List of exported element names and types. 
+ flat_name: process.group_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.group_leader.elf.go_import_hash: + dashed_name: process-group-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.group_leader.elf.go_imports: + dashed_name: process-group-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.group_leader.elf.go_imports_names_entropy: + dashed_name: process-group-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. 
+ type: long + process.group_leader.elf.go_imports_names_var_entropy: + dashed_name: process-group-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.elf.go_stripped: + dashed_name: process-group-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.group_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.group_leader.elf.header.abi_version: + dashed_name: process-group-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.group_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.group_leader.elf.header.class: + dashed_name: process-group-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.group_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.group_leader.elf.header.data: + dashed_name: process-group-leader-elf-header-data + description: Data table of the ELF header. 
+ flat_name: process.group_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.group_leader.elf.header.entrypoint: + dashed_name: process-group-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.group_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.group_leader.elf.header.object_version: + dashed_name: process-group-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.group_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.group_leader.elf.header.os_abi: + dashed_name: process-group-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.group_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.group_leader.elf.header.type: + dashed_name: process-group-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.group_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.group_leader.elf.header.version: + dashed_name: process-group-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.group_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.group_leader.elf.import_hash: + dashed_name: process-group-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.group_leader.elf.imports: + dashed_name: process-group-leader-elf-imports + description: List of imported element names and types. + flat_name: process.group_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.group_leader.elf.imports_names_entropy: + dashed_name: process-group-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.group_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.group_leader.elf.imports_names_var_entropy: + dashed_name: process-group-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.group_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.group_leader.elf.sections: + dashed_name: process-group-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.group_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.group_leader.elf.sections.chi2: + dashed_name: process-group-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.group_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.group_leader.elf.sections.entropy: + dashed_name: process-group-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.group_leader.elf.sections.flags: + dashed_name: process-group-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.group_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. 
+ type: keyword + process.group_leader.elf.sections.name: + dashed_name: process-group-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.group_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.group_leader.elf.sections.physical_offset: + dashed_name: process-group-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.group_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.group_leader.elf.sections.physical_size: + dashed_name: process-group-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.group_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.group_leader.elf.sections.type: + dashed_name: process-group-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.group_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.group_leader.elf.sections.var_entropy: + dashed_name: process-group-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. 
+ type: long + process.group_leader.elf.sections.virtual_address: + dashed_name: process-group-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.group_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.group_leader.elf.sections.virtual_size: + dashed_name: process-group-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.group_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.group_leader.elf.segments: + dashed_name: process-group-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.group_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.group_leader.elf.segments.sections: + dashed_name: process-group-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.group_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.group_leader.elf.segments.type: + dashed_name: process-group-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.group_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword + process.group_leader.elf.shared_libraries: + dashed_name: process-group-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.group_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.group_leader.elf.telfhash: + dashed_name: process-group-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.group_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.group_leader.end: + dashed_name: process-group-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.group_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.group_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.group_leader.entity_id: + dashed_name: process-group-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.group_leader.entry_meta.source.address: + dashed_name: process-group-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.group_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.group_leader.entry_meta.source.as.number: + dashed_name: process-group-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.group_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.group_leader.entry_meta.source.as.organization.name: + dashed_name: process-group-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.group_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.group_leader.entry_meta.source.bytes: + dashed_name: process-group-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.group_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.group_leader.entry_meta.source.domain: + dashed_name: process-group-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.group_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.group_leader.entry_meta.source.geo.city_name: + dashed_name: process-group-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.group_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.group_leader.entry_meta.source.geo.continent_code: + dashed_name: process-group-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. 
+ example: NA + flat_name: process.group_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.group_leader.entry_meta.source.geo.continent_name: + dashed_name: process-group-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.group_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.group_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-group-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.group_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.group_leader.entry_meta.source.geo.country_name: + dashed_name: process-group-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.group_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.group_leader.entry_meta.source.geo.location: + dashed_name: process-group-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.group_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point + process.group_leader.entry_meta.source.geo.name: + dashed_name: process-group-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.group_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.group_leader.entry_meta.source.geo.postal_code: + dashed_name: process-group-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.group_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.group_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-group-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.group_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.group_leader.entry_meta.source.geo.region_name: + dashed_name: process-group-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.group_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword + process.group_leader.entry_meta.source.geo.timezone: + dashed_name: process-group-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.group_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.group_leader.entry_meta.source.ip: + dashed_name: process-group-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.group_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.group_leader.entry_meta.source.mac: + dashed_name: process-group-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.group_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.group_leader.entry_meta.source.nat.ip: + dashed_name: process-group-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.group_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.group_leader.entry_meta.source.nat.port: + dashed_name: process-group-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.group_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.group_leader.entry_meta.source.packets: + dashed_name: process-group-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.group_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.group_leader.entry_meta.source.port: + dashed_name: process-group-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.group_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.group_leader.entry_meta.source.registered_domain: + dashed_name: process-group-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.group_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.group_leader.entry_meta.source.subdomain: + dashed_name: process-group-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.group_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.group_leader.entry_meta.source.top_level_domain: + dashed_name: process-group-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + flat_name: process.group_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.group_leader.entry_meta.type: + dashed_name: process-group-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.group_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.group_leader.env_vars: + dashed_name: process-group-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.group_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.group_leader.executable: + dashed_name: process-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.group_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword + process.group_leader.exit_code: + dashed_name: process-group-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.group_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.group_leader.group.domain: + dashed_name: process-group-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.group.id: + dashed_name: process-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.group.name: + dashed_name: process-group-leader-group-name + description: Name of the group. + flat_name: process.group_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.group_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.group_leader.hash.md5: + dashed_name: process-group-leader-hash-md5 + description: MD5 hash. + flat_name: process.group_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.group_leader.hash.sha1: + dashed_name: process-group-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.group_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.group_leader.hash.sha256: + dashed_name: process-group-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.group_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.group_leader.hash.sha384: + dashed_name: process-group-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.group_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.group_leader.hash.sha512: + dashed_name: process-group-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.group_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.group_leader.hash.ssdeep: + dashed_name: process-group-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.group_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. 
+ type: keyword + process.group_leader.hash.tlsh: + dashed_name: process-group-leader-hash-tlsh + description: TLSH hash. + flat_name: process.group_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.group_leader.interactive: + dashed_name: process-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.group_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.group_leader.io: + dashed_name: process-group-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.group_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.group_leader.io.bytes_skipped: + dashed_name: process-group-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. 
+ flat_name: process.group_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.group_leader.io.bytes_skipped.length: + dashed_name: process-group-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.group_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.group_leader.io.bytes_skipped.offset: + dashed_name: process-group-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.group_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.group_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-group-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.group_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.group_leader.io.text: + dashed_name: process-group-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. 
TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.group_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.group_leader.io.total_bytes_captured: + dashed_name: process-group-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.group_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.group_leader.io.total_bytes_skipped: + dashed_name: process-group-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.group_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.group_leader.io.type: + dashed_name: process-group-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.group_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. 
+ type: keyword + process.group_leader.macho.go_import_hash: + dashed_name: process-group-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.group_leader.macho.go_imports: + dashed_name: process-group-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.group_leader.macho.go_imports_names_entropy: + dashed_name: process-group-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.macho.go_imports_names_var_entropy: + dashed_name: process-group-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.group_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.macho.go_stripped: + dashed_name: process-group-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.group_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.group_leader.macho.import_hash: + dashed_name: process-group-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.group_leader.macho.imports: + dashed_name: process-group-leader-macho-imports + description: List of imported element names and types. + flat_name: process.group_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.group_leader.macho.imports_names_entropy: + dashed_name: process-group-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.group_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.group_leader.macho.imports_names_var_entropy: + dashed_name: process-group-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.group_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.group_leader.macho.sections: + dashed_name: process-group-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.group_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.group_leader.macho.sections.entropy: + dashed_name: process-group-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.group_leader.macho.sections.name: + dashed_name: process-group-leader-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.group_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.group_leader.macho.sections.physical_size: + dashed_name: process-group-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.group_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.group_leader.macho.sections.var_entropy: + dashed_name: process-group-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.group_leader.macho.sections.virtual_size: + dashed_name: process-group-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.group_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.group_leader.macho.symhash: + dashed_name: process-group-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.group_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.group_leader.name: + dashed_name: process-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.group_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.group_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.group_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.group_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.group_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.group_leader.pe.architecture: + dashed_name: process-group-leader-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: process.group_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.group_leader.pe.company: + dashed_name: process-group-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.group_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.group_leader.pe.description: + dashed_name: process-group-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.group_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.group_leader.pe.file_version: + dashed_name: process-group-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.group_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.group_leader.pe.go_import_hash: + dashed_name: process-group-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.group_leader.pe.go_imports: + dashed_name: process-group-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.group_leader.pe.go_imports_names_entropy: + dashed_name: process-group-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.pe.go_imports_names_var_entropy: + dashed_name: process-group-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.pe.go_stripped: + dashed_name: process-group-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.group_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.group_leader.pe.imphash: + dashed_name: process-group-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.group_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.group_leader.pe.import_hash: + dashed_name: process-group-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.group_leader.pe.imports: + dashed_name: process-group-leader-pe-imports + description: List of imported element names and types. + flat_name: process.group_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. 
+ type: flattened + process.group_leader.pe.imports_names_entropy: + dashed_name: process-group-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.group_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.group_leader.pe.imports_names_var_entropy: + dashed_name: process-group-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.group_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.group_leader.pe.original_file_name: + dashed_name: process-group-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.group_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.group_leader.pe.pehash: + dashed_name: process-group-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975
+ flat_name: process.group_leader.pe.pehash
+ ignore_above: 1024
+ level: extended
+ name: pehash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the PE header and data from one or more PE sections.
+ type: keyword
+ process.group_leader.pe.product:
+ dashed_name: process-group-leader-pe-product
+ description: Internal product name of the file, provided at compile-time.
+ example: Microsoft® Windows® Operating System
+ flat_name: process.group_leader.pe.product
+ ignore_above: 1024
+ level: extended
+ name: product
+ normalize: []
+ original_fieldset: pe
+ short: Internal product name of the file, provided at compile-time.
+ type: keyword
+ process.group_leader.pe.sections:
+ dashed_name: process-group-leader-pe-sections
+ description: 'An array containing an object for each section of the PE file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `pe.sections.*`.'
+ flat_name: process.group_leader.pe.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: pe
+ short: Section information of the PE file.
+ type: nested
+ process.group_leader.pe.sections.entropy:
+ dashed_name: process-group-leader-pe-sections-entropy
+ description: Shannon entropy calculation from the section.
+ flat_name: process.group_leader.pe.sections.entropy
+ format: number
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the section.
+ type: long
+ process.group_leader.pe.sections.name:
+ dashed_name: process-group-leader-pe-sections-name
+ description: PE Section List name.
+ flat_name: process.group_leader.pe.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List name.
+ type: keyword
+ process.group_leader.pe.sections.physical_size:
+ dashed_name: process-group-leader-pe-sections-physical-size
+ description: PE Section List physical size.
+ flat_name: process.group_leader.pe.sections.physical_size
+ format: bytes
+ level: extended
+ name: sections.physical_size
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List physical size.
+ type: long
+ process.group_leader.pe.sections.var_entropy:
+ dashed_name: process-group-leader-pe-sections-var-entropy
+ description: Variance for Shannon entropy calculation from the section.
+ flat_name: process.group_leader.pe.sections.var_entropy
+ format: number
+ level: extended
+ name: sections.var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the section.
+ type: long
+ process.group_leader.pe.sections.virtual_size:
+ dashed_name: process-group-leader-pe-sections-virtual-size
+ description: PE Section List virtual size. This is always the same as `physical_size`.
+ flat_name: process.group_leader.pe.sections.virtual_size
+ format: string
+ level: extended
+ name: sections.virtual_size
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List virtual size. This is always the same as `physical_size`.
+ type: long
+ process.group_leader.pid:
+ dashed_name: process-group-leader-pid
+ description: Process id.
+ example: 4242
+ flat_name: process.group_leader.pid
+ format: string
+ level: core
+ name: pid
+ normalize: []
+ original_fieldset: process
+ otel:
+ - relation: match
+ stability: development
+ short: Process id.
+ type: long
+ process.group_leader.platform_binary:
+ beta: This field is beta and subject to change.
+ dashed_name: process-group-leader-platform-binary
+ description: Binaries that are shipped by the operating system are defined as
+ platform binaries, this value is then set to true.
+ flat_name: process.group_leader.platform_binary
+ level: extended
+ name: platform_binary
+ normalize: []
+ original_fieldset: process
+ short: Indicates whether this process executable is a default platform binary
+ shipped with the operating system.
+ type: boolean
+ process.group_leader.real_group.domain:
+ dashed_name: process-group-leader-real-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.group_leader.real_group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.group_leader.real_group.id:
+ dashed_name: process-group-leader-real-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.group_leader.real_group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.group_leader.real_group.name:
+ dashed_name: process-group-leader-real-group-name
+ description: Name of the group.
+ flat_name: process.group_leader.real_group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.group_leader.real_user.domain:
+ dashed_name: process-group-leader-real-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.group_leader.real_user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+ process.group_leader.real_user.email:
+ dashed_name: process-group-leader-real-user-email
+ description: User email address.
+ flat_name: process.group_leader.real_user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ process.group_leader.real_user.full_name:
+ dashed_name: process-group-leader-real-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.group_leader.real_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.group_leader.real_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+ process.group_leader.real_user.group.domain:
+ dashed_name: process-group-leader-real-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.group_leader.real_user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.group_leader.real_user.group.id:
+ dashed_name: process-group-leader-real-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.group_leader.real_user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.group_leader.real_user.group.name:
+ dashed_name: process-group-leader-real-user-group-name
+ description: Name of the group.
+ flat_name: process.group_leader.real_user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.group_leader.real_user.hash:
+ dashed_name: process-group-leader-real-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.group_leader.real_user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+ process.group_leader.real_user.id:
+ dashed_name: process-group-leader-real-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.group_leader.real_user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+ process.group_leader.real_user.name:
+ dashed_name: process-group-leader-real-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.group_leader.real_user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.group_leader.real_user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+ process.group_leader.real_user.risk.calculated_level:
+ dashed_name: process-group-leader-real-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.group_leader.real_user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ process.group_leader.real_user.risk.calculated_score:
+ dashed_name: process-group-leader-real-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.group_leader.real_user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ process.group_leader.real_user.risk.calculated_score_norm:
+ dashed_name: process-group-leader-real-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: process.group_leader.real_user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ process.group_leader.real_user.risk.static_level:
+ dashed_name: process-group-leader-real-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.group_leader.real_user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ process.group_leader.real_user.risk.static_score:
+ dashed_name: process-group-leader-real-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.group_leader.real_user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ process.group_leader.real_user.risk.static_score_norm:
+ dashed_name: process-group-leader-real-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.group_leader.real_user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+ process.group_leader.real_user.roles:
+ dashed_name: process-group-leader-real-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.group_leader.real_user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+ process.group_leader.same_as_process:
+ dashed_name: process-group-leader-same-as-process
+ description: 'This boolean is used to identify if a leader process is the same
+ as the top level process.
+
+ For example, if `process.group_leader.same_as_process = true`, it means the
+ process event in question is the leader of its process group. Details under
+ `process.*` like `pid` would be the same under `process.group_leader.*` The
+ same applies for both `process.session_leader` and `process.entry_leader`.
+
+ This field exists to the benefit of EQL and other rule engines since it''s
+ not possible to compare equality between two fields in a single document.
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process
+ is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id`
+ (top level process is the entry session leader)
+
+ Instead these rules could be written like: `process.group_leader.same_as_process:
+ true` OR `process.entry_leader.same_as_process: true`
+
+ Note: This field is only set on `process.entry_leader`, `process.session_leader`
+ and `process.group_leader`.'
+ example: true
+ flat_name: process.group_leader.same_as_process
+ level: extended
+ name: same_as_process
+ normalize: []
+ original_fieldset: process
+ short: This boolean is used to identify if a leader process is the same as the
+ top level process.
+ type: boolean
+ process.group_leader.saved_group.domain:
+ dashed_name: process-group-leader-saved-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.group_leader.saved_group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.group_leader.saved_group.id:
+ dashed_name: process-group-leader-saved-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.group_leader.saved_group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.group_leader.saved_group.name:
+ dashed_name: process-group-leader-saved-group-name
+ description: Name of the group.
+ flat_name: process.group_leader.saved_group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.group_leader.saved_user.domain:
+ dashed_name: process-group-leader-saved-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.group_leader.saved_user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+ process.group_leader.saved_user.email:
+ dashed_name: process-group-leader-saved-user-email
+ description: User email address.
+ flat_name: process.group_leader.saved_user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ process.group_leader.saved_user.full_name:
+ dashed_name: process-group-leader-saved-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.group_leader.saved_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.group_leader.saved_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+ process.group_leader.saved_user.group.domain:
+ dashed_name: process-group-leader-saved-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.group_leader.saved_user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.group_leader.saved_user.group.id:
+ dashed_name: process-group-leader-saved-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.group_leader.saved_user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.group_leader.saved_user.group.name:
+ dashed_name: process-group-leader-saved-user-group-name
+ description: Name of the group.
+ flat_name: process.group_leader.saved_user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.group_leader.saved_user.hash:
+ dashed_name: process-group-leader-saved-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.group_leader.saved_user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+ process.group_leader.saved_user.id:
+ dashed_name: process-group-leader-saved-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.group_leader.saved_user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+ process.group_leader.saved_user.name:
+ dashed_name: process-group-leader-saved-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.group_leader.saved_user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.group_leader.saved_user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+ process.group_leader.saved_user.risk.calculated_level:
+ dashed_name: process-group-leader-saved-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.group_leader.saved_user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ process.group_leader.saved_user.risk.calculated_score:
+ dashed_name: process-group-leader-saved-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.group_leader.saved_user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ process.group_leader.saved_user.risk.calculated_score_norm:
+ dashed_name: process-group-leader-saved-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: process.group_leader.saved_user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ process.group_leader.saved_user.risk.static_level:
+ dashed_name: process-group-leader-saved-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.group_leader.saved_user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ process.group_leader.saved_user.risk.static_score:
+ dashed_name: process-group-leader-saved-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.group_leader.saved_user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ process.group_leader.saved_user.risk.static_score_norm:
+ dashed_name: process-group-leader-saved-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.group_leader.saved_user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+ process.group_leader.saved_user.roles:
+ dashed_name: process-group-leader-saved-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.group_leader.saved_user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+ process.group_leader.start:
+ dashed_name: process-group-leader-start
+ description: The time the process started.
+ example: '2016-05-23T08:05:34.853Z'
+ flat_name: process.group_leader.start
+ level: extended
+ name: start
+ normalize: []
+ original_fieldset: process
+ short: The time the process started.
+ type: date
+ process.group_leader.supplemental_groups.domain:
+ dashed_name: process-group-leader-supplemental-groups-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.group_leader.supplemental_groups.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.group_leader.supplemental_groups.id:
+ dashed_name: process-group-leader-supplemental-groups-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.group_leader.supplemental_groups.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.group_leader.supplemental_groups.name:
+ dashed_name: process-group-leader-supplemental-groups-name
+ description: Name of the group.
+ flat_name: process.group_leader.supplemental_groups.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.group_leader.thread.capabilities.effective:
+ dashed_name: process-group-leader-thread-capabilities-effective
+ description: This is the set of capabilities used by the kernel to perform permission
+ checks for the thread.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ flat_name: process.group_leader.thread.capabilities.effective
+ ignore_above: 1024
+ level: extended
+ name: thread.capabilities.effective
+ normalize:
+ - array
+ original_fieldset: process
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ short: Array of capabilities used for permission checks.
+ synthetic_source_keep: none
+ type: keyword
+ process.group_leader.thread.capabilities.permitted:
+ dashed_name: process-group-leader-thread-capabilities-permitted
+ description: This is a limiting superset for the effective capabilities that
+ the thread may assume.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ flat_name: process.group_leader.thread.capabilities.permitted
+ ignore_above: 1024
+ level: extended
+ name: thread.capabilities.permitted
+ normalize:
+ - array
+ original_fieldset: process
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ short: Array of capabilities a thread could assume.
+ synthetic_source_keep: none
+ type: keyword
+ process.group_leader.thread.id:
+ dashed_name: process-group-leader-thread-id
+ description: Thread ID.
+ example: 4242
+ flat_name: process.group_leader.thread.id
+ format: string
+ level: extended
+ name: thread.id
+ normalize: []
+ original_fieldset: process
+ short: Thread ID.
+ type: long
+ process.group_leader.thread.name:
+ dashed_name: process-group-leader-thread-name
+ description: Thread name.
+ example: thread-0
+ flat_name: process.group_leader.thread.name
+ ignore_above: 1024
+ level: extended
+ name: thread.name
+ normalize: []
+ original_fieldset: process
+ short: Thread name.
+ type: keyword
+ process.group_leader.title:
+ dashed_name: process-group-leader-title
+ description: 'Process title.
+
+ The proctitle, some times the same as process name. Can also be different:
+ for example a browser setting its title to the web page currently opened.'
+ flat_name: process.group_leader.title
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.group_leader.title.text
+ name: text
+ type: match_only_text
+ name: title
+ normalize: []
+ original_fieldset: process
+ short: Process title.
+ type: keyword
+ process.group_leader.tty:
+ dashed_name: process-group-leader-tty
+ description: Information about the controlling TTY device. If set, the process
+ belongs to an interactive session.
+ flat_name: process.group_leader.tty
+ level: extended
+ name: tty
+ normalize: []
+ original_fieldset: process
+ short: Information about the controlling TTY device.
+ type: object
+ process.group_leader.tty.char_device.major:
+ dashed_name: process-group-leader-tty-char-device-major
+ description: The major number identifies the driver associated with the device.
+ The character device's major and minor numbers can be algorithmically combined
+ to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
+ For more details, please refer to the Linux kernel documentation.
+ example: 4
+ flat_name: process.group_leader.tty.char_device.major
+ level: extended
+ name: tty.char_device.major
+ normalize: []
+ original_fieldset: process
+ short: The TTY character device's major number.
+ type: long
+ process.group_leader.tty.char_device.minor:
+ dashed_name: process-group-leader-tty-char-device-minor
+ description: The minor number is used only by the driver specified by the major
+ number; other parts of the kernel don’t use it, and merely pass it along to
+ the driver. It is common for a driver to control several devices; the minor
+ number provides a way for the driver to differentiate among them.
+ example: 1
+ flat_name: process.group_leader.tty.char_device.minor
+ level: extended
+ name: tty.char_device.minor
+ normalize: []
+ original_fieldset: process
+ short: The TTY character device's minor number.
+ type: long
+ process.group_leader.tty.columns:
+ dashed_name: process-group-leader-tty-columns
+ description: 'The number of character columns per line. e.g terminal width
+
+ Terminal sizes can change, so this value reflects the maximum value for a
+ given IO event. i.e. where event.action = ''text_output'''
+ example: 80
+ flat_name: process.group_leader.tty.columns
+ level: extended
+ name: tty.columns
+ normalize: []
+ original_fieldset: process
+ short: The number of character columns per line. e.g terminal width
+ type: long
+ process.group_leader.tty.rows:
+ dashed_name: process-group-leader-tty-rows
+ description: 'The number of character rows in the terminal. e.g terminal height
+
+ Terminal sizes can change, so this value reflects the maximum value for a
+ given IO event. i.e. where event.action = ''text_output'''
+ example: 24
+ flat_name: process.group_leader.tty.rows
+ level: extended
+ name: tty.rows
+ normalize: []
+ original_fieldset: process
+ short: The number of character rows in the terminal. e.g terminal height
+ type: long
+ process.group_leader.uptime:
+ dashed_name: process-group-leader-uptime
+ description: Seconds the process has been up.
+ example: 1325
+ flat_name: process.group_leader.uptime
+ level: extended
+ name: uptime
+ normalize: []
+ original_fieldset: process
+ short: Seconds the process has been up.
+ type: long
+ process.group_leader.user.domain:
+ dashed_name: process-group-leader-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.group_leader.user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+ process.group_leader.user.email:
+ dashed_name: process-group-leader-user-email
+ description: User email address.
+ flat_name: process.group_leader.user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ process.group_leader.user.full_name:
+ dashed_name: process-group-leader-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.group_leader.user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.group_leader.user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+ process.group_leader.user.group.domain:
+ dashed_name: process-group-leader-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.group_leader.user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.group_leader.user.group.id:
+ dashed_name: process-group-leader-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.group_leader.user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.group_leader.user.group.name:
+ dashed_name: process-group-leader-user-group-name
+ description: Name of the group.
+ flat_name: process.group_leader.user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.group_leader.user.hash:
+ dashed_name: process-group-leader-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.group_leader.user.id: + dashed_name: process-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.group_leader.user.name: + dashed_name: process-group-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.group_leader.user.risk.calculated_level: + dashed_name: process-group-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.group_leader.user.risk.calculated_score: + dashed_name: process-group-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.group_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.group_leader.user.risk.calculated_score_norm: + dashed_name: process-group-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.group_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.group_leader.user.risk.static_level: + dashed_name: process-group-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.group_leader.user.risk.static_score: + dashed_name: process-group-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.group_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.group_leader.user.risk.static_score_norm: + dashed_name: process-group-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.group_leader.user.roles: + dashed_name: process-group-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.group_leader.vpid: + dashed_name: process-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.group_leader.working_directory: + dashed_name: process-group-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.group_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. 
+ type: keyword + process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.hash.md5: + dashed_name: process-hash-md5 + description: MD5 hash. + flat_name: process.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.hash.sha1: + dashed_name: process-hash-sha1 + description: SHA1 hash. + flat_name: process.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.hash.sha256: + dashed_name: process-hash-sha256 + description: SHA256 hash. + flat_name: process.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.hash.sha384: + dashed_name: process-hash-sha384 + description: SHA384 hash. + flat_name: process.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.hash.sha512: + dashed_name: process-hash-sha512 + description: SHA512 hash. + flat_name: process.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.hash.ssdeep: + dashed_name: process-hash-ssdeep + description: SSDEEP hash. + flat_name: process.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. 
+ type: keyword + process.hash.tlsh: + dashed_name: process-hash-tlsh + description: TLSH hash. + flat_name: process.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.interactive: + dashed_name: process-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.interactive + level: extended + name: interactive + normalize: [] + otel: + - relation: match + stability: development + short: Whether the process is connected to an interactive shell. + type: boolean + process.io: + dashed_name: process-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.io + level: extended + name: io + normalize: [] + short: A chunk of input or output (IO) from a single process. + type: object + process.io.bytes_skipped: + dashed_name: process-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + short: An array of byte offsets and lengths denoting where IO data has been + skipped. 
+ type: object + process.io.bytes_skipped.length: + dashed_name: process-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + short: The length of bytes skipped. + type: long + process.io.bytes_skipped.offset: + dashed_name: process-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.io.max_bytes_per_process_exceeded: + dashed_name: process-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.io.text: + dashed_name: process-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.io.text + level: extended + name: io.text + normalize: [] + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.io.total_bytes_captured: + dashed_name: process-io-total-bytes-captured + description: The total number of bytes captured in this event. 
+ flat_name: process.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + short: The total number of bytes captured in this event. + type: long + process.io.total_bytes_skipped: + dashed_name: process-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.io.type: + dashed_name: process-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.macho.go_import_hash: + dashed_name: process-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. 
+ type: keyword + process.macho.go_imports: + dashed_name: process-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.macho.go_imports_names_entropy: + dashed_name: process-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.macho.go_imports_names_var_entropy: + dashed_name: process-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.macho.go_stripped: + dashed_name: process-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.macho.import_hash: + dashed_name: process-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.macho.imports: + dashed_name: process-macho-imports + description: List of imported element names and types. + flat_name: process.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.macho.imports_names_entropy: + dashed_name: process-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.macho.imports_names_var_entropy: + dashed_name: process-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.macho.sections: + dashed_name: process-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. 
+ type: nested + process.macho.sections.entropy: + dashed_name: process-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.macho.sections.name: + dashed_name: process-macho-sections-name + description: Mach-O Section List name. + flat_name: process.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.macho.sections.physical_size: + dashed_name: process-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.macho.sections.var_entropy: + dashed_name: process-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.macho.sections.virtual_size: + dashed_name: process-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.macho.symhash: + dashed_name: process-macho-symhash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.name: + dashed_name: process-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: Process name. + type: keyword + process.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + short: The URL where the process's executable file is hosted. + type: keyword + process.parent.args: + dashed_name: process-parent-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.parent.args_count: + dashed_name: process-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.parent.attested_groups.domain: + dashed_name: process-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.attested_groups.id: + dashed_name: process-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.attested_groups.name: + dashed_name: process-parent-attested-groups-name + description: Name of the group. + flat_name: process.parent.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.parent.attested_user.domain: + dashed_name: process-parent-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.attested_user.email: + dashed_name: process-parent-attested-user-email + description: User email address. + flat_name: process.parent.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.attested_user.full_name: + dashed_name: process-parent-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.attested_user.group.domain: + dashed_name: process-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.attested_user.group.id: + dashed_name: process-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.attested_user.group.name: + dashed_name: process-parent-attested-user-group-name + description: Name of the group. + flat_name: process.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.attested_user.hash: + dashed_name: process-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.attested_user.id: + dashed_name: process-parent-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.attested_user.name: + dashed_name: process-parent-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword + process.parent.attested_user.risk.calculated_level: + dashed_name: process-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.attested_user.risk.calculated_score: + dashed_name: process-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.attested_user.risk.static_level: + dashed_name: process-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.attested_user.risk.static_score: + dashed_name: process-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.attested_user.risk.static_score_norm: + dashed_name: process-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.attested_user.roles: + dashed_name: process-parent-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.parent.code_signature.digest_algorithm: + dashed_name: process-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. 
+ type: keyword + process.parent.code_signature.status: + dashed_name: process-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. 
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.parent.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.parent.code_signature.timestamp: + dashed_name: process-parent-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.parent.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. 
+ type: boolean + process.parent.command_line: + dashed_name: process-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.parent.command_line + level: extended + multi_fields: + - flat_name: process.parent.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.parent.elf.architecture: + dashed_name: process-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.parent.elf.byte_order: + dashed_name: process-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.parent.elf.cpu_type: + dashed_name: process-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.parent.elf.creation_date: + dashed_name: process-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. 
+ flat_name: process.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.parent.elf.exports: + dashed_name: process-parent-elf-exports + description: List of exported element names and types. + flat_name: process.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.parent.elf.go_import_hash: + dashed_name: process-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.parent.elf.go_imports: + dashed_name: process-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.parent.elf.go_imports_names_entropy: + dashed_name: process-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.elf.go_imports_names_var_entropy: + dashed_name: process-parent-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.elf.go_stripped: + dashed_name: process-parent-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.parent.elf.header.abi_version: + dashed_name: process-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.parent.elf.header.class: + dashed_name: process-parent-elf-header-class + description: Header class of the ELF file. + flat_name: process.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. 
+ type: keyword + process.parent.elf.header.data: + dashed_name: process-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.parent.elf.header.entrypoint: + dashed_name: process-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.parent.elf.header.object_version: + dashed_name: process-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.parent.elf.header.os_abi: + dashed_name: process-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.parent.elf.header.type: + dashed_name: process-parent-elf-header-type + description: Header type of the ELF file. + flat_name: process.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.parent.elf.header.version: + dashed_name: process-parent-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.parent.elf.import_hash: + dashed_name: process-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.parent.elf.imports: + dashed_name: process-parent-elf-imports + description: List of imported element names and types. + flat_name: process.parent.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.parent.elf.imports_names_entropy: + dashed_name: process-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.elf.imports_names_var_entropy: + dashed_name: process-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.parent.elf.sections: + dashed_name: process-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.parent.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.parent.elf.sections.chi2: + dashed_name: process-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.parent.elf.sections.entropy: + dashed_name: process-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.parent.elf.sections.flags: + dashed_name: process-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.parent.elf.sections.name: + dashed_name: process-parent-elf-sections-name + description: ELF Section List name. 
+ flat_name: process.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.parent.elf.sections.physical_offset: + dashed_name: process-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.parent.elf.sections.physical_size: + dashed_name: process-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.parent.elf.sections.type: + dashed_name: process-parent-elf-sections-type + description: ELF Section List type. + flat_name: process.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.parent.elf.sections.var_entropy: + dashed_name: process-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.elf.sections.virtual_address: + dashed_name: process-parent-elf-sections-virtual-address + description: ELF Section List virtual address. 
+ flat_name: process.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.parent.elf.sections.virtual_size: + dashed_name: process-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.parent.elf.segments: + dashed_name: process-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.parent.elf.segments.sections: + dashed_name: process-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.parent.elf.segments.type: + dashed_name: process-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.parent.elf.shared_libraries: + dashed_name: process-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: process.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.parent.elf.telfhash: + dashed_name: process-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.parent.end: + dashed_name: process-parent-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.parent.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.parent.entity_id: + dashed_name: process-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + flat_name: process.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.parent.entry_meta.source.address: + dashed_name: process-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.parent.entry_meta.source.as.number: + dashed_name: process-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.parent.entry_meta.source.as.organization.name: + dashed_name: process-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.parent.entry_meta.source.bytes: + dashed_name: process-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. 
+ example: 184 + flat_name: process.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.parent.entry_meta.source.domain: + dashed_name: process-parent-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.parent.entry_meta.source.geo.city_name: + dashed_name: process-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.parent.entry_meta.source.geo.continent_code: + dashed_name: process-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.parent.entry_meta.source.geo.continent_name: + dashed_name: process-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. 
+ type: keyword + process.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.parent.entry_meta.source.geo.country_name: + dashed_name: process-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.parent.entry_meta.source.geo.location: + dashed_name: process-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.parent.entry_meta.source.geo.name: + dashed_name: process-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.parent.entry_meta.source.geo.postal_code: + dashed_name: process-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.parent.entry_meta.source.geo.region_name: + dashed_name: process-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.parent.entry_meta.source.geo.timezone: + dashed_name: process-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.parent.entry_meta.source.ip: + dashed_name: process-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.parent.entry_meta.source.mac: + dashed_name: process-parent-entry-meta-source-mac + description: 'MAC address of the source. 
+ + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.parent.entry_meta.source.nat.ip: + dashed_name: process-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.parent.entry_meta.source.nat.port: + dashed_name: process-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.parent.entry_meta.source.packets: + dashed_name: process-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.parent.entry_meta.source.port: + dashed_name: process-parent-entry-meta-source-port + description: Port of the source. 
+ flat_name: process.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.parent.entry_meta.source.registered_domain: + dashed_name: process-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.parent.entry_meta.source.subdomain: + dashed_name: process-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. 
+ type: keyword + process.parent.entry_meta.source.top_level_domain: + dashed_name: process-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.parent.entry_meta.type: + dashed_name: process-parent-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.parent.env_vars: + dashed_name: process-parent-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. 
+ synthetic_source_keep: none + type: keyword + process.parent.executable: + dashed_name: process-parent-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.parent.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.parent.exit_code: + dashed_name: process-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.parent.group.domain: + dashed_name: process-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group.id: + dashed_name: process-parent-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group.name: + dashed_name: process-parent-group-name + description: Name of the group. + flat_name: process.parent.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.parent.group_leader.args: + dashed_name: process-parent-group-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.parent.group_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.parent.group_leader.args_count: + dashed_name: process-parent-group-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.parent.group_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.parent.group_leader.attested_groups.domain: + dashed_name: process-parent-group-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.attested_groups.id: + dashed_name: process-parent-group-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.parent.group_leader.attested_groups.name: + dashed_name: process-parent-group-leader-attested-groups-name + description: Name of the group. + flat_name: process.parent.group_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.attested_user.domain: + dashed_name: process-parent-group-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.group_leader.attested_user.email: + dashed_name: process-parent-group-leader-attested-user-email + description: User email address. + flat_name: process.parent.group_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.group_leader.attested_user.full_name: + dashed_name: process-parent-group-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.group_leader.attested_user.group.domain: + dashed_name: process-parent-group-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.group_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.attested_user.group.id: + dashed_name: process-parent-group-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.attested_user.group.name: + dashed_name: process-parent-group-leader-attested-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.attested_user.hash: + dashed_name: process-parent-group-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.group_leader.attested_user.id: + dashed_name: process-parent-group-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.parent.group_leader.attested_user.name: + dashed_name: process-parent-group-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.group_leader.attested_user.risk.calculated_level: + dashed_name: process-parent-group-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.group_leader.attested_user.risk.calculated_score: + dashed_name: process-parent-group-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.parent.group_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.group_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.group_leader.attested_user.risk.static_level: + dashed_name: process-parent-group-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.group_leader.attested_user.risk.static_score: + dashed_name: process-parent-group-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.parent.group_leader.attested_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.group_leader.attested_user.roles: + dashed_name: process-parent-group-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.code_signature.digest_algorithm: + dashed_name: process-parent-group-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.parent.group_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.parent.group_leader.code_signature.exists: + dashed_name: process-parent-group-leader-code-signature-exists + description: Boolean to capture if a signature is present. 
+ example: 'true' + flat_name: process.parent.group_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.parent.group_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.group_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.parent.group_leader.code_signature.signing_id: + dashed_name: process-parent-group-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.group_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.parent.group_leader.code_signature.status: + dashed_name: process-parent-group-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.group_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword + process.parent.group_leader.code_signature.subject_name: + dashed_name: process-parent-group-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.group_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.parent.group_leader.code_signature.team_id: + dashed_name: process-parent-group-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.group_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.parent.group_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.parent.group_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.parent.group_leader.code_signature.timestamp: + dashed_name: process-parent-group-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + flat_name: process.parent.group_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.parent.group_leader.code_signature.trusted: + dashed_name: process-parent-group-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.group_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.parent.group_leader.code_signature.valid: + dashed_name: process-parent-group-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.parent.group_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.parent.group_leader.command_line: + dashed_name: process-parent-group-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.parent.group_leader.command_line + level: extended + multi_fields: + - flat_name: process.parent.group_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.parent.group_leader.elf.architecture: + dashed_name: process-parent-group-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.group_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.parent.group_leader.elf.byte_order: + dashed_name: process-parent-group-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.parent.group_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.parent.group_leader.elf.cpu_type: + dashed_name: process-parent-group-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.group_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.parent.group_leader.elf.creation_date: + dashed_name: process-parent-group-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.parent.group_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. 
+ type: date + process.parent.group_leader.elf.exports: + dashed_name: process-parent-group-leader-elf-exports + description: List of exported element names and types. + flat_name: process.parent.group_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.parent.group_leader.elf.go_import_hash: + dashed_name: process-parent-group-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.parent.group_leader.elf.go_imports: + dashed_name: process-parent-group-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.parent.group_leader.elf.go_imports_names_entropy: + dashed_name: process-parent-group-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.group_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.group_leader.elf.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.group_leader.elf.go_stripped: + dashed_name: process-parent-group-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.parent.group_leader.elf.header.abi_version: + dashed_name: process-parent-group-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.parent.group_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.parent.group_leader.elf.header.class: + dashed_name: process-parent-group-leader-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.parent.group_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.parent.group_leader.elf.header.data: + dashed_name: process-parent-group-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.group_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.parent.group_leader.elf.header.entrypoint: + dashed_name: process-parent-group-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.group_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.parent.group_leader.elf.header.object_version: + dashed_name: process-parent-group-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.group_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.parent.group_leader.elf.header.os_abi: + dashed_name: process-parent-group-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.parent.group_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.parent.group_leader.elf.header.type: + dashed_name: process-parent-group-leader-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.parent.group_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.parent.group_leader.elf.header.version: + dashed_name: process-parent-group-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.group_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.parent.group_leader.elf.import_hash: + dashed_name: process-parent-group-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.parent.group_leader.elf.imports: + dashed_name: process-parent-group-leader-elf-imports + description: List of imported element names and types. + flat_name: process.parent.group_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.parent.group_leader.elf.imports_names_entropy: + dashed_name: process-parent-group-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.parent.group_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.group_leader.elf.imports_names_var_entropy: + dashed_name: process-parent-group-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.parent.group_leader.elf.sections: + dashed_name: process-parent-group-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.parent.group_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.parent.group_leader.elf.sections.chi2: + dashed_name: process-parent-group-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.parent.group_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.parent.group_leader.elf.sections.entropy: + dashed_name: process-parent-group-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.parent.group_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.parent.group_leader.elf.sections.flags: + dashed_name: process-parent-group-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.group_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.parent.group_leader.elf.sections.name: + dashed_name: process-parent-group-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.parent.group_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.parent.group_leader.elf.sections.physical_offset: + dashed_name: process-parent-group-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.group_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.parent.group_leader.elf.sections.physical_size: + dashed_name: process-parent-group-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.parent.group_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.parent.group_leader.elf.sections.type: + dashed_name: process-parent-group-leader-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.parent.group_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.parent.group_leader.elf.sections.var_entropy: + dashed_name: process-parent-group-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.group_leader.elf.sections.virtual_address: + dashed_name: process-parent-group-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.parent.group_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.parent.group_leader.elf.sections.virtual_size: + dashed_name: process-parent-group-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.group_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.parent.group_leader.elf.segments: + dashed_name: process-parent-group-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.parent.group_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. 
+ type: nested + process.parent.group_leader.elf.segments.sections: + dashed_name: process-parent-group-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.group_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.parent.group_leader.elf.segments.type: + dashed_name: process-parent-group-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.parent.group_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.parent.group_leader.elf.shared_libraries: + dashed_name: process-parent-group-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.parent.group_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.parent.group_leader.elf.telfhash: + dashed_name: process-parent-group-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.parent.group_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.parent.group_leader.end: + dashed_name: process-parent-group-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.parent.group_leader.endpoint_security_client: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.parent.group_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.parent.group_leader.entity_id: + dashed_name: process-parent-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.parent.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.parent.group_leader.entry_meta.source.address: + dashed_name: process-parent-group-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.parent.group_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. 
+ type: keyword + process.parent.group_leader.entry_meta.source.as.number: + dashed_name: process-parent-group-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.parent.group_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.parent.group_leader.entry_meta.source.as.organization.name: + dashed_name: process-parent-group-leader-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.parent.group_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.parent.group_leader.entry_meta.source.bytes: + dashed_name: process-parent-group-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.parent.group_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.parent.group_leader.entry_meta.source.domain: + dashed_name: process-parent-group-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' 
+ example: foo.example.com + flat_name: process.parent.group_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.parent.group_leader.entry_meta.source.geo.city_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.parent.group_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.parent.group_leader.entry_meta.source.geo.continent_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.parent.group_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.parent.group_leader.entry_meta.source.geo.continent_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.parent.group_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.parent.group_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.parent.group_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. 
+ type: keyword + process.parent.group_leader.entry_meta.source.geo.country_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.parent.group_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.parent.group_leader.entry_meta.source.geo.location: + dashed_name: process-parent-group-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.parent.group_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.parent.group_leader.entry_meta.source.geo.name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.parent.group_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.parent.group_leader.entry_meta.source.geo.postal_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' 
+ example: 94040 + flat_name: process.parent.group_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.parent.group_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.parent.group_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.parent.group_leader.entry_meta.source.geo.region_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.parent.group_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.parent.group_leader.entry_meta.source.geo.timezone: + dashed_name: process-parent-group-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.parent.group_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.parent.group_leader.entry_meta.source.ip: + dashed_name: process-parent-group-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.parent.group_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip + process.parent.group_leader.entry_meta.source.mac: + dashed_name: process-parent-group-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.parent.group_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.parent.group_leader.entry_meta.source.nat.ip: + dashed_name: process-parent-group-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.parent.group_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.parent.group_leader.entry_meta.source.nat.port: + dashed_name: process-parent-group-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.parent.group_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.parent.group_leader.entry_meta.source.packets: + dashed_name: process-parent-group-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. 
+ example: 12 + flat_name: process.parent.group_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.parent.group_leader.entry_meta.source.port: + dashed_name: process-parent-group-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.parent.group_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.parent.group_leader.entry_meta.source.registered_domain: + dashed_name: process-parent-group-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.parent.group_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.parent.group_leader.entry_meta.source.subdomain: + dashed_name: process-parent-group-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.parent.group_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.parent.group_leader.entry_meta.source.top_level_domain: + dashed_name: process-parent-group-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.parent.group_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.parent.group_leader.entry_meta.type: + dashed_name: process-parent-group-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.parent.group_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.parent.group_leader.env_vars: + dashed_name: process-parent-group-leader-env-vars + description: 'Array of environment variable bindings. 
Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.parent.group_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.executable: + dashed_name: process-parent-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.parent.group_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.parent.group_leader.exit_code: + dashed_name: process-parent-group-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.parent.group_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.parent.group_leader.group.domain: + dashed_name: process-parent-group-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.parent.group_leader.group.id: + dashed_name: process-parent-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.group.name: + dashed_name: process-parent-group-leader-group-name + description: Name of the group. + flat_name: process.parent.group_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.group_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.parent.group_leader.hash.md5: + dashed_name: process-parent-group-leader-hash-md5 + description: MD5 hash. + flat_name: process.parent.group_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.parent.group_leader.hash.sha1: + dashed_name: process-parent-group-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.parent.group_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.parent.group_leader.hash.sha256: + dashed_name: process-parent-group-leader-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.parent.group_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.parent.group_leader.hash.sha384: + dashed_name: process-parent-group-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.parent.group_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.parent.group_leader.hash.sha512: + dashed_name: process-parent-group-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.parent.group_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.parent.group_leader.hash.ssdeep: + dashed_name: process-parent-group-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.group_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.parent.group_leader.hash.tlsh: + dashed_name: process-parent-group-leader-hash-tlsh + description: TLSH hash. + flat_name: process.parent.group_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.parent.group_leader.interactive: + dashed_name: process-parent-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.parent.group_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.parent.group_leader.io: + dashed_name: process-parent-group-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.parent.group_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.parent.group_leader.io.bytes_skipped: + dashed_name: process-parent-group-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.parent.group_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.parent.group_leader.io.bytes_skipped.length: + dashed_name: process-parent-group-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.parent.group_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long + process.parent.group_leader.io.bytes_skipped.offset: + dashed_name: process-parent-group-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.parent.group_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.parent.group_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-parent-group-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.parent.group_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.parent.group_leader.io.text: + dashed_name: process-parent-group-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.parent.group_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard + process.parent.group_leader.io.total_bytes_captured: + dashed_name: process-parent-group-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.parent.group_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.parent.group_leader.io.total_bytes_skipped: + dashed_name: process-parent-group-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.parent.group_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.parent.group_leader.io.type: + dashed_name: process-parent-group-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.parent.group_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.parent.group_leader.macho.go_import_hash: + dashed_name: process-parent-group-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.parent.group_leader.macho.go_imports: + dashed_name: process-parent-group-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.parent.group_leader.macho.go_imports_names_entropy: + dashed_name: process-parent-group-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.group_leader.macho.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.parent.group_leader.macho.go_stripped: + dashed_name: process-parent-group-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.parent.group_leader.macho.import_hash: + dashed_name: process-parent-group-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.parent.group_leader.macho.imports: + dashed_name: process-parent-group-leader-macho-imports + description: List of imported element names and types. + flat_name: process.parent.group_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.parent.group_leader.macho.imports_names_entropy: + dashed_name: process-parent-group-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.parent.group_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.group_leader.macho.imports_names_var_entropy: + dashed_name: process-parent-group-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.parent.group_leader.macho.sections: + dashed_name: process-parent-group-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.parent.group_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.parent.group_leader.macho.sections.entropy: + dashed_name: process-parent-group-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.parent.group_leader.macho.sections.name: + dashed_name: process-parent-group-leader-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.parent.group_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.parent.group_leader.macho.sections.physical_size: + dashed_name: process-parent-group-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.parent.group_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.parent.group_leader.macho.sections.var_entropy: + dashed_name: process-parent-group-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.group_leader.macho.sections.virtual_size: + dashed_name: process-parent-group-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.group_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.parent.group_leader.macho.symhash: + dashed_name: process-parent-group-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.group_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.parent.group_leader.name: + dashed_name: process-parent-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.parent.group_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.parent.group_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.parent.group_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.parent.group_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.parent.group_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword + process.parent.group_leader.pe.architecture: + dashed_name: process-parent-group-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.parent.group_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.parent.group_leader.pe.company: + dashed_name: process-parent-group-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.parent.group_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.parent.group_leader.pe.description: + dashed_name: process-parent-group-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.parent.group_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.parent.group_leader.pe.file_version: + dashed_name: process-parent-group-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.parent.group_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.parent.group_leader.pe.go_import_hash: + dashed_name: process-parent-group-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.parent.group_leader.pe.go_imports: + dashed_name: process-parent-group-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.parent.group_leader.pe.go_imports_names_entropy: + dashed_name: process-parent-group-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.group_leader.pe.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.parent.group_leader.pe.go_stripped: + dashed_name: process-parent-group-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.parent.group_leader.pe.imphash: + dashed_name: process-parent-group-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.group_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.parent.group_leader.pe.import_hash: + dashed_name: process-parent-group-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.parent.group_leader.pe.imports: + dashed_name: process-parent-group-leader-pe-imports + description: List of imported element names and types. 
+ flat_name: process.parent.group_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.parent.group_leader.pe.imports_names_entropy: + dashed_name: process-parent-group-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.group_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.group_leader.pe.imports_names_var_entropy: + dashed_name: process-parent-group-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.parent.group_leader.pe.original_file_name: + dashed_name: process-parent-group-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.parent.group_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.parent.group_leader.pe.pehash: + dashed_name: process-parent-group-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. 
+ + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.parent.group_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.parent.group_leader.pe.product: + dashed_name: process-parent-group-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.parent.group_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.parent.group_leader.pe.sections: + dashed_name: process-parent-group-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.parent.group_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.parent.group_leader.pe.sections.entropy: + dashed_name: process-parent-group-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.parent.group_leader.pe.sections.name: + dashed_name: process-parent-group-leader-pe-sections-name + description: PE Section List name. 
+ flat_name: process.parent.group_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.parent.group_leader.pe.sections.physical_size: + dashed_name: process-parent-group-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.group_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.parent.group_leader.pe.sections.var_entropy: + dashed_name: process-parent-group-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.group_leader.pe.sections.virtual_size: + dashed_name: process-parent-group-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.group_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.parent.group_leader.pid: + dashed_name: process-parent-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.parent.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.parent.group_leader.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.parent.group_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.parent.group_leader.real_group.domain: + dashed_name: process-parent-group-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.real_group.id: + dashed_name: process-parent-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.real_group.name: + dashed_name: process-parent-group-leader-real-group-name + description: Name of the group. + flat_name: process.parent.group_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.real_user.domain: + dashed_name: process-parent-group-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.group_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.group_leader.real_user.email: + dashed_name: process-parent-group-leader-real-user-email + description: User email address. + flat_name: process.parent.group_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.group_leader.real_user.full_name: + dashed_name: process-parent-group-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.group_leader.real_user.group.domain: + dashed_name: process-parent-group-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.real_user.group.id: + dashed_name: process-parent-group-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.parent.group_leader.real_user.group.name: + dashed_name: process-parent-group-leader-real-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.real_user.hash: + dashed_name: process-parent-group-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.group_leader.real_user.id: + dashed_name: process-parent-group-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.group_leader.real_user.name: + dashed_name: process-parent-group-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword + process.parent.group_leader.real_user.risk.calculated_level: + dashed_name: process-parent-group-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.group_leader.real_user.risk.calculated_score: + dashed_name: process-parent-group-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.group_leader.real_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.group_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.parent.group_leader.real_user.risk.static_level: + dashed_name: process-parent-group-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.group_leader.real_user.risk.static_score: + dashed_name: process-parent-group-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.group_leader.real_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.group_leader.real_user.roles: + dashed_name: process-parent-group-leader-real-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.same_as_process: + dashed_name: process-parent-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.parent.group_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.parent.group_leader.saved_group.domain: + dashed_name: process-parent-group-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.group_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.saved_group.id: + dashed_name: process-parent-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.saved_group.name: + dashed_name: process-parent-group-leader-saved-group-name + description: Name of the group. + flat_name: process.parent.group_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.saved_user.domain: + dashed_name: process-parent-group-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.group_leader.saved_user.email: + dashed_name: process-parent-group-leader-saved-user-email + description: User email address. + flat_name: process.parent.group_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.group_leader.saved_user.full_name: + dashed_name: process-parent-group-leader-saved-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.parent.group_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.group_leader.saved_user.group.domain: + dashed_name: process-parent-group-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.saved_user.group.id: + dashed_name: process-parent-group-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.saved_user.group.name: + dashed_name: process-parent-group-leader-saved-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.saved_user.hash: + dashed_name: process-parent-group-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.parent.group_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.group_leader.saved_user.id: + dashed_name: process-parent-group-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.group_leader.saved_user.name: + dashed_name: process-parent-group-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.group_leader.saved_user.risk.calculated_level: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.parent.group_leader.saved_user.risk.calculated_score: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.group_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.group_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.group_leader.saved_user.risk.static_level: + dashed_name: process-parent-group-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: keyword + process.parent.group_leader.saved_user.risk.static_score: + dashed_name: process-parent-group-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.group_leader.saved_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.group_leader.saved_user.roles: + dashed_name: process-parent-group-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.start: + dashed_name: process-parent-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. 
+ type: date + process.parent.group_leader.supplemental_groups.domain: + dashed_name: process-parent-group-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.supplemental_groups.id: + dashed_name: process-parent-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.supplemental_groups.name: + dashed_name: process-parent-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.parent.group_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.thread.capabilities.effective: + dashed_name: process-parent-group-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.group_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. 
+ synthetic_source_keep: none + type: keyword + process.parent.group_leader.thread.capabilities.permitted: + dashed_name: process-parent-group-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.group_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.thread.id: + dashed_name: process-parent-group-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.group_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.parent.group_leader.thread.name: + dashed_name: process-parent-group-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.group_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.parent.group_leader.title: + dashed_name: process-parent-group-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.parent.group_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. 
+ type: keyword + process.parent.group_leader.tty: + dashed_name: process-parent-group-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.parent.group_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.parent.group_leader.tty.char_device.major: + dashed_name: process-parent-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.parent.group_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.parent.group_leader.tty.char_device.minor: + dashed_name: process-parent-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.parent.group_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.parent.group_leader.tty.columns: + dashed_name: process-parent-group-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. 
where event.action = ''text_output''' + example: 80 + flat_name: process.parent.group_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.parent.group_leader.tty.rows: + dashed_name: process-parent-group-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.parent.group_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.parent.group_leader.uptime: + dashed_name: process-parent-group-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.parent.group_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.parent.group_leader.user.domain: + dashed_name: process-parent-group-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.group_leader.user.email: + dashed_name: process-parent-group-leader-user-email + description: User email address. + flat_name: process.parent.group_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword + process.parent.group_leader.user.full_name: + dashed_name: process-parent-group-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.group_leader.user.group.domain: + dashed_name: process-parent-group-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.user.group.id: + dashed_name: process-parent-group-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.user.group.name: + dashed_name: process-parent-group-leader-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.user.hash: + dashed_name: process-parent-group-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.group_leader.user.id: + dashed_name: process-parent-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.group_leader.user.name: + dashed_name: process-parent-group-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.group_leader.user.risk.calculated_level: + dashed_name: process-parent-group-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.parent.group_leader.user.risk.calculated_score: + dashed_name: process-parent-group-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.group_leader.user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.group_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.group_leader.user.risk.static_level: + dashed_name: process-parent-group-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.group_leader.user.risk.static_score: + dashed_name: process-parent-group-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.parent.group_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.group_leader.user.risk.static_score_norm: + dashed_name: process-parent-group-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.group_leader.user.roles: + dashed_name: process-parent-group-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.parent.group_leader.working_directory: + dashed_name: process-parent-group-leader-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.parent.group_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.parent.hash.md5: + dashed_name: process-parent-hash-md5 + description: MD5 hash. + flat_name: process.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.parent.hash.sha1: + dashed_name: process-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.parent.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.parent.hash.sha256: + dashed_name: process-parent-hash-sha256 + description: SHA256 hash. + flat_name: process.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.parent.hash.sha384: + dashed_name: process-parent-hash-sha384 + description: SHA384 hash. + flat_name: process.parent.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. 
+ type: keyword + process.parent.hash.sha512: + dashed_name: process-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.parent.hash.ssdeep: + dashed_name: process-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.parent.hash.tlsh: + dashed_name: process-parent-hash-tlsh + description: TLSH hash. + flat_name: process.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.parent.interactive: + dashed_name: process-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.parent.io: + dashed_name: process-parent-io + description: 'A chunk of input or output (IO) from a single process. 
+ + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.parent.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.parent.io.bytes_skipped: + dashed_name: process-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.parent.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.parent.io.bytes_skipped.length: + dashed_name: process-parent-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.parent.io.bytes_skipped.offset: + dashed_name: process-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. 
+ flat_name: process.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.parent.io.text: + dashed_name: process-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.parent.io.total_bytes_captured: + dashed_name: process-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.parent.io.total_bytes_skipped: + dashed_name: process-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. 
+ type: long + process.parent.io.type: + dashed_name: process-parent-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.parent.macho.go_import_hash: + dashed_name: process-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.parent.macho.go_imports: + dashed_name: process-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.parent.macho.go_imports_names_entropy: + dashed_name: process-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.macho.go_imports_names_var_entropy: + dashed_name: process-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.macho.go_stripped: + dashed_name: process-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.parent.macho.import_hash: + dashed_name: process-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.parent.macho.imports: + dashed_name: process-parent-macho-imports + description: List of imported element names and types. 
+ flat_name: process.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.parent.macho.imports_names_entropy: + dashed_name: process-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.macho.imports_names_var_entropy: + dashed_name: process-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.parent.macho.sections: + dashed_name: process-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.parent.macho.sections.entropy: + dashed_name: process-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.parent.macho.sections.name: + dashed_name: process-parent-macho-sections-name + description: Mach-O Section List name. + flat_name: process.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.parent.macho.sections.physical_size: + dashed_name: process-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.parent.macho.sections.var_entropy: + dashed_name: process-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.macho.sections.virtual_size: + dashed_name: process-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.parent.macho.symhash: + dashed_name: process-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.parent.name: + dashed_name: process-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.parent.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.parent.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.parent.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword + process.parent.pe.architecture: + dashed_name: process-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.parent.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.parent.pe.company: + dashed_name: process-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.parent.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.parent.pe.description: + dashed_name: process-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.parent.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.parent.pe.file_version: + dashed_name: process-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.parent.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.parent.pe.go_import_hash: + dashed_name: process-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.parent.pe.go_imports: + dashed_name: process-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.parent.pe.go_imports_names_entropy: + dashed_name: process-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.pe.go_imports_names_var_entropy: + dashed_name: process-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.pe.go_stripped: + dashed_name: process-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.parent.pe.imphash: + dashed_name: process-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.parent.pe.import_hash: + dashed_name: process-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of imported element names and types. + flat_name: process.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.parent.pe.imports_names_entropy: + dashed_name: process-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.pe.imports_names_var_entropy: + dashed_name: process-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.parent.pe.original_file_name: + dashed_name: process-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.parent.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.parent.pe.pehash: + dashed_name: process-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.parent.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.parent.pe.product: + dashed_name: process-parent-pe-product + description: Internal product name of the file, provided at compile-time. 
+ example: Microsoft® Windows® Operating System + flat_name: process.parent.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: PE Section List name. + flat_name: process.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.parent.pe.sections.physical_size: + dashed_name: process-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.parent.pe.sections.var_entropy: + dashed_name: process-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: process.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.pe.sections.virtual_size: + dashed_name: process-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.parent.pid: + dashed_name: process-parent-pid + description: Process id. + example: 4242 + flat_name: process.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.parent.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.parent.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.parent.real_group.domain: + dashed_name: process-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.parent.real_group.id: + dashed_name: process-parent-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.real_group.name: + dashed_name: process-parent-real-group-name + description: Name of the group. + flat_name: process.parent.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.real_user.domain: + dashed_name: process-parent-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.real_user.email: + dashed_name: process-parent-real-user-email + description: User email address. + flat_name: process.parent.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.real_user.full_name: + dashed_name: process-parent-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: keyword + process.parent.real_user.group.domain: + dashed_name: process-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.real_user.group.id: + dashed_name: process-parent-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.real_user.group.name: + dashed_name: process-parent-real-user-group-name + description: Name of the group. + flat_name: process.parent.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.real_user.hash: + dashed_name: process-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.real_user.id: + dashed_name: process-parent-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.parent.real_user.name: + dashed_name: process-parent-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.real_user.risk.calculated_level: + dashed_name: process-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.real_user.risk.calculated_score: + dashed_name: process-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.real_user.risk.calculated_score_norm: + dashed_name: process-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + flat_name: process.parent.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.real_user.risk.static_level: + dashed_name: process-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.real_user.risk.static_score: + dashed_name: process-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.real_user.risk.static_score_norm: + dashed_name: process-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float + process.parent.real_user.roles: + dashed_name: process-parent-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.same_as_process: + dashed_name: process-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.parent.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.parent.saved_group.domain: + dashed_name: process-parent-saved-group-domain + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.saved_group.id: + dashed_name: process-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.saved_group.name: + dashed_name: process-parent-saved-group-name + description: Name of the group. + flat_name: process.parent.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.saved_user.domain: + dashed_name: process-parent-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.saved_user.email: + dashed_name: process-parent-saved-user-email + description: User email address. + flat_name: process.parent.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.saved_user.full_name: + dashed_name: process-parent-saved-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.saved_user.group.domain: + dashed_name: process-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.saved_user.group.id: + dashed_name: process-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.saved_user.group.name: + dashed_name: process-parent-saved-user-group-name + description: Name of the group. + flat_name: process.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.saved_user.hash: + dashed_name: process-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. 
+ type: keyword + process.parent.saved_user.id: + dashed_name: process-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.saved_user.name: + dashed_name: process-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.saved_user.risk.calculated_level: + dashed_name: process-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.saved_user.risk.calculated_score: + dashed_name: process-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.saved_user.risk.static_level: + dashed_name: process-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.saved_user.risk.static_score: + dashed_name: process-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.saved_user.risk.static_score_norm: + dashed_name: process-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: process.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.saved_user.roles: + dashed_name: process-parent-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.start: + dashed_name: process-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.parent.supplemental_groups.domain: + dashed_name: process-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.supplemental_groups.id: + dashed_name: process-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.supplemental_groups.name: + dashed_name: process-parent-supplemental-groups-name + description: Name of the group. 
+ flat_name: process.parent.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.parent.thread.id: + dashed_name: process-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.parent.thread.name: + dashed_name: process-parent-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. 
+ type: keyword + process.parent.title: + dashed_name: process-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.parent.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.parent.tty: + dashed_name: process-parent-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.parent.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.parent.tty.char_device.major: + dashed_name: process-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.parent.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.parent.tty.char_device.minor: + dashed_name: process-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. 
+ example: 1 + flat_name: process.parent.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.parent.tty.columns: + dashed_name: process-parent-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.parent.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.parent.tty.rows: + dashed_name: process-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.parent.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.parent.uptime: + dashed_name: process-parent-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.parent.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.parent.user.domain: + dashed_name: process-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword + process.parent.user.email: + dashed_name: process-parent-user-email + description: User email address. + flat_name: process.parent.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.user.full_name: + dashed_name: process-parent-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.user.group.domain: + dashed_name: process-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.user.group.id: + dashed_name: process-parent-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.user.group.name: + dashed_name: process-parent-user-group-name + description: Name of the group. + flat_name: process.parent.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.user.hash: + dashed_name: process-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.user.id: + dashed_name: process-parent-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.user.name: + dashed_name: process-parent-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.user.risk.calculated_level: + dashed_name: process-parent-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.user.risk.calculated_score: + dashed_name: process-parent-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.parent.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.user.risk.calculated_score_norm: + dashed_name: process-parent-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.user.risk.static_level: + dashed_name: process-parent-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.user.risk.static_score: + dashed_name: process-parent-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.parent.user.risk.static_score_norm: + dashed_name: process-parent-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.user.roles: + dashed_name: process-parent-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.vpid: + dashed_name: process-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.parent.working_directory: + dashed_name: process-parent-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.parent.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. 
+ type: keyword + process.pe.architecture: + dashed_name: process-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.pe.company: + dashed_name: process-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.pe.description: + dashed_name: process-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.pe.file_version: + dashed_name: process-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.pe.go_import_hash: + dashed_name: process-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.pe.go_imports: + dashed_name: process-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.pe.go_imports_names_entropy: + dashed_name: process-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.pe.go_imports_names_var_entropy: + dashed_name: process-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.pe.go_stripped: + dashed_name: process-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. 
+ type: boolean + process.pe.imphash: + dashed_name: process-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.pe.import_hash: + dashed_name: process-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.pe.imports: + dashed_name: process-pe-imports + description: List of imported element names and types. + flat_name: process.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.pe.imports_names_entropy: + dashed_name: process-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. 
+ type: long + process.pe.imports_names_var_entropy: + dashed_name: process-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.pe.original_file_name: + dashed_name: process-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.pe.pehash: + dashed_name: process-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.pe.product: + dashed_name: process-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. 
+ type: keyword + process.pe.sections: + dashed_name: process-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.pe.sections.name: + dashed_name: process-pe-sections-name + description: PE Section List name. + flat_name: process.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.pe.sections.physical_size: + dashed_name: process-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.pe.sections.var_entropy: + dashed_name: process-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.pe.sections.virtual_size: + dashed_name: process-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. 
+ flat_name: process.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.pid: + dashed_name: process-pid + description: Process id. + example: 4242 + flat_name: process.pid + format: string + level: core + name: pid + normalize: [] + otel: + - relation: match + stability: development + short: Process id. + type: long + process.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.platform_binary + level: extended + name: platform_binary + normalize: [] + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.previous.args: + dashed_name: process-previous-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.previous.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.previous.args_count: + dashed_name: process-previous-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.previous.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. 
+ type: long + process.previous.attested_groups.domain: + dashed_name: process-previous-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.attested_groups.id: + dashed_name: process-previous-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.attested_groups.name: + dashed_name: process-previous-attested-groups-name + description: Name of the group. + flat_name: process.previous.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.attested_user.domain: + dashed_name: process-previous-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.previous.attested_user.email: + dashed_name: process-previous-attested-user-email + description: User email address. + flat_name: process.previous.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword + process.previous.attested_user.full_name: + dashed_name: process-previous-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.previous.attested_user.group.domain: + dashed_name: process-previous-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.attested_user.group.id: + dashed_name: process-previous-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.attested_user.group.name: + dashed_name: process-previous-attested-user-group-name + description: Name of the group. + flat_name: process.previous.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.attested_user.hash: + dashed_name: process-previous-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.previous.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.previous.attested_user.id: + dashed_name: process-previous-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.previous.attested_user.name: + dashed_name: process-previous-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.previous.attested_user.risk.calculated_level: + dashed_name: process-previous-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.previous.attested_user.risk.calculated_score: + dashed_name: process-previous-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.previous.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.previous.attested_user.risk.calculated_score_norm: + dashed_name: process-previous-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.previous.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.previous.attested_user.risk.static_level: + dashed_name: process-previous-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.previous.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.previous.attested_user.risk.static_score: + dashed_name: process-previous-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.previous.attested_user.risk.static_score_norm: + dashed_name: process-previous-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.previous.attested_user.roles: + dashed_name: process-previous-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.previous.code_signature.digest_algorithm: + dashed_name: process-previous-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.previous.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.previous.code_signature.exists: + dashed_name: process-previous-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.previous.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. 
+ type: boolean + process.previous.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-previous-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.previous.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.previous.code_signature.signing_id: + dashed_name: process-previous-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.previous.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.previous.code_signature.status: + dashed_name: process-previous-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.previous.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword + process.previous.code_signature.subject_name: + dashed_name: process-previous-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.previous.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.previous.code_signature.team_id: + dashed_name: process-previous-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.previous.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.previous.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-previous-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.previous.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.previous.code_signature.timestamp: + dashed_name: process-previous-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.previous.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. 
+ type: date + process.previous.code_signature.trusted: + dashed_name: process-previous-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.previous.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.previous.code_signature.valid: + dashed_name: process-previous-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.previous.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.previous.command_line: + dashed_name: process-previous-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.previous.command_line + level: extended + multi_fields: + - flat_name: process.previous.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.previous.elf.architecture: + dashed_name: process-previous-elf-architecture + description: Machine architecture of the ELF file. 
+ example: x86-64 + flat_name: process.previous.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.previous.elf.byte_order: + dashed_name: process-previous-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.previous.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.previous.elf.cpu_type: + dashed_name: process-previous-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.previous.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.previous.elf.creation_date: + dashed_name: process-previous-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.previous.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.previous.elf.exports: + dashed_name: process-previous-elf-exports + description: List of exported element names and types. + flat_name: process.previous.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.previous.elf.go_import_hash: + dashed_name: process-previous-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.previous.elf.go_imports: + dashed_name: process-previous-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.previous.elf.go_imports_names_entropy: + dashed_name: process-previous-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.previous.elf.go_imports_names_var_entropy: + dashed_name: process-previous-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.previous.elf.go_stripped: + dashed_name: process-previous-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.previous.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.previous.elf.header.abi_version: + dashed_name: process-previous-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.previous.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.previous.elf.header.class: + dashed_name: process-previous-elf-header-class + description: Header class of the ELF file. + flat_name: process.previous.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.previous.elf.header.data: + dashed_name: process-previous-elf-header-data + description: Data table of the ELF header. + flat_name: process.previous.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.previous.elf.header.entrypoint: + dashed_name: process-previous-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.previous.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. 
+ type: long + process.previous.elf.header.object_version: + dashed_name: process-previous-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.previous.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.previous.elf.header.os_abi: + dashed_name: process-previous-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.previous.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.previous.elf.header.type: + dashed_name: process-previous-elf-header-type + description: Header type of the ELF file. + flat_name: process.previous.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.previous.elf.header.version: + dashed_name: process-previous-elf-header-version + description: Version of the ELF header. + flat_name: process.previous.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.previous.elf.import_hash: + dashed_name: process-previous-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.previous.elf.imports: + dashed_name: process-previous-elf-imports + description: List of imported element names and types. + flat_name: process.previous.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.previous.elf.imports_names_entropy: + dashed_name: process-previous-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.previous.elf.imports_names_var_entropy: + dashed_name: process-previous-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.previous.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.previous.elf.sections: + dashed_name: process-previous-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.previous.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. 
+ type: nested + process.previous.elf.sections.chi2: + dashed_name: process-previous-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.previous.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.previous.elf.sections.entropy: + dashed_name: process-previous-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.previous.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.previous.elf.sections.flags: + dashed_name: process-previous-elf-sections-flags + description: ELF Section List flags. + flat_name: process.previous.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.previous.elf.sections.name: + dashed_name: process-previous-elf-sections-name + description: ELF Section List name. + flat_name: process.previous.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.previous.elf.sections.physical_offset: + dashed_name: process-previous-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.previous.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.previous.elf.sections.physical_size: + dashed_name: process-previous-elf-sections-physical-size + description: ELF Section List physical size. 
+ flat_name: process.previous.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.previous.elf.sections.type: + dashed_name: process-previous-elf-sections-type + description: ELF Section List type. + flat_name: process.previous.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.previous.elf.sections.var_entropy: + dashed_name: process-previous-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.previous.elf.sections.virtual_address: + dashed_name: process-previous-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.previous.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.previous.elf.sections.virtual_size: + dashed_name: process-previous-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.previous.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.previous.elf.segments: + dashed_name: process-previous-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' 
+ flat_name: process.previous.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.previous.elf.segments.sections: + dashed_name: process-previous-elf-segments-sections + description: ELF object segment sections. + flat_name: process.previous.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.previous.elf.segments.type: + dashed_name: process-previous-elf-segments-type + description: ELF object segment type. + flat_name: process.previous.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.previous.elf.shared_libraries: + dashed_name: process-previous-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.previous.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.previous.elf.telfhash: + dashed_name: process-previous-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.previous.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.previous.end: + dashed_name: process-previous-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.previous.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.previous.endpoint_security_client: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.previous.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.previous.entity_id: + dashed_name: process-previous-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.previous.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.previous.entry_meta.source.address: + dashed_name: process-previous-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.previous.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. 
+ type: keyword + process.previous.entry_meta.source.as.number: + dashed_name: process-previous-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.previous.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.previous.entry_meta.source.as.organization.name: + dashed_name: process-previous-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.previous.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.previous.entry_meta.source.bytes: + dashed_name: process-previous-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.previous.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.previous.entry_meta.source.domain: + dashed_name: process-previous-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.previous.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. 
+ type: keyword + process.previous.entry_meta.source.geo.city_name: + dashed_name: process-previous-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.previous.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.previous.entry_meta.source.geo.continent_code: + dashed_name: process-previous-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.previous.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.previous.entry_meta.source.geo.continent_name: + dashed_name: process-previous-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.previous.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.previous.entry_meta.source.geo.country_iso_code: + dashed_name: process-previous-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.previous.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.previous.entry_meta.source.geo.country_name: + dashed_name: process-previous-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.previous.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword + process.previous.entry_meta.source.geo.location: + dashed_name: process-previous-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.previous.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.previous.entry_meta.source.geo.name: + dashed_name: process-previous-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.previous.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.previous.entry_meta.source.geo.postal_code: + dashed_name: process-previous-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.previous.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.previous.entry_meta.source.geo.region_iso_code: + dashed_name: process-previous-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.previous.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. 
+ type: keyword + process.previous.entry_meta.source.geo.region_name: + dashed_name: process-previous-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.previous.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.previous.entry_meta.source.geo.timezone: + dashed_name: process-previous-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.previous.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.previous.entry_meta.source.ip: + dashed_name: process-previous-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.previous.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.previous.entry_meta.source.mac: + dashed_name: process-previous-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.previous.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.previous.entry_meta.source.nat.ip: + dashed_name: process-previous-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.previous.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.previous.entry_meta.source.nat.port: + dashed_name: process-previous-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.previous.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.previous.entry_meta.source.packets: + dashed_name: process-previous-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.previous.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.previous.entry_meta.source.port: + dashed_name: process-previous-entry-meta-source-port + description: Port of the source. + flat_name: process.previous.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.previous.entry_meta.source.registered_domain: + dashed_name: process-previous-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.previous.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.previous.entry_meta.source.subdomain: + dashed_name: process-previous-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.previous.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.previous.entry_meta.source.top_level_domain: + dashed_name: process-previous-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.previous.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword + process.previous.entry_meta.type: + dashed_name: process-previous-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.previous.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.previous.env_vars: + dashed_name: process-previous-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.previous.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.previous.executable: + dashed_name: process-previous-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.previous.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.previous.exit_code: + dashed_name: process-previous-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.previous.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. 
+ type: long + process.previous.group.domain: + dashed_name: process-previous-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.group.id: + dashed_name: process-previous-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.group.name: + dashed_name: process-previous-group-name + description: Name of the group. + flat_name: process.previous.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-previous-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.previous.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.previous.hash.md5: + dashed_name: process-previous-hash-md5 + description: MD5 hash. + flat_name: process.previous.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.previous.hash.sha1: + dashed_name: process-previous-hash-sha1 + description: SHA1 hash. 
+ flat_name: process.previous.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.previous.hash.sha256: + dashed_name: process-previous-hash-sha256 + description: SHA256 hash. + flat_name: process.previous.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.previous.hash.sha384: + dashed_name: process-previous-hash-sha384 + description: SHA384 hash. + flat_name: process.previous.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.previous.hash.sha512: + dashed_name: process-previous-hash-sha512 + description: SHA512 hash. + flat_name: process.previous.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.previous.hash.ssdeep: + dashed_name: process-previous-hash-ssdeep + description: SSDEEP hash. + flat_name: process.previous.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.previous.hash.tlsh: + dashed_name: process-previous-hash-tlsh + description: TLSH hash. + flat_name: process.previous.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.previous.interactive: + dashed_name: process-previous-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.previous.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.previous.io: + dashed_name: process-previous-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.previous.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.previous.io.bytes_skipped: + dashed_name: process-previous-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.previous.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.previous.io.bytes_skipped.length: + dashed_name: process-previous-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.previous.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long + process.previous.io.bytes_skipped.offset: + dashed_name: process-previous-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.previous.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.previous.io.max_bytes_per_process_exceeded: + dashed_name: process-previous-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.previous.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.previous.io.text: + dashed_name: process-previous-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.previous.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.previous.io.total_bytes_captured: + dashed_name: process-previous-io-total-bytes-captured + description: The total number of bytes captured in this event. 
+ flat_name: process.previous.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.previous.io.total_bytes_skipped: + dashed_name: process-previous-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.previous.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.previous.io.type: + dashed_name: process-previous-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.previous.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.previous.macho.go_import_hash: + dashed_name: process-previous-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.previous.macho.go_imports: + dashed_name: process-previous-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.previous.macho.go_imports_names_entropy: + dashed_name: process-previous-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.previous.macho.go_imports_names_var_entropy: + dashed_name: process-previous-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.previous.macho.go_stripped: + dashed_name: process-previous-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.previous.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.previous.macho.import_hash: + dashed_name: process-previous-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.previous.macho.imports: + dashed_name: process-previous-macho-imports + description: List of imported element names and types. + flat_name: process.previous.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.previous.macho.imports_names_entropy: + dashed_name: process-previous-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.previous.macho.imports_names_var_entropy: + dashed_name: process-previous-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.previous.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.previous.macho.sections: + dashed_name: process-previous-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.previous.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.previous.macho.sections.entropy: + dashed_name: process-previous-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.previous.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.previous.macho.sections.name: + dashed_name: process-previous-macho-sections-name + description: Mach-O Section List name. + flat_name: process.previous.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.previous.macho.sections.physical_size: + dashed_name: process-previous-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.previous.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. 
+ type: long + process.previous.macho.sections.var_entropy: + dashed_name: process-previous-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.previous.macho.sections.virtual_size: + dashed_name: process-previous-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.previous.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.previous.macho.symhash: + dashed_name: process-previous-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.previous.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.previous.name: + dashed_name: process-previous-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.previous.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. 
+ type: keyword + process.previous.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-previous-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.previous.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.previous.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-previous-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.previous.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.previous.pe.architecture: + dashed_name: process-previous-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.previous.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.previous.pe.company: + dashed_name: process-previous-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.previous.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.previous.pe.description: + dashed_name: process-previous-pe-description + description: Internal description of the file, provided at compile-time. 
+ example: Paint + flat_name: process.previous.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.previous.pe.file_version: + dashed_name: process-previous-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.previous.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.previous.pe.go_import_hash: + dashed_name: process-previous-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.previous.pe.go_imports: + dashed_name: process-previous-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.previous.pe.go_imports_names_entropy: + dashed_name: process-previous-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.previous.pe.go_imports_names_entropy
+ format: number
+ level: extended
+ name: go_imports_names_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the list of Go imports.
+ type: long
+ process.previous.pe.go_imports_names_var_entropy:
+ dashed_name: process-previous-pe-go-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ flat_name: process.previous.pe.go_imports_names_var_entropy
+ format: number
+ level: extended
+ name: go_imports_names_var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the list of Go imports.
+ type: long
+ process.previous.pe.go_stripped:
+ dashed_name: process-previous-pe-go-stripped
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ flat_name: process.previous.pe.go_stripped
+ level: extended
+ name: go_stripped
+ normalize: []
+ original_fieldset: pe
+ short: Whether the file is a stripped or obfuscated Go executable.
+ type: boolean
+ process.previous.pe.imphash:
+ dashed_name: process-previous-pe-imphash
+ description: 'A hash of the imports in a PE file. An imphash -- or import hash
+ -- can be used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+ example: 0c6803c4e922103c4dca5963aad36ddf
+ flat_name: process.previous.pe.imphash
+ ignore_above: 1024
+ level: extended
+ name: imphash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the imports in a PE file.
+ type: keyword
+ process.previous.pe.import_hash:
+ dashed_name: process-previous-pe-import-hash
+ description: 'A hash of the imports in a PE file. An import hash can be used
+ to fingerprint binaries even after recompilation or other code-level transformations
+ have occurred, which would change more traditional hash values.
+
+ This is a synonym for imphash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ flat_name: process.previous.pe.import_hash
+ ignore_above: 1024
+ level: extended
+ name: import_hash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the imports in a PE file.
+ type: keyword
+ process.previous.pe.imports:
+ dashed_name: process-previous-pe-imports
+ description: List of imported element names and types.
+ flat_name: process.previous.pe.imports
+ level: extended
+ name: imports
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of imported element names and types.
+ type: flattened
+ process.previous.pe.imports_names_entropy:
+ dashed_name: process-previous-pe-imports-names-entropy
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ flat_name: process.previous.pe.imports_names_entropy
+ format: number
+ level: extended
+ name: imports_names_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the list of imported element names and
+ types.
+ type: long
+ process.previous.pe.imports_names_var_entropy:
+ dashed_name: process-previous-pe-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ flat_name: process.previous.pe.imports_names_var_entropy
+ format: number
+ level: extended
+ name: imports_names_var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the list of imported element
+ names and types.
+ type: long
+ process.previous.pe.original_file_name:
+ dashed_name: process-previous-pe-original-file-name
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+ flat_name: process.previous.pe.original_file_name
+ ignore_above: 1024
+ level: extended
+ name: original_file_name
+ normalize: []
+ original_fieldset: pe
+ short: Internal name of the file, provided at compile-time.
+ type: keyword
+ process.previous.pe.pehash:
+ dashed_name: process-previous-pe-pehash
+ description: 'A hash of the PE header and data from one or more PE sections.
+ An pehash can be used to cluster files by transforming structural information
+ about a file into a hash value.
+
+ Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.'
+ example: 73ff189b63cd6be375a7ff25179a38d347651975
+ flat_name: process.previous.pe.pehash
+ ignore_above: 1024
+ level: extended
+ name: pehash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the PE header and data from one or more PE sections.
+ type: keyword
+ process.previous.pe.product:
+ dashed_name: process-previous-pe-product
+ description: Internal product name of the file, provided at compile-time.
+ example: Microsoft® Windows® Operating System
+ flat_name: process.previous.pe.product
+ ignore_above: 1024
+ level: extended
+ name: product
+ normalize: []
+ original_fieldset: pe
+ short: Internal product name of the file, provided at compile-time.
+ type: keyword
+ process.previous.pe.sections:
+ dashed_name: process-previous-pe-sections
+ description: 'An array containing an object for each section of the PE file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `pe.sections.*`.'
+ flat_name: process.previous.pe.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: pe
+ short: Section information of the PE file.
+ type: nested
+ process.previous.pe.sections.entropy:
+ dashed_name: process-previous-pe-sections-entropy
+ description: Shannon entropy calculation from the section.
+ flat_name: process.previous.pe.sections.entropy
+ format: number
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the section.
+ type: long
+ process.previous.pe.sections.name:
+ dashed_name: process-previous-pe-sections-name
+ description: PE Section List name.
+ flat_name: process.previous.pe.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List name.
+ type: keyword
+ process.previous.pe.sections.physical_size:
+ dashed_name: process-previous-pe-sections-physical-size
+ description: PE Section List physical size.
+ flat_name: process.previous.pe.sections.physical_size
+ format: bytes
+ level: extended
+ name: sections.physical_size
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List physical size.
+ type: long
+ process.previous.pe.sections.var_entropy:
+ dashed_name: process-previous-pe-sections-var-entropy
+ description: Variance for Shannon entropy calculation from the section.
+ flat_name: process.previous.pe.sections.var_entropy
+ format: number
+ level: extended
+ name: sections.var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the section.
+ type: long
+ process.previous.pe.sections.virtual_size:
+ dashed_name: process-previous-pe-sections-virtual-size
+ description: PE Section List virtual size. This is always the same as `physical_size`.
+ flat_name: process.previous.pe.sections.virtual_size
+ format: string
+ level: extended
+ name: sections.virtual_size
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List virtual size. This is always the same as `physical_size`.
+ type: long
+ process.previous.pid:
+ dashed_name: process-previous-pid
+ description: Process id.
+ example: 4242
+ flat_name: process.previous.pid
+ format: string
+ level: core
+ name: pid
+ normalize: []
+ original_fieldset: process
+ short: Process id.
+ type: long
+ process.previous.platform_binary:
+ beta: This field is beta and subject to change.
+ dashed_name: process-previous-platform-binary
+ description: Binaries that are shipped by the operating system are defined as
+ platform binaries, this value is then set to true.
+ flat_name: process.previous.platform_binary
+ level: extended
+ name: platform_binary
+ normalize: []
+ original_fieldset: process
+ short: Indicates whether this process executable is a default platform binary
+ shipped with the operating system.
+ type: boolean
+ process.previous.real_group.domain:
+ dashed_name: process-previous-real-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.previous.real_group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.previous.real_group.id:
+ dashed_name: process-previous-real-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.previous.real_group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.previous.real_group.name:
+ dashed_name: process-previous-real-group-name
+ description: Name of the group.
+ flat_name: process.previous.real_group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.previous.real_user.domain:
+ dashed_name: process-previous-real-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.previous.real_user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+ process.previous.real_user.email:
+ dashed_name: process-previous-real-user-email
+ description: User email address.
+ flat_name: process.previous.real_user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ process.previous.real_user.full_name:
+ dashed_name: process-previous-real-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.previous.real_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.previous.real_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+ process.previous.real_user.group.domain:
+ dashed_name: process-previous-real-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.previous.real_user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.previous.real_user.group.id:
+ dashed_name: process-previous-real-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.previous.real_user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.previous.real_user.group.name:
+ dashed_name: process-previous-real-user-group-name
+ description: Name of the group.
+ flat_name: process.previous.real_user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.previous.real_user.hash:
+ dashed_name: process-previous-real-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.previous.real_user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+ process.previous.real_user.id:
+ dashed_name: process-previous-real-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.previous.real_user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+ process.previous.real_user.name:
+ dashed_name: process-previous-real-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.previous.real_user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.previous.real_user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+ process.previous.real_user.risk.calculated_level:
+ dashed_name: process-previous-real-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.previous.real_user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ process.previous.real_user.risk.calculated_score:
+ dashed_name: process-previous-real-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.previous.real_user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ process.previous.real_user.risk.calculated_score_norm:
+ dashed_name: process-previous-real-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: process.previous.real_user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ process.previous.real_user.risk.static_level:
+ dashed_name: process-previous-real-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.previous.real_user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ process.previous.real_user.risk.static_score:
+ dashed_name: process-previous-real-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.previous.real_user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ process.previous.real_user.risk.static_score_norm:
+ dashed_name: process-previous-real-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.previous.real_user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+ process.previous.real_user.roles:
+ dashed_name: process-previous-real-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.previous.real_user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+ process.previous.same_as_process:
+ dashed_name: process-previous-same-as-process
+ description: 'This boolean is used to identify if a leader process is the same
+ as the top level process.
+
+ For example, if `process.group_leader.same_as_process = true`, it means the
+ process event in question is the leader of its process group. Details under
+ `process.*` like `pid` would be the same under `process.group_leader.*` The
+ same applies for both `process.session_leader` and `process.entry_leader`.
+
+ This field exists to the benefit of EQL and other rule engines since it''s
+ not possible to compare equality between two fields in a single document.
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process
+ is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id`
+ (top level process is the entry session leader)
+
+ Instead these rules could be written like: `process.group_leader.same_as_process:
+ true` OR `process.entry_leader.same_as_process: true`
+
+ Note: This field is only set on `process.entry_leader`, `process.session_leader`
+ and `process.group_leader`.'
+ example: true
+ flat_name: process.previous.same_as_process
+ level: extended
+ name: same_as_process
+ normalize: []
+ original_fieldset: process
+ short: This boolean is used to identify if a leader process is the same as the
+ top level process.
+ type: boolean
+ process.previous.saved_group.domain:
+ dashed_name: process-previous-saved-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.previous.saved_group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.previous.saved_group.id:
+ dashed_name: process-previous-saved-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.previous.saved_group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.previous.saved_group.name:
+ dashed_name: process-previous-saved-group-name
+ description: Name of the group.
+ flat_name: process.previous.saved_group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.previous.saved_user.domain:
+ dashed_name: process-previous-saved-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.previous.saved_user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+ process.previous.saved_user.email:
+ dashed_name: process-previous-saved-user-email
+ description: User email address.
+ flat_name: process.previous.saved_user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ process.previous.saved_user.full_name:
+ dashed_name: process-previous-saved-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.previous.saved_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.previous.saved_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+ process.previous.saved_user.group.domain:
+ dashed_name: process-previous-saved-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.previous.saved_user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.previous.saved_user.group.id:
+ dashed_name: process-previous-saved-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.previous.saved_user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.previous.saved_user.group.name:
+ dashed_name: process-previous-saved-user-group-name
+ description: Name of the group.
+ flat_name: process.previous.saved_user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.previous.saved_user.hash:
+ dashed_name: process-previous-saved-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.previous.saved_user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+ process.previous.saved_user.id:
+ dashed_name: process-previous-saved-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.previous.saved_user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+ process.previous.saved_user.name:
+ dashed_name: process-previous-saved-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.previous.saved_user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.previous.saved_user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+ process.previous.saved_user.risk.calculated_level:
+ dashed_name: process-previous-saved-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.previous.saved_user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ process.previous.saved_user.risk.calculated_score:
+ dashed_name: process-previous-saved-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.previous.saved_user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ process.previous.saved_user.risk.calculated_score_norm:
+ dashed_name: process-previous-saved-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: process.previous.saved_user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ process.previous.saved_user.risk.static_level:
+ dashed_name: process-previous-saved-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.previous.saved_user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ process.previous.saved_user.risk.static_score:
+ dashed_name: process-previous-saved-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.previous.saved_user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ process.previous.saved_user.risk.static_score_norm:
+ dashed_name: process-previous-saved-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.previous.saved_user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+ process.previous.saved_user.roles:
+ dashed_name: process-previous-saved-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.previous.saved_user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+ process.previous.start:
+ dashed_name: process-previous-start
+ description: The time the process started.
+ example: '2016-05-23T08:05:34.853Z'
+ flat_name: process.previous.start
+ level: extended
+ name: start
+ normalize: []
+ original_fieldset: process
+ short: The time the process started.
+ type: date
+ process.previous.supplemental_groups.domain:
+ dashed_name: process-previous-supplemental-groups-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.previous.supplemental_groups.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.previous.supplemental_groups.id:
+ dashed_name: process-previous-supplemental-groups-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.previous.supplemental_groups.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.previous.supplemental_groups.name:
+ dashed_name: process-previous-supplemental-groups-name
+ description: Name of the group.
+ flat_name: process.previous.supplemental_groups.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.previous.thread.capabilities.effective:
+ dashed_name: process-previous-thread-capabilities-effective
+ description: This is the set of capabilities used by the kernel to perform permission
+ checks for the thread.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ flat_name: process.previous.thread.capabilities.effective
+ ignore_above: 1024
+ level: extended
+ name: thread.capabilities.effective
+ normalize:
+ - array
+ original_fieldset: process
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ short: Array of capabilities used for permission checks.
+ synthetic_source_keep: none
+ type: keyword
+ process.previous.thread.capabilities.permitted:
+ dashed_name: process-previous-thread-capabilities-permitted
+ description: This is a limiting superset for the effective capabilities that
+ the thread may assume.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ flat_name: process.previous.thread.capabilities.permitted
+ ignore_above: 1024
+ level: extended
+ name: thread.capabilities.permitted
+ normalize:
+ - array
+ original_fieldset: process
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ short: Array of capabilities a thread could assume.
+ synthetic_source_keep: none
+ type: keyword
+ process.previous.thread.id:
+ dashed_name: process-previous-thread-id
+ description: Thread ID.
+ example: 4242
+ flat_name: process.previous.thread.id
+ format: string
+ level: extended
+ name: thread.id
+ normalize: []
+ original_fieldset: process
+ short: Thread ID.
+ type: long
+ process.previous.thread.name:
+ dashed_name: process-previous-thread-name
+ description: Thread name.
+ example: thread-0
+ flat_name: process.previous.thread.name
+ ignore_above: 1024
+ level: extended
+ name: thread.name
+ normalize: []
+ original_fieldset: process
+ short: Thread name.
+ type: keyword
+ process.previous.title:
+ dashed_name: process-previous-title
+ description: 'Process title.
+
+ The proctitle, some times the same as process name. Can also be different:
+ for example a browser setting its title to the web page currently opened.'
+ flat_name: process.previous.title
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.previous.title.text
+ name: text
+ type: match_only_text
+ name: title
+ normalize: []
+ original_fieldset: process
+ short: Process title.
+ type: keyword
+ process.previous.tty:
+ dashed_name: process-previous-tty
+ description: Information about the controlling TTY device. If set, the process
+ belongs to an interactive session.
+ flat_name: process.previous.tty
+ level: extended
+ name: tty
+ normalize: []
+ original_fieldset: process
+ short: Information about the controlling TTY device.
+ type: object
+ process.previous.tty.char_device.major:
+ dashed_name: process-previous-tty-char-device-major
+ description: The major number identifies the driver associated with the device.
+ The character device's major and minor numbers can be algorithmically combined
+ to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
+ For more details, please refer to the Linux kernel documentation.
+ example: 4
+ flat_name: process.previous.tty.char_device.major
+ level: extended
+ name: tty.char_device.major
+ normalize: []
+ original_fieldset: process
+ short: The TTY character device's major number.
+ type: long
+ process.previous.tty.char_device.minor:
+ dashed_name: process-previous-tty-char-device-minor
+ description: The minor number is used only by the driver specified by the major
+ number; other parts of the kernel don’t use it, and merely pass it along to
+ the driver. It is common for a driver to control several devices; the minor
+ number provides a way for the driver to differentiate among them.
+ example: 1
+ flat_name: process.previous.tty.char_device.minor
+ level: extended
+ name: tty.char_device.minor
+ normalize: []
+ original_fieldset: process
+ short: The TTY character device's minor number.
+ type: long
+ process.previous.tty.columns:
+ dashed_name: process-previous-tty-columns
+ description: 'The number of character columns per line. e.g terminal width
+
+ Terminal sizes can change, so this value reflects the maximum value for a
+ given IO event. i.e. where event.action = ''text_output'''
+ example: 80
+ flat_name: process.previous.tty.columns
+ level: extended
+ name: tty.columns
+ normalize: []
+ original_fieldset: process
+ short: The number of character columns per line. e.g terminal width
+ type: long
+ process.previous.tty.rows:
+ dashed_name: process-previous-tty-rows
+ description: 'The number of character rows in the terminal. e.g terminal height
+
+ Terminal sizes can change, so this value reflects the maximum value for a
+ given IO event. i.e. where event.action = ''text_output'''
+ example: 24
+ flat_name: process.previous.tty.rows
+ level: extended
+ name: tty.rows
+ normalize: []
+ original_fieldset: process
+ short: The number of character rows in the terminal. e.g terminal height
+ type: long
+ process.previous.uptime:
+ dashed_name: process-previous-uptime
+ description: Seconds the process has been up.
+ example: 1325
+ flat_name: process.previous.uptime
+ level: extended
+ name: uptime
+ normalize: []
+ original_fieldset: process
+ short: Seconds the process has been up.
+ type: long
+ process.previous.user.domain:
+ dashed_name: process-previous-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.previous.user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+ process.previous.user.email:
+ dashed_name: process-previous-user-email
+ description: User email address.
+ flat_name: process.previous.user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ process.previous.user.full_name:
+ dashed_name: process-previous-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.previous.user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.previous.user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+ process.previous.user.group.domain:
+ dashed_name: process-previous-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.previous.user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.previous.user.group.id:
+ dashed_name: process-previous-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.previous.user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.previous.user.group.name:
+ dashed_name: process-previous-user-group-name
+ description: Name of the group.
+ flat_name: process.previous.user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.previous.user.hash:
+ dashed_name: process-previous-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.previous.user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+ process.previous.user.id:
+ dashed_name: process-previous-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.previous.user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+ process.previous.user.name:
+ dashed_name: process-previous-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.previous.user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.previous.user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+ process.previous.user.risk.calculated_level:
+ dashed_name: process-previous-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.previous.user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ process.previous.user.risk.calculated_score:
+ dashed_name: process-previous-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.previous.user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ process.previous.user.risk.calculated_score_norm:
+ dashed_name: process-previous-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: process.previous.user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ process.previous.user.risk.static_level:
+ dashed_name: process-previous-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.previous.user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ process.previous.user.risk.static_score:
+ dashed_name: process-previous-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.previous.user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float + process.previous.user.risk.static_score_norm: + dashed_name: process-previous-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.previous.user.roles: + dashed_name: process-previous-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.previous.vpid: + dashed_name: process-previous-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.previous.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.previous.working_directory: + dashed_name: process-previous-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.previous.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. 
+ type: keyword + process.real_group.domain: + dashed_name: process-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.real_group.id: + dashed_name: process-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.real_group.name: + dashed_name: process-real-group-name + description: Name of the group. + flat_name: process.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.real_user.domain: + dashed_name: process-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.real_user.email: + dashed_name: process-real-user-email + description: User email address. + flat_name: process.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.real_user.full_name: + dashed_name: process-real-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.real_user.group.domain: + dashed_name: process-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.real_user.group.id: + dashed_name: process-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.real_user.group.name: + dashed_name: process-real-user-group-name + description: Name of the group. + flat_name: process.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.real_user.hash: + dashed_name: process-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.real_user.id: + dashed_name: process-real-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + otel: + - relation: match + stability: development + short: Unique identifier of the user. + type: keyword + process.real_user.name: + dashed_name: process-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + otel: + - relation: match + stability: development + short: Short name or login of the user. + type: keyword + process.real_user.risk.calculated_level: + dashed_name: process-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.real_user.risk.calculated_score: + dashed_name: process-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.real_user.risk.calculated_score_norm: + dashed_name: process-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.real_user.risk.static_level: + dashed_name: process-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.real_user.risk.static_score: + dashed_name: process-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.real_user.risk.static_score_norm: + dashed_name: process-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: process.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.real_user.roles: + dashed_name: process-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.responsible.args: + dashed_name: process-responsible-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.responsible.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.responsible.args_count: + dashed_name: process-responsible-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.responsible.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.responsible.attested_groups.domain: + dashed_name: process-responsible-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.responsible.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.attested_groups.id: + dashed_name: process-responsible-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.attested_groups.name: + dashed_name: process-responsible-attested-groups-name + description: Name of the group. + flat_name: process.responsible.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.attested_user.domain: + dashed_name: process-responsible-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.responsible.attested_user.email: + dashed_name: process-responsible-attested-user-email + description: User email address. + flat_name: process.responsible.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.responsible.attested_user.full_name: + dashed_name: process-responsible-attested-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.responsible.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.responsible.attested_user.group.domain: + dashed_name: process-responsible-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.attested_user.group.id: + dashed_name: process-responsible-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.attested_user.group.name: + dashed_name: process-responsible-attested-user-group-name + description: Name of the group. + flat_name: process.responsible.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.attested_user.hash: + dashed_name: process-responsible-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.responsible.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.responsible.attested_user.id: + dashed_name: process-responsible-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.responsible.attested_user.name: + dashed_name: process-responsible-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.responsible.attested_user.risk.calculated_level: + dashed_name: process-responsible-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.responsible.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.responsible.attested_user.risk.calculated_score: + dashed_name: process-responsible-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.responsible.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.responsible.attested_user.risk.calculated_score_norm: + dashed_name: process-responsible-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.responsible.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.responsible.attested_user.risk.static_level: + dashed_name: process-responsible-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.responsible.attested_user.risk.static_score: + dashed_name: process-responsible-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.responsible.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.responsible.attested_user.risk.static_score_norm: + dashed_name: process-responsible-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.responsible.attested_user.roles: + dashed_name: process-responsible-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.responsible.code_signature.digest_algorithm: + dashed_name: process-responsible-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.responsible.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. 
+ type: keyword + process.responsible.code_signature.exists: + dashed_name: process-responsible-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.responsible.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.responsible.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-responsible-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.responsible.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.responsible.code_signature.signing_id: + dashed_name: process-responsible-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.responsible.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.responsible.code_signature.status: + dashed_name: process-responsible-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + flat_name: process.responsible.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.responsible.code_signature.subject_name: + dashed_name: process-responsible-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.responsible.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.responsible.code_signature.team_id: + dashed_name: process-responsible-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.responsible.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.responsible.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-responsible-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.responsible.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. 
+ type: keyword + process.responsible.code_signature.timestamp: + dashed_name: process-responsible-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.responsible.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.responsible.code_signature.trusted: + dashed_name: process-responsible-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.responsible.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.responsible.code_signature.valid: + dashed_name: process-responsible-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.responsible.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.responsible.command_line: + dashed_name: process-responsible-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.responsible.command_line + level: extended + multi_fields: + - flat_name: process.responsible.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.responsible.elf.architecture: + dashed_name: process-responsible-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.responsible.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.responsible.elf.byte_order: + dashed_name: process-responsible-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.responsible.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.responsible.elf.cpu_type: + dashed_name: process-responsible-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.responsible.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.responsible.elf.creation_date: + dashed_name: process-responsible-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.responsible.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.responsible.elf.exports: + dashed_name: process-responsible-elf-exports + description: List of exported element names and types. 
+ flat_name: process.responsible.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.responsible.elf.go_import_hash: + dashed_name: process-responsible-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.responsible.elf.go_imports: + dashed_name: process-responsible-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.responsible.elf.go_imports_names_entropy: + dashed_name: process-responsible-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. 
+ type: long + process.responsible.elf.go_imports_names_var_entropy: + dashed_name: process-responsible-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.responsible.elf.go_stripped: + dashed_name: process-responsible-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.responsible.elf.header.abi_version: + dashed_name: process-responsible-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.responsible.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.responsible.elf.header.class: + dashed_name: process-responsible-elf-header-class + description: Header class of the ELF file. + flat_name: process.responsible.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.responsible.elf.header.data: + dashed_name: process-responsible-elf-header-data + description: Data table of the ELF header. 
+ flat_name: process.responsible.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.responsible.elf.header.entrypoint: + dashed_name: process-responsible-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.responsible.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.responsible.elf.header.object_version: + dashed_name: process-responsible-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.responsible.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.responsible.elf.header.os_abi: + dashed_name: process-responsible-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.responsible.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.responsible.elf.header.type: + dashed_name: process-responsible-elf-header-type + description: Header type of the ELF file. + flat_name: process.responsible.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.responsible.elf.header.version: + dashed_name: process-responsible-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.responsible.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.responsible.elf.import_hash: + dashed_name: process-responsible-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.responsible.elf.imports: + dashed_name: process-responsible-elf-imports + description: List of imported element names and types. + flat_name: process.responsible.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.responsible.elf.imports_names_entropy: + dashed_name: process-responsible-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.responsible.elf.imports_names_var_entropy: + dashed_name: process-responsible-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.responsible.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.responsible.elf.sections: + dashed_name: process-responsible-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.responsible.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.responsible.elf.sections.chi2: + dashed_name: process-responsible-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.responsible.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.responsible.elf.sections.entropy: + dashed_name: process-responsible-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.responsible.elf.sections.flags: + dashed_name: process-responsible-elf-sections-flags + description: ELF Section List flags. + flat_name: process.responsible.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.responsible.elf.sections.name: + dashed_name: process-responsible-elf-sections-name + description: ELF Section List name. 
+ flat_name: process.responsible.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.responsible.elf.sections.physical_offset: + dashed_name: process-responsible-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.responsible.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.responsible.elf.sections.physical_size: + dashed_name: process-responsible-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.responsible.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.responsible.elf.sections.type: + dashed_name: process-responsible-elf-sections-type + description: ELF Section List type. + flat_name: process.responsible.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.responsible.elf.sections.var_entropy: + dashed_name: process-responsible-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.responsible.elf.sections.virtual_address: + dashed_name: process-responsible-elf-sections-virtual-address + description: ELF Section List virtual address. 
+ flat_name: process.responsible.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.responsible.elf.sections.virtual_size: + dashed_name: process-responsible-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.responsible.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.responsible.elf.segments: + dashed_name: process-responsible-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.responsible.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.responsible.elf.segments.sections: + dashed_name: process-responsible-elf-segments-sections + description: ELF object segment sections. + flat_name: process.responsible.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.responsible.elf.segments.type: + dashed_name: process-responsible-elf-segments-type + description: ELF object segment type. + flat_name: process.responsible.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.responsible.elf.shared_libraries: + dashed_name: process-responsible-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: process.responsible.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.responsible.elf.telfhash: + dashed_name: process-responsible-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.responsible.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.responsible.end: + dashed_name: process-responsible-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.responsible.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.responsible.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-responsible-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.responsible.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.responsible.entity_id: + dashed_name: process-responsible-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + flat_name: process.responsible.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.responsible.entry_meta.source.address: + dashed_name: process-responsible-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.responsible.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.responsible.entry_meta.source.as.number: + dashed_name: process-responsible-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.responsible.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.responsible.entry_meta.source.as.organization.name: + dashed_name: process-responsible-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.responsible.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. 
+ type: keyword + process.responsible.entry_meta.source.bytes: + dashed_name: process-responsible-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.responsible.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.responsible.entry_meta.source.domain: + dashed_name: process-responsible-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.responsible.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.responsible.entry_meta.source.geo.city_name: + dashed_name: process-responsible-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.responsible.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.responsible.entry_meta.source.geo.continent_code: + dashed_name: process-responsible-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.responsible.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.responsible.entry_meta.source.geo.continent_name: + dashed_name: process-responsible-entry-meta-source-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: process.responsible.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.responsible.entry_meta.source.geo.country_iso_code: + dashed_name: process-responsible-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.responsible.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.responsible.entry_meta.source.geo.country_name: + dashed_name: process-responsible-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.responsible.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.responsible.entry_meta.source.geo.location: + dashed_name: process-responsible-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.responsible.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.responsible.entry_meta.source.geo.name: + dashed_name: process-responsible-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + flat_name: process.responsible.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.responsible.entry_meta.source.geo.postal_code: + dashed_name: process-responsible-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.responsible.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.responsible.entry_meta.source.geo.region_iso_code: + dashed_name: process-responsible-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.responsible.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.responsible.entry_meta.source.geo.region_name: + dashed_name: process-responsible-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.responsible.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.responsible.entry_meta.source.geo.timezone: + dashed_name: process-responsible-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.responsible.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. 
+ type: keyword + process.responsible.entry_meta.source.ip: + dashed_name: process-responsible-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.responsible.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.responsible.entry_meta.source.mac: + dashed_name: process-responsible-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.responsible.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.responsible.entry_meta.source.nat.ip: + dashed_name: process-responsible-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.responsible.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.responsible.entry_meta.source.nat.port: + dashed_name: process-responsible-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.responsible.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.responsible.entry_meta.source.packets: + dashed_name: process-responsible-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.responsible.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.responsible.entry_meta.source.port: + dashed_name: process-responsible-entry-meta-source-port + description: Port of the source. + flat_name: process.responsible.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.responsible.entry_meta.source.registered_domain: + dashed_name: process-responsible-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.responsible.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.responsible.entry_meta.source.subdomain: + dashed_name: process-responsible-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.responsible.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.responsible.entry_meta.source.top_level_domain: + dashed_name: process-responsible-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.responsible.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.responsible.entry_meta.type: + dashed_name: process-responsible-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.responsible.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. 
+ type: keyword + process.responsible.env_vars: + dashed_name: process-responsible-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.responsible.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.responsible.executable: + dashed_name: process-responsible-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.responsible.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.responsible.exit_code: + dashed_name: process-responsible-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.responsible.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.responsible.group.domain: + dashed_name: process-responsible-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.responsible.group.id: + dashed_name: process-responsible-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.group.name: + dashed_name: process-responsible-group-name + description: Name of the group. + flat_name: process.responsible.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-responsible-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.responsible.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.responsible.hash.md5: + dashed_name: process-responsible-hash-md5 + description: MD5 hash. + flat_name: process.responsible.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.responsible.hash.sha1: + dashed_name: process-responsible-hash-sha1 + description: SHA1 hash. + flat_name: process.responsible.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.responsible.hash.sha256: + dashed_name: process-responsible-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.responsible.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.responsible.hash.sha384: + dashed_name: process-responsible-hash-sha384 + description: SHA384 hash. + flat_name: process.responsible.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.responsible.hash.sha512: + dashed_name: process-responsible-hash-sha512 + description: SHA512 hash. + flat_name: process.responsible.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.responsible.hash.ssdeep: + dashed_name: process-responsible-hash-ssdeep + description: SSDEEP hash. + flat_name: process.responsible.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.responsible.hash.tlsh: + dashed_name: process-responsible-hash-tlsh + description: TLSH hash. + flat_name: process.responsible.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.responsible.interactive: + dashed_name: process-responsible-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.responsible.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.responsible.io: + dashed_name: process-responsible-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.responsible.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.responsible.io.bytes_skipped: + dashed_name: process-responsible-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.responsible.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.responsible.io.bytes_skipped.length: + dashed_name: process-responsible-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.responsible.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.responsible.io.bytes_skipped.offset: + dashed_name: process-responsible-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.responsible.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.responsible.io.max_bytes_per_process_exceeded: + dashed_name: process-responsible-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.responsible.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.responsible.io.text: + dashed_name: process-responsible-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.responsible.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.responsible.io.total_bytes_captured: + dashed_name: process-responsible-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.responsible.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. 
+ type: long + process.responsible.io.total_bytes_skipped: + dashed_name: process-responsible-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.responsible.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.responsible.io.type: + dashed_name: process-responsible-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.responsible.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.responsible.macho.go_import_hash: + dashed_name: process-responsible-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. 
+ type: keyword + process.responsible.macho.go_imports: + dashed_name: process-responsible-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.responsible.macho.go_imports_names_entropy: + dashed_name: process-responsible-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.responsible.macho.go_imports_names_var_entropy: + dashed_name: process-responsible-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.responsible.macho.go_stripped: + dashed_name: process-responsible-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.responsible.macho.import_hash: + dashed_name: process-responsible-macho-import-hash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.responsible.macho.imports: + dashed_name: process-responsible-macho-imports + description: List of imported element names and types. + flat_name: process.responsible.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.responsible.macho.imports_names_entropy: + dashed_name: process-responsible-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.responsible.macho.imports_names_var_entropy: + dashed_name: process-responsible-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.responsible.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.responsible.macho.sections: + dashed_name: process-responsible-macho-sections + description: 'An array containing an object for each section of the Mach-O file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.responsible.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.responsible.macho.sections.entropy: + dashed_name: process-responsible-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.responsible.macho.sections.name: + dashed_name: process-responsible-macho-sections-name + description: Mach-O Section List name. + flat_name: process.responsible.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.responsible.macho.sections.physical_size: + dashed_name: process-responsible-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.responsible.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.responsible.macho.sections.var_entropy: + dashed_name: process-responsible-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. 
+ type: long + process.responsible.macho.sections.virtual_size: + dashed_name: process-responsible-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.responsible.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.responsible.macho.symhash: + dashed_name: process-responsible-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.responsible.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.responsible.name: + dashed_name: process-responsible-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.responsible.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.responsible.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-responsible-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. 
+ example: http://example.com/article1.html + flat_name: process.responsible.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.responsible.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-responsible-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.responsible.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.responsible.pe.architecture: + dashed_name: process-responsible-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.responsible.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.responsible.pe.company: + dashed_name: process-responsible-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.responsible.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.responsible.pe.description: + dashed_name: process-responsible-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.responsible.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
+ type: keyword + process.responsible.pe.file_version: + dashed_name: process-responsible-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.responsible.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.responsible.pe.go_import_hash: + dashed_name: process-responsible-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.responsible.pe.go_imports: + dashed_name: process-responsible-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.responsible.pe.go_imports_names_entropy: + dashed_name: process-responsible-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. 
+ type: long + process.responsible.pe.go_imports_names_var_entropy: + dashed_name: process-responsible-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.responsible.pe.go_stripped: + dashed_name: process-responsible-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.responsible.pe.imphash: + dashed_name: process-responsible-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.responsible.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.responsible.pe.import_hash: + dashed_name: process-responsible-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.responsible.pe.imports: + dashed_name: process-responsible-pe-imports + description: List of imported element names and types. + flat_name: process.responsible.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.responsible.pe.imports_names_entropy: + dashed_name: process-responsible-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.responsible.pe.imports_names_var_entropy: + dashed_name: process-responsible-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.responsible.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.responsible.pe.original_file_name: + dashed_name: process-responsible-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.responsible.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. 
+ type: keyword + process.responsible.pe.pehash: + dashed_name: process-responsible-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.responsible.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.responsible.pe.product: + dashed_name: process-responsible-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.responsible.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.responsible.pe.sections: + dashed_name: process-responsible-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.responsible.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.responsible.pe.sections.entropy: + dashed_name: process-responsible-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. 
+ type: long + process.responsible.pe.sections.name: + dashed_name: process-responsible-pe-sections-name + description: PE Section List name. + flat_name: process.responsible.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.responsible.pe.sections.physical_size: + dashed_name: process-responsible-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.responsible.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.responsible.pe.sections.var_entropy: + dashed_name: process-responsible-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.responsible.pe.sections.virtual_size: + dashed_name: process-responsible-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.responsible.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.responsible.pid: + dashed_name: process-responsible-pid + description: Process id. + example: 4242 + flat_name: process.responsible.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.responsible.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.responsible.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.responsible.real_group.domain: + dashed_name: process-responsible-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.real_group.id: + dashed_name: process-responsible-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.real_group.name: + dashed_name: process-responsible-real-group-name + description: Name of the group. + flat_name: process.responsible.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.real_user.domain: + dashed_name: process-responsible-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword + process.responsible.real_user.email: + dashed_name: process-responsible-real-user-email + description: User email address. + flat_name: process.responsible.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.responsible.real_user.full_name: + dashed_name: process-responsible-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.responsible.real_user.group.domain: + dashed_name: process-responsible-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.real_user.group.id: + dashed_name: process-responsible-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.real_user.group.name: + dashed_name: process-responsible-real-user-group-name + description: Name of the group. + flat_name: process.responsible.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.responsible.real_user.hash: + dashed_name: process-responsible-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.responsible.real_user.id: + dashed_name: process-responsible-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.responsible.real_user.name: + dashed_name: process-responsible-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.responsible.real_user.risk.calculated_level: + dashed_name: process-responsible-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.responsible.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.responsible.real_user.risk.calculated_score: + dashed_name: process-responsible-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.responsible.real_user.risk.calculated_score_norm: + dashed_name: process-responsible-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.responsible.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.responsible.real_user.risk.static_level: + dashed_name: process-responsible-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.responsible.real_user.risk.static_score: + dashed_name: process-responsible-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0
+ flat_name: process.responsible.real_user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ process.responsible.real_user.risk.static_score_norm:
+ dashed_name: process-responsible-real-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.responsible.real_user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+ process.responsible.real_user.roles:
+ dashed_name: process-responsible-real-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.responsible.real_user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+ process.responsible.same_as_process:
+ dashed_name: process-responsible-same-as-process
+ description: 'This boolean is used to identify if a leader process is the same
+ as the top level process.
+
+ For example, if `process.group_leader.same_as_process = true`, it means the
+ process event in question is the leader of its process group. Details under
+ `process.*` like `pid` would be the same under `process.group_leader.*` The
+ same applies for both `process.session_leader` and `process.entry_leader`.
+
+ This field exists to the benefit of EQL and other rule engines since it''s
+ not possible to compare equality between two fields in a single document.
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process
+ is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id`
+ (top level process is the entry session leader)
+
+ Instead these rules could be written like: `process.group_leader.same_as_process:
+ true` OR `process.entry_leader.same_as_process: true`
+
+ Note: This field is only set on `process.entry_leader`, `process.session_leader`
+ and `process.group_leader`.'
+ example: true
+ flat_name: process.responsible.same_as_process
+ level: extended
+ name: same_as_process
+ normalize: []
+ original_fieldset: process
+ short: This boolean is used to identify if a leader process is the same as the
+ top level process.
+ type: boolean
+ process.responsible.saved_group.domain:
+ dashed_name: process-responsible-saved-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.responsible.saved_group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.responsible.saved_group.id:
+ dashed_name: process-responsible-saved-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.responsible.saved_group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.responsible.saved_group.name:
+ dashed_name: process-responsible-saved-group-name
+ description: Name of the group.
+ flat_name: process.responsible.saved_group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.responsible.saved_user.domain:
+ dashed_name: process-responsible-saved-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.responsible.saved_user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+ process.responsible.saved_user.email:
+ dashed_name: process-responsible-saved-user-email
+ description: User email address.
+ flat_name: process.responsible.saved_user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ process.responsible.saved_user.full_name:
+ dashed_name: process-responsible-saved-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.responsible.saved_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.responsible.saved_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+ process.responsible.saved_user.group.domain:
+ dashed_name: process-responsible-saved-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.responsible.saved_user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.responsible.saved_user.group.id:
+ dashed_name: process-responsible-saved-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.responsible.saved_user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.responsible.saved_user.group.name:
+ dashed_name: process-responsible-saved-user-group-name
+ description: Name of the group.
+ flat_name: process.responsible.saved_user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.responsible.saved_user.hash:
+ dashed_name: process-responsible-saved-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.responsible.saved_user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+ process.responsible.saved_user.id:
+ dashed_name: process-responsible-saved-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.responsible.saved_user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+ process.responsible.saved_user.name:
+ dashed_name: process-responsible-saved-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.responsible.saved_user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.responsible.saved_user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+ process.responsible.saved_user.risk.calculated_level:
+ dashed_name: process-responsible-saved-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.responsible.saved_user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ process.responsible.saved_user.risk.calculated_score:
+ dashed_name: process-responsible-saved-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.responsible.saved_user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ process.responsible.saved_user.risk.calculated_score_norm:
+ dashed_name: process-responsible-saved-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: process.responsible.saved_user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ process.responsible.saved_user.risk.static_level:
+ dashed_name: process-responsible-saved-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.responsible.saved_user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ process.responsible.saved_user.risk.static_score:
+ dashed_name: process-responsible-saved-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.responsible.saved_user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ process.responsible.saved_user.risk.static_score_norm:
+ dashed_name: process-responsible-saved-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.responsible.saved_user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+ process.responsible.saved_user.roles:
+ dashed_name: process-responsible-saved-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.responsible.saved_user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+ process.responsible.start:
+ dashed_name: process-responsible-start
+ description: The time the process started.
+ example: '2016-05-23T08:05:34.853Z'
+ flat_name: process.responsible.start
+ level: extended
+ name: start
+ normalize: []
+ original_fieldset: process
+ short: The time the process started.
+ type: date
+ process.responsible.supplemental_groups.domain:
+ dashed_name: process-responsible-supplemental-groups-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.responsible.supplemental_groups.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.responsible.supplemental_groups.id:
+ dashed_name: process-responsible-supplemental-groups-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.responsible.supplemental_groups.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.responsible.supplemental_groups.name:
+ dashed_name: process-responsible-supplemental-groups-name
+ description: Name of the group.
+ flat_name: process.responsible.supplemental_groups.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.responsible.thread.capabilities.effective:
+ dashed_name: process-responsible-thread-capabilities-effective
+ description: This is the set of capabilities used by the kernel to perform permission
+ checks for the thread.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ flat_name: process.responsible.thread.capabilities.effective
+ ignore_above: 1024
+ level: extended
+ name: thread.capabilities.effective
+ normalize:
+ - array
+ original_fieldset: process
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ short: Array of capabilities used for permission checks.
+ synthetic_source_keep: none
+ type: keyword
+ process.responsible.thread.capabilities.permitted:
+ dashed_name: process-responsible-thread-capabilities-permitted
+ description: This is a limiting superset for the effective capabilities that
+ the thread may assume.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ flat_name: process.responsible.thread.capabilities.permitted
+ ignore_above: 1024
+ level: extended
+ name: thread.capabilities.permitted
+ normalize:
+ - array
+ original_fieldset: process
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ short: Array of capabilities a thread could assume.
+ synthetic_source_keep: none
+ type: keyword
+ process.responsible.thread.id:
+ dashed_name: process-responsible-thread-id
+ description: Thread ID.
+ example: 4242
+ flat_name: process.responsible.thread.id
+ format: string
+ level: extended
+ name: thread.id
+ normalize: []
+ original_fieldset: process
+ short: Thread ID.
+ type: long
+ process.responsible.thread.name:
+ dashed_name: process-responsible-thread-name
+ description: Thread name.
+ example: thread-0
+ flat_name: process.responsible.thread.name
+ ignore_above: 1024
+ level: extended
+ name: thread.name
+ normalize: []
+ original_fieldset: process
+ short: Thread name.
+ type: keyword
+ process.responsible.title:
+ dashed_name: process-responsible-title
+ description: 'Process title.
+
+ The proctitle, some times the same as process name. Can also be different:
+ for example a browser setting its title to the web page currently opened.'
+ flat_name: process.responsible.title
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.responsible.title.text
+ name: text
+ type: match_only_text
+ name: title
+ normalize: []
+ original_fieldset: process
+ short: Process title.
+ type: keyword
+ process.responsible.tty:
+ dashed_name: process-responsible-tty
+ description: Information about the controlling TTY device. If set, the process
+ belongs to an interactive session.
+ flat_name: process.responsible.tty
+ level: extended
+ name: tty
+ normalize: []
+ original_fieldset: process
+ short: Information about the controlling TTY device.
+ type: object
+ process.responsible.tty.char_device.major:
+ dashed_name: process-responsible-tty-char-device-major
+ description: The major number identifies the driver associated with the device.
+ The character device's major and minor numbers can be algorithmically combined
+ to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
+ For more details, please refer to the Linux kernel documentation.
+ example: 4
+ flat_name: process.responsible.tty.char_device.major
+ level: extended
+ name: tty.char_device.major
+ normalize: []
+ original_fieldset: process
+ short: The TTY character device's major number.
+ type: long
+ process.responsible.tty.char_device.minor:
+ dashed_name: process-responsible-tty-char-device-minor
+ description: The minor number is used only by the driver specified by the major
+ number; other parts of the kernel don’t use it, and merely pass it along to
+ the driver. It is common for a driver to control several devices; the minor
+ number provides a way for the driver to differentiate among them.
+ example: 1
+ flat_name: process.responsible.tty.char_device.minor
+ level: extended
+ name: tty.char_device.minor
+ normalize: []
+ original_fieldset: process
+ short: The TTY character device's minor number.
+ type: long
+ process.responsible.tty.columns:
+ dashed_name: process-responsible-tty-columns
+ description: 'The number of character columns per line. e.g terminal width
+
+ Terminal sizes can change, so this value reflects the maximum value for a
+ given IO event. i.e. where event.action = ''text_output'''
+ example: 80
+ flat_name: process.responsible.tty.columns
+ level: extended
+ name: tty.columns
+ normalize: []
+ original_fieldset: process
+ short: The number of character columns per line. e.g terminal width
+ type: long
+ process.responsible.tty.rows:
+ dashed_name: process-responsible-tty-rows
+ description: 'The number of character rows in the terminal. e.g terminal height
+
+ Terminal sizes can change, so this value reflects the maximum value for a
+ given IO event. i.e. where event.action = ''text_output'''
+ example: 24
+ flat_name: process.responsible.tty.rows
+ level: extended
+ name: tty.rows
+ normalize: []
+ original_fieldset: process
+ short: The number of character rows in the terminal. e.g terminal height
+ type: long
+ process.responsible.uptime:
+ dashed_name: process-responsible-uptime
+ description: Seconds the process has been up.
+ example: 1325
+ flat_name: process.responsible.uptime
+ level: extended
+ name: uptime
+ normalize: []
+ original_fieldset: process
+ short: Seconds the process has been up.
+ type: long
+ process.responsible.user.domain:
+ dashed_name: process-responsible-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.responsible.user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+ process.responsible.user.email:
+ dashed_name: process-responsible-user-email
+ description: User email address.
+ flat_name: process.responsible.user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ process.responsible.user.full_name:
+ dashed_name: process-responsible-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.responsible.user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.responsible.user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+ process.responsible.user.group.domain:
+ dashed_name: process-responsible-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.responsible.user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.responsible.user.group.id:
+ dashed_name: process-responsible-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.responsible.user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.responsible.user.group.name:
+ dashed_name: process-responsible-user-group-name
+ description: Name of the group.
+ flat_name: process.responsible.user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.responsible.user.hash:
+ dashed_name: process-responsible-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.responsible.user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+ process.responsible.user.id:
+ dashed_name: process-responsible-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.responsible.user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+ process.responsible.user.name:
+ dashed_name: process-responsible-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.responsible.user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.responsible.user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+ process.responsible.user.risk.calculated_level:
+ dashed_name: process-responsible-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.responsible.user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ process.responsible.user.risk.calculated_score:
+ dashed_name: process-responsible-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.responsible.user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ process.responsible.user.risk.calculated_score_norm:
+ dashed_name: process-responsible-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: process.responsible.user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ process.responsible.user.risk.static_level:
+ dashed_name: process-responsible-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.responsible.user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ process.responsible.user.risk.static_score:
+ dashed_name: process-responsible-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.responsible.user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ process.responsible.user.risk.static_score_norm:
+ dashed_name: process-responsible-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.responsible.user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+ process.responsible.user.roles:
+ dashed_name: process-responsible-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.responsible.user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+ process.responsible.vpid:
+ dashed_name: process-responsible-vpid
+ description: 'Virtual process id.
+
+ The process id within a pid namespace. This is not necessarily unique across
+ all processes on the host but it is unique within the process namespace that
+ the process exists within.'
+ example: 4242
+ flat_name: process.responsible.vpid
+ format: string
+ level: core
+ name: vpid
+ normalize: []
+ original_fieldset: process
+ short: Virtual process id.
+ type: long
+ process.responsible.working_directory:
+ dashed_name: process-responsible-working-directory
+ description: The working directory of the process.
+ example: /home/alice
+ flat_name: process.responsible.working_directory
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.responsible.working_directory.text
+ name: text
+ type: match_only_text
+ name: working_directory
+ normalize: []
+ original_fieldset: process
+ short: The working directory of the process.
+ type: keyword
+ process.same_as_process:
+ dashed_name: process-same-as-process
+ description: 'This boolean is used to identify if a leader process is the same
+ as the top level process.
+
+ For example, if `process.group_leader.same_as_process = true`, it means the
+ process event in question is the leader of its process group. Details under
+ `process.*` like `pid` would be the same under `process.group_leader.*` The
+ same applies for both `process.session_leader` and `process.entry_leader`.
+
+ This field exists to the benefit of EQL and other rule engines since it''s
+ not possible to compare equality between two fields in a single document.
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process
+ is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id`
+ (top level process is the entry session leader)
+
+ Instead these rules could be written like: `process.group_leader.same_as_process:
+ true` OR `process.entry_leader.same_as_process: true`
+
+ Note: This field is only set on `process.entry_leader`, `process.session_leader`
+ and `process.group_leader`.'
+ example: true
+ flat_name: process.same_as_process
+ level: extended
+ name: same_as_process
+ normalize: []
+ short: This boolean is used to identify if a leader process is the same as the
+ top level process.
+ type: boolean
+ process.saved_group.domain:
+ dashed_name: process-saved-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.saved_group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.saved_group.id:
+ dashed_name: process-saved-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.saved_group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.saved_group.name:
+ dashed_name: process-saved-group-name
+ description: Name of the group.
+ flat_name: process.saved_group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.saved_user.domain:
+ dashed_name: process-saved-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.saved_user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+ process.saved_user.email:
+ dashed_name: process-saved-user-email
+ description: User email address.
+ flat_name: process.saved_user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ process.saved_user.full_name:
+ dashed_name: process-saved-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.saved_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.saved_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+ process.saved_user.group.domain:
+ dashed_name: process-saved-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.saved_user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.saved_user.group.id:
+ dashed_name: process-saved-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.saved_user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.saved_user.group.name:
+ dashed_name: process-saved-user-group-name
+ description: Name of the group.
+ flat_name: process.saved_user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.saved_user.hash:
+ dashed_name: process-saved-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.saved_user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+ process.saved_user.id:
+ dashed_name: process-saved-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.saved_user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ otel:
+ - relation: match
+ stability: development
+ short: Unique identifier of the user.
+ type: keyword
+ process.saved_user.name:
+ dashed_name: process-saved-user-name
+ description: Short name or login of the user.
+ example: a.einstein + flat_name: process.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + otel: + - relation: match + stability: development + short: Short name or login of the user. + type: keyword + process.saved_user.risk.calculated_level: + dashed_name: process-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.saved_user.risk.calculated_score: + dashed_name: process-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.saved_user.risk.calculated_score_norm: + dashed_name: process-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.saved_user.risk.static_level: + dashed_name: process-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.saved_user.risk.static_score: + dashed_name: process-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.saved_user.risk.static_score_norm: + dashed_name: process-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.saved_user.roles: + dashed_name: process-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.session_leader.args: + dashed_name: process-session-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.session_leader.args_count: + dashed_name: process-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.session_leader.attested_groups.domain: + dashed_name: process-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.attested_groups.id: + dashed_name: process-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.session_leader.attested_groups.name: + dashed_name: process-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.attested_user.domain: + dashed_name: process-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.attested_user.email: + dashed_name: process-session-leader-attested-user-email + description: User email address. + flat_name: process.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.attested_user.full_name: + dashed_name: process-session-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.attested_user.group.domain: + dashed_name: process-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.attested_user.group.id: + dashed_name: process-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.attested_user.group.name: + dashed_name: process-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.attested_user.hash: + dashed_name: process-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.attested_user.id: + dashed_name: process-session-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.session_leader.attested_user.name: + dashed_name: process-session-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.attested_user.risk.calculated_level: + dashed_name: process-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.attested_user.risk.calculated_score: + dashed_name: process-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.attested_user.risk.static_level: + dashed_name: process-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.attested_user.risk.static_score: + dashed_name: process-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.attested_user.roles: + dashed_name: process-session-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.code_signature.digest_algorithm: + dashed_name: process-session-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.session_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.session_leader.code_signature.exists: + dashed_name: process-session-leader-code-signature-exists + description: Boolean to capture if a signature is present. 
+ example: 'true' + flat_name: process.session_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.session_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.session_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.session_leader.code_signature.signing_id: + dashed_name: process-session-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.session_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.session_leader.code_signature.status: + dashed_name: process-session-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.session_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword + process.session_leader.code_signature.subject_name: + dashed_name: process-session-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.session_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.session_leader.code_signature.team_id: + dashed_name: process-session-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.session_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.session_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.session_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.session_leader.code_signature.timestamp: + dashed_name: process-session-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + flat_name: process.session_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.session_leader.code_signature.trusted: + dashed_name: process-session-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.session_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.session_leader.code_signature.valid: + dashed_name: process-session-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.session_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.session_leader.command_line: + dashed_name: process-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. 
+ type: wildcard + process.session_leader.elf.architecture: + dashed_name: process-session-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.session_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.session_leader.elf.byte_order: + dashed_name: process-session-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.session_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.session_leader.elf.cpu_type: + dashed_name: process-session-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.session_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.session_leader.elf.creation_date: + dashed_name: process-session-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.session_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.session_leader.elf.exports: + dashed_name: process-session-leader-elf-exports + description: List of exported element names and types. + flat_name: process.session_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. 
+ type: flattened + process.session_leader.elf.go_import_hash: + dashed_name: process-session-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.session_leader.elf.go_imports: + dashed_name: process-session-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.session_leader.elf.go_imports_names_entropy: + dashed_name: process-session-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.session_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.elf.go_stripped: + dashed_name: process-session-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.elf.header.abi_version: + dashed_name: process-session-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.session_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.session_leader.elf.header.class: + dashed_name: process-session-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.session_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.session_leader.elf.header.data: + dashed_name: process-session-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.session_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. 
+ type: keyword + process.session_leader.elf.header.entrypoint: + dashed_name: process-session-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.session_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.session_leader.elf.header.object_version: + dashed_name: process-session-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.session_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.session_leader.elf.header.os_abi: + dashed_name: process-session-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.session_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.session_leader.elf.header.type: + dashed_name: process-session-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.session_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.session_leader.elf.header.version: + dashed_name: process-session-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.session_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. 
+ type: keyword + process.session_leader.elf.import_hash: + dashed_name: process-session-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.session_leader.elf.imports: + dashed_name: process-session-leader-elf-imports + description: List of imported element names and types. + flat_name: process.session_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.session_leader.elf.imports_names_entropy: + dashed_name: process-session-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.elf.imports_names_var_entropy: + dashed_name: process-session-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.session_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.elf.sections: + dashed_name: process-session-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.session_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.session_leader.elf.sections.chi2: + dashed_name: process-session-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.session_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.session_leader.elf.sections.entropy: + dashed_name: process-session-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.session_leader.elf.sections.flags: + dashed_name: process-session-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.session_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. 
+ type: keyword + process.session_leader.elf.sections.name: + dashed_name: process-session-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.session_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.session_leader.elf.sections.physical_offset: + dashed_name: process-session-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.session_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.session_leader.elf.sections.physical_size: + dashed_name: process-session-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.session_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.session_leader.elf.sections.type: + dashed_name: process-session-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.session_leader.elf.sections.var_entropy: + dashed_name: process-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. 
+ type: long + process.session_leader.elf.sections.virtual_address: + dashed_name: process-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.session_leader.elf.sections.virtual_size: + dashed_name: process-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.session_leader.elf.segments: + dashed_name: process-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.session_leader.elf.segments.sections: + dashed_name: process-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.session_leader.elf.segments.type: + dashed_name: process-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword + process.session_leader.elf.shared_libraries: + dashed_name: process-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.session_leader.elf.telfhash: + dashed_name: process-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.session_leader.end: + dashed_name: process-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.session_leader.entity_id: + dashed_name: process-session-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.session_leader.entry_meta.source.address: + dashed_name: process-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.session_leader.entry_meta.source.as.number: + dashed_name: process-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.session_leader.entry_meta.source.bytes: + dashed_name: process-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.session_leader.entry_meta.source.domain: + dashed_name: process-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. 
+ example: NA + flat_name: process.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.session_leader.entry_meta.source.geo.location: + dashed_name: process-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point + process.session_leader.entry_meta.source.geo.name: + dashed_name: process-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword + process.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.session_leader.entry_meta.source.ip: + dashed_name: process-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.session_leader.entry_meta.source.mac: + dashed_name: process-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.session_leader.entry_meta.source.nat.ip: + dashed_name: process-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.session_leader.entry_meta.source.nat.port: + dashed_name: process-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.session_leader.entry_meta.source.packets: + dashed_name: process-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.session_leader.entry_meta.source.port: + dashed_name: process-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.session_leader.entry_meta.source.registered_domain: + dashed_name: process-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.session_leader.entry_meta.source.subdomain: + dashed_name: process-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + flat_name: process.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.session_leader.entry_meta.type: + dashed_name: process-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.session_leader.env_vars: + dashed_name: process-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.session_leader.executable: + dashed_name: process-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword + process.session_leader.exit_code: + dashed_name: process-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.session_leader.group.domain: + dashed_name: process-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.group.id: + dashed_name: process-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.group.name: + dashed_name: process-session-leader-group-name + description: Name of the group. + flat_name: process.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.session_leader.hash.md5: + dashed_name: process-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.session_leader.hash.sha1: + dashed_name: process-session-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.session_leader.hash.sha256: + dashed_name: process-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.session_leader.hash.sha384: + dashed_name: process-session-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.session_leader.hash.sha512: + dashed_name: process-session-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.session_leader.hash.ssdeep: + dashed_name: process-session-leader-hash-ssdeep + description: SSDEEP hash. 
+ flat_name: process.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.session_leader.hash.tlsh: + dashed_name: process-session-leader-hash-tlsh + description: TLSH hash. + flat_name: process.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.session_leader.interactive: + dashed_name: process-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.session_leader.io: + dashed_name: process-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. 
+ type: object + process.session_leader.io.bytes_skipped: + dashed_name: process-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.session_leader.io.bytes_skipped.length: + dashed_name: process-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.session_leader.io.bytes_skipped.offset: + dashed_name: process-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. 
+ type: boolean + process.session_leader.io.text: + dashed_name: process-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.session_leader.io.total_bytes_captured: + dashed_name: process-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.session_leader.io.total_bytes_skipped: + dashed_name: process-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.session_leader.io.type: + dashed_name: process-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' 
+ flat_name: process.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.session_leader.macho.go_import_hash: + dashed_name: process-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.session_leader.macho.go_imports: + dashed_name: process-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.session_leader.macho.go_imports_names_entropy: + dashed_name: process-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. 
+ type: long + process.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.macho.go_stripped: + dashed_name: process-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.macho.import_hash: + dashed_name: process-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.macho.imports: + dashed_name: process-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. 
+ type: flattened + process.session_leader.macho.imports_names_entropy: + dashed_name: process-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.macho.imports_names_var_entropy: + dashed_name: process-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.macho.sections: + dashed_name: process-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.session_leader.macho.sections.entropy: + dashed_name: process-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. 
+ type: long + process.session_leader.macho.sections.name: + dashed_name: process-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.session_leader.macho.sections.physical_size: + dashed_name: process-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.session_leader.macho.sections.var_entropy: + dashed_name: process-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.macho.sections.virtual_size: + dashed_name: process-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.session_leader.macho.symhash: + dashed_name: process-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.name: + dashed_name: process-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.session_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword + process.session_leader.parent.args: + dashed_name: process-session-leader-parent-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.session_leader.parent.args_count: + dashed_name: process-session-leader-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.session_leader.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.session_leader.parent.attested_groups.domain: + dashed_name: process-session-leader-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.attested_groups.id: + dashed_name: process-session-leader-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.session_leader.parent.attested_groups.name: + dashed_name: process-session-leader-parent-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.attested_user.domain: + dashed_name: process-session-leader-parent-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.attested_user.email: + dashed_name: process-session-leader-parent-attested-user-email + description: User email address. + flat_name: process.session_leader.parent.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.attested_user.full_name: + dashed_name: process-session-leader-parent-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.attested_user.group.domain: + dashed_name: process-session-leader-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.attested_user.group.id: + dashed_name: process-session-leader-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.attested_user.group.name: + dashed_name: process-session-leader-parent-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.attested_user.hash: + dashed_name: process-session-leader-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.attested_user.id: + dashed_name: process-session-leader-parent-attested-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.session_leader.parent.attested_user.name: + dashed_name: process-session-leader-parent-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.parent.attested_user.risk.calculated_level: + dashed_name: process-session-leader-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.attested_user.risk.calculated_score: + dashed_name: process-session-leader-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.session_leader.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.attested_user.risk.static_level: + dashed_name: process-session-leader-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.attested_user.risk.static_score: + dashed_name: process-session-leader-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.session_leader.parent.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.attested_user.roles: + dashed_name: process-session-leader-parent-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.code_signature.digest_algorithm: + dashed_name: process-session-leader-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.session_leader.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.session_leader.parent.code_signature.exists: + dashed_name: process-session-leader-parent-code-signature-exists + description: Boolean to capture if a signature is present. 
+ example: 'true' + flat_name: process.session_leader.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.session_leader.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.session_leader.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.session_leader.parent.code_signature.signing_id: + dashed_name: process-session-leader-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.session_leader.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.session_leader.parent.code_signature.status: + dashed_name: process-session-leader-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.session_leader.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword + process.session_leader.parent.code_signature.subject_name: + dashed_name: process-session-leader-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.session_leader.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.session_leader.parent.code_signature.team_id: + dashed_name: process-session-leader-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.session_leader.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.session_leader.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.session_leader.parent.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.session_leader.parent.code_signature.timestamp: + dashed_name: process-session-leader-parent-code-signature-timestamp + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + flat_name: process.session_leader.parent.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.session_leader.parent.code_signature.trusted: + dashed_name: process-session-leader-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.session_leader.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.session_leader.parent.code_signature.valid: + dashed_name: process-session-leader-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.session_leader.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.session_leader.parent.command_line: + dashed_name: process-session-leader-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.parent.command_line + level: extended + multi_fields: + - flat_name: process.session_leader.parent.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.session_leader.parent.elf.architecture: + dashed_name: process-session-leader-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.session_leader.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.session_leader.parent.elf.byte_order: + dashed_name: process-session-leader-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.session_leader.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.session_leader.parent.elf.cpu_type: + dashed_name: process-session-leader-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.session_leader.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.session_leader.parent.elf.creation_date: + dashed_name: process-session-leader-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.session_leader.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. 
+ type: date + process.session_leader.parent.elf.exports: + dashed_name: process-session-leader-parent-elf-exports + description: List of exported element names and types. + flat_name: process.session_leader.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.session_leader.parent.elf.go_import_hash: + dashed_name: process-session-leader-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.session_leader.parent.elf.go_imports: + dashed_name: process-session-leader-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.session_leader.parent.elf.go_imports_names_entropy: + dashed_name: process-session-leader-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.session_leader.parent.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.elf.go_stripped: + dashed_name: process-session-leader-parent-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.parent.elf.header.abi_version: + dashed_name: process-session-leader-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.session_leader.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.session_leader.parent.elf.header.class: + dashed_name: process-session-leader-parent-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.session_leader.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.session_leader.parent.elf.header.data: + dashed_name: process-session-leader-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.session_leader.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.session_leader.parent.elf.header.entrypoint: + dashed_name: process-session-leader-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.session_leader.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.session_leader.parent.elf.header.object_version: + dashed_name: process-session-leader-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.session_leader.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.session_leader.parent.elf.header.os_abi: + dashed_name: process-session-leader-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.session_leader.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.session_leader.parent.elf.header.type: + dashed_name: process-session-leader-parent-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.session_leader.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.session_leader.parent.elf.header.version: + dashed_name: process-session-leader-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.session_leader.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.session_leader.parent.elf.import_hash: + dashed_name: process-session-leader-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.session_leader.parent.elf.imports: + dashed_name: process-session-leader-parent-elf-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.session_leader.parent.elf.imports_names_entropy: + dashed_name: process-session-leader-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.session_leader.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.parent.elf.imports_names_var_entropy: + dashed_name: process-session-leader-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.parent.elf.sections: + dashed_name: process-session-leader-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.session_leader.parent.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.session_leader.parent.elf.sections.chi2: + dashed_name: process-session-leader-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.session_leader.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.session_leader.parent.elf.sections.entropy: + dashed_name: process-session-leader-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.session_leader.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.session_leader.parent.elf.sections.flags: + dashed_name: process-session-leader-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.session_leader.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.session_leader.parent.elf.sections.name: + dashed_name: process-session-leader-parent-elf-sections-name + description: ELF Section List name. + flat_name: process.session_leader.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.session_leader.parent.elf.sections.physical_offset: + dashed_name: process-session-leader-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.session_leader.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.session_leader.parent.elf.sections.physical_size: + dashed_name: process-session-leader-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.session_leader.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.session_leader.parent.elf.sections.type: + dashed_name: process-session-leader-parent-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.session_leader.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.session_leader.parent.elf.sections.var_entropy: + dashed_name: process-session-leader-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.parent.elf.sections.virtual_address: + dashed_name: process-session-leader-parent-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.session_leader.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.session_leader.parent.elf.sections.virtual_size: + dashed_name: process-session-leader-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.session_leader.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.session_leader.parent.elf.segments: + dashed_name: process-session-leader-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.session_leader.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. 
+ type: nested + process.session_leader.parent.elf.segments.sections: + dashed_name: process-session-leader-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.session_leader.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.session_leader.parent.elf.segments.type: + dashed_name: process-session-leader-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.session_leader.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.session_leader.parent.elf.shared_libraries: + dashed_name: process-session-leader-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.session_leader.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.session_leader.parent.elf.telfhash: + dashed_name: process-session-leader-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.session_leader.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.session_leader.parent.end: + dashed_name: process-session-leader-parent-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. 
+ type: date + process.session_leader.parent.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.session_leader.parent.entity_id: + dashed_name: process-session-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.session_leader.parent.entry_meta.source.address: + dashed_name: process-session-leader-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' 
+ flat_name: process.session_leader.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.session_leader.parent.entry_meta.source.as.number: + dashed_name: process-session-leader-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.session_leader.parent.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.session_leader.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.session_leader.parent.entry_meta.source.bytes: + dashed_name: process-session-leader-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.session_leader.parent.entry_meta.source.domain: + dashed_name: process-session-leader-parent-entry-meta-source-domain + description: 'The domain name of the source system. 
+ + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.session_leader.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.session_leader.parent.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.session_leader.parent.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.session_leader.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.session_leader.parent.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.session_leader.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. 
+ example: CA + flat_name: process.session_leader.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.session_leader.parent.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.session_leader.parent.entry_meta.source.geo.location: + dashed_name: process-session-leader-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.session_leader.parent.entry_meta.source.geo.name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.session_leader.parent.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.session_leader.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.session_leader.parent.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.session_leader.parent.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.session_leader.parent.entry_meta.source.ip: + dashed_name: process-session-leader-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip + process.session_leader.parent.entry_meta.source.mac: + dashed_name: process-session-leader-parent-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.session_leader.parent.entry_meta.source.nat.ip: + dashed_name: process-session-leader-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.session_leader.parent.entry_meta.source.nat.port: + dashed_name: process-session-leader-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.session_leader.parent.entry_meta.source.packets: + dashed_name: process-session-leader-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. 
+ example: 12 + flat_name: process.session_leader.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.session_leader.parent.entry_meta.source.port: + dashed_name: process-session-leader-parent-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.session_leader.parent.entry_meta.source.registered_domain: + dashed_name: process-session-leader-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.session_leader.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.session_leader.parent.entry_meta.source.subdomain: + dashed_name: process-session-leader-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.session_leader.parent.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.session_leader.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.session_leader.parent.entry_meta.type: + dashed_name: process-session-leader-parent-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.session_leader.parent.env_vars: + dashed_name: process-session-leader-parent-env-vars + description: 'Array of environment variable bindings. 
Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.executable: + dashed_name: process-session-leader-parent-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.parent.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.session_leader.parent.exit_code: + dashed_name: process-session-leader-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.session_leader.parent.group.domain: + dashed_name: process-session-leader-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.session_leader.parent.group.id: + dashed_name: process-session-leader-parent-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.group.name: + dashed_name: process-session-leader-parent-group-name + description: Name of the group. + flat_name: process.session_leader.parent.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.session_leader.parent.hash.md5: + dashed_name: process-session-leader-parent-hash-md5 + description: MD5 hash. + flat_name: process.session_leader.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.session_leader.parent.hash.sha1: + dashed_name: process-session-leader-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.parent.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. 
+ type: keyword + process.session_leader.parent.hash.sha256: + dashed_name: process-session-leader-parent-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.session_leader.parent.hash.sha384: + dashed_name: process-session-leader-parent-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.parent.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.session_leader.parent.hash.sha512: + dashed_name: process-session-leader-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.session_leader.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.session_leader.parent.hash.ssdeep: + dashed_name: process-session-leader-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.session_leader.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.session_leader.parent.hash.tlsh: + dashed_name: process-session-leader-parent-hash-tlsh + description: TLSH hash. + flat_name: process.session_leader.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.session_leader.parent.interactive: + dashed_name: process-session-leader-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.session_leader.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.session_leader.parent.io: + dashed_name: process-session-leader-parent-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.parent.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.session_leader.parent.io.bytes_skipped: + dashed_name: process-session-leader-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.session_leader.parent.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.session_leader.parent.io.bytes_skipped.length: + dashed_name: process-session-leader-parent-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long + process.session_leader.parent.io.bytes_skipped.offset: + dashed_name: process-session-leader-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.session_leader.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.session_leader.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.session_leader.parent.io.text: + dashed_name: process-session-leader-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.session_leader.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard + process.session_leader.parent.io.total_bytes_captured: + dashed_name: process-session-leader-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.session_leader.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.session_leader.parent.io.total_bytes_skipped: + dashed_name: process-session-leader-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.session_leader.parent.io.type: + dashed_name: process-session-leader-parent-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.session_leader.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.session_leader.parent.macho.go_import_hash: + dashed_name: process-session-leader-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.session_leader.parent.macho.go_imports: + dashed_name: process-session-leader-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.session_leader.parent.macho.go_imports_names_entropy: + dashed_name: process-session-leader-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.session_leader.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.macho.go_stripped: + dashed_name: process-session-leader-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.parent.macho.import_hash: + dashed_name: process-session-leader-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.parent.macho.imports: + dashed_name: process-session-leader-parent-macho-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. 
+ type: flattened + process.session_leader.parent.macho.imports_names_entropy: + dashed_name: process-session-leader-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.parent.macho.imports_names_var_entropy: + dashed_name: process-session-leader-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.parent.macho.sections: + dashed_name: process-session-leader-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.session_leader.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.session_leader.parent.macho.sections.entropy: + dashed_name: process-session-leader-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.session_leader.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.session_leader.parent.macho.sections.name: + dashed_name: process-session-leader-parent-macho-sections-name + description: Mach-O Section List name. + flat_name: process.session_leader.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.session_leader.parent.macho.sections.physical_size: + dashed_name: process-session-leader-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.session_leader.parent.macho.sections.var_entropy: + dashed_name: process-session-leader-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.parent.macho.sections.virtual_size: + dashed_name: process-session-leader-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ type: long + process.session_leader.parent.macho.symhash: + dashed_name: process-session-leader-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.parent.macho.symhash ignore_above: 1024 - level: core + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.parent.name: + dashed_name: process-session-leader-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.parent.name + ignore_above: 1024 + level: extended multi_fields: - - flat_name: process.entry_leader.real_user.name.text + - flat_name: process.session_leader.parent.name.text name: text type: match_only_text name: name normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: process + short: Process name. type: keyword - process.entry_leader.same_as_process: - dashed_name: process-entry-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.same_as_process + process.session_leader.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.session_leader.parent.origin_referrer_url + ignore_above: 8192 level: extended - name: same_as_process + name: origin_referrer_url normalize: [] original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.entry_leader.saved_group.id: - dashed_name: process-entry-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_group.id - ignore_above: 1024 + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.session_leader.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.parent.origin_url + ignore_above: 8192 level: extended - name: id + name: origin_url normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
+ original_fieldset: process + short: The URL where the process's executable file is hosted. type: keyword - process.entry_leader.saved_group.name: - dashed_name: process-entry-leader-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.saved_group.name + process.session_leader.parent.pe.architecture: + dashed_name: process-session-leader-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.session_leader.parent.pe.architecture ignore_above: 1024 level: extended - name: name + name: architecture normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: pe + short: CPU architecture target for the file. type: keyword - process.entry_leader.saved_user.id: - dashed_name: process-entry-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.saved_user.id + process.session_leader.parent.pe.company: + dashed_name: process-session-leader-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.session_leader.parent.pe.company ignore_above: 1024 - level: core - name: id + level: extended + name: company normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. type: keyword - process.entry_leader.saved_user.name: - dashed_name: process-entry-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.saved_user.name + process.session_leader.parent.pe.description: + dashed_name: process-session-leader-parent-pe-description + description: Internal description of the file, provided at compile-time. 
+ example: Paint + flat_name: process.session_leader.parent.pe.description ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.start: - dashed_name: process-entry-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.start level: extended - name: start + name: description normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.entry_leader.supplemental_groups.id: - dashed_name: process-entry-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.supplemental_groups.id + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.session_leader.parent.pe.file_version: + dashed_name: process-session-leader-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.session_leader.parent.pe.file_version ignore_above: 1024 level: extended - name: id + name: file_version normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: pe + short: Process name. type: keyword - process.entry_leader.supplemental_groups.name: - dashed_name: process-entry-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.supplemental_groups.name + process.session_leader.parent.pe.go_import_hash: + dashed_name: process-session-leader-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.pe.go_import_hash ignore_above: 1024 level: extended - name: name + name: go_import_hash normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: pe + short: A hash of the Go language imports in a PE file. type: keyword - process.entry_leader.tty: - dashed_name: process-entry-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.entry_leader.tty + process.session_leader.parent.pe.go_imports: + dashed_name: process-session-leader-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.pe.go_imports level: extended - name: tty + name: go_imports normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.entry_leader.tty.char_device.major: - dashed_name: process-entry-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.tty.char_device.major + original_fieldset: pe + short: List of imported Go language element names and types. 
+ type: flattened + process.session_leader.parent.pe.go_imports_names_entropy: + dashed_name: process-session-leader-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.pe.go_imports_names_entropy + format: number level: extended - name: tty.char_device.major + name: go_imports_names_entropy normalize: [] - original_fieldset: process - short: The TTY character device's major number. + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.tty.char_device.minor: - dashed_name: process-entry-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.tty.char_device.minor + process.session_leader.parent.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.pe.go_imports_names_var_entropy + format: number level: extended - name: tty.char_device.minor + name: go_imports_names_var_entropy normalize: [] - original_fieldset: process - short: The TTY character device's minor number. + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.user.id: - dashed_name: process-entry-leader-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.user.id - ignore_above: 1024 - level: core - name: id + process.session_leader.parent.pe.go_stripped: + dashed_name: process-session-leader-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.pe.go_stripped + level: extended + name: go_stripped normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.user.name: - dashed_name: process-entry-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.user.name + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.parent.pe.imphash: + dashed_name: process-session-leader-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.session_leader.parent.pe.imphash ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.name.text - name: text - type: match_only_text - name: name + level: extended + name: imphash normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword - process.entry_leader.vpid: - dashed_name: process-entry-leader-vpid - description: 'Virtual process id. 
+ process.session_leader.parent.pe.import_hash: + dashed_name: process-session-leader-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.working_directory: - dashed_name: process-entry-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.working_directory + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.pe.import_hash ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.working_directory.text - name: text - type: match_only_text - name: working_directory + name: import_hash normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword - process.env_vars: - dashed_name: process-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.env_vars - ignore_above: 1024 + process.session_leader.parent.pe.imports: + dashed_name: process-session-leader-parent-pe-imports + description: List of imported element names and types. 
+ flat_name: process.session_leader.parent.pe.imports level: extended - name: env_vars + name: imports normalize: - array - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.executable: - dashed_name: process-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.executable - ignore_above: 1024 + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.session_leader.parent.pe.imports_names_entropy: + dashed_name: process-session-leader-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.pe.imports_names_entropy + format: number level: extended - multi_fields: - - flat_name: process.executable.text - name: text - type: match_only_text - name: executable + name: imports_names_entropy normalize: [] - otel: - - attribute: process.executable.path - relation: equivalent - stability: development - short: Absolute path to the process executable. - type: keyword - process.exit_code: - dashed_name: process-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.exit_code + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.parent.pe.imports_names_var_entropy: + dashed_name: process-session-leader-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.pe.imports_names_var_entropy + format: number level: extended - name: exit_code + name: imports_names_var_entropy normalize: [] - short: The exit code of the process. 
+ original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. type: long - process.group.id: - dashed_name: process-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group.id + process.session_leader.parent.pe.original_file_name: + dashed_name: process-session-leader-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.session_leader.parent.pe.original_file_name ignore_above: 1024 level: extended - name: id + name: original_file_name normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: pe + short: Internal name of the file, provided at compile-time. type: keyword - process.group.name: - dashed_name: process-group-name - description: Name of the group. - flat_name: process.group.name + process.session_leader.parent.pe.pehash: + dashed_name: process-session-leader-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.session_leader.parent.pe.pehash ignore_above: 1024 level: extended - name: name + name: pehash normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. type: keyword - process.group_leader.args: - dashed_name: process-group-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.group_leader.args + process.session_leader.parent.pe.product: + dashed_name: process-session-leader-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.session_leader.parent.pe.product ignore_above: 1024 level: extended - name: args + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.session_leader.parent.pe.sections: + dashed_name: process-session-leader-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.session_leader.parent.pe.sections + level: extended + name: sections normalize: - array - original_fieldset: process - short: Array of process arguments. + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.session_leader.parent.pe.sections.entropy: + dashed_name: process-session-leader-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.session_leader.parent.pe.sections.name: + dashed_name: process-session-leader-parent-pe-sections-name + description: PE Section List name. + flat_name: process.session_leader.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
type: keyword - process.group_leader.args_count: - dashed_name: process-group-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.group_leader.args_count + process.session_leader.parent.pe.sections.physical_size: + dashed_name: process-session-leader-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.session_leader.parent.pe.sections.physical_size + format: bytes level: extended - name: args_count + name: sections.physical_size normalize: [] - original_fieldset: process - short: Length of the process.args array. + original_fieldset: pe + short: PE Section List physical size. type: long - process.group_leader.command_line: - dashed_name: process-group-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.group_leader.command_line + process.session_leader.parent.pe.sections.var_entropy: + dashed_name: process-session-leader-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.pe.sections.var_entropy + format: number level: extended - multi_fields: - - flat_name: process.group_leader.command_line.text - name: text - type: match_only_text - name: command_line + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. 
+ type: long + process.session_leader.parent.pe.sections.virtual_size: + dashed_name: process-session-leader-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.session_leader.parent.pid: + dashed_name: process-session-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.pid + format: string + level: core + name: pid normalize: [] original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.group_leader.entity_id: - dashed_name: process-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.group_leader.entity_id - ignore_above: 1024 + short: Process id. + type: long + process.session_leader.parent.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.session_leader.parent.platform_binary level: extended - name: entity_id + name: platform_binary normalize: [] original_fieldset: process - short: Unique identifier for the process. 
- type: keyword - process.group_leader.executable: - dashed_name: process-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.group_leader.executable + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.session_leader.parent.real_group.domain: + dashed_name: process-session-leader-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.real_group.domain ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.group_leader.executable.text - name: text - type: match_only_text - name: executable + name: domain normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword - process.group_leader.group.id: - dashed_name: process-group-leader-group-id + process.session_leader.parent.real_group.id: + dashed_name: process-session-leader-parent-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.group.id + flat_name: process.session_leader.parent.real_group.id ignore_above: 1024 level: extended name: id @@ -12802,10 +43194,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.group_leader.group.name: - dashed_name: process-group-leader-group-name + process.session_leader.parent.real_group.name: + dashed_name: process-session-leader-parent-real-group-name description: Name of the group. - flat_name: process.group_leader.group.name + flat_name: process.session_leader.parent.real_group.name ignore_above: 1024 level: extended name: name 
@@ -12813,64 +43205,63 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.group_leader.interactive: - dashed_name: process-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. + process.session_leader.parent.real_user.domain: + dashed_name: process-session-leader-parent-real-user-domain + description: 'Name of the directory the user is a member of. - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.group_leader.interactive + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.real_user.domain + ignore_above: 1024 level: extended - name: interactive + name: domain normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.group_leader.name: - dashed_name: process-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.group_leader.name + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.real_user.email: + dashed_name: process-session-leader-parent-real-user-email + description: User email address. + flat_name: process.session_leader.parent.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword + process.session_leader.parent.real_user.full_name: + dashed_name: process-session-leader-parent-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.real_user.full_name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.group_leader.name.text + - flat_name: process.session_leader.parent.real_user.full_name.text name: text type: match_only_text - name: name + name: full_name normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: user + short: User's full name, if available. type: keyword - process.group_leader.pid: - dashed_name: process-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.group_leader.pid - format: string - level: core - name: pid + process.session_leader.parent.real_user.group.domain: + dashed_name: process-session-leader-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain normalize: [] - original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. - type: long - process.group_leader.real_group.id: - dashed_name: process-group-leader-real-group-id + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.real_user.group.id: + dashed_name: process-session-leader-parent-real-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.real_group.id + flat_name: process.session_leader.parent.real_user.group.id ignore_above: 1024 level: extended name: id 
@@ -12878,10 +43269,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.group_leader.real_group.name: - dashed_name: process-group-leader-real-group-name + process.session_leader.parent.real_user.group.name: + dashed_name: process-session-leader-parent-real-user-group-name description: Name of the group. - flat_name: process.group_leader.real_group.name + flat_name: process.session_leader.parent.real_user.group.name ignore_above: 1024 level: extended name: name @@ -12889,11 +43280,26 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.group_leader.real_user.id: - dashed_name: process-group-leader-real-user-id + process.session_leader.parent.real_user.hash: + dashed_name: process-session-leader-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.real_user.id: + dashed_name: process-session-leader-parent-real-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.real_user.id + flat_name: process.session_leader.parent.real_user.id ignore_above: 1024 level: core name: id 
@@ -12901,15 +43307,15 @@ process: original_fieldset: user short: Unique identifier of the user. type: keyword - process.group_leader.real_user.name: - dashed_name: process-group-leader-real-user-name + process.session_leader.parent.real_user.name: + dashed_name: process-session-leader-parent-real-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.group_leader.real_user.name + flat_name: process.session_leader.parent.real_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.group_leader.real_user.name.text + - flat_name: process.session_leader.parent.real_user.name.text name: text type: match_only_text name: name 
@@ -12917,8 +43323,102 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.group_leader.same_as_process: - dashed_name: process-group-leader-same-as-process + process.session_leader.parent.real_user.risk.calculated_level: + dashed_name: process-session-leader-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.real_user.risk.calculated_score: + dashed_name: process-session-leader-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.parent.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.session_leader.parent.real_user.risk.static_level: + dashed_name: process-session-leader-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.real_user.risk.static_score: + dashed_name: process-session-leader-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.parent.real_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.real_user.roles: + dashed_name: process-session-leader-parent-real-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.same_as_process: + dashed_name: process-session-leader-parent-same-as-process description: 'This boolean is used to identify if a leader process is the same as the top level process. @@ -12939,7 +43439,7 @@ process: Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.' example: true - flat_name: process.group_leader.same_as_process + flat_name: process.session_leader.parent.same_as_process level: extended name: same_as_process normalize: [] @@ -12947,10 +43447,23 @@ process: short: This boolean is used to identify if a leader process is the same as the top level process. type: boolean - process.group_leader.saved_group.id: - dashed_name: process-group-leader-saved-group-id + process.session_leader.parent.saved_group.domain: + dashed_name: process-session-leader-parent-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.saved_group.id: + dashed_name: process-session-leader-parent-saved-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.saved_group.id + flat_name: process.session_leader.parent.saved_group.id ignore_above: 1024 level: extended name: id 
@@ -12958,10 +43471,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.group_leader.saved_group.name: - dashed_name: process-group-leader-saved-group-name + process.session_leader.parent.saved_group.name: + dashed_name: process-session-leader-parent-saved-group-name description: Name of the group. - flat_name: process.group_leader.saved_group.name + flat_name: process.session_leader.parent.saved_group.name ignore_above: 1024 level: extended name: name 
@@ -12969,49 +43482,63 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.group_leader.saved_user.id: - dashed_name: process-group-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.saved_user.id + process.session_leader.parent.saved_user.domain: + dashed_name: process-session-leader-parent-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.saved_user.domain ignore_above: 1024 - level: core - name: id + level: extended + name: domain normalize: [] original_fieldset: user - short: Unique identifier of the user. + short: Name of the directory the user is a member of. type: keyword - process.group_leader.saved_user.name: - dashed_name: process-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.saved_user.name + process.session_leader.parent.saved_user.email: + dashed_name: process-session-leader-parent-saved-user-email + description: User email address. + flat_name: process.session_leader.parent.saved_user.email ignore_above: 1024 - level: core + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.saved_user.full_name: + dashed_name: process-session-leader-parent-saved-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.session_leader.parent.saved_user.full_name + ignore_above: 1024 + level: extended multi_fields: - - flat_name: process.group_leader.saved_user.name.text + - flat_name: process.session_leader.parent.saved_user.full_name.text name: text type: match_only_text - name: name + name: full_name normalize: [] original_fieldset: user - short: Short name or login of the user. + short: User's full name, if available. type: keyword - process.group_leader.start: - dashed_name: process-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.start + process.session_leader.parent.saved_user.group.domain: + dashed_name: process-session-leader-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.saved_user.group.domain + ignore_above: 1024 level: extended - name: start + name: domain normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.group_leader.supplemental_groups.id: - dashed_name: process-group-leader-supplemental-groups-id + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.saved_user.group.id: + dashed_name: process-session-leader-parent-saved-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.supplemental_groups.id + flat_name: process.session_leader.parent.saved_user.group.id ignore_above: 1024 level: extended name: id 
@@ -13019,10 +43546,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.group_leader.supplemental_groups.name: - dashed_name: process-group-leader-supplemental-groups-name + process.session_leader.parent.saved_user.group.name: + dashed_name: process-session-leader-parent-saved-user-group-name description: Name of the group. - flat_name: process.group_leader.supplemental_groups.name + flat_name: process.session_leader.parent.saved_user.group.name ignore_above: 1024 level: extended name: name 
@@ -13030,50 +43557,26 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.group_leader.tty: - dashed_name: process-group-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.group_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.group_leader.tty.char_device.major: - dashed_name: process-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.group_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.group_leader.tty.char_device.minor: - dashed_name: process-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.group_leader.tty.char_device.minor + process.session_leader.parent.saved_user.hash: + dashed_name: process-session-leader-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.session_leader.parent.saved_user.hash + ignore_above: 1024 level: extended - name: tty.char_device.minor + name: hash normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.group_leader.user.id: - dashed_name: process-group-leader-user-id + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.saved_user.id: + dashed_name: process-session-leader-parent-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.user.id + flat_name: process.session_leader.parent.saved_user.id ignore_above: 1024 level: core name: id @@ -13081,15 +43584,15 @@ process: original_fieldset: user short: Unique identifier of the user. type: keyword - process.group_leader.user.name: - dashed_name: process-group-leader-user-name + process.session_leader.parent.saved_user.name: + dashed_name: process-session-leader-parent-saved-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.group_leader.user.name + flat_name: process.session_leader.parent.saved_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.group_leader.user.name.text + - flat_name: process.session_leader.parent.saved_user.name.text name: text type: match_only_text name: name 
@@ -13097,512 +43600,386 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.group_leader.vpid: - dashed_name: process-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.group_leader.working_directory: - dashed_name: process-group-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.group_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.hash.md5: - dashed_name: process-hash-md5 - description: MD5 hash. - flat_name: process.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.hash.sha1: - dashed_name: process-hash-sha1 - description: SHA1 hash. 
- flat_name: process.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.hash.sha256: - dashed_name: process-hash-sha256 - description: SHA256 hash. - flat_name: process.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.hash.sha384: - dashed_name: process-hash-sha384 - description: SHA384 hash. - flat_name: process.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.hash.sha512: - dashed_name: process-hash-sha512 - description: SHA512 hash. - flat_name: process.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.hash.ssdeep: - dashed_name: process-hash-ssdeep - description: SSDEEP hash. - flat_name: process.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.hash.tlsh: - dashed_name: process-hash-tlsh - description: TLSH hash. - flat_name: process.hash.tlsh + process.session_leader.parent.saved_user.risk.calculated_level: + dashed_name: process-session-leader-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.saved_user.risk.calculated_level ignore_above: 1024 level: extended - name: tlsh + name: calculated_level normalize: [] - original_fieldset: hash - short: TLSH hash. + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
type: keyword - process.interactive: - dashed_name: process-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.interactive - level: extended - name: interactive - normalize: [] - otel: - - relation: match - stability: development - short: Whether the process is connected to an interactive shell. - type: boolean - process.io: - dashed_name: process-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.io - level: extended - name: io - normalize: [] - short: A chunk of input or output (IO) from a single process. - type: object - process.io.bytes_skipped: - dashed_name: process-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.io.bytes_skipped.length: - dashed_name: process-io-bytes-skipped-length - description: The length of bytes skipped. 
- flat_name: process.io.bytes_skipped.length + process.session_leader.parent.saved_user.risk.calculated_score: + dashed_name: process-session-leader-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.saved_user.risk.calculated_score level: extended - name: io.bytes_skipped.length + name: calculated_score normalize: [] - short: The length of bytes skipped. - type: long - process.io.bytes_skipped.offset: - dashed_name: process-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.io.bytes_skipped.offset + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.saved_user.risk.calculated_score_norm level: extended - name: io.bytes_skipped.offset + name: calculated_score_norm normalize: [] - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.io.max_bytes_per_process_exceeded: - dashed_name: process-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.io.max_bytes_per_process_exceeded + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.session_leader.parent.saved_user.risk.static_level: + dashed_name: process-session-leader-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.saved_user.risk.static_level + ignore_above: 1024 level: extended - name: io.max_bytes_per_process_exceeded + name: static_level normalize: [] - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.io.text: - dashed_name: process-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.io.text + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.saved_user.risk.static_score: + dashed_name: process-session-leader-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.saved_user.risk.static_score level: extended - name: io.text + name: static_score normalize: [] - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.io.total_bytes_captured: - dashed_name: process-io-total-bytes-captured - description: The total number of bytes captured in this event. 
- flat_name: process.io.total_bytes_captured + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.parent.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.saved_user.risk.static_score_norm level: extended - name: io.total_bytes_captured + name: static_score_norm normalize: [] - short: The total number of bytes captured in this event. - type: long - process.io.total_bytes_skipped: - dashed_name: process-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.io.total_bytes_skipped + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.saved_user.roles: + dashed_name: process-session-leader-parent-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.saved_user.roles + ignore_above: 1024 level: extended - name: io.total_bytes_skipped + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.args: + dashed_name: process-session-leader-parent-session-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.parent.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.session_leader.parent.session_leader.args_count: + dashed_name: process-session-leader-parent-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.session_leader.parent.session_leader.args_count + level: extended + name: args_count normalize: [] - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. + original_fieldset: process + short: Length of the process.args array. type: long - process.io.type: - dashed_name: process-io-type - description: 'The type of object on which the IO action (read or write) was - taken. + process.session_leader.parent.session_leader.attested_groups.domain: + dashed_name: process-session-leader-parent-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.io.type + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.attested_groups.domain ignore_above: 1024 level: extended - name: io.type + name: domain normalize: [] - short: The type of object on which the IO action (read or write) was taken. + original_fieldset: group + short: Name of the directory the group is a member of. 
type: keyword - process.macho.go_import_hash: - dashed_name: process-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.macho.go_import_hash + process.session_leader.parent.session_leader.attested_groups.id: + dashed_name: process-session-leader-parent-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.attested_groups.id ignore_above: 1024 level: extended - name: go_import_hash + name: id normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.macho.go_imports: - dashed_name: process-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.macho.go_imports + process.session_leader.parent.session_leader.attested_groups.name: + dashed_name: process-session-leader-parent-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.attested_groups.name + ignore_above: 1024 level: extended - name: go_imports + name: name normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.macho.go_imports_names_entropy: - dashed_name: process-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.macho.go_imports_names_entropy - format: number + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.attested_user.domain: + dashed_name: process-session-leader-parent-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.attested_user.domain + ignore_above: 1024 level: extended - name: go_imports_names_entropy + name: domain normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.macho.go_imports_names_var_entropy: - dashed_name: process-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_var_entropy - format: number + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.session_leader.attested_user.email: + dashed_name: process-session-leader-parent-session-leader-attested-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.attested_user.email + ignore_above: 1024 level: extended - name: go_imports_names_var_entropy + name: email normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.macho.go_stripped: - dashed_name: process-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.macho.go_stripped + original_fieldset: user + short: User email address. 
+ type: keyword + process.session_leader.parent.session_leader.attested_user.full_name: + dashed_name: process-session-leader-parent-session-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.attested_user.full_name + ignore_above: 1024 level: extended - name: go_stripped + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.macho.import_hash: - dashed_name: process-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.session_leader.attested_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.macho.import_hash + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.attested_user.group.domain ignore_above: 1024 level: extended - name: import_hash + name: domain normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword - process.macho.imports: - dashed_name: process-macho-imports - description: List of imported element names and types. 
- flat_name: process.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.macho.imports_names_entropy: - dashed_name: process-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.macho.imports_names_entropy - format: number + process.session_leader.parent.session_leader.attested_user.group.id: + dashed_name: process-session-leader-parent-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.attested_user.group.id + ignore_above: 1024 level: extended - name: imports_names_entropy + name: id normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.macho.imports_names_var_entropy: - dashed_name: process-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.macho.imports_names_var_entropy - format: number + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.attested_user.group.name: + dashed_name: process-session-leader-parent-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.attested_user.group.name + ignore_above: 1024 level: extended - name: imports_names_var_entropy + name: name normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. 
- type: long - process.macho.sections: - dashed_name: process-macho-sections - description: 'An array containing an object for each section of the Mach-O file. + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.attested_user.hash: + dashed_name: process-session-leader-parent-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.macho.sections.entropy: - dashed_name: process-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.macho.sections.entropy - format: number + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.attested_user.hash + ignore_above: 1024 level: extended - name: sections.entropy + name: hash normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.macho.sections.name: - dashed_name: process-macho-sections-name - description: Mach-O Section List name. - flat_name: process.macho.sections.name + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.session_leader.attested_user.id: + dashed_name: process-session-leader-parent-session-leader-attested-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.attested_user.id ignore_above: 1024 - level: extended - name: sections.name + level: core + name: id normalize: [] - original_fieldset: macho - short: Mach-O Section List name. + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.macho.sections.physical_size: - dashed_name: process-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.macho.sections.physical_size - format: bytes + process.session_leader.parent.session_leader.attested_user.name: + dashed_name: process-session-leader-parent-session-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.parent.session_leader.attested_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 level: extended - name: sections.physical_size + name: calculated_level normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.macho.sections.var_entropy: - dashed_name: process-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. 
- flat_name: process.macho.sections.var_entropy - format: number + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.session_leader.attested_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score level: extended - name: sections.var_entropy + name: calculated_score normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.macho.sections.virtual_size: - dashed_name: process-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.macho.sections.virtual_size - format: string + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm level: extended - name: sections.virtual_size + name: calculated_score_norm normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
- type: long - process.macho.symhash: - dashed_name: process-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.macho.symhash + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.session_leader.attested_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_level ignore_above: 1024 level: extended - name: symhash + name: static_level normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. type: keyword - process.name: - dashed_name: process-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.name - ignore_above: 1024 + process.session_leader.parent.session_leader.attested_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score level: extended - multi_fields: - - flat_name: process.name.text - name: text - type: match_only_text - name: name + name: static_score normalize: [] - short: Process name. - type: keyword - process.parent.args: - dashed_name: process-parent-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.args + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.parent.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.session_leader.attested_user.roles: + dashed_name: process-session-leader-parent-session-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.attested_user.roles ignore_above: 1024 level: extended - name: args + name: roles normalize: - array - original_fieldset: process - short: Array of process arguments. + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none type: keyword - process.parent.args_count: - dashed_name: process-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.parent.code_signature.digest_algorithm: - dashed_name: process-parent-code-signature-digest-algorithm + process.session_leader.parent.session_leader.code_signature.digest_algorithm: + dashed_name: process-session-leader-parent-session-leader-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.' example: sha256 - flat_name: process.parent.code_signature.digest_algorithm + flat_name: process.session_leader.parent.session_leader.code_signature.digest_algorithm ignore_above: 1024 level: extended name: digest_algorithm 
@@ -13610,23 +43987,23 @@ process: original_fieldset: code_signature short: Hashing algorithm used to sign the process. type: keyword - process.parent.code_signature.exists: - dashed_name: process-parent-code-signature-exists + process.session_leader.parent.session_leader.code_signature.exists: + dashed_name: process-session-leader-parent-session-leader-code-signature-exists description: Boolean to capture if a signature is present. example: 'true' - flat_name: process.parent.code_signature.exists + flat_name: process.session_leader.parent.session_leader.code_signature.exists level: core name: exists normalize: [] original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean - process.parent.code_signature.flags: + process.session_leader.parent.session_leader.code_signature.flags: beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-flags + dashed_name: process-session-leader-parent-session-leader-code-signature-flags description: The flags used to sign the process. example: 570522385 - flat_name: process.parent.code_signature.flags + flat_name: process.session_leader.parent.session_leader.code_signature.flags ignore_above: 1024 level: extended name: flags 
@@ -13634,14 +44011,14 @@ process: original_fieldset: code_signature short: Code signing flags of the process type: keyword - process.parent.code_signature.signing_id: - dashed_name: process-parent-code-signature-signing-id + process.session_leader.parent.session_leader.code_signature.signing_id: + dashed_name: process-session-leader-parent-session-leader-code-signature-signing-id description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy - flat_name: process.parent.code_signature.signing_id + flat_name: process.session_leader.parent.session_leader.code_signature.signing_id ignore_above: 1024 level: extended name: signing_id @@ -13649,15 +44026,15 @@ process: original_fieldset: code_signature short: The identifier used to sign the process. type: keyword - process.parent.code_signature.status: - dashed_name: process-parent-code-signature-status + process.session_leader.parent.session_leader.code_signature.status: + dashed_name: process-session-leader-parent-session-leader-code-signature-status description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.code_signature.status + flat_name: process.session_leader.parent.session_leader.code_signature.status ignore_above: 1024 level: extended name: status 
@@ -13665,11 +44042,11 @@ process: original_fieldset: code_signature short: Additional information about the certificate status. type: keyword - process.parent.code_signature.subject_name: - dashed_name: process-parent-code-signature-subject-name + process.session_leader.parent.session_leader.code_signature.subject_name: + dashed_name: process-session-leader-parent-session-leader-code-signature-subject-name description: Subject name of the code signer example: Microsoft Corporation - flat_name: process.parent.code_signature.subject_name + flat_name: process.session_leader.parent.session_leader.code_signature.subject_name ignore_above: 1024 level: core name: subject_name @@ -13677,14 +44054,14 @@ process: original_fieldset: code_signature short: Subject name of the code signer type: keyword - process.parent.code_signature.team_id: - dashed_name: process-parent-code-signature-team-id + process.session_leader.parent.session_leader.code_signature.team_id: + dashed_name: process-session-leader-parent-session-leader-code-signature-team-id description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV - flat_name: process.parent.code_signature.team_id + flat_name: process.session_leader.parent.session_leader.code_signature.team_id ignore_above: 1024 level: extended name: team_id 
@@ -13692,12 +44069,12 @@ process: original_fieldset: code_signature short: The team identifier used to sign the process. type: keyword - process.parent.code_signature.thumbprint_sha256: + process.session_leader.parent.session_leader.code_signature.thumbprint_sha256: beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-thumbprint-sha256 + dashed_name: process-session-leader-parent-session-leader-code-signature-thumbprint-sha256 description: Certificate SHA256 hash that uniquely identifies the code signer. example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.code_signature.thumbprint_sha256 + flat_name: process.session_leader.parent.session_leader.code_signature.thumbprint_sha256 ignore_above: 64 level: extended name: thumbprint_sha256 
@@ -13706,39 +44083,39 @@ process: pattern: ^[0-9a-f]{64}$ short: SHA256 hash of the certificate. type: keyword - process.parent.code_signature.timestamp: - dashed_name: process-parent-code-signature-timestamp + process.session_leader.parent.session_leader.code_signature.timestamp: + dashed_name: process-session-leader-parent-session-leader-code-signature-timestamp description: Date and time when the code signature was generated and signed. example: '2021-01-01T12:10:30Z' - flat_name: process.parent.code_signature.timestamp + flat_name: process.session_leader.parent.session_leader.code_signature.timestamp level: extended name: timestamp normalize: [] original_fieldset: code_signature short: When the signature was generated and signed. type: date - process.parent.code_signature.trusted: - dashed_name: process-parent-code-signature-trusted + process.session_leader.parent.session_leader.code_signature.trusted: + dashed_name: process-session-leader-parent-session-leader-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' - flat_name: process.parent.code_signature.trusted + flat_name: process.session_leader.parent.session_leader.code_signature.trusted level: extended name: trusted normalize: [] original_fieldset: code_signature short: Stores the trust status of the certificate chain. type: boolean - process.parent.code_signature.valid: - dashed_name: process-parent-code-signature-valid + process.session_leader.parent.session_leader.code_signature.valid: + dashed_name: process-session-leader-parent-session-leader-code-signature-valid description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' 
example: 'true' - flat_name: process.parent.code_signature.valid + flat_name: process.session_leader.parent.session_leader.code_signature.valid level: extended name: valid normalize: [] @@ -13746,17 +44123,17 @@ process: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean - process.parent.command_line: - dashed_name: process-parent-command-line + process.session_leader.parent.session_leader.command_line: + dashed_name: process-session-leader-parent-session-leader-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.command_line + flat_name: process.session_leader.parent.session_leader.command_line level: extended multi_fields: - - flat_name: process.parent.command_line.text + - flat_name: process.session_leader.parent.session_leader.command_line.text name: text type: match_only_text name: command_line @@ -13764,11 +44141,11 @@ process: original_fieldset: process short: Full command line that started the process. type: wildcard - process.parent.elf.architecture: - dashed_name: process-parent-elf-architecture + process.session_leader.parent.session_leader.elf.architecture: + dashed_name: process-session-leader-parent-session-leader-elf-architecture description: Machine architecture of the ELF file. example: x86-64 - flat_name: process.parent.elf.architecture + flat_name: process.session_leader.parent.session_leader.elf.architecture ignore_above: 1024 level: extended name: architecture 
@@ -13776,11 +44153,11 @@ process: original_fieldset: elf short: Machine architecture of the ELF file. type: keyword - process.parent.elf.byte_order: - dashed_name: process-parent-elf-byte-order + process.session_leader.parent.session_leader.elf.byte_order: + dashed_name: process-session-leader-parent-session-leader-elf-byte-order description: Byte sequence of ELF file. example: Little Endian - flat_name: process.parent.elf.byte_order + flat_name: process.session_leader.parent.session_leader.elf.byte_order ignore_above: 1024 level: extended name: byte_order @@ -13788,11 +44165,11 @@ process: original_fieldset: elf short: Byte sequence of ELF file. type: keyword - process.parent.elf.cpu_type: - dashed_name: process-parent-elf-cpu-type + process.session_leader.parent.session_leader.elf.cpu_type: + dashed_name: process-session-leader-parent-session-leader-elf-cpu-type description: CPU type of the ELF file. example: Intel - flat_name: process.parent.elf.cpu_type + flat_name: process.session_leader.parent.session_leader.elf.cpu_type ignore_above: 1024 level: extended name: cpu_type 
@@ -13800,21 +44177,21 @@ process: original_fieldset: elf short: CPU type of the ELF file. type: keyword - process.parent.elf.creation_date: - dashed_name: process-parent-elf-creation-date + process.session_leader.parent.session_leader.elf.creation_date: + dashed_name: process-session-leader-parent-session-leader-elf-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.elf.creation_date + flat_name: process.session_leader.parent.session_leader.elf.creation_date level: extended name: creation_date normalize: [] original_fieldset: elf short: Build or compile date. type: date - process.parent.elf.exports: - dashed_name: process-parent-elf-exports + process.session_leader.parent.session_leader.elf.exports: + dashed_name: process-session-leader-parent-session-leader-elf-exports description: List of exported element names and types. - flat_name: process.parent.elf.exports + flat_name: process.session_leader.parent.session_leader.elf.exports level: extended name: exports normalize: @@ -13822,8 +44199,8 @@ process: original_fieldset: elf short: List of exported element names and types. type: flattened - process.parent.elf.go_import_hash: - dashed_name: process-parent-elf-go-import-hash + process.session_leader.parent.session_leader.elf.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-elf-go-import-hash description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would 
@@ -13832,7 +44209,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.elf.go_import_hash + flat_name: process.session_leader.parent.session_leader.elf.go_import_hash ignore_above: 1024 level: extended name: go_import_hash @@ -13840,20 +44217,20 @@ process: original_fieldset: elf short: A hash of the Go language imports in an ELF file. type: keyword - process.parent.elf.go_imports: - dashed_name: process-parent-elf-go-imports + process.session_leader.parent.session_leader.elf.go_imports: + dashed_name: process-session-leader-parent-session-leader-elf-go-imports description: List of imported Go language element names and types. - flat_name: process.parent.elf.go_imports + flat_name: process.session_leader.parent.session_leader.elf.go_imports level: extended name: go_imports normalize: [] original_fieldset: elf short: List of imported Go language element names and types. type: flattened - process.parent.elf.go_imports_names_entropy: - dashed_name: process-parent-elf-go-imports-names-entropy + process.session_leader.parent.session_leader.elf.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_entropy + flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy 
@@ -13861,10 +44238,10 @@ process: original_fieldset: elf short: Shannon entropy calculation from the list of Go imports. type: long - process.parent.elf.go_imports_names_var_entropy: - dashed_name: process-parent-elf-go-imports-names-var-entropy + process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_var_entropy + flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -13872,21 +44249,21 @@ process: original_fieldset: elf short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.parent.elf.go_stripped: - dashed_name: process-parent-elf-go-stripped + process.session_leader.parent.session_leader.elf.go_stripped: + dashed_name: process-session-leader-parent-session-leader-elf-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.elf.go_stripped + flat_name: process.session_leader.parent.session_leader.elf.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: elf short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.parent.elf.header.abi_version: - dashed_name: process-parent-elf-header-abi-version + process.session_leader.parent.session_leader.elf.header.abi_version: + dashed_name: process-session-leader-parent-session-leader-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.elf.header.abi_version + flat_name: process.session_leader.parent.session_leader.elf.header.abi_version ignore_above: 1024 level: extended name: header.abi_version @@ -13894,10 +44271,10 @@ process: original_fieldset: elf short: Version of the ELF Application Binary Interface (ABI). type: keyword - process.parent.elf.header.class: - dashed_name: process-parent-elf-header-class + process.session_leader.parent.session_leader.elf.header.class: + dashed_name: process-session-leader-parent-session-leader-elf-header-class description: Header class of the ELF file. - flat_name: process.parent.elf.header.class + flat_name: process.session_leader.parent.session_leader.elf.header.class ignore_above: 1024 level: extended name: header.class 
@@ -13905,10 +44282,10 @@ process: original_fieldset: elf short: Header class of the ELF file. type: keyword - process.parent.elf.header.data: - dashed_name: process-parent-elf-header-data + process.session_leader.parent.session_leader.elf.header.data: + dashed_name: process-session-leader-parent-session-leader-elf-header-data description: Data table of the ELF header. - flat_name: process.parent.elf.header.data + flat_name: process.session_leader.parent.session_leader.elf.header.data ignore_above: 1024 level: extended name: header.data @@ -13916,10 +44293,10 @@ process: original_fieldset: elf short: Data table of the ELF header. type: keyword - process.parent.elf.header.entrypoint: - dashed_name: process-parent-elf-header-entrypoint + process.session_leader.parent.session_leader.elf.header.entrypoint: + dashed_name: process-session-leader-parent-session-leader-elf-header-entrypoint description: Header entrypoint of the ELF file. - flat_name: process.parent.elf.header.entrypoint + flat_name: process.session_leader.parent.session_leader.elf.header.entrypoint format: string level: extended name: header.entrypoint @@ -13927,10 +44304,10 @@ process: original_fieldset: elf short: Header entrypoint of the ELF file. type: long - process.parent.elf.header.object_version: - dashed_name: process-parent-elf-header-object-version + process.session_leader.parent.session_leader.elf.header.object_version: + dashed_name: process-session-leader-parent-session-leader-elf-header-object-version description: '"0x1" for original ELF files.' - flat_name: process.parent.elf.header.object_version + flat_name: process.session_leader.parent.session_leader.elf.header.object_version ignore_above: 1024 level: extended name: header.object_version 
@@ -13938,10 +44315,10 @@ process: original_fieldset: elf short: '"0x1" for original ELF files.' type: keyword - process.parent.elf.header.os_abi: - dashed_name: process-parent-elf-header-os-abi + process.session_leader.parent.session_leader.elf.header.os_abi: + dashed_name: process-session-leader-parent-session-leader-elf-header-os-abi description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.elf.header.os_abi + flat_name: process.session_leader.parent.session_leader.elf.header.os_abi ignore_above: 1024 level: extended name: header.os_abi @@ -13949,10 +44326,10 @@ process: original_fieldset: elf short: Application Binary Interface (ABI) of the Linux OS. type: keyword - process.parent.elf.header.type: - dashed_name: process-parent-elf-header-type + process.session_leader.parent.session_leader.elf.header.type: + dashed_name: process-session-leader-parent-session-leader-elf-header-type description: Header type of the ELF file. - flat_name: process.parent.elf.header.type + flat_name: process.session_leader.parent.session_leader.elf.header.type ignore_above: 1024 level: extended name: header.type @@ -13960,10 +44337,10 @@ process: original_fieldset: elf short: Header type of the ELF file. type: keyword - process.parent.elf.header.version: - dashed_name: process-parent-elf-header-version + process.session_leader.parent.session_leader.elf.header.version: + dashed_name: process-session-leader-parent-session-leader-elf-header-version description: Version of the ELF header. - flat_name: process.parent.elf.header.version + flat_name: process.session_leader.parent.session_leader.elf.header.version ignore_above: 1024 level: extended name: header.version 
@@ -13971,15 +44348,15 @@ process: original_fieldset: elf short: Version of the ELF header. type: keyword - process.parent.elf.import_hash: - dashed_name: process-parent-elf-import-hash + process.session_leader.parent.session_leader.elf.import_hash: + dashed_name: process-session-leader-parent-session-leader-elf-import-hash description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.elf.import_hash + flat_name: process.session_leader.parent.session_leader.elf.import_hash ignore_above: 1024 level: extended name: import_hash @@ -13987,10 +44364,10 @@ process: original_fieldset: elf short: A hash of the imports in an ELF file. type: keyword - process.parent.elf.imports: - dashed_name: process-parent-elf-imports + process.session_leader.parent.session_leader.elf.imports: + dashed_name: process-session-leader-parent-session-leader-elf-imports description: List of imported element names and types. - flat_name: process.parent.elf.imports + flat_name: process.session_leader.parent.session_leader.elf.imports level: extended name: imports normalize: 
@@ -13998,11 +44375,11 @@ process: original_fieldset: elf short: List of imported element names and types. type: flattened - process.parent.elf.imports_names_entropy: - dashed_name: process-parent-elf-imports-names-entropy + process.session_leader.parent.session_leader.elf.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.elf.imports_names_entropy + flat_name: process.session_leader.parent.session_leader.elf.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -14011,11 +44388,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.parent.elf.imports_names_var_entropy: - dashed_name: process-parent-elf-imports-names-var-entropy + process.session_leader.parent.session_leader.elf.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.elf.imports_names_var_entropy + flat_name: process.session_leader.parent.session_leader.elf.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy 
@@ -14024,13 +44401,13 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.parent.elf.sections: - dashed_name: process-parent-elf-sections + process.session_leader.parent.session_leader.elf.sections: + dashed_name: process-session-leader-parent-session-leader-elf-sections description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' - flat_name: process.parent.elf.sections + flat_name: process.session_leader.parent.session_leader.elf.sections level: extended name: sections normalize: @@ -14038,10 +44415,10 @@ process: original_fieldset: elf short: Section information of the ELF file. type: nested - process.parent.elf.sections.chi2: - dashed_name: process-parent-elf-sections-chi2 + process.session_leader.parent.session_leader.elf.sections.chi2: + dashed_name: process-session-leader-parent-session-leader-elf-sections-chi2 description: Chi-square probability distribution of the section. - flat_name: process.parent.elf.sections.chi2 + flat_name: process.session_leader.parent.session_leader.elf.sections.chi2 format: number level: extended name: sections.chi2 @@ -14049,10 +44426,10 @@ process: original_fieldset: elf short: Chi-square probability distribution of the section. type: long - process.parent.elf.sections.entropy: - dashed_name: process-parent-elf-sections-entropy + process.session_leader.parent.session_leader.elf.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.entropy + flat_name: process.session_leader.parent.session_leader.elf.sections.entropy format: number level: extended name: sections.entropy 
@@ -14060,10 +44437,10 @@ process: original_fieldset: elf short: Shannon entropy calculation from the section. type: long - process.parent.elf.sections.flags: - dashed_name: process-parent-elf-sections-flags + process.session_leader.parent.session_leader.elf.sections.flags: + dashed_name: process-session-leader-parent-session-leader-elf-sections-flags description: ELF Section List flags. - flat_name: process.parent.elf.sections.flags + flat_name: process.session_leader.parent.session_leader.elf.sections.flags ignore_above: 1024 level: extended name: sections.flags @@ -14071,10 +44448,10 @@ process: original_fieldset: elf short: ELF Section List flags. type: keyword - process.parent.elf.sections.name: - dashed_name: process-parent-elf-sections-name + process.session_leader.parent.session_leader.elf.sections.name: + dashed_name: process-session-leader-parent-session-leader-elf-sections-name description: ELF Section List name. - flat_name: process.parent.elf.sections.name + flat_name: process.session_leader.parent.session_leader.elf.sections.name ignore_above: 1024 level: extended name: sections.name @@ -14082,10 +44459,10 @@ process: original_fieldset: elf short: ELF Section List name. type: keyword - process.parent.elf.sections.physical_offset: - dashed_name: process-parent-elf-sections-physical-offset + process.session_leader.parent.session_leader.elf.sections.physical_offset: + dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-offset description: ELF Section List offset. - flat_name: process.parent.elf.sections.physical_offset + flat_name: process.session_leader.parent.session_leader.elf.sections.physical_offset ignore_above: 1024 level: extended name: sections.physical_offset 
@@ -14093,10 +44470,10 @@ process: original_fieldset: elf short: ELF Section List offset. type: keyword - process.parent.elf.sections.physical_size: - dashed_name: process-parent-elf-sections-physical-size + process.session_leader.parent.session_leader.elf.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-size description: ELF Section List physical size. - flat_name: process.parent.elf.sections.physical_size + flat_name: process.session_leader.parent.session_leader.elf.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -14104,10 +44481,10 @@ process: original_fieldset: elf short: ELF Section List physical size. type: long - process.parent.elf.sections.type: - dashed_name: process-parent-elf-sections-type + process.session_leader.parent.session_leader.elf.sections.type: + dashed_name: process-session-leader-parent-session-leader-elf-sections-type description: ELF Section List type. - flat_name: process.parent.elf.sections.type + flat_name: process.session_leader.parent.session_leader.elf.sections.type ignore_above: 1024 level: extended name: sections.type @@ -14115,10 +44492,10 @@ process: original_fieldset: elf short: ELF Section List type. type: keyword - process.parent.elf.sections.var_entropy: - dashed_name: process-parent-elf-sections-var-entropy + process.session_leader.parent.session_leader.elf.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.var_entropy + flat_name: process.session_leader.parent.session_leader.elf.sections.var_entropy format: number level: extended name: sections.var_entropy 
@@ -14126,10 +44503,10 @@ process: original_fieldset: elf short: Variance for Shannon entropy calculation from the section. type: long - process.parent.elf.sections.virtual_address: - dashed_name: process-parent-elf-sections-virtual-address + process.session_leader.parent.session_leader.elf.sections.virtual_address: + dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-address description: ELF Section List virtual address. - flat_name: process.parent.elf.sections.virtual_address + flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_address format: string level: extended name: sections.virtual_address @@ -14137,10 +44514,10 @@ process: original_fieldset: elf short: ELF Section List virtual address. type: long - process.parent.elf.sections.virtual_size: - dashed_name: process-parent-elf-sections-virtual-size + process.session_leader.parent.session_leader.elf.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-size description: ELF Section List virtual size. - flat_name: process.parent.elf.sections.virtual_size + flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_size format: string level: extended name: sections.virtual_size @@ -14148,13 +44525,13 @@ process: original_fieldset: elf short: ELF Section List virtual size. type: long - process.parent.elf.segments: - dashed_name: process-parent-elf-segments + process.session_leader.parent.session_leader.elf.segments: + dashed_name: process-session-leader-parent-session-leader-elf-segments description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' - flat_name: process.parent.elf.segments + flat_name: process.session_leader.parent.session_leader.elf.segments level: extended name: segments normalize: 
@@ -14162,10 +44539,10 @@ process: original_fieldset: elf short: ELF object segment list. type: nested - process.parent.elf.segments.sections: - dashed_name: process-parent-elf-segments-sections + process.session_leader.parent.session_leader.elf.segments.sections: + dashed_name: process-session-leader-parent-session-leader-elf-segments-sections description: ELF object segment sections. - flat_name: process.parent.elf.segments.sections + flat_name: process.session_leader.parent.session_leader.elf.segments.sections ignore_above: 1024 level: extended name: segments.sections @@ -14173,10 +44550,10 @@ process: original_fieldset: elf short: ELF object segment sections. type: keyword - process.parent.elf.segments.type: - dashed_name: process-parent-elf-segments-type + process.session_leader.parent.session_leader.elf.segments.type: + dashed_name: process-session-leader-parent-session-leader-elf-segments-type description: ELF object segment type. - flat_name: process.parent.elf.segments.type + flat_name: process.session_leader.parent.session_leader.elf.segments.type ignore_above: 1024 level: extended name: segments.type @@ -14184,10 +44561,10 @@ process: original_fieldset: elf short: ELF object segment type. type: keyword - process.parent.elf.shared_libraries: - dashed_name: process-parent-elf-shared-libraries + process.session_leader.parent.session_leader.elf.shared_libraries: + dashed_name: process-session-leader-parent-session-leader-elf-shared-libraries description: List of shared libraries used by this ELF object. - flat_name: process.parent.elf.shared_libraries + flat_name: process.session_leader.parent.session_leader.elf.shared_libraries ignore_above: 1024 level: extended name: shared_libraries 
@@ -14196,10 +44573,10 @@ process: original_fieldset: elf short: List of shared libraries used by this ELF object. type: keyword - process.parent.elf.telfhash: - dashed_name: process-parent-elf-telfhash + process.session_leader.parent.session_leader.elf.telfhash: + dashed_name: process-session-leader-parent-session-leader-elf-telfhash description: telfhash symbol hash for ELF file. - flat_name: process.parent.elf.telfhash + flat_name: process.session_leader.parent.session_leader.elf.telfhash ignore_above: 1024 level: extended name: telfhash 
@@ -14207,19 +44584,31 @@ process: original_fieldset: elf short: telfhash hash for ELF file. type: keyword - process.parent.end: - dashed_name: process-parent-end + process.session_leader.parent.session_leader.end: + dashed_name: process-session-leader-parent-session-leader-end description: The time the process ended. example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.end + flat_name: process.session_leader.parent.session_leader.end level: extended name: end normalize: [] original_fieldset: process short: The time the process ended. type: date - process.parent.entity_id: - dashed_name: process-parent-entity-id + process.session_leader.parent.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.parent.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.session_leader.parent.session_leader.entity_id: + dashed_name: process-session-leader-parent-session-leader-entity-id description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples @@ -14230,7 +44619,7 @@ process: PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d - flat_name: process.parent.entity_id + flat_name: process.session_leader.parent.session_leader.entity_id ignore_above: 1024 level: extended name: entity_id 
@@ -14238,15 +44627,390 @@ process: original_fieldset: process short: Unique identifier for the process. type: keyword - process.parent.executable: - dashed_name: process-parent-executable + process.session_leader.parent.session_leader.entry_meta.source.address: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.as.number: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.session_leader.parent.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.bytes: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.session_leader.parent.session_leader.entry_meta.source.domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.session_leader.parent.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. 
+ type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.location: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.session_leader.parent.session_leader.entry_meta.source.geo.name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. 
+ type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.ip: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.parent.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip + process.session_leader.parent.session_leader.entry_meta.source.mac: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.nat.ip: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.session_leader.parent.session_leader.entry_meta.source.nat.port: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.session_leader.parent.session_leader.entry_meta.source.packets: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.session_leader.parent.session_leader.entry_meta.source.port: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.parent.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.session_leader.parent.session_leader.entry_meta.source.registered_domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.session_leader.parent.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. 
+ type: keyword + process.session_leader.parent.session_leader.entry_meta.source.subdomain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.parent.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.session_leader.parent.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword + process.session_leader.parent.session_leader.entry_meta.type: + dashed_name: process-session-leader-parent-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.parent.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.session_leader.parent.session_leader.env_vars: + dashed_name: process-session-leader-parent-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.parent.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.executable: + dashed_name: process-session-leader-parent-session-leader-executable description: Absolute path to the process executable. example: /usr/bin/ssh - flat_name: process.parent.executable + flat_name: process.session_leader.parent.session_leader.executable ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.executable.text + - flat_name: process.session_leader.parent.session_leader.executable.text name: text type: match_only_text name: executable 
@@ -14254,24 +45018,37 @@ process: original_fieldset: process short: Absolute path to the process executable. type: keyword - process.parent.exit_code: - dashed_name: process-parent-exit-code + process.session_leader.parent.session_leader.exit_code: + dashed_name: process-session-leader-parent-session-leader-exit-code description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 - flat_name: process.parent.exit_code + flat_name: process.session_leader.parent.session_leader.exit_code level: extended name: exit_code normalize: [] original_fieldset: process short: The exit code of the process. type: long - process.parent.group.id: - dashed_name: process-parent-group-id + process.session_leader.parent.session_leader.group.domain: + dashed_name: process-session-leader-parent-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.group.id: + dashed_name: process-session-leader-parent-session-leader-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group.id + flat_name: process.session_leader.parent.session_leader.group.id ignore_above: 1024 level: extended name: id 
@@ -14279,10 +45056,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.parent.group.name: - dashed_name: process-parent-group-name + process.session_leader.parent.session_leader.group.name: + dashed_name: process-session-leader-parent-session-leader-group-name description: Name of the group. - flat_name: process.parent.group.name + flat_name: process.session_leader.parent.session_leader.group.name ignore_above: 1024 level: extended name: name 
@@ -14290,72 +45067,13 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.parent.group_leader.entity_id: - dashed_name: process-parent-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.parent.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.parent.group_leader.pid: - dashed_name: process-parent-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.parent.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.parent.group_leader.start: - dashed_name: process-parent-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.parent.group_leader.vpid: - dashed_name: process-parent-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' 
- example: 4242 - flat_name: process.parent.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.parent.hash.cdhash: + process.session_leader.parent.session_leader.hash.cdhash: beta: This field is beta and subject to change. - dashed_name: process-parent-hash-cdhash + dashed_name: process-session-leader-parent-session-leader-hash-cdhash description: Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code. example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.hash.cdhash + flat_name: process.session_leader.parent.session_leader.hash.cdhash ignore_above: 1024 level: extended name: cdhash @@ -14363,10 +45081,10 @@ process: original_fieldset: hash short: The Code Directory (CD) hash of an executable. type: keyword - process.parent.hash.md5: - dashed_name: process-parent-hash-md5 + process.session_leader.parent.session_leader.hash.md5: + dashed_name: process-session-leader-parent-session-leader-hash-md5 description: MD5 hash. - flat_name: process.parent.hash.md5 + flat_name: process.session_leader.parent.session_leader.hash.md5 ignore_above: 1024 level: extended name: md5 @@ -14374,10 +45092,10 @@ process: original_fieldset: hash short: MD5 hash. type: keyword - process.parent.hash.sha1: - dashed_name: process-parent-hash-sha1 + process.session_leader.parent.session_leader.hash.sha1: + dashed_name: process-session-leader-parent-session-leader-hash-sha1 description: SHA1 hash. - flat_name: process.parent.hash.sha1 + flat_name: process.session_leader.parent.session_leader.hash.sha1 ignore_above: 1024 level: extended name: sha1 
@@ -14385,10 +45103,10 @@ process: original_fieldset: hash short: SHA1 hash. type: keyword - process.parent.hash.sha256: - dashed_name: process-parent-hash-sha256 + process.session_leader.parent.session_leader.hash.sha256: + dashed_name: process-session-leader-parent-session-leader-hash-sha256 description: SHA256 hash. - flat_name: process.parent.hash.sha256 + flat_name: process.session_leader.parent.session_leader.hash.sha256 ignore_above: 1024 level: extended name: sha256 @@ -14396,10 +45114,10 @@ process: original_fieldset: hash short: SHA256 hash. type: keyword - process.parent.hash.sha384: - dashed_name: process-parent-hash-sha384 + process.session_leader.parent.session_leader.hash.sha384: + dashed_name: process-session-leader-parent-session-leader-hash-sha384 description: SHA384 hash. - flat_name: process.parent.hash.sha384 + flat_name: process.session_leader.parent.session_leader.hash.sha384 ignore_above: 1024 level: extended name: sha384 @@ -14407,10 +45125,10 @@ process: original_fieldset: hash short: SHA384 hash. type: keyword - process.parent.hash.sha512: - dashed_name: process-parent-hash-sha512 + process.session_leader.parent.session_leader.hash.sha512: + dashed_name: process-session-leader-parent-session-leader-hash-sha512 description: SHA512 hash. - flat_name: process.parent.hash.sha512 + flat_name: process.session_leader.parent.session_leader.hash.sha512 ignore_above: 1024 level: extended name: sha512 @@ -14418,10 +45136,10 @@ process: original_fieldset: hash short: SHA512 hash. type: keyword - process.parent.hash.ssdeep: - dashed_name: process-parent-hash-ssdeep + process.session_leader.parent.session_leader.hash.ssdeep: + dashed_name: process-session-leader-parent-session-leader-hash-ssdeep description: SSDEEP hash. - flat_name: process.parent.hash.ssdeep + flat_name: process.session_leader.parent.session_leader.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep 
@@ -14429,10 +45147,10 @@ process: original_fieldset: hash short: SSDEEP hash. type: keyword - process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh + process.session_leader.parent.session_leader.hash.tlsh: + dashed_name: process-session-leader-parent-session-leader-hash-tlsh description: TLSH hash. - flat_name: process.parent.hash.tlsh + flat_name: process.session_leader.parent.session_leader.hash.tlsh ignore_above: 1024 level: extended name: tlsh @@ -14440,8 +45158,8 @@ process: original_fieldset: hash short: TLSH hash. type: keyword - process.parent.interactive: - dashed_name: process-parent-interactive + process.session_leader.parent.session_leader.interactive: + dashed_name: process-session-leader-parent-session-leader-interactive description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If 
@@ -14454,15 +45172,129 @@ process: backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true - flat_name: process.parent.interactive + flat_name: process.session_leader.parent.session_leader.interactive level: extended name: interactive normalize: [] original_fieldset: process short: Whether the process is connected to an interactive shell. type: boolean - process.parent.macho.go_import_hash: - dashed_name: process-parent-macho-go-import-hash + process.session_leader.parent.session_leader.io: + dashed_name: process-session-leader-parent-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.parent.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.session_leader.parent.session_leader.io.bytes_skipped: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.session_leader.parent.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.session_leader.parent.session_leader.io.bytes_skipped.length: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long + process.session_leader.parent.session_leader.io.bytes_skipped.offset: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-parent-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.session_leader.parent.session_leader.io.text: + dashed_name: process-session-leader-parent-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.session_leader.parent.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard + process.session_leader.parent.session_leader.io.total_bytes_captured: + dashed_name: process-session-leader-parent-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.session_leader.parent.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.session_leader.parent.session_leader.io.total_bytes_skipped: + dashed_name: process-session-leader-parent-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.parent.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.session_leader.parent.session_leader.io.type: + dashed_name: process-session-leader-parent-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.session_leader.parent.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.session_leader.parent.session_leader.macho.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-macho-go-import-hash description: 'A hash of the Go language imports in a Mach-O file excluding standard library imports. 
An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -14471,7 +45303,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.macho.go_import_hash + flat_name: process.session_leader.parent.session_leader.macho.go_import_hash ignore_above: 1024 level: extended name: go_import_hash @@ -14479,20 +45311,20 @@ process: original_fieldset: macho short: A hash of the Go language imports in a Mach-O file. type: keyword - process.parent.macho.go_imports: - dashed_name: process-parent-macho-go-imports + process.session_leader.parent.session_leader.macho.go_imports: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports description: List of imported Go language element names and types. - flat_name: process.parent.macho.go_imports + flat_name: process.session_leader.parent.session_leader.macho.go_imports level: extended name: go_imports normalize: [] original_fieldset: macho short: List of imported Go language element names and types. type: flattened - process.parent.macho.go_imports_names_entropy: - dashed_name: process-parent-macho-go-imports-names-entropy + process.session_leader.parent.session_leader.macho.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_entropy + flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy 
@@ -14500,10 +45332,10 @@ process: original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. type: long - process.parent.macho.go_imports_names_var_entropy: - dashed_name: process-parent-macho-go-imports-names-var-entropy + process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_var_entropy + flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -14511,26 +45343,26 @@ process: original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.parent.macho.go_stripped: - dashed_name: process-parent-macho-go-stripped + process.session_leader.parent.session_leader.macho.go_stripped: + dashed_name: process-session-leader-parent-session-leader-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.macho.go_stripped + flat_name: process.session_leader.parent.session_leader.macho.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.parent.macho.import_hash: - dashed_name: process-parent-macho-import-hash + process.session_leader.parent.session_leader.macho.import_hash: + dashed_name: process-session-leader-parent-session-leader-macho-import-hash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.macho.import_hash + flat_name: process.session_leader.parent.session_leader.macho.import_hash ignore_above: 1024 level: extended name: import_hash 
@@ -14538,10 +45370,10 @@ process: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword - process.parent.macho.imports: - dashed_name: process-parent-macho-imports + process.session_leader.parent.session_leader.macho.imports: + dashed_name: process-session-leader-parent-session-leader-macho-imports description: List of imported element names and types. - flat_name: process.parent.macho.imports + flat_name: process.session_leader.parent.session_leader.macho.imports level: extended name: imports normalize: @@ -14549,11 +45381,11 @@ process: original_fieldset: macho short: List of imported element names and types. type: flattened - process.parent.macho.imports_names_entropy: - dashed_name: process-parent-macho-imports-names-entropy + process.session_leader.parent.session_leader.macho.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.macho.imports_names_entropy + flat_name: process.session_leader.parent.session_leader.macho.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -14562,11 +45394,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.parent.macho.imports_names_var_entropy: - dashed_name: process-parent-macho-imports-names-var-entropy + process.session_leader.parent.session_leader.macho.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.macho.imports_names_var_entropy + flat_name: process.session_leader.parent.session_leader.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy 
@@ -14575,13 +45407,13 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.parent.macho.sections: - dashed_name: process-parent-macho-sections + process.session_leader.parent.session_leader.macho.sections: + dashed_name: process-session-leader-parent-session-leader-macho-sections description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' - flat_name: process.parent.macho.sections + flat_name: process.session_leader.parent.session_leader.macho.sections level: extended name: sections normalize: @@ -14589,10 +45421,10 @@ process: original_fieldset: macho short: Section information of the Mach-O file. type: nested - process.parent.macho.sections.entropy: - dashed_name: process-parent-macho-sections-entropy + process.session_leader.parent.session_leader.macho.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.entropy + flat_name: process.session_leader.parent.session_leader.macho.sections.entropy format: number level: extended name: sections.entropy @@ -14600,10 +45432,10 @@ process: original_fieldset: macho short: Shannon entropy calculation from the section. type: long - process.parent.macho.sections.name: - dashed_name: process-parent-macho-sections-name + process.session_leader.parent.session_leader.macho.sections.name: + dashed_name: process-session-leader-parent-session-leader-macho-sections-name description: Mach-O Section List name. - flat_name: process.parent.macho.sections.name + flat_name: process.session_leader.parent.session_leader.macho.sections.name ignore_above: 1024 level: extended name: sections.name 
@@ -14611,10 +45443,10 @@ process: original_fieldset: macho short: Mach-O Section List name. type: keyword - process.parent.macho.sections.physical_size: - dashed_name: process-parent-macho-sections-physical-size + process.session_leader.parent.session_leader.macho.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-macho-sections-physical-size description: Mach-O Section List physical size. - flat_name: process.parent.macho.sections.physical_size + flat_name: process.session_leader.parent.session_leader.macho.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -14622,10 +45454,10 @@ process: original_fieldset: macho short: Mach-O Section List physical size. type: long - process.parent.macho.sections.var_entropy: - dashed_name: process-parent-macho-sections-var-entropy + process.session_leader.parent.session_leader.macho.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.var_entropy + flat_name: process.session_leader.parent.session_leader.macho.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -14633,10 +45465,10 @@ process: original_fieldset: macho short: Variance for Shannon entropy calculation from the section. type: long - process.parent.macho.sections.virtual_size: - dashed_name: process-parent-macho-sections-virtual-size + process.session_leader.parent.session_leader.macho.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-macho-sections-virtual-size description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.macho.sections.virtual_size + flat_name: process.session_leader.parent.session_leader.macho.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -14644,15 +45476,15 @@ process: original_fieldset: macho short: Mach-O Section List virtual size. This is always the same as `physical_size`. type: long - process.parent.macho.symhash: - dashed_name: process-parent-macho-symhash + process.session_leader.parent.session_leader.macho.symhash: + dashed_name: process-session-leader-parent-session-leader-macho-symhash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.macho.symhash + flat_name: process.session_leader.parent.session_leader.macho.symhash ignore_above: 1024 level: extended name: symhash @@ -14660,17 +45492,17 @@ process: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword - process.parent.name: - dashed_name: process-parent-name + process.session_leader.parent.session_leader.name: + dashed_name: process-session-leader-parent-session-leader-name description: 'Process name. Sometimes called program name or similar.' example: ssh - flat_name: process.parent.name + flat_name: process.session_leader.parent.session_leader.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.name.text + - flat_name: process.session_leader.parent.session_leader.name.text name: text type: match_only_text name: name 
@@ -14678,11 +45510,38 @@ process: original_fieldset: process short: Process name. type: keyword - process.parent.pe.architecture: - dashed_name: process-parent-pe-architecture + process.session_leader.parent.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.session_leader.parent.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.session_leader.parent.session_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.parent.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.session_leader.parent.session_leader.pe.architecture: + dashed_name: process-session-leader-parent-session-leader-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: process.parent.pe.architecture + flat_name: process.session_leader.parent.session_leader.pe.architecture ignore_above: 1024 level: extended name: architecture 
@@ -14690,11 +45549,11 @@ process: original_fieldset: pe short: CPU architecture target for the file. type: keyword - process.parent.pe.company: - dashed_name: process-parent-pe-company + process.session_leader.parent.session_leader.pe.company: + dashed_name: process-session-leader-parent-session-leader-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: process.parent.pe.company + flat_name: process.session_leader.parent.session_leader.pe.company ignore_above: 1024 level: extended name: company @@ -14702,11 +45561,11 @@ process: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword - process.parent.pe.description: - dashed_name: process-parent-pe-description + process.session_leader.parent.session_leader.pe.description: + dashed_name: process-session-leader-parent-session-leader-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: process.parent.pe.description + flat_name: process.session_leader.parent.session_leader.pe.description ignore_above: 1024 level: extended name: description @@ -14714,11 +45573,11 @@ process: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword - process.parent.pe.file_version: - dashed_name: process-parent-pe-file-version + process.session_leader.parent.session_leader.pe.file_version: + dashed_name: process-session-leader-parent-session-leader-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: process.parent.pe.file_version + flat_name: process.session_leader.parent.session_leader.pe.file_version ignore_above: 1024 level: extended name: file_version 
@@ -14726,8 +45585,8 @@ process: original_fieldset: pe short: Process name. type: keyword - process.parent.pe.go_import_hash: - dashed_name: process-parent-pe-go-import-hash + process.session_leader.parent.session_leader.pe.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -14736,7 +45595,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.pe.go_import_hash + flat_name: process.session_leader.parent.session_leader.pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -14744,20 +45603,20 @@ process: original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword - process.parent.pe.go_imports: - dashed_name: process-parent-pe-go-imports + process.session_leader.parent.session_leader.pe.go_imports: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports description: List of imported Go language element names and types. - flat_name: process.parent.pe.go_imports + flat_name: process.session_leader.parent.session_leader.pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened - process.parent.pe.go_imports_names_entropy: - dashed_name: process-parent-pe-go-imports-names-entropy + process.session_leader.parent.session_leader.pe.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_entropy + flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -14765,10 +45624,10 @@ process: original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long - process.parent.pe.go_imports_names_var_entropy: - dashed_name: process-parent-pe-go-imports-names-var-entropy + process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_var_entropy + flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -14776,26 +45635,26 @@ process: original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.parent.pe.go_stripped: - dashed_name: process-parent-pe-go-stripped + process.session_leader.parent.session_leader.pe.go_stripped: + dashed_name: process-session-leader-parent-session-leader-pe-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.pe.go_stripped + flat_name: process.session_leader.parent.session_leader.pe.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: pe short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.parent.pe.imphash: - dashed_name: process-parent-pe-imphash + process.session_leader.parent.session_leader.pe.imphash: + dashed_name: process-session-leader-parent-session-leader-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.pe.imphash + flat_name: process.session_leader.parent.session_leader.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -14803,15 +45662,15 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - process.parent.pe.import_hash: - dashed_name: process-parent-pe-import-hash + process.session_leader.parent.session_leader.pe.import_hash: + dashed_name: process-session-leader-parent-session-leader-pe-import-hash description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.pe.import_hash + flat_name: process.session_leader.parent.session_leader.pe.import_hash ignore_above: 1024 level: extended name: import_hash @@ -14819,10 +45678,10 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - process.parent.pe.imports: - dashed_name: process-parent-pe-imports + process.session_leader.parent.session_leader.pe.imports: + dashed_name: process-session-leader-parent-session-leader-pe-imports description: List of imported element names and types. - flat_name: process.parent.pe.imports + flat_name: process.session_leader.parent.session_leader.pe.imports level: extended name: imports normalize: @@ -14830,11 +45689,11 @@ process: original_fieldset: pe short: List of imported element names and types. type: flattened - process.parent.pe.imports_names_entropy: - dashed_name: process-parent-pe-imports-names-entropy + process.session_leader.parent.session_leader.pe.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.pe.imports_names_entropy + flat_name: process.session_leader.parent.session_leader.pe.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -14843,11 +45702,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.parent.pe.imports_names_var_entropy: - dashed_name: process-parent-pe-imports-names-var-entropy + process.session_leader.parent.session_leader.pe.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.pe.imports_names_var_entropy + flat_name: process.session_leader.parent.session_leader.pe.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -14856,11 +45715,11 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.parent.pe.original_file_name: - dashed_name: process-parent-pe-original-file-name + process.session_leader.parent.session_leader.pe.original_file_name: + dashed_name: process-session-leader-parent-session-leader-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: process.parent.pe.original_file_name + flat_name: process.session_leader.parent.session_leader.pe.original_file_name ignore_above: 1024 level: extended name: original_file_name 
@@ -14868,15 +45727,15 @@ process: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword - process.parent.pe.pehash: - dashed_name: process-parent-pe-pehash + process.session_leader.parent.session_leader.pe.pehash: + dashed_name: process-session-leader-parent-session-leader-pe-pehash description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.pe.pehash + flat_name: process.session_leader.parent.session_leader.pe.pehash ignore_above: 1024 level: extended name: pehash @@ -14884,11 +45743,11 @@ process: original_fieldset: pe short: A hash of the PE header and data from one or more PE sections. type: keyword - process.parent.pe.product: - dashed_name: process-parent-pe-product + process.session_leader.parent.session_leader.pe.product: + dashed_name: process-session-leader-parent-session-leader-pe-product description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System - flat_name: process.parent.pe.product + flat_name: process.session_leader.parent.session_leader.pe.product ignore_above: 1024 level: extended name: product 
@@ -14896,13 +45755,13 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - process.parent.pe.sections: - dashed_name: process-parent-pe-sections + process.session_leader.parent.session_leader.pe.sections: + dashed_name: process-session-leader-parent-session-leader-pe-sections description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' - flat_name: process.parent.pe.sections + flat_name: process.session_leader.parent.session_leader.pe.sections level: extended name: sections normalize: @@ -14910,10 +45769,10 @@ process: original_fieldset: pe short: Section information of the PE file. type: nested - process.parent.pe.sections.entropy: - dashed_name: process-parent-pe-sections-entropy + process.session_leader.parent.session_leader.pe.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-pe-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.entropy + flat_name: process.session_leader.parent.session_leader.pe.sections.entropy format: number level: extended name: sections.entropy @@ -14921,10 +45780,10 @@ process: original_fieldset: pe short: Shannon entropy calculation from the section. type: long - process.parent.pe.sections.name: - dashed_name: process-parent-pe-sections-name + process.session_leader.parent.session_leader.pe.sections.name: + dashed_name: process-session-leader-parent-session-leader-pe-sections-name description: PE Section List name. - flat_name: process.parent.pe.sections.name + flat_name: process.session_leader.parent.session_leader.pe.sections.name ignore_above: 1024 level: extended name: sections.name 
@@ -14932,10 +45791,10 @@ process: original_fieldset: pe short: PE Section List name. type: keyword - process.parent.pe.sections.physical_size: - dashed_name: process-parent-pe-sections-physical-size + process.session_leader.parent.session_leader.pe.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-pe-sections-physical-size description: PE Section List physical size. - flat_name: process.parent.pe.sections.physical_size + flat_name: process.session_leader.parent.session_leader.pe.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -14943,10 +45802,10 @@ process: original_fieldset: pe short: PE Section List physical size. type: long - process.parent.pe.sections.var_entropy: - dashed_name: process-parent-pe-sections-var-entropy + process.session_leader.parent.session_leader.pe.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.var_entropy + flat_name: process.session_leader.parent.session_leader.pe.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -14954,10 +45813,10 @@ process: original_fieldset: pe short: Variance for Shannon entropy calculation from the section. type: long - process.parent.pe.sections.virtual_size: - dashed_name: process-parent-pe-sections-virtual-size + process.session_leader.parent.session_leader.pe.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-pe-sections-virtual-size description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.pe.sections.virtual_size + flat_name: process.session_leader.parent.session_leader.pe.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -14965,22 +45824,400 @@ process: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long - process.parent.pid: - dashed_name: process-parent-pid + process.session_leader.parent.session_leader.pid: + dashed_name: process-session-leader-parent-session-leader-pid description: Process id. example: 4242 - flat_name: process.parent.pid + flat_name: process.session_leader.parent.session_leader.pid format: string level: core name: pid normalize: [] - original_fieldset: process - short: Process id. - type: long - process.parent.real_group.id: - dashed_name: process-parent-real-group-id + original_fieldset: process + short: Process id. + type: long + process.session_leader.parent.session_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.session_leader.parent.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.session_leader.parent.session_leader.real_group.domain: + dashed_name: process-session-leader-parent-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.session_leader.parent.session_leader.real_group.id: + dashed_name: process-session-leader-parent-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.real_group.name: + dashed_name: process-session-leader-parent-session-leader-real-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.real_user.domain: + dashed_name: process-session-leader-parent-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.session_leader.real_user.email: + dashed_name: process-session-leader-parent-session-leader-real-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.session_leader.real_user.full_name: + dashed_name: process-session-leader-parent-session-leader-real-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.session_leader.real_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.real_user.group.id: + dashed_name: process-session-leader-parent-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.real_user.group.name: + dashed_name: process-session-leader-parent-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.session_leader.parent.session_leader.real_user.hash: + dashed_name: process-session-leader-parent-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.session_leader.real_user.id: + dashed_name: process-session-leader-parent-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.session_leader.parent.session_leader.real_user.name: + dashed_name: process-session-leader-parent-session-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.parent.session_leader.real_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.session_leader.real_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.session_leader.real_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.session_leader.real_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.parent.session_leader.real_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.session_leader.real_user.roles: + dashed_name: process-session-leader-parent-session-leader-real-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.same_as_process: + dashed_name: process-session-leader-parent-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.parent.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. 
+ type: boolean + process.session_leader.parent.session_leader.saved_group.domain: + dashed_name: process-session-leader-parent-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.saved_group.id: + dashed_name: process-session-leader-parent-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.saved_group.name: + dashed_name: process-session-leader-parent-session-leader-saved-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.saved_user.domain: + dashed_name: process-session-leader-parent-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword + process.session_leader.parent.session_leader.saved_user.email: + dashed_name: process-session-leader-parent-session-leader-saved-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.session_leader.saved_user.full_name: + dashed_name: process-session-leader-parent-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.session_leader.saved_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.saved_user.group.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_group.id + flat_name: process.session_leader.parent.session_leader.saved_user.group.id ignore_above: 1024 level: extended name: id 
@@ -14988,10 +46225,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.parent.real_group.name: - dashed_name: process-parent-real-group-name + process.session_leader.parent.session_leader.saved_user.group.name: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-name description: Name of the group. - flat_name: process.parent.real_group.name + flat_name: process.session_leader.parent.session_leader.saved_user.group.name ignore_above: 1024 level: extended name: name @@ -14999,11 +46236,26 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.parent.real_user.id: - dashed_name: process-parent-real-user-id + process.session_leader.parent.session_leader.saved_user.hash: + dashed_name: process-session-leader-parent-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.session_leader.saved_user.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.real_user.id + flat_name: process.session_leader.parent.session_leader.saved_user.id ignore_above: 1024 level: core name: id 
@@ -15011,15 +46263,15 @@ process: original_fieldset: user short: Unique identifier of the user. type: keyword - process.parent.real_user.name: - dashed_name: process-parent-real-user-name + process.session_leader.parent.session_leader.saved_user.name: + dashed_name: process-session-leader-parent-session-leader-saved-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.parent.real_user.name + flat_name: process.session_leader.parent.session_leader.saved_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.parent.real_user.name.text + - flat_name: process.session_leader.parent.session_leader.saved_user.name.text name: text type: match_only_text name: name 
@@ -15027,71 +46279,128 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.parent.saved_group.id: - dashed_name: process-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_group.id + process.session_leader.parent.session_leader.saved_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_level ignore_above: 1024 level: extended - name: id + name: calculated_level normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. type: keyword - process.parent.saved_group.name: - dashed_name: process-parent-saved-group-name - description: Name of the group. - flat_name: process.parent.saved_group.name - ignore_above: 1024 + process.session_leader.parent.session_leader.saved_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score level: extended - name: name + name: calculated_score normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.saved_user.id: - dashed_name: process-parent-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.saved_user.id + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.session_leader.saved_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_level ignore_above: 1024 - level: core - name: id + level: extended + name: static_level normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. type: keyword - process.parent.saved_user.name: - dashed_name: process-parent-saved-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.saved_user.name.text - name: text - type: match_only_text - name: name + process.session_leader.parent.session_leader.saved_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.parent.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.session_leader.saved_user.roles: + dashed_name: process-session-leader-parent-session-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array original_fieldset: user - short: Short name or login of the user. + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none type: keyword - process.parent.start: - dashed_name: process-parent-start + process.session_leader.parent.session_leader.start: + dashed_name: process-session-leader-parent-session-leader-start description: The time the process started. example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.start + flat_name: process.session_leader.parent.session_leader.start level: extended name: start normalize: [] original_fieldset: process short: The time the process started. type: date - process.parent.supplemental_groups.id: - dashed_name: process-parent-supplemental-groups-id + process.session_leader.parent.session_leader.supplemental_groups.domain: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.supplemental_groups.id: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.supplemental_groups.id + flat_name: process.session_leader.parent.session_leader.supplemental_groups.id ignore_above: 1024 level: extended name: id 
@@ -15099,10 +46408,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.parent.supplemental_groups.name: - dashed_name: process-parent-supplemental-groups-name + process.session_leader.parent.session_leader.supplemental_groups.name: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-name description: Name of the group. - flat_name: process.parent.supplemental_groups.name + flat_name: process.session_leader.parent.session_leader.supplemental_groups.name ignore_above: 1024 level: extended name: name @@ -15110,12 +46419,12 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.parent.thread.capabilities.effective: - dashed_name: process-parent-thread-capabilities-effective + process.session_leader.parent.session_leader.thread.capabilities.effective: + dashed_name: process-session-leader-parent-session-leader-thread-capabilities-effective description: This is the set of capabilities used by the kernel to perform permission checks for the thread. example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.effective + flat_name: process.session_leader.parent.session_leader.thread.capabilities.effective ignore_above: 1024 level: extended name: thread.capabilities.effective 
@@ -15126,12 +46435,12 @@ process: short: Array of capabilities used for permission checks. synthetic_source_keep: none type: keyword - process.parent.thread.capabilities.permitted: - dashed_name: process-parent-thread-capabilities-permitted + process.session_leader.parent.session_leader.thread.capabilities.permitted: + dashed_name: process-session-leader-parent-session-leader-thread-capabilities-permitted description: This is a limiting superset for the effective capabilities that the thread may assume. example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.permitted + flat_name: process.session_leader.parent.session_leader.thread.capabilities.permitted ignore_above: 1024 level: extended name: thread.capabilities.permitted @@ -15142,11 +46451,11 @@ process: short: Array of capabilities a thread could assume. synthetic_source_keep: none type: keyword - process.parent.thread.id: - dashed_name: process-parent-thread-id + process.session_leader.parent.session_leader.thread.id: + dashed_name: process-session-leader-parent-session-leader-thread-id description: Thread ID. example: 4242 - flat_name: process.parent.thread.id + flat_name: process.session_leader.parent.session_leader.thread.id format: string level: extended name: thread.id @@ -15154,11 +46463,11 @@ process: original_fieldset: process short: Thread ID. type: long - process.parent.thread.name: - dashed_name: process-parent-thread-name + process.session_leader.parent.session_leader.thread.name: + dashed_name: process-session-leader-parent-session-leader-thread-name description: Thread name. example: thread-0 - flat_name: process.parent.thread.name + flat_name: process.session_leader.parent.session_leader.thread.name ignore_above: 1024 level: extended name: thread.name 
@@ -15166,17 +46475,17 @@ process: original_fieldset: process short: Thread name. type: keyword - process.parent.title: - dashed_name: process-parent-title + process.session_leader.parent.session_leader.title: + dashed_name: process-session-leader-parent-session-leader-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' - flat_name: process.parent.title + flat_name: process.session_leader.parent.session_leader.title ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.title.text + - flat_name: process.session_leader.parent.session_leader.title.text name: text type: match_only_text name: title 
@@ -15184,524 +46493,583 @@ process: original_fieldset: process short: Process title. type: keyword - process.parent.tty: - dashed_name: process-parent-tty + process.session_leader.parent.session_leader.tty: + dashed_name: process-session-leader-parent-session-leader-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. - flat_name: process.parent.tty + flat_name: process.session_leader.parent.session_leader.tty level: extended name: tty normalize: [] original_fieldset: process short: Information about the controlling TTY device. type: object - process.parent.tty.char_device.major: - dashed_name: process-parent-tty-char-device-major + process.session_leader.parent.session_leader.tty.char_device.major: + dashed_name: process-session-leader-parent-session-leader-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 - flat_name: process.parent.tty.char_device.major + flat_name: process.session_leader.parent.session_leader.tty.char_device.major level: extended name: tty.char_device.major normalize: [] original_fieldset: process short: The TTY character device's major number. type: long - process.parent.tty.char_device.minor: - dashed_name: process-parent-tty-char-device-minor + process.session_leader.parent.session_leader.tty.char_device.minor: + dashed_name: process-session-leader-parent-session-leader-tty-char-device-minor description: The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. 
example: 1 - flat_name: process.parent.tty.char_device.minor + flat_name: process.session_leader.parent.session_leader.tty.char_device.minor level: extended name: tty.char_device.minor normalize: [] original_fieldset: process short: The TTY character device's minor number. type: long - process.parent.uptime: - dashed_name: process-parent-uptime + process.session_leader.parent.session_leader.tty.columns: + dashed_name: process-session-leader-parent-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.parent.session_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.session_leader.parent.session_leader.tty.rows: + dashed_name: process-session-leader-parent-session-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.parent.session_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.session_leader.parent.session_leader.uptime: + dashed_name: process-session-leader-parent-session-leader-uptime description: Seconds the process has been up. example: 1325 - flat_name: process.parent.uptime + flat_name: process.session_leader.parent.session_leader.uptime level: extended name: uptime normalize: [] original_fieldset: process short: Seconds the process has been up. 
type: long - process.parent.user.id: - dashed_name: process-parent-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.user.id + process.session_leader.parent.session_leader.user.domain: + dashed_name: process-session-leader-parent-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.user.domain ignore_above: 1024 - level: core - name: id + level: extended + name: domain normalize: [] original_fieldset: user - short: Unique identifier of the user. + short: Name of the directory the user is a member of. type: keyword - process.parent.user.name: - dashed_name: process-parent-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.user.name + process.session_leader.parent.session_leader.user.email: + dashed_name: process-session-leader-parent-session-leader-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.user.email ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.user.name.text - name: text - type: match_only_text - name: name + level: extended + name: email normalize: [] original_fieldset: user - short: Short name or login of the user. + short: User email address. type: keyword - process.parent.vpid: - dashed_name: process-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. 
- type: long - process.parent.working_directory: - dashed_name: process-parent-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.parent.working_directory + process.session_leader.parent.session_leader.user.full_name: + dashed_name: process-session-leader-parent-session-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.user.full_name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.working_directory.text + - flat_name: process.session_leader.parent.session_leader.user.full_name.text name: text type: match_only_text - name: working_directory + name: full_name normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: user + short: User's full name, if available. type: keyword - process.pe.architecture: - dashed_name: process-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.pe.architecture + process.session_leader.parent.session_leader.user.group.domain: + dashed_name: process-session-leader-parent-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.user.group.domain ignore_above: 1024 level: extended - name: architecture + name: domain normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword - process.pe.company: - dashed_name: process-pe-company - description: Internal company name of the file, provided at compile-time. 
- example: Microsoft Corporation - flat_name: process.pe.company + process.session_leader.parent.session_leader.user.group.id: + dashed_name: process-session-leader-parent-session-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.user.group.id ignore_above: 1024 level: extended - name: company + name: id normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.pe.description: - dashed_name: process-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.pe.description + process.session_leader.parent.session_leader.user.group.name: + dashed_name: process-session-leader-parent-session-leader-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.user.group.name ignore_above: 1024 level: extended - name: description + name: name normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + original_fieldset: group + short: Name of the group. type: keyword - process.pe.file_version: - dashed_name: process-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.pe.file_version + process.session_leader.parent.session_leader.user.hash: + dashed_name: process-session-leader-parent-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.session_leader.parent.session_leader.user.hash ignore_above: 1024 level: extended - name: file_version + name: hash normalize: [] - original_fieldset: pe - short: Process name. + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. type: keyword - process.pe.go_import_hash: - dashed_name: process-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.pe.go_import_hash + process.session_leader.parent.session_leader.user.id: + dashed_name: process-session-leader-parent-session-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.session_leader.parent.session_leader.user.name: + dashed_name: process-session-leader-parent-session-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword + process.session_leader.parent.session_leader.user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_level ignore_above: 1024 level: extended - name: go_import_hash + name: calculated_level normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. type: keyword - process.pe.go_imports: - dashed_name: process-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.pe.go_imports + process.session_leader.parent.session_leader.user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score level: extended - name: go_imports + name: calculated_score normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.pe.go_imports_names_entropy: - dashed_name: process-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_entropy - format: number + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.session_leader.parent.session_leader.user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score_norm level: extended - name: go_imports_names_entropy + name: calculated_score_norm normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.pe.go_imports_names_var_entropy: - dashed_name: process-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_var_entropy - format: number + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.session_leader.user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.user.risk.static_level + ignore_above: 1024 level: extended - name: go_imports_names_var_entropy + name: static_level normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.pe.go_stripped: - dashed_name: process-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.pe.go_stripped + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.session_leader.user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.user.risk.static_score level: extended - name: go_stripped + name: static_score normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.pe.imphash: - dashed_name: process-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.pe.imphash - ignore_above: 1024 + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.parent.session_leader.user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: process.session_leader.parent.session_leader.user.risk.static_score_norm level: extended - name: imphash + name: static_score_norm normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.session_leader.user.roles: + dashed_name: process-session-leader-parent-session-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none type: keyword - process.pe.import_hash: - dashed_name: process-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. + process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.pe.import_hash + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. 
+ type: long + process.session_leader.parent.session_leader.working_directory: + dashed_name: process-session-leader-parent-session-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.session_leader.parent.session_leader.working_directory ignore_above: 1024 level: extended - name: import_hash + multi_fields: + - flat_name: process.session_leader.parent.session_leader.working_directory.text + name: text + type: match_only_text + name: working_directory normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: process + short: The working directory of the process. type: keyword - process.pe.imports: - dashed_name: process-pe-imports - description: List of imported element names and types. - flat_name: process.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.pe.imports_names_entropy: - dashed_name: process-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.pe.imports_names_entropy - format: number + process.session_leader.parent.start: + dashed_name: process-session-leader-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.start level: extended - name: imports_names_entropy + name: start normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.pe.imports_names_var_entropy: - dashed_name: process-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.pe.imports_names_var_entropy - format: number + original_fieldset: process + short: The time the process started. 
+ type: date + process.session_leader.parent.supplemental_groups.domain: + dashed_name: process-session-leader-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.supplemental_groups.domain + ignore_above: 1024 level: extended - name: imports_names_var_entropy + name: domain normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.pe.original_file_name: - dashed_name: process-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.pe.original_file_name + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.supplemental_groups.id: + dashed_name: process-session-leader-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.supplemental_groups.id ignore_above: 1024 level: extended - name: original_file_name + name: id normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.pe.pehash: - dashed_name: process-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
- example: 73ff189b63cd6be375a7ff25179a38d347651975
- flat_name: process.pe.pehash
+ process.session_leader.parent.supplemental_groups.name:
+ dashed_name: process-session-leader-parent-supplemental-groups-name
+ description: Name of the group.
+ flat_name: process.session_leader.parent.supplemental_groups.name
 ignore_above: 1024
 level: extended
- name: pehash
+ name: name
 normalize: []
- original_fieldset: pe
- short: A hash of the PE header and data from one or more PE sections.
+ original_fieldset: group
+ short: Name of the group.
 type: keyword
- process.pe.product:
- dashed_name: process-pe-product
- description: Internal product name of the file, provided at compile-time.
- example: Microsoft® Windows® Operating System
- flat_name: process.pe.product
+ process.session_leader.parent.thread.capabilities.effective:
+ dashed_name: process-session-leader-parent-thread-capabilities-effective
+ description: This is the set of capabilities used by the kernel to perform permission
+ checks for the thread.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ flat_name: process.session_leader.parent.thread.capabilities.effective
 ignore_above: 1024
 level: extended
- name: product
- normalize: []
- original_fieldset: pe
- short: Internal product name of the file, provided at compile-time.
+ name: thread.capabilities.effective
+ normalize:
+ - array
+ original_fieldset: process
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ short: Array of capabilities used for permission checks.
+ synthetic_source_keep: none
 type: keyword
- process.pe.sections:
- dashed_name: process-pe-sections
- description: 'An array containing an object for each section of the PE file.
-
- The keys that should be present in these objects are defined by sub-fields
- underneath `pe.sections.*`.'
- flat_name: process.pe.sections
+ process.session_leader.parent.thread.capabilities.permitted:
+ dashed_name: process-session-leader-parent-thread-capabilities-permitted
+ description: This is a limiting superset for the effective capabilities that
+ the thread may assume.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ flat_name: process.session_leader.parent.thread.capabilities.permitted
+ ignore_above: 1024
 level: extended
- name: sections
+ name: thread.capabilities.permitted
 normalize:
 - array
- original_fieldset: pe
- short: Section information of the PE file.
- type: nested
- process.pe.sections.entropy:
- dashed_name: process-pe-sections-entropy
- description: Shannon entropy calculation from the section.
- flat_name: process.pe.sections.entropy
- format: number
+ original_fieldset: process
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ short: Array of capabilities a thread could assume.
+ synthetic_source_keep: none
+ type: keyword
+ process.session_leader.parent.thread.id:
+ dashed_name: process-session-leader-parent-thread-id
+ description: Thread ID.
+ example: 4242
+ flat_name: process.session_leader.parent.thread.id
+ format: string
 level: extended
- name: sections.entropy
+ name: thread.id
 normalize: []
- original_fieldset: pe
- short: Shannon entropy calculation from the section.
+ original_fieldset: process
+ short: Thread ID.
 type: long
- process.pe.sections.name:
- dashed_name: process-pe-sections-name
- description: PE Section List name.
- flat_name: process.pe.sections.name
+ process.session_leader.parent.thread.name:
+ dashed_name: process-session-leader-parent-thread-name
+ description: Thread name.
+ example: thread-0
+ flat_name: process.session_leader.parent.thread.name
 ignore_above: 1024
 level: extended
- name: sections.name
+ name: thread.name
 normalize: []
- original_fieldset: pe
- short: PE Section List name.
+ original_fieldset: process
+ short: Thread name.
type: keyword
- process.pe.sections.physical_size:
- dashed_name: process-pe-sections-physical-size
- description: PE Section List physical size.
- flat_name: process.pe.sections.physical_size
- format: bytes
+ process.session_leader.parent.title:
+ dashed_name: process-session-leader-parent-title
+ description: 'Process title.
+
+ The proctitle, some times the same as process name. Can also be different:
+ for example a browser setting its title to the web page currently opened.'
+ flat_name: process.session_leader.parent.title
+ ignore_above: 1024
 level: extended
- name: sections.physical_size
+ multi_fields:
+ - flat_name: process.session_leader.parent.title.text
+ name: text
+ type: match_only_text
+ name: title
 normalize: []
- original_fieldset: pe
- short: PE Section List physical size.
- type: long
- process.pe.sections.var_entropy:
- dashed_name: process-pe-sections-var-entropy
- description: Variance for Shannon entropy calculation from the section.
- flat_name: process.pe.sections.var_entropy
- format: number
+ original_fieldset: process
+ short: Process title.
+ type: keyword
+ process.session_leader.parent.tty:
+ dashed_name: process-session-leader-parent-tty
+ description: Information about the controlling TTY device. If set, the process
+ belongs to an interactive session.
+ flat_name: process.session_leader.parent.tty
 level: extended
- name: sections.var_entropy
+ name: tty
 normalize: []
- original_fieldset: pe
- short: Variance for Shannon entropy calculation from the section.
- type: long
- process.pe.sections.virtual_size:
- dashed_name: process-pe-sections-virtual-size
- description: PE Section List virtual size. This is always the same as `physical_size`.
- flat_name: process.pe.sections.virtual_size
- format: string
+ original_fieldset: process
+ short: Information about the controlling TTY device.
+ type: object
+ process.session_leader.parent.tty.char_device.major:
+ dashed_name: process-session-leader-parent-tty-char-device-major
+ description: The major number identifies the driver associated with the device.
+ The character device's major and minor numbers can be algorithmically combined
+ to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
+ For more details, please refer to the Linux kernel documentation.
+ example: 4
+ flat_name: process.session_leader.parent.tty.char_device.major
 level: extended
- name: sections.virtual_size
+ name: tty.char_device.major
 normalize: []
- original_fieldset: pe
- short: PE Section List virtual size. This is always the same as `physical_size`.
+ original_fieldset: process
+ short: The TTY character device's major number.
 type: long
- process.pid:
- dashed_name: process-pid
- description: Process id.
- example: 4242
- flat_name: process.pid
- format: string
- level: core
- name: pid
+ process.session_leader.parent.tty.char_device.minor:
+ dashed_name: process-session-leader-parent-tty-char-device-minor
+ description: The minor number is used only by the driver specified by the major
+ number; other parts of the kernel don’t use it, and merely pass it along to
+ the driver. It is common for a driver to control several devices; the minor
+ number provides a way for the driver to differentiate among them.
+ example: 1
+ flat_name: process.session_leader.parent.tty.char_device.minor
+ level: extended
+ name: tty.char_device.minor
 normalize: []
- otel:
- - relation: match
- stability: development
- short: Process id.
+ original_fieldset: process
+ short: The TTY character device's minor number.
 type: long
- process.previous.args:
- dashed_name: process-previous-args
- description: 'Array of process arguments, starting with the absolute path to
- the executable.
+ process.session_leader.parent.tty.columns:
+ dashed_name: process-session-leader-parent-tty-columns
+ description: 'The number of character columns per line. e.g terminal width
- May be filtered to protect sensitive information.'
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
- flat_name: process.previous.args
- ignore_above: 1024
+ Terminal sizes can change, so this value reflects the maximum value for a
+ given IO event. i.e. where event.action = ''text_output'''
+ example: 80
+ flat_name: process.session_leader.parent.tty.columns
 level: extended
- name: args
- normalize:
- - array
+ name: tty.columns
+ normalize: []
 original_fieldset: process
- short: Array of process arguments.
- type: keyword
- process.previous.args_count:
- dashed_name: process-previous-args-count
- description: 'Length of the process.args array.
+ short: The number of character columns per line. e.g terminal width
+ type: long
+ process.session_leader.parent.tty.rows:
+ dashed_name: process-session-leader-parent-tty-rows
+ description: 'The number of character rows in the terminal. e.g terminal height
- This field can be useful for querying or performing bucket analysis on how
- many arguments were provided to start a process. More arguments may be an
- indication of suspicious activity.'
- example: 4
- flat_name: process.previous.args_count
+ Terminal sizes can change, so this value reflects the maximum value for a
+ given IO event. i.e. where event.action = ''text_output'''
+ example: 24
+ flat_name: process.session_leader.parent.tty.rows
 level: extended
- name: args_count
+ name: tty.rows
 normalize: []
 original_fieldset: process
- short: Length of the process.args array.
+ short: The number of character rows in the terminal. e.g terminal height
 type: long
- process.previous.executable:
- dashed_name: process-previous-executable
- description: Absolute path to the process executable.
- example: /usr/bin/ssh
- flat_name: process.previous.executable
- ignore_above: 1024
+ process.session_leader.parent.uptime:
+ dashed_name: process-session-leader-parent-uptime
+ description: Seconds the process has been up.
+ example: 1325
+ flat_name: process.session_leader.parent.uptime
 level: extended
- multi_fields:
- - flat_name: process.previous.executable.text
- name: text
- type: match_only_text
- name: executable
+ name: uptime
 normalize: []
 original_fieldset: process
- short: Absolute path to the process executable.
- type: keyword
- process.real_group.id:
- dashed_name: process-real-group-id
- description: Unique identifier for the group on the system/platform.
- flat_name: process.real_group.id
+ short: Seconds the process has been up.
+ type: long
+ process.session_leader.parent.user.domain:
+ dashed_name: process-session-leader-parent-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.session_leader.parent.user.domain
 ignore_above: 1024
 level: extended
- name: id
+ name: domain
 normalize: []
- original_fieldset: group
- short: Unique identifier for the group on the system/platform.
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
 type: keyword
- process.real_group.name:
- dashed_name: process-real-group-name
- description: Name of the group.
- flat_name: process.real_group.name
+ process.session_leader.parent.user.email:
+ dashed_name: process-session-leader-parent-user-email
+ description: User email address.
+ flat_name: process.session_leader.parent.user.email
 ignore_above: 1024
 level: extended
- name: name
- normalize: []
- original_fieldset: group
- short: Name of the group.
- type: keyword
- process.real_user.id:
- dashed_name: process-real-user-id
- description: Unique identifier of the user.
- example: S-1-5-21-202424912787-2692429404-2351956786-1000
- flat_name: process.real_user.id
- ignore_above: 1024
- level: core
- name: id
+ name: email
 normalize: []
 original_fieldset: user
- otel:
- - relation: match
- stability: development
- short: Unique identifier of the user.
+ short: User email address.
 type: keyword
- process.real_user.name:
- dashed_name: process-real-user-name
- description: Short name or login of the user.
- example: a.einstein
- flat_name: process.real_user.name
+ process.session_leader.parent.user.full_name:
+ dashed_name: process-session-leader-parent-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.session_leader.parent.user.full_name
 ignore_above: 1024
- level: core
+ level: extended
 multi_fields:
- - flat_name: process.real_user.name.text
+ - flat_name: process.session_leader.parent.user.full_name.text
 name: text
 type: match_only_text
- name: name
+ name: full_name
 normalize: []
 original_fieldset: user
- otel:
- - relation: match
- stability: development
- short: Short name or login of the user.
+ short: User's full name, if available.
 type: keyword
- process.saved_group.id:
- dashed_name: process-saved-group-id
+ process.session_leader.parent.user.group.domain:
+ dashed_name: process-session-leader-parent-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.session_leader.parent.user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.session_leader.parent.user.group.id:
+ dashed_name: process-session-leader-parent-user-group-id
 description: Unique identifier for the group on the system/platform.
- flat_name: process.saved_group.id
+ flat_name: process.session_leader.parent.user.group.id
 ignore_above: 1024
 level: extended
 name: id
@@ -15709,10 +47077,10 @@ process:
 original_fieldset: group
 short: Unique identifier for the group on the system/platform.
 type: keyword
- process.saved_group.name:
- dashed_name: process-saved-group-name
+ process.session_leader.parent.user.group.name:
+ dashed_name: process-session-leader-parent-user-group-name
 description: Name of the group.
- flat_name: process.saved_group.name
+ flat_name: process.session_leader.parent.user.group.name
 ignore_above: 1024
 level: extended
 name: name
@@ -15720,303 +47088,461 @@ process:
 original_fieldset: group
 short: Name of the group.
 type: keyword
- process.saved_user.id:
- dashed_name: process-saved-user-id
+ process.session_leader.parent.user.hash:
+ dashed_name: process-session-leader-parent-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.session_leader.parent.user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+ process.session_leader.parent.user.id:
+ dashed_name: process-session-leader-parent-user-id
 description: Unique identifier of the user.
 example: S-1-5-21-202424912787-2692429404-2351956786-1000
- flat_name: process.saved_user.id
+ flat_name: process.session_leader.parent.user.id
 ignore_above: 1024
 level: core
 name: id
 normalize: []
 original_fieldset: user
- otel:
- - relation: match
- stability: development
 short: Unique identifier of the user.
 type: keyword
- process.saved_user.name:
- dashed_name: process-saved-user-name
+ process.session_leader.parent.user.name:
+ dashed_name: process-session-leader-parent-user-name
 description: Short name or login of the user.
 example: a.einstein
- flat_name: process.saved_user.name
+ flat_name: process.session_leader.parent.user.name
 ignore_above: 1024
 level: core
 multi_fields:
- - flat_name: process.saved_user.name.text
+ - flat_name: process.session_leader.parent.user.name.text
 name: text
 type: match_only_text
 name: name
 normalize: []
 original_fieldset: user
- otel:
- - relation: match
- stability: development
 short: Short name or login of the user.
 type: keyword
- process.session_leader.args:
- dashed_name: process-session-leader-args
- description: 'Array of process arguments, starting with the absolute path to
- the executable.
-
- May be filtered to protect sensitive information.'
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
- flat_name: process.session_leader.args
+ process.session_leader.parent.user.risk.calculated_level:
+ dashed_name: process-session-leader-parent-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.session_leader.parent.user.risk.calculated_level
 ignore_above: 1024
 level: extended
- name: args
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ process.session_leader.parent.user.risk.calculated_score:
+ dashed_name: process-session-leader-parent-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.session_leader.parent.user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ process.session_leader.parent.user.risk.calculated_score_norm:
+ dashed_name: process-session-leader-parent-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: process.session_leader.parent.user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ process.session_leader.parent.user.risk.static_level:
+ dashed_name: process-session-leader-parent-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.session_leader.parent.user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ process.session_leader.parent.user.risk.static_score:
+ dashed_name: process-session-leader-parent-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.session_leader.parent.user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ process.session_leader.parent.user.risk.static_score_norm:
+ dashed_name: process-session-leader-parent-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.session_leader.parent.user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+ process.session_leader.parent.user.roles:
+ dashed_name: process-session-leader-parent-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.session_leader.parent.user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
 normalize:
 - array
- original_fieldset: process
- short: Array of process arguments.
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
 type: keyword
- process.session_leader.args_count:
- dashed_name: process-session-leader-args-count
- description: 'Length of the process.args array.
+ process.session_leader.parent.vpid:
+ dashed_name: process-session-leader-parent-vpid
+ description: 'Virtual process id.
- This field can be useful for querying or performing bucket analysis on how
- many arguments were provided to start a process. More arguments may be an
- indication of suspicious activity.'
- example: 4
- flat_name: process.session_leader.args_count
- level: extended
- name: args_count
+ The process id within a pid namespace. This is not necessarily unique across
+ all processes on the host but it is unique within the process namespace that
+ the process exists within.'
+ example: 4242
+ flat_name: process.session_leader.parent.vpid
+ format: string
+ level: core
+ name: vpid
 normalize: []
 original_fieldset: process
- short: Length of the process.args array.
+ short: Virtual process id.
 type: long
- process.session_leader.command_line:
- dashed_name: process-session-leader-command-line
- description: 'Full command line that started the process, including the absolute
- path to the executable, and all arguments.
-
- Some arguments may be filtered to protect sensitive information.'
- example: /usr/bin/ssh -l user 10.0.0.16
- flat_name: process.session_leader.command_line
+ process.session_leader.parent.working_directory:
+ dashed_name: process-session-leader-parent-working-directory
+ description: The working directory of the process.
+ example: /home/alice
+ flat_name: process.session_leader.parent.working_directory
+ ignore_above: 1024
 level: extended
 multi_fields:
- - flat_name: process.session_leader.command_line.text
+ - flat_name: process.session_leader.parent.working_directory.text
 name: text
 type: match_only_text
- name: command_line
+ name: working_directory
 normalize: []
 original_fieldset: process
- short: Full command line that started the process.
- type: wildcard
- process.session_leader.entity_id:
- dashed_name: process-session-leader-entity-id
- description: 'Unique identifier for the process.
-
- The implementation of this is specified by the data source, but some examples
- of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
- or a hash of some uniquely identifying components of a process.
-
- Constructing a globally unique identifier is a common practice to mitigate
- PID reuse as well as to identify a specific process over time, across multiple
- monitored hosts.'
- example: c2c455d9f99375d
- flat_name: process.session_leader.entity_id
+ short: The working directory of the process.
+ type: keyword
+ process.session_leader.pe.architecture:
+ dashed_name: process-session-leader-pe-architecture
+ description: CPU architecture target for the file.
+ example: x64
+ flat_name: process.session_leader.pe.architecture
 ignore_above: 1024
 level: extended
- name: entity_id
+ name: architecture
 normalize: []
- original_fieldset: process
- short: Unique identifier for the process.
+ original_fieldset: pe
+ short: CPU architecture target for the file.
 type: keyword
- process.session_leader.executable:
- dashed_name: process-session-leader-executable
- description: Absolute path to the process executable.
- example: /usr/bin/ssh
- flat_name: process.session_leader.executable
+ process.session_leader.pe.company:
+ dashed_name: process-session-leader-pe-company
+ description: Internal company name of the file, provided at compile-time.
+ example: Microsoft Corporation
+ flat_name: process.session_leader.pe.company
 ignore_above: 1024
 level: extended
- multi_fields:
- - flat_name: process.session_leader.executable.text
- name: text
- type: match_only_text
- name: executable
+ name: company
+ normalize: []
+ original_fieldset: pe
+ short: Internal company name of the file, provided at compile-time.
+ type: keyword
+ process.session_leader.pe.description:
+ dashed_name: process-session-leader-pe-description
+ description: Internal description of the file, provided at compile-time.
+ example: Paint
+ flat_name: process.session_leader.pe.description
+ ignore_above: 1024
+ level: extended
+ name: description
 normalize: []
- original_fieldset: process
- short: Absolute path to the process executable.
+ original_fieldset: pe
+ short: Internal description of the file, provided at compile-time.
 type: keyword
- process.session_leader.group.id:
- dashed_name: process-session-leader-group-id
- description: Unique identifier for the group on the system/platform.
- flat_name: process.session_leader.group.id
+ process.session_leader.pe.file_version:
+ dashed_name: process-session-leader-pe-file-version
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ flat_name: process.session_leader.pe.file_version
 ignore_above: 1024
 level: extended
- name: id
+ name: file_version
 normalize: []
- original_fieldset: group
- short: Unique identifier for the group on the system/platform.
+ original_fieldset: pe
+ short: Process name.
 type: keyword
- process.session_leader.group.name:
- dashed_name: process-session-leader-group-name
- description: Name of the group.
- flat_name: process.session_leader.group.name
+ process.session_leader.pe.go_import_hash:
+ dashed_name: process-session-leader-pe-go-import-hash
+ description: 'A hash of the Go language imports in a PE file excluding standard
+ library imports.
An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would
+ change more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ flat_name: process.session_leader.pe.go_import_hash
 ignore_above: 1024
 level: extended
- name: name
+ name: go_import_hash
 normalize: []
- original_fieldset: group
- short: Name of the group.
+ original_fieldset: pe
+ short: A hash of the Go language imports in a PE file.
 type: keyword
- process.session_leader.interactive:
- dashed_name: process-session-leader-interactive
- description: 'Whether the process is connected to an interactive shell.
-
- Process interactivity is inferred from the processes file descriptors. If
- the character device for the controlling tty is the same as stdin and stderr
- for the process, the process is considered interactive.
-
- Note: A non-interactive process can belong to an interactive session and is
- simply one that does not have open file descriptors reading the controlling
- TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A
- backgrounded process is still considered interactive if stdin and stderr are
- connected to the controlling TTY.'
- example: true
- flat_name: process.session_leader.interactive
+ process.session_leader.pe.go_imports:
+ dashed_name: process-session-leader-pe-go-imports
+ description: List of imported Go language element names and types.
+ flat_name: process.session_leader.pe.go_imports
 level: extended
- name: interactive
+ name: go_imports
 normalize: []
- original_fieldset: process
- short: Whether the process is connected to an interactive shell.
+ original_fieldset: pe
+ short: List of imported Go language element names and types.
+ type: flattened
+ process.session_leader.pe.go_imports_names_entropy:
+ dashed_name: process-session-leader-pe-go-imports-names-entropy
+ description: Shannon entropy calculation from the list of Go imports.
+ flat_name: process.session_leader.pe.go_imports_names_entropy
+ format: number
+ level: extended
+ name: go_imports_names_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the list of Go imports.
+ type: long
+ process.session_leader.pe.go_imports_names_var_entropy:
+ dashed_name: process-session-leader-pe-go-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ flat_name: process.session_leader.pe.go_imports_names_var_entropy
+ format: number
+ level: extended
+ name: go_imports_names_var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the list of Go imports.
+ type: long
+ process.session_leader.pe.go_stripped:
+ dashed_name: process-session-leader-pe-go-stripped
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ flat_name: process.session_leader.pe.go_stripped
+ level: extended
+ name: go_stripped
+ normalize: []
+ original_fieldset: pe
+ short: Whether the file is a stripped or obfuscated Go executable.
 type: boolean
- process.session_leader.name:
- dashed_name: process-session-leader-name
- description: 'Process name.
+ process.session_leader.pe.imphash:
+ dashed_name: process-session-leader-pe-imphash
+ description: 'A hash of the imports in a PE file. An imphash -- or import hash
+ -- can be used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
- Sometimes called program name or similar.'
- example: ssh
- flat_name: process.session_leader.name
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+ example: 0c6803c4e922103c4dca5963aad36ddf
+ flat_name: process.session_leader.pe.imphash
 ignore_above: 1024
 level: extended
- multi_fields:
- - flat_name: process.session_leader.name.text
- name: text
- type: match_only_text
- name: name
+ name: imphash
 normalize: []
- original_fieldset: process
- short: Process name.
+ original_fieldset: pe
+ short: A hash of the imports in a PE file.
 type: keyword
- process.session_leader.parent.entity_id:
- dashed_name: process-session-leader-parent-entity-id
- description: 'Unique identifier for the process.
-
- The implementation of this is specified by the data source, but some examples
- of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
- or a hash of some uniquely identifying components of a process.
+ process.session_leader.pe.import_hash:
+ dashed_name: process-session-leader-pe-import-hash
+ description: 'A hash of the imports in a PE file. An import hash can be used
+ to fingerprint binaries even after recompilation or other code-level transformations
+ have occurred, which would change more traditional hash values.
- Constructing a globally unique identifier is a common practice to mitigate
- PID reuse as well as to identify a specific process over time, across multiple
- monitored hosts.'
- example: c2c455d9f99375d
- flat_name: process.session_leader.parent.entity_id
+ This is a synonym for imphash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ flat_name: process.session_leader.pe.import_hash
 ignore_above: 1024
 level: extended
- name: entity_id
+ name: import_hash
 normalize: []
- original_fieldset: process
- short: Unique identifier for the process.
+ original_fieldset: pe
+ short: A hash of the imports in a PE file.
type: keyword
- process.session_leader.parent.pid:
- dashed_name: process-session-leader-parent-pid
- description: Process id.
- example: 4242
- flat_name: process.session_leader.parent.pid
- format: string
- level: core
- name: pid
+ process.session_leader.pe.imports:
+ dashed_name: process-session-leader-pe-imports
+ description: List of imported element names and types.
+ flat_name: process.session_leader.pe.imports
+ level: extended
+ name: imports
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of imported element names and types.
+ type: flattened
+ process.session_leader.pe.imports_names_entropy:
+ dashed_name: process-session-leader-pe-imports-names-entropy
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ flat_name: process.session_leader.pe.imports_names_entropy
+ format: number
+ level: extended
+ name: imports_names_entropy
 normalize: []
- original_fieldset: process
- short: Process id.
+ original_fieldset: pe
+ short: Shannon entropy calculation from the list of imported element names and
+ types.
 type: long
- process.session_leader.parent.session_leader.entity_id:
- dashed_name: process-session-leader-parent-session-leader-entity-id
- description: 'Unique identifier for the process.
-
- The implementation of this is specified by the data source, but some examples
- of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
- or a hash of some uniquely identifying components of a process.
+ process.session_leader.pe.imports_names_var_entropy:
+ dashed_name: process-session-leader-pe-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ flat_name: process.session_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.pe.original_file_name: + dashed_name: process-session-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.session_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.session_leader.pe.pehash: + dashed_name: process-session-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.session_leader.entity_id + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.session_leader.pe.pehash ignore_above: 1024 level: extended - name: entity_id + name: pehash normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. type: keyword - process.session_leader.parent.session_leader.pid: - dashed_name: process-session-leader-parent-session-leader-pid - description: Process id. 
- example: 4242 - flat_name: process.session_leader.parent.session_leader.pid - format: string - level: core - name: pid + process.session_leader.pe.product: + dashed_name: process-session-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.session_leader.pe.product + ignore_above: 1024 + level: extended + name: product normalize: [] - original_fieldset: process - short: Process id. + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.session_leader.pe.sections: + dashed_name: process-session-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.session_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.session_leader.pe.sections.entropy: + dashed_name: process-session-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. type: long - process.session_leader.parent.session_leader.start: - dashed_name: process-session-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.start + process.session_leader.pe.sections.name: + dashed_name: process-session-leader-pe-sections-name + description: PE Section List name. 
+ flat_name: process.session_leader.pe.sections.name + ignore_above: 1024 level: extended - name: start + name: sections.name normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.session_leader.parent.session_leader.vpid: - dashed_name: process-session-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.session_leader.parent.session_leader.vpid - format: string - level: core - name: vpid + original_fieldset: pe + short: PE Section List name. + type: keyword + process.session_leader.pe.sections.physical_size: + dashed_name: process-session-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.session_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size normalize: [] - original_fieldset: process - short: Virtual process id. + original_fieldset: pe + short: PE Section List physical size. type: long - process.session_leader.parent.start: - dashed_name: process-session-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.start + process.session_leader.pe.sections.var_entropy: + dashed_name: process-session-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.pe.sections.var_entropy + format: number level: extended - name: start + name: sections.var_entropy normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.session_leader.parent.vpid: - dashed_name: process-session-leader-parent-vpid - description: 'Virtual process id. 
- - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.session_leader.parent.vpid + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.pe.sections.virtual_size: + dashed_name: process-session-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.pe.sections.virtual_size format: string - level: core - name: vpid + level: extended + name: sections.virtual_size normalize: [] - original_fieldset: process - short: Virtual process id. + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. type: long process.session_leader.pid: dashed_name: process-session-leader-pid 
@@ -16033,6 +47559,32 @@ process: stability: development short: Process id. type: long + process.session_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.session_leader.real_group.domain: + dashed_name: process-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword process.session_leader.real_group.id: dashed_name: process-session-leader-real-group-id description: Unique identifier for the group on the system/platform. 
@@ -16055,6 +47607,96 @@ process: original_fieldset: group short: Name of the group. type: keyword + process.session_leader.real_user.domain: + dashed_name: process-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.real_user.email: + dashed_name: process-session-leader-real-user-email + description: User email address. + flat_name: process.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.real_user.full_name: + dashed_name: process-session-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.real_user.group.domain: + dashed_name: process-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.session_leader.real_user.group.id: + dashed_name: process-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.real_user.group.name: + dashed_name: process-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.real_user.hash: + dashed_name: process-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.session_leader.real_user.id: dashed_name: process-session-leader-real-user-id description: Unique identifier of the user. 
@@ -16083,6 +47725,100 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword + process.session_leader.real_user.risk.calculated_level: + dashed_name: process-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.real_user.risk.calculated_score: + dashed_name: process-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.session_leader.real_user.risk.static_level: + dashed_name: process-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.real_user.risk.static_score: + dashed_name: process-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.real_user.risk.static_score_norm: + dashed_name: process-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.real_user.roles: + dashed_name: process-session-leader-real-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.session_leader.same_as_process: dashed_name: process-session-leader-same-as-process description: 'This boolean is used to identify if a leader process is the same 
@@ -16102,21 +47838,109 @@ process: Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true` - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.same_as_process + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.session_leader.saved_group.domain: + dashed_name: process-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.saved_group.id: + dashed_name: process-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.saved_group.name: + dashed_name: process-session-leader-saved-group-name + description: Name of the group. + flat_name: process.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.session_leader.saved_user.domain: + dashed_name: process-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.saved_user.email: + dashed_name: process-session-leader-saved-user-email + description: User email address. + flat_name: process.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.saved_user.full_name: + dashed_name: process-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.saved_user.group.domain: + dashed_name: process-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_user.group.domain + ignore_above: 1024 level: extended - name: same_as_process + name: domain normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. 
- type: boolean - process.session_leader.saved_group.id: - dashed_name: process-session-leader-saved-group-id + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.saved_user.group.id: + dashed_name: process-session-leader-saved-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.saved_group.id + flat_name: process.session_leader.saved_user.group.id ignore_above: 1024 level: extended name: id @@ -16124,10 +47948,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.saved_group.name: - dashed_name: process-session-leader-saved-group-name + process.session_leader.saved_user.group.name: + dashed_name: process-session-leader-saved-user-group-name description: Name of the group. - flat_name: process.session_leader.saved_group.name + flat_name: process.session_leader.saved_user.group.name ignore_above: 1024 level: extended name: name @@ -16135,6 +47959,21 @@ process: original_fieldset: group short: Name of the group. type: keyword + process.session_leader.saved_user.hash: + dashed_name: process-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.session_leader.saved_user.id: dashed_name: process-session-leader-saved-user-id description: Unique identifier of the user. 
@@ -16163,6 +48002,100 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword + process.session_leader.saved_user.risk.calculated_level: + dashed_name: process-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.saved_user.risk.calculated_score: + dashed_name: process-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.session_leader.saved_user.risk.static_level: + dashed_name: process-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.saved_user.risk.static_score: + dashed_name: process-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.saved_user.roles: + dashed_name: process-session-leader-saved-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.session_leader.start: dashed_name: process-session-leader-start description: The time the process started. @@ -16174,6 +48107,19 @@ process: original_fieldset: process short: The time the process started. type: date + process.session_leader.supplemental_groups.domain: + dashed_name: process-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword process.session_leader.supplemental_groups.id: dashed_name: process-session-leader-supplemental-groups-id description: Unique identifier for the group on the system/platform. 
@@ -16196,6 +48142,80 @@ process: original_fieldset: group short: Name of the group. type: keyword + process.session_leader.thread.capabilities.effective: + dashed_name: process-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.session_leader.thread.capabilities.permitted: + dashed_name: process-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.session_leader.thread.id: + dashed_name: process-session-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.session_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.session_leader.thread.name: + dashed_name: process-session-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.session_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. 
+ type: keyword + process.session_leader.title: + dashed_name: process-session-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.session_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword process.session_leader.tty: dashed_name: process-session-leader-tty description: Information about the controlling TTY device. If set, the process 
@@ -16235,6 +48255,135 @@ process: original_fieldset: process short: The TTY character device's minor number. type: long + process.session_leader.tty.columns: + dashed_name: process-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.session_leader.tty.rows: + dashed_name: process-session-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.session_leader.uptime: + dashed_name: process-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.session_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.session_leader.user.domain: + dashed_name: process-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword + process.session_leader.user.email: + dashed_name: process-session-leader-user-email + description: User email address. + flat_name: process.session_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.user.full_name: + dashed_name: process-session-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.user.group.domain: + dashed_name: process-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.user.group.id: + dashed_name: process-session-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.user.group.name: + dashed_name: process-session-leader-user-group-name + description: Name of the group. + flat_name: process.session_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.session_leader.user.hash: + dashed_name: process-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.session_leader.user.id: dashed_name: process-session-leader-user-id description: Unique identifier of the user. 
@@ -16263,6 +48412,100 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword + process.session_leader.user.risk.calculated_level: + dashed_name: process-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.user.risk.calculated_score: + dashed_name: process-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.user.risk.calculated_score_norm: + dashed_name: process-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.session_leader.user.risk.static_level: + dashed_name: process-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.user.risk.static_score: + dashed_name: process-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.user.risk.static_score_norm: + dashed_name: process-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.user.roles: + dashed_name: process-session-leader-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.session_leader.vpid: dashed_name: process-session-leader-vpid description: 'Virtual process id. @@ -16305,6 +48548,19 @@ process: normalize: [] short: The time the process started. type: date + process.supplemental_groups.domain: + dashed_name: process-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword process.supplemental_groups.id: dashed_name: process-supplemental-groups-id description: Unique identifier for the group on the system/platform. 
@@ -16475,6 +48731,96 @@ process: stability: development short: Seconds the process has been up. type: long + process.user.domain: + dashed_name: process-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.user.email: + dashed_name: process-user-email + description: User email address. + flat_name: process.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.user.full_name: + dashed_name: process-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.user.group.domain: + dashed_name: process-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.user.group.id: + dashed_name: process-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.user.group.name: + dashed_name: process-user-group-name + description: Name of the group. + flat_name: process.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.user.hash: + dashed_name: process-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.user.id: dashed_name: process-user-id description: Unique identifier of the user. 
@@ -16509,6 +48855,100 @@ process: stability: development short: Short name or login of the user. type: keyword + process.user.risk.calculated_level: + dashed_name: process-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.user.risk.calculated_score: + dashed_name: process-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.user.risk.calculated_score_norm: + dashed_name: process-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.user.risk.static_level: + dashed_name: process-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.user.risk.static_score: + dashed_name: process-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.user.risk.static_score_norm: + dashed_name: process-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.user.roles: + dashed_name: process-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.vpid: dashed_name: process-vpid description: 'Virtual process id. 
@@ -17627,6 +50067,86 @@ server: original_fieldset: user short: Short name or login of the user. type: keyword + server.user.risk.calculated_level: + dashed_name: server-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: server.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + server.user.risk.calculated_score: + dashed_name: server-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: server.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + server.user.risk.calculated_score_norm: + dashed_name: server-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: server.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + server.user.risk.static_level: + dashed_name: server-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: server.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + server.user.risk.static_score: + dashed_name: server-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: server.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + server.user.risk.static_score_norm: + dashed_name: server-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: server.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -19045,6 +51565,86 @@ source: original_fieldset: user short: Short name or login of the user. type: keyword + source.user.risk.calculated_level: + dashed_name: source-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: source.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + source.user.risk.calculated_score: + dashed_name: source-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: source.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + source.user.risk.calculated_score_norm: + dashed_name: source-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: source.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + source.user.risk.static_level: + dashed_name: source-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: source.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + source.user.risk.static_score: + dashed_name: source-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: source.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + source.user.risk.static_score_norm: + dashed_name: source-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: source.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
@@ -26342,6 +58942,86 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword + user.changes.risk.calculated_level: + dashed_name: user-changes-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: user.changes.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + user.changes.risk.calculated_score: + dashed_name: user-changes-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.changes.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + user.changes.risk.calculated_score_norm: + dashed_name: user-changes-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: user.changes.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + user.changes.risk.static_level: + dashed_name: user-changes-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.changes.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + user.changes.risk.static_score: + dashed_name: user-changes-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.changes.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + user.changes.risk.static_score_norm: + dashed_name: user-changes-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.changes.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -26486,6 +59166,86 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword + user.effective.risk.calculated_level: + dashed_name: user-effective-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: user.effective.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + user.effective.risk.calculated_score: + dashed_name: user-effective-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.effective.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + user.effective.risk.calculated_score_norm: + dashed_name: user-effective-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: user.effective.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + user.effective.risk.static_level: + dashed_name: user-effective-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.effective.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + user.effective.risk.static_score: + dashed_name: user-effective-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.effective.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + user.effective.risk.static_score_norm: + dashed_name: user-effective-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.effective.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -27084,6 +59844,86 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword + user.target.risk.calculated_level: + dashed_name: user-target-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: user.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + user.target.risk.calculated_score: + dashed_name: user-target-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + user.target.risk.calculated_score_norm: + dashed_name: user-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: user.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + user.target.risk.static_level: + dashed_name: user-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + user.target.risk.static_score: + dashed_name: user-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + user.target.risk.static_score_norm: + dashed_name: user-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. diff --git a/generated/elasticsearch/composable/component/client.json b/generated/elasticsearch/composable/component/client.json index 08cadb7b8a..fc8c6b7fcb 100644 --- a/generated/elasticsearch/composable/component/client.json +++ b/generated/elasticsearch/composable/component/client.json 
@@ -173,6 +173,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/component/destination.json b/generated/elasticsearch/composable/component/destination.json index 12d0c9d349..9e69df2d3d 100644 --- a/generated/elasticsearch/composable/component/destination.json +++ b/generated/elasticsearch/composable/component/destination.json @@ -173,6 +173,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index a2b964c83c..486956361a 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json 
@@ -15,6 +15,105 @@ "args_count": { "type": "long" }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, "code_signature": { "properties": { "digest_algorithm": { @@ -216,6 +315,9 @@ "end": { "type": "date" }, + "endpoint_security_client": { + "type": "boolean" + }, "entity_id": { "ignore_above": 1024, "type": "keyword" @@ -231,6 +333,14 @@ }, "attested_groups": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "name": { "ignore_above": 1024, "type": "keyword" 
@@ -239,11 +349,15 @@ }, "attested_user": { "properties": { - "id": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { "fields": { "text": { "type": "match_only_text" 
@@ -251,276 +365,407 @@ }, "ignore_above": 1024, "type": "keyword" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { + }, + "group": { "properties": { - "ip": { - "type": "ip" + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } } }, - "type": { + "hash": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { + }, "id": { "ignore_above": 1024, "type": "keyword" }, "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "pid": { - "type": "long" - }, - "session_leader": { + "risk": { "properties": { - "entity_id": { + "calculated_level": { "ignore_above": 1024, "type": "keyword" }, - "pid": { - "type": "long" + "calculated_score": { + "type": "float" }, - "start": { - "type": "date" + "calculated_score_norm": { + "type": "float" }, - "vpid": { - "type": "long" + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" } } }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, - "pid": { - "type": "long" - }, - "real_group": { + "code_signature": { "properties": { - 
"id": { + "digest_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "exists": { + "type": "boolean" + }, + "flags": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { + }, + "signing_id": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "status": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { + }, + "subject_name": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "team_id": { "ignore_above": 1024, "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } } }, - "saved_user": { + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { "properties": { - "id": { + "architecture": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "byte_order": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { + }, + "cpu_type": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { "properties": { - "major": { - "type": "long" + "abi_version": { + "ignore_above": 1024, + "type": "keyword" }, - "minor": { + "class": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { + }, + "import_hash": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { "ignore_above": 1024, "type": "keyword" } } }, - "vpid": { - "type": "long" + "end": { + "type": "date" }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - 
}, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "endpoint_security_client": { + "type": "boolean" }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "args_count": { - "type": "long" - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { 
+ "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "type": "wildcard" + } }, - "entity_id": { + "env_vars": { "ignore_above": 1024, + "synthetic_source_keep": "none", "type": "keyword" }, "executable": { @@ -532,8 +777,15 @@ "ignore_above": 1024, "type": "keyword" }, + "exit_code": { + "type": "long" + }, "group": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -544,133 +796,136 @@ } } }, - "interactive": { - "type": "boolean" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "real_group": { + "hash": { "properties": { - "id": { + "cdhash": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { + "md5": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { + "sha1": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "sha256": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { + }, + "sha384": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "sha512": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { + }, + "ssdeep": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "tlsh": { "ignore_above": 1024, "type": "keyword" } } }, - "tty": { + "interactive": { + "type": "boolean" + }, + "io": { "properties": { - "char_device": { + "bytes_skipped": { "properties": { - "major": { + "length": { "type": "long" }, - "minor": { + "offset": { "type": "long" } - } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } }, "type": "object" }, - "user": { + "macho": { "properties": { - "id": { + "go_import_hash": { "ignore_above": 1024, "type": "keyword" 
}, - "name": { - "fields": { - "text": { - "type": "match_only_text" + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, + "type": "nested" + }, + "symhash": { "ignore_above": 1024, "type": "keyword" } } }, - "vpid": { - "type": "long" - }, - "working_directory": { + "name": { "fields": { "text": { "type": "match_only_text" 
@@ -678,516 +933,2197 @@ }, "ignore_above": 1024, "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" }, - "sha512": { - "ignore_above": 1024, + "origin_referrer_url": { + "ignore_above": 8192, "type": "keyword" }, - "ssdeep": { - "ignore_above": 1024, + "origin_url": { + "ignore_above": 8192, "type": "keyword" }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { + "parent": { "properties": { - "length": { - "type": "long" + "args": { + "ignore_above": 1024, + "type": "keyword" }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, 
- "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { + "args_count": { "type": "long" }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + 
} + } }, - "header": { + "attested_user": { "properties": { - "abi_version": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "class": { + "email": { "ignore_above": 1024, "type": "keyword" }, - "data": { + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "entrypoint": { - "type": "long" + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "object_version": { + "hash": { "ignore_above": 1024, "type": "keyword" }, - "os_abi": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "version": { + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { "ignore_above": 1024, + "synthetic_source_keep": "none", "type": "keyword" } } }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { + "code_signature": { "properties": { - "chi2": { - "type": "long" + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "entropy": { - "type": "long" + "exists": { + "type": "boolean" }, "flags": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "signing_id": { "ignore_above": 1024, "type": "keyword" }, - "physical_offset": { + "status": { "ignore_above": 1024, "type": "keyword" }, - 
"physical_size": { - "type": "long" + "subject_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": { + "team_id": { "ignore_above": 1024, "type": "keyword" }, - "var_entropy": { - "type": "long" + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" }, - "virtual_address": { - "type": "long" + "timestamp": { + "type": "date" }, - "virtual_size": { - "type": "long" + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" } }, - "type": "nested" + "type": "wildcard" }, - "segments": { + "elf": { "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { + "properties": { + "chi2": { + 
"type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { "ignore_above": 1024, "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } }, "type": { "ignore_above": 1024, "type": "keyword" } - }, - "type": "nested" + } }, - "shared_libraries": { + "env_vars": { "ignore_above": 1024, + "synthetic_source_keep": "none", "type": "keyword" }, - "telfhash": { + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" }, - "vpid": { + "exit_code": { "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" }, - "md5": { - "ignore_above": 1024, - "type": "keyword" + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" + "interactive": { + "type": "boolean" }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "ssdeep": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, + "origin_referrer_url": { + "ignore_above": 8192, "type": "keyword" }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, + "origin_url": { + "ignore_above": 8192, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { + "pe": { "properties": { - "entropy": { - "type": "long" + "architecture": { + "ignore_above": 1024, + "type": "keyword" }, - "name": { + "company": { "ignore_above": 1024, "type": "keyword" }, - "physical_size": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { "type": "long" }, - "var_entropy": { + "go_imports_names_var_entropy": { "type": "long" }, - "virtual_size": { + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { "type": "long" + }, + "imports_names_var_entropy": 
{ + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } - }, - "type": "nested" + } }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" + "pid": { + "type": "long" }, - "company": { - "ignore_above": 1024, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 
1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": 
"object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": 
"long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + 
"synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": 
"keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, 
+ "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + 
"calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, "type": "keyword" }, "description": { @@ -1269,8 +3205,15 @@ "pid": { "type": "long" }, + "platform_binary": { + "type": "boolean" + }, "real_group": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -1283,6 +3226,43 @@ }, "real_user": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -1295,11 +3275,47 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, + "same_as_process": { + "type": "boolean" + }, "saved_group": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -1312,6 +3328,43 @@ }, "saved_user": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -1324,6 +3377,35 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, 
@@ -1332,6 +3414,10 @@ }, "supplemental_groups": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -1387,6 +3473,12 @@ "type": "long" } } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" } }, "type": "object" @@ -1396,6 +3488,43 @@ }, "user": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -1408,6 +3537,35 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, 
@@ -1425,174 +3583,165 @@ } } }, - "pe": { + "entry_meta": { "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { + "source": { "properties": { - "entropy": { - "type": "long" - }, - "name": { + "address": { "ignore_above": 1024, "type": "keyword" }, - "physical_size": { - "type": "long" + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } }, - "var_entropy": { + "bytes": { "type": "long" }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": 
{ - "id": { - "ignore_above": 1024, - "type": "keyword" + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "name": { + "type": { "ignore_above": 1024, "type": "keyword" } } }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" } - } + }, + "ignore_above": 1024, + "type": "keyword" }, - "saved_group": { + "exit_code": { + "type": "long" + }, + "group": { "properties": { - "id": { + "domain": { 
"ignore_above": 1024, "type": "keyword" }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { "id": { "ignore_above": 1024, "type": "keyword" }, "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, "ignore_above": 1024, "type": "keyword" } } }, - "session_leader": { + "group_leader": { "properties": { "args": { "ignore_above": 1024, @@ -1601,29 +3750,12 @@ "args_count": { "type": "long" }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { + "attested_groups": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -1634,57 +3766,8747 @@ } } }, - "interactive": { - "type": "boolean" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { + "attested_user": { "properties": { - "entity_id": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "pid": { - "type": "long" + "email": { + "ignore_above": 1024, + "type": "keyword" }, - "session_leader": { + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { "properties": { - "entity_id": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "pid": { - "type": "long" + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "start": { - "type": "date" + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + 
"type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + 
"type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } 
+ }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, 
+ "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": 
"match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + 
"type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + 
"sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + 
"group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + 
"exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + 
"endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": 
"keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + 
"entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + 
"type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": 
"object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + 
} + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": 
"none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + 
"calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + 
"type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 
1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + 
"type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + 
"type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + 
"synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": 
"keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, 
+ "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "responsible": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": 
"flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + 
"type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + 
"major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": 
"long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + 
"properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + 
"type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + 
"code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": 
"flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + 
} + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": 
"none", + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { 
+ "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + 
"total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + 
"type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" 
+ }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + 
"properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + 
"working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + 
"calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" }, - "vpid": { + "virtual_size": { "type": "long" } - } - }, - "start": { - "type": "date" - }, - "vpid": { - 
"type": "long" + }, + "type": "nested" } } }, "pid": { "type": "long" }, + "platform_binary": { + "type": "boolean" + }, "real_group": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -1697,6 +12519,43 @@ }, "real_user": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -1709,6 +12568,35 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, @@ -1717,6 +12605,10 @@ }, "saved_group": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -1729,6 +12621,43 @@ }, "saved_user": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -1741,6 +12670,35 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, @@ -1749,6 +12707,10 @@ }, "supplemental_groups": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -1759,6 +12721,40 @@ } } }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, "tty": { "properties": { "char_device": { 
@@ -1770,12 +12766,58 @@ "type": "long" } } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" } }, "type": "object" }, + "uptime": { + "type": "long" + }, "user": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -1788,6 +12830,35 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, @@ -1810,6 +12881,10 @@ }, "supplemental_groups": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -1880,6 +12955,43 @@ }, "user": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -1892,6 +13004,35 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, diff --git a/generated/elasticsearch/composable/component/server.json b/generated/elasticsearch/composable/component/server.json index 76d7be670f..3fca2eed3c 100644 --- a/generated/elasticsearch/composable/component/server.json +++ b/generated/elasticsearch/composable/component/server.json @@ -173,6 +173,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
diff --git a/generated/elasticsearch/composable/component/source.json b/generated/elasticsearch/composable/component/source.json index fbdd349235..a90539a3d1 100644 --- a/generated/elasticsearch/composable/component/source.json +++ b/generated/elasticsearch/composable/component/source.json @@ -173,6 +173,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index affa8f0284..690c665b64 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json @@ -60,6 +60,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -123,6 +147,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", @@ -319,6 +367,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index ce90e997d0..4c647d2914 100644 --- a/generated/elasticsearch/composable/template.json +++ b/generated/elasticsearch/composable/template.json 
@@ -4,47 +4,47 @@ "ecs_version": "9.3.0-dev" }, "composed_of": [ - "ecs_9.3.0-dev_base", - "ecs_9.3.0-dev_agent", - "ecs_9.3.0-dev_client", - "ecs_9.3.0-dev_cloud", - "ecs_9.3.0-dev_container", - "ecs_9.3.0-dev_data_stream", - "ecs_9.3.0-dev_destination", - "ecs_9.3.0-dev_device", - "ecs_9.3.0-dev_dll", - "ecs_9.3.0-dev_dns", - "ecs_9.3.0-dev_ecs", - "ecs_9.3.0-dev_email", - "ecs_9.3.0-dev_error", - "ecs_9.3.0-dev_event", - "ecs_9.3.0-dev_faas", - "ecs_9.3.0-dev_file", - "ecs_9.3.0-dev_gen_ai", - "ecs_9.3.0-dev_group", - "ecs_9.3.0-dev_host", - "ecs_9.3.0-dev_http", - "ecs_9.3.0-dev_log", - "ecs_9.3.0-dev_network", - "ecs_9.3.0-dev_observer", - "ecs_9.3.0-dev_orchestrator", - "ecs_9.3.0-dev_organization", - "ecs_9.3.0-dev_package", - "ecs_9.3.0-dev_process", - "ecs_9.3.0-dev_registry", - "ecs_9.3.0-dev_related", - "ecs_9.3.0-dev_rule", - "ecs_9.3.0-dev_server", - "ecs_9.3.0-dev_service", - "ecs_9.3.0-dev_source", - "ecs_9.3.0-dev_threat", - "ecs_9.3.0-dev_tls", - "ecs_9.3.0-dev_tracing", - "ecs_9.3.0-dev_url", - "ecs_9.3.0-dev_user_agent", - "ecs_9.3.0-dev_user", - "ecs_9.3.0-dev_volume", - "ecs_9.3.0-dev_vulnerability" + "ecs_9.2.0-dev_agent", + "ecs_9.2.0-dev_base", + "ecs_9.2.0-dev_client", + "ecs_9.2.0-dev_cloud", + "ecs_9.2.0-dev_container", + "ecs_9.2.0-dev_data_stream", + "ecs_9.2.0-dev_destination", + "ecs_9.2.0-dev_device", + "ecs_9.2.0-dev_dll", + "ecs_9.2.0-dev_dns", + "ecs_9.2.0-dev_ecs", + "ecs_9.2.0-dev_email", + "ecs_9.2.0-dev_error", + "ecs_9.2.0-dev_event", + "ecs_9.2.0-dev_faas", + "ecs_9.2.0-dev_file", + "ecs_9.2.0-dev_gen_ai", + "ecs_9.2.0-dev_group", + "ecs_9.2.0-dev_host", + "ecs_9.2.0-dev_http", + "ecs_9.2.0-dev_log", + "ecs_9.2.0-dev_network", + "ecs_9.2.0-dev_observer", + "ecs_9.2.0-dev_orchestrator", + "ecs_9.2.0-dev_organization", + "ecs_9.2.0-dev_package", + "ecs_9.2.0-dev_process", + "ecs_9.2.0-dev_registry", + "ecs_9.2.0-dev_related", + "ecs_9.2.0-dev_rule", + "ecs_9.2.0-dev_server", + "ecs_9.2.0-dev_service", + "ecs_9.2.0-dev_source", 
+ "ecs_9.2.0-dev_threat", + "ecs_9.2.0-dev_tls", + "ecs_9.2.0-dev_tracing", + "ecs_9.2.0-dev_url", + "ecs_9.2.0-dev_user", + "ecs_9.2.0-dev_user_agent", + "ecs_9.2.0-dev_volume", + "ecs_9.2.0-dev_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index cb2dbd54ed..2d4bf5a244 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -221,6 +221,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", @@ -775,6 +799,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
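Review bot: The regenerated `composed_of` list now references `ecs_9.2.0-dev_*` component templates while the `_meta.ecs_version` value just above the hunk still reads `"9.3.0-dev"`, so the index template declares one version but would be assembled from components of another, and a cluster that only has the 9.3.0-dev components installed would presumably reject it. Nothing in the series description suggests a deliberate downgrade, so this looks like the generator was run from a stale version file or branch; the lines that should come back are `"ecs_9.3.0-dev_base",` and the rest of the 9.3.0-dev names. Because this file lives under `generated/`, the fix is to regenerate from the correct version rather than hand-edit, and it is worth checking whether the other generated templates in the same commit picked up the same mismatch. The reordering (`base` no longer first, `user` before `user_agent`) reads as an alphabetical sort and is harmless on its own.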
@@ -3047,6 +3095,105 @@ "args_count": { "type": "long" }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, "code_signature": { "properties": { "digest_algorithm": { @@ -3248,6 +3395,9 @@ "end": { "type": "date" }, + "endpoint_security_client": { + "type": "boolean" + }, "entity_id": { "ignore_above": 1024, "type": "keyword" @@ -3263,6 +3413,14 @@ }, "attested_groups": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "name": { "ignore_above": 1024, "type": "keyword" 
@@ -3271,11 +3429,15 @@ }, "attested_user": { "properties": { - "id": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { "fields": { "text": { "type": "match_only_text" 
@@ -3283,303 +3445,410 @@ }, "ignore_above": 1024, "type": "keyword" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { + }, + "group": { "properties": { - "ip": { - "type": "ip" + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } } }, - "type": { + "hash": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { + }, "id": { "ignore_above": 1024, "type": "keyword" }, "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" }, - "session_leader": { + "risk": { "properties": { - "entity_id": { + "calculated_level": { "ignore_above": 1024, "type": "keyword" }, - "pid": { - "type": "long" + "calculated_score": { + "type": "float" }, - "start": { - "type": "date" + "calculated_score_norm": { + "type": "float" }, - "vpid": { - "type": "long" + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" } } }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, - "pid": { - "type": "long" - }, - "real_group": { + "code_signature": { "properties": { - 
"id": { + "digest_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "exists": { + "type": "boolean" + }, + "flags": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { + }, + "signing_id": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "status": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { + }, + "subject_name": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "team_id": { "ignore_above": 1024, "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } } }, - "saved_user": { + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { "properties": { - "id": { + "architecture": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "byte_order": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { + }, + "cpu_type": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { "properties": { - "major": { - "type": "long" + "abi_version": { + "ignore_above": 1024, + "type": "keyword" }, - "minor": { + "class": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { + }, + "import_hash": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { "ignore_above": 1024, "type": "keyword" } } }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, 
- "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" + "end": { + "type": "date" }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" + "endpoint_security_client": { + "type": "boolean" }, "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { + "entry_meta": { "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "name": { + "type": { "ignore_above": 1024, "type": "keyword" } } }, - "interactive": { - "type": "boolean" + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" }, - "name": { + "executable": { "fields": { "text": { "type": "match_only_text" @@ -3588,11 +3857,15 @@ "ignore_above": 1024, "type": "keyword" }, - "pid": { + "exit_code": { "type": "long" }, - "real_group": { + "group": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -3603,106 +3876,136 @@ } } }, - "real_user": { + "hash": { "properties": { - "id": { + "cdhash": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "md5": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { + }, + "sha1": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "sha256": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { + }, + "sha384": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "sha512": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { + }, + "ssdeep": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "tlsh": { "ignore_above": 1024, "type": "keyword" } } }, - "tty": { + "interactive": { + "type": "boolean" + }, + "io": { "properties": { - "char_device": { + "bytes_skipped": { "properties": { - "major": { + "length": { "type": "long" }, - "minor": { + "offset": { "type": "long" } - } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } }, "type": "object" }, - "user": { + "macho": { "properties": { - "id": { + "go_import_hash": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + 
"type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, + "type": "nested" + }, + "symhash": { "ignore_above": 1024, "type": "keyword" } } }, - "vpid": { - "type": "long" - }, - "working_directory": { + "name": { "fields": { "text": { "type": "match_only_text" 
@@ -3710,645 +4013,462 @@ }, "ignore_above": 1024, "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" }, - "import_hash": { - "ignore_above": 1024, + "origin_referrer_url": { + "ignore_above": 8192, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 
1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, + "origin_url": { + "ignore_above": 8192, "type": "keyword" }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { + "parent": { "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { + "args": { "ignore_above": 1024, "type": "keyword" }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { + "args_count": { "type": "long" }, - "go_stripped": { - "type": "boolean" - }, - "header": { + "attested_groups": { "properties": { - "abi_version": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "class": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "data": { + "name": { "ignore_above": 1024, "type": "keyword" - }, 
- "entrypoint": { - "type": "long" - }, - "object_version": { + } + } + }, + "attested_user": { + "properties": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "os_abi": { + "email": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } }, - "sections": { + "code_signature": { "properties": { - "chi2": { - "type": "long" + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "entropy": { - "type": "long" + "exists": { + "type": "boolean" }, "flags": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "signing_id": { "ignore_above": 1024, "type": "keyword" }, - "physical_offset": { + "status": { 
"ignore_above": 1024, "type": "keyword" }, - "physical_size": { - "type": "long" + "subject_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": { + "team_id": { "ignore_above": 1024, "type": "keyword" }, - "var_entropy": { - "type": "long" + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" }, - "virtual_address": { - "type": "long" + "timestamp": { + "type": "date" }, - "virtual_size": { - "type": "long" + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" } }, - "type": "nested" + "type": "wildcard" }, - "segments": { + "elf": { "properties": { - "sections": { + "architecture": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "byte_order": { "ignore_above": 1024, "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" }, - "name": { + "cpu_type": { "ignore_above": 1024, "type": "keyword" }, - "physical_size": { - "type": "long" + "creation_date": { + "type": "date" }, - "var_entropy": { - "type": "long" + "exports": { + "type": "flattened" }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { "type": "long" }, - "name": { + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { "ignore_above": 1024, "type": "keyword" }, - "physical_size": { - "type": "long" + "imports": { + "type": "flattened" }, - "var_entropy": { + "imports_names_entropy": { "type": "long" }, - "virtual_size": { + "imports_names_var_entropy": { "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + 
}, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "end": { + "type": "date" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "endpoint_security_client": { + "type": "boolean" }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { "fields": { "text": { "type": "match_only_text" 
@@ -4356,306 +4476,11117 @@ }, "ignore_above": 1024, "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { + "exit_code": { + "type": "long" + }, + "group": { "properties": { - "effective": { + "domain": { "ignore_above": 1024, - "synthetic_source_keep": "none", "type": "keyword" }, - "permitted": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { "ignore_above": 1024, - "synthetic_source_keep": "none", "type": "keyword" } } }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { + "hash": { "properties": { - "major": { - "type": "long" + "cdhash": { + "ignore_above": 1024, + "type": "keyword" }, - "minor": { - "type": "long" + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" }, - "name": { - "fields": { + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + 
}, "text": { - "type": "match_only_text" + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + 
}, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + 
}, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { "type": "long" }, - "name": { + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": 
"long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + 
"properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + 
"type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 
1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } 
+ }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + 
}, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + 
"properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + 
} + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, 
+ "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + 
"type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, 
+ "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + 
"type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + 
"properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 
1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + 
}, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + 
"type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { 
+ "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + 
"type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { 
+ "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + 
"ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + 
"group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": 
{ + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } 
+ } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "responsible": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + 
"properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + 
"imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": 
"boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": 
{ + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, 
+ "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + 
} + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + 
"type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "session_leader": 
{ + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { 
+ "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 
1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + 
"type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + 
"type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + 
}, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": 
"keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 
1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": 
{ + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": 
"match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, 
+ "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "physical_size": { - "type": "long" + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + 
"type": "long" + } + }, + "type": "object" }, - "var_entropy": { + "uptime": { "type": "long" }, - "virtual_size": { + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": 
"keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" + } }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } - }, - "type": "wildcard" + } }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" + "pid": { + "type": "long" }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" + "platform_binary": { + "type": "boolean" }, - "group": { + "real_group": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -4666,57 +15597,98 @@ } } }, - "interactive": { - "type": "boolean" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { + "real_user": { "properties": { - "entity_id": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "pid": { - "type": "long" + "email": { + "ignore_above": 1024, + "type": "keyword" }, - "session_leader": { + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { "properties": { - "entity_id": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "vpid": { - "type": "long" + "name": { + "ignore_above": 1024, + "type": "keyword" } } }, - "start": { - "type": "date" + "hash": { + "ignore_above": 1024, + "type": "keyword" }, - "vpid": { - "type": "long" + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, - "pid": { - "type": "long" + "same_as_process": { + "type": "boolean" }, - "real_group": { + "saved_group": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -4727,8 +15699,45 @@ } } }, - "real_user": { + "saved_user": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -4741,49 +15750,75 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, - "same_as_process": { - "type": "boolean" + "start": { + "type": "date" }, - "saved_group": { + "supplemental_groups": { "properties": { - "id": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { "id": { "ignore_above": 1024, "type": "keyword" }, "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, "ignore_above": 1024, "type": "keyword" } } }, - "start": { - "type": "date" - }, - "supplemental_groups": { + "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, "id": { - "ignore_above": 1024, - "type": "keyword" + "type": "long" }, "name": { "ignore_above": 1024, @@ -4791,6 +15826,15 @@ } } }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, "tty": { "properties": { "char_device": { 
@@ -4802,12 +15846,58 @@ "type": "long" } } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" } }, "type": "object" }, + "uptime": { + "type": "long" + }, "user": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -4820,6 +15910,35 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, @@ -4842,6 +15961,10 @@ }, "supplemental_groups": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -4912,6 +16035,43 @@ }, "user": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" @@ -4924,6 +16084,35 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, @@ -5210,6 +16399,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -5607,6 +16820,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", @@ -8016,6 +19253,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", @@ -8079,6 +19340,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -8275,6 +19560,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", From 4b32811e121b7213839320043fefcc1afccb8384 Mon Sep 17 00:00:00 2001 From: susan Date: Thu, 18 Sep 2025 14:51:49 -0400 Subject: [PATCH 03/20] Update proposed type for tool.call.result --- rfcs/text/0052-gen_ai-additional-fields.md | 2 +- rfcs/text/0052/gen_ai.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rfcs/text/0052-gen_ai-additional-fields.md b/rfcs/text/0052-gen_ai-additional-fields.md index 5569bd35a8..6dd016dc90 100644 --- a/rfcs/text/0052-gen_ai-additional-fields.md +++ b/rfcs/text/0052-gen_ai-additional-fields.md 
@@ -36,7 +36,7 @@ gen_ai.input.messages | (Looking for feedback) flattened | The chat history prov gen_ai.output.messages | (Looking for feedback) flattened | Messages returned by the model where each message represents a specific model response (choice, candidate). gen_ai.tool.definitions | (Looking for feedback) nested | (Part of invoke_agent span) The list of source system tool definitions available to the GenAI agent or model. gen_ai.tool.call.arguments | (Looking for feedback) nested | (Part of OTel execute_tool span) Parameters passed to the tool call. -gen_ai.tool.call.result | (Looking for feedback) nested | (Part of OTel execute_tool span) The result returned by the tool call (if any and if execution was successful). +gen_ai.tool.call.result | (Looking for feedback) flattened | (Part of OTel execute_tool span) The result returned by the tool call (if any and if execution was successful). Changes based on OTel https://github.com/open-telemetry/semantic-conventions/pull/2179/files diff --git a/rfcs/text/0052/gen_ai.yaml b/rfcs/text/0052/gen_ai.yaml index f2dca090dc..0baaa5218d 100644 --- a/rfcs/text/0052/gen_ai.yaml +++ b/rfcs/text/0052/gen_ai.yaml @@ -42,7 +42,7 @@ otel: - relation: match - name: tool.call.results - type: nested + type: flattened description: The result returned by the tool call (if any and if execution was successful). example: TODO level: extended From 9b177e45a0e2b2ea47b2fd36de9b35481dd10b6b Mon Sep 17 00:00:00 2001 
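Review bot: The field name in this hunk, `tool.call.results`, does not match the name the RFC table in the same commit uses, `gen_ai.tool.call.result`, and because the entry declares `otel: - relation: match` the ECS name has to equal the OTel attribute name exactly, so one of the two should be corrected (the singular form in the table looks like the intended one, but confirm against the referenced OTel PR). Moving this to `flattened` means the whole tool result object is indexed, with its leaf values searchable as keywords, and tool outputs routinely echo raw user data, credentials or file contents handed back by the tool; the description should carry the caveat the schema already uses for `command_line` (`Some arguments may be filtered to protect sensitive information.`), e.g. `Tool results may contain sensitive data returned by the tool; producers should redact or truncate before indexing.` The `example: TODO` placeholder is still present and should be replaced with a small flattened example before the RFC advances. The `gen_ai` field set definition starts outside the hunk.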
From: susan Date: Thu, 2 Oct 2025 12:08:30 -0400 Subject: [PATCH 04/20] Merge generated files from main --- generated/beats/fields.ecs.yml | 22010 +-------- generated/csv/fields.csv | 6366 +-- generated/ecs/ecs_flat.yml | 38201 ++------------- generated/ecs/ecs_nested.yml | 38298 ++-------------- .../composable/component/client.json | 24 - .../composable/component/destination.json | 24 - .../composable/component/process.json | 12851 +----- .../composable/component/server.json | 24 - .../composable/component/source.json | 24 - .../composable/component/user.json | 72 - .../elasticsearch/composable/template.json | 82 +- generated/elasticsearch/legacy/template.json | 13579 +----- 12 files changed, 10696 insertions(+), 120859 deletions(-) diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 44e5458513..4826341eee 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -405,52 +405,6 @@ default_field: false description: Short name or login of the user. example: a.einstein - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: user.roles level: extended type: keyword 
@@ -1290,52 +1244,6 @@ default_field: false description: Short name or login of the user. example: a.einstein - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: user.roles level: extended type: keyword 
@@ -5365,150 +5273,6 @@ indication of suspicious activity.' example: 4 default_field: false - - name: attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - default_field: false - - name: attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - name: code_signature.digest_algorithm level: extended type: keyword @@ -5866,12 +5630,6 @@ description: The time the process ended. example: '2016-05-23T08:05:34.853Z' default_field: false - - name: endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - name: entity_id level: extended type: keyword 
@@ -5907,18991 +5665,441 @@ indication of suspicious activity.' example: 4 default_field: false - - name: entry_leader.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - name: entry_leader.attested_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: entry_leader.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.attested_user.email - level: extended + - name: entry_leader.attested_user.id + level: core type: keyword ignore_above: 1024 - description: User email address. + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.attested_user.full_name - level: extended + - name: entry_leader.attested_user.name + level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: User's full name, if available. - example: Albert Einstein + description: Short name or login of the user. + example: a.einstein default_field: false - - name: entry_leader.attested_user.group.domain + - name: entry_leader.command_line level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. 
+ type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. - For example, an LDAP or Active Directory domain name.' + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - - name: entry_leader.attested_user.group.id + - name: entry_leader.entity_id level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. + description: 'Unique identifier for the process. - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d default_field: false - - name: entry_leader.attested_user.id + - name: entry_leader.entry_meta.source.ip level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: entry_leader.entry_meta.type + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: 'The entry type for the entry session leader. 
Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' default_field: false - - name: entry_leader.attested_user.name - level: core + - name: entry_leader.executable + level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: Absolute path to the process executable. + example: /usr/bin/ssh default_field: false - - name: entry_leader.attested_user.risk.calculated_level + - name: entry_leader.group.id level: extended type: keyword ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.attested_user.risk.static_level + - name: entry_leader.group.name level: extended type: keyword ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - default_field: false - - name: entry_leader.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 + description: Name of the group. default_field: false - - name: entry_leader.attested_user.risk.static_score_norm + - name: entry_leader.interactive level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true default_field: false - - name: entry_leader.attested_user.roles + - name: entry_leader.name level: extended type: keyword ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh default_field: false - - name: entry_leader.code_signature.digest_algorithm + - name: entry_leader.parent.entity_id level: extended type: keyword ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. + description: 'Unique identifier for the process. 
- This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d default_field: false - - name: entry_leader.code_signature.exists + - name: entry_leader.parent.pid level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: entry_leader.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 + type: long + format: string + description: Process id. + example: 4242 default_field: false - - name: entry_leader.code_signature.signing_id + - name: entry_leader.parent.session_leader.entity_id level: extended type: keyword ignore_above: 1024 - description: 'The identifier used to sign the process. + description: 'Unique identifier for the process. - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: entry_leader.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
- This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d default_field: false - - name: entry_leader.code_signature.subject_name + - name: entry_leader.parent.session_leader.pid level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation + type: long + format: string + description: Process id. + example: 4242 default_field: false - - name: entry_leader.code_signature.team_id + - name: entry_leader.parent.session_leader.start level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' default_field: false - - name: entry_leader.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ + - name: entry_leader.parent.session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' 
+ example: 4242 default_field: false - - name: entry_leader.code_signature.timestamp + - name: entry_leader.parent.start level: extended type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' default_field: false - - name: entry_leader.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. + - name: entry_leader.parent.vpid + level: core + type: long + format: string + description: 'Virtual process id. - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 default_field: false - - name: entry_leader.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' + - name: entry_leader.pid + level: core + type: long + format: string + description: Process id. + example: 4242 default_field: false - - name: entry_leader.command_line + - name: entry_leader.real_group.id level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
default_field: false - - name: entry_leader.elf.architecture + - name: entry_leader.real_group.name level: extended type: keyword ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 + description: Name of the group. default_field: false - - name: entry_leader.elf.byte_order - level: extended + - name: entry_leader.real_user.id + level: core type: keyword ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.elf.cpu_type - level: extended + - name: entry_leader.real_user.name + level: core type: keyword ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: entry_leader.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: entry_leader.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: entry_leader.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: entry_leader.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: entry_leader.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: entry_leader.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: entry_leader.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: entry_leader.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: entry_leader.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: entry_leader.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' 
- default_field: false - - name: entry_leader.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: entry_leader.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: entry_leader.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: entry_leader.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: entry_leader.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: entry_leader.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: entry_leader.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: entry_leader.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' 
- default_field: false - - name: entry_leader.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: entry_leader.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: entry_leader.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: entry_leader.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: entry_leader.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: entry_leader.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: entry_leader.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: entry_leader.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: entry_leader.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' 
- default_field: false - - name: entry_leader.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: entry_leader.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: entry_leader.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: entry_leader.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: entry_leader.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: entry_leader.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: entry_leader.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: entry_leader.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. 
You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: entry_leader.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: entry_leader.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: entry_leader.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: entry_leader.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: entry_leader.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: entry_leader.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: entry_leader.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. 
- example: North America - default_field: false - - name: entry_leader.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: entry_leader.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: entry_leader.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: entry_leader.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: entry_leader.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: entry_leader.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: entry_leader.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: entry_leader.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. 
- example: America/Argentina/Buenos_Aires - default_field: false - - name: entry_leader.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: entry_leader.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: entry_leader.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: entry_leader.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: entry_leader.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: entry_leader.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. - default_field: false - - name: entry_leader.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). 
Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: entry_leader.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: entry_leader.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - default_field: false - - name: entry_leader.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: entry_leader.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. 
- - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: entry_leader.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh - default_field: false - - name: entry_leader.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: entry_leader.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: entry_leader.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: entry_leader.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: entry_leader.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. 
- default_field: false - - name: entry_leader.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: entry_leader.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: entry_leader.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: entry_leader.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: entry_leader.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: entry_leader.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: entry_leader.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: entry_leader.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. 
- default_field: false - - name: entry_leader.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: entry_leader.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: entry_leader.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: entry_leader.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: entry_leader.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: entry_leader.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: entry_leader.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: entry_leader.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: entry_leader.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: entry_leader.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: entry_leader.macho.imports - level: extended - type: flattened - description: List of imported element names and types. 
- default_field: false - - name: entry_leader.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: entry_leader.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: entry_leader.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: entry_leader.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: entry_leader.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: entry_leader.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: entry_leader.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: entry_leader.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: entry_leader.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: entry_leader.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: entry_leader.parent.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: entry_leader.parent.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: entry_leader.parent.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: entry_leader.parent.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.parent.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.parent.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- default_field: false - - name: entry_leader.parent.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.parent.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: entry_leader.parent.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.parent.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.parent.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.parent.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.parent.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - default_field: false - - name: entry_leader.parent.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.parent.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.parent.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: entry_leader.parent.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: entry_leader.parent.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: entry_leader.parent.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: entry_leader.parent.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: entry_leader.parent.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: entry_leader.parent.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: entry_leader.parent.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: entry_leader.parent.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: entry_leader.parent.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: entry_leader.parent.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - default_field: false - - name: entry_leader.parent.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: entry_leader.parent.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: entry_leader.parent.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: entry_leader.parent.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: entry_leader.parent.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: entry_leader.parent.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: entry_leader.parent.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: entry_leader.parent.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: entry_leader.parent.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.parent.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.parent.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: entry_leader.parent.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: entry_leader.parent.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: entry_leader.parent.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: entry_leader.parent.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: entry_leader.parent.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' 
- default_field: false - - name: entry_leader.parent.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: entry_leader.parent.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: entry_leader.parent.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: entry_leader.parent.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: entry_leader.parent.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: entry_leader.parent.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: entry_leader.parent.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: entry_leader.parent.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' 
- default_field: false - - name: entry_leader.parent.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: entry_leader.parent.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: entry_leader.parent.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: entry_leader.parent.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: entry_leader.parent.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: entry_leader.parent.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: entry_leader.parent.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: entry_leader.parent.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: entry_leader.parent.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: entry_leader.parent.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: entry_leader.parent.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: entry_leader.parent.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: entry_leader.parent.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: entry_leader.parent.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: entry_leader.parent.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: entry_leader.parent.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' 
- example: c2c455d9f99375d - default_field: false - - name: entry_leader.parent.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: entry_leader.parent.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: entry_leader.parent.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: entry_leader.parent.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: entry_leader.parent.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: entry_leader.parent.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: entry_leader.parent.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. 
- example: NA - default_field: false - - name: entry_leader.parent.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: entry_leader.parent.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: entry_leader.parent.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: entry_leader.parent.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: entry_leader.parent.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: entry_leader.parent.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: entry_leader.parent.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: entry_leader.parent.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. 
- example: Quebec - default_field: false - - name: entry_leader.parent.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: entry_leader.parent.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: entry_leader.parent.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: entry_leader.parent.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: entry_leader.parent.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: entry_leader.parent.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: entry_leader.parent.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. 
- default_field: false - - name: entry_leader.parent.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: entry_leader.parent.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: entry_leader.parent.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - default_field: false - - name: entry_leader.parent.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: entry_leader.parent.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: entry_leader.parent.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh - default_field: false - - name: entry_leader.parent.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: entry_leader.parent.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: entry_leader.parent.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: entry_leader.parent.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: entry_leader.parent.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: entry_leader.parent.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: entry_leader.parent.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: entry_leader.parent.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: entry_leader.parent.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: entry_leader.parent.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: entry_leader.parent.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: entry_leader.parent.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: entry_leader.parent.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: entry_leader.parent.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: entry_leader.parent.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: entry_leader.parent.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: entry_leader.parent.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: entry_leader.parent.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. 
- default_field: false - - name: entry_leader.parent.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: entry_leader.parent.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: entry_leader.parent.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: entry_leader.parent.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: entry_leader.parent.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.parent.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: entry_leader.parent.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: entry_leader.parent.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: entry_leader.parent.macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: entry_leader.parent.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: entry_leader.parent.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: entry_leader.parent.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: entry_leader.parent.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. 
- default_field: false - - name: entry_leader.parent.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: entry_leader.parent.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: entry_leader.parent.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: entry_leader.parent.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: entry_leader.parent.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: entry_leader.parent.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: entry_leader.parent.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. 
- example: x64 - default_field: false - - name: entry_leader.parent.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: entry_leader.parent.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: entry_leader.parent.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: entry_leader.parent.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: entry_leader.parent.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: entry_leader.parent.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.parent.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: entry_leader.parent.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: entry_leader.parent.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: entry_leader.parent.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: entry_leader.parent.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: entry_leader.parent.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: entry_leader.parent.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- default_field: false - - name: entry_leader.parent.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: entry_leader.parent.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: entry_leader.parent.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: entry_leader.parent.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: entry_leader.parent.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: entry_leader.parent.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: entry_leader.parent.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. 
- default_field: false - - name: entry_leader.parent.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: entry_leader.parent.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: entry_leader.parent.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: entry_leader.parent.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.parent.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. 
- example: Albert Einstein - default_field: false - - name: entry_leader.parent.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.parent.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.parent.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: entry_leader.parent.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.parent.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: entry_leader.parent.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.parent.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.parent.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.parent.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.parent.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.parent.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. 
- - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: entry_leader.parent.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.parent.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. 
- example: Albert Einstein - default_field: false - - name: entry_leader.parent.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.parent.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.parent.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: entry_leader.parent.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.parent.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: entry_leader.parent.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.parent.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.parent.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.parent.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.parent.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.parent.session_leader.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: entry_leader.parent.session_leader.args_count - level: extended - type: long - description: 'Length of the process.args array. 
- - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: entry_leader.parent.session_leader.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.session_leader.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.session_leader.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.parent.session_leader.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.parent.session_leader.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: entry_leader.parent.session_leader.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.session_leader.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.session_leader.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.parent.session_leader.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.parent.session_leader.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: entry_leader.parent.session_leader.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.parent.session_leader.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.parent.session_leader.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.parent.session_leader.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.parent.session_leader.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' 
- example: sha256 - default_field: false - - name: entry_leader.parent.session_leader.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: entry_leader.parent.session_leader.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: entry_leader.parent.session_leader.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: entry_leader.parent.session_leader.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: entry_leader.parent.session_leader.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: entry_leader.parent.session_leader.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' 
- example: EQHXZ8M8AV - default_field: false - - name: entry_leader.parent.session_leader.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: entry_leader.parent.session_leader.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: entry_leader.parent.session_leader.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: entry_leader.parent.session_leader.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: entry_leader.parent.session_leader.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: entry_leader.parent.session_leader.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. 
- example: x86-64 - default_field: false - - name: entry_leader.parent.session_leader.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: entry_leader.parent.session_leader.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: entry_leader.parent.session_leader.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: entry_leader.parent.session_leader.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: entry_leader.parent.session_leader.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: entry_leader.parent.session_leader.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: entry_leader.parent.session_leader.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: entry_leader.parent.session_leader.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.parent.session_leader.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: entry_leader.parent.session_leader.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: entry_leader.parent.session_leader.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: entry_leader.parent.session_leader.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: entry_leader.parent.session_leader.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: entry_leader.parent.session_leader.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' - default_field: false - - name: entry_leader.parent.session_leader.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: entry_leader.parent.session_leader.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. 
- default_field: false - - name: entry_leader.parent.session_leader.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: entry_leader.parent.session_leader.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: entry_leader.parent.session_leader.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: entry_leader.parent.session_leader.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: entry_leader.parent.session_leader.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. 
- default_field: false - - name: entry_leader.parent.session_leader.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: entry_leader.parent.session_leader.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: entry_leader.parent.session_leader.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: entry_leader.parent.session_leader.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: entry_leader.parent.session_leader.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: entry_leader.parent.session_leader.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: entry_leader.parent.session_leader.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: entry_leader.parent.session_leader.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: entry_leader.parent.session_leader.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' 
- example: c2c455d9f99375d - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. 
- example: Montreal - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. 
For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: entry_leader.parent.session_leader.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: entry_leader.parent.session_leader.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh - default_field: false - - name: entry_leader.parent.session_leader.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: entry_leader.parent.session_leader.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: entry_leader.parent.session_leader.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.session_leader.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.session_leader.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: entry_leader.parent.session_leader.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: entry_leader.parent.session_leader.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: entry_leader.parent.session_leader.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: entry_leader.parent.session_leader.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: entry_leader.parent.session_leader.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: entry_leader.parent.session_leader.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: entry_leader.parent.session_leader.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: entry_leader.parent.session_leader.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. 
- - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: entry_leader.parent.session_leader.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: entry_leader.parent.session_leader.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: entry_leader.parent.session_leader.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: entry_leader.parent.session_leader.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: entry_leader.parent.session_leader.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. 
- - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: entry_leader.parent.session_leader.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: entry_leader.parent.session_leader.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: entry_leader.parent.session_leader.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: entry_leader.parent.session_leader.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: entry_leader.parent.session_leader.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. 
- default_field: false - - name: entry_leader.parent.session_leader.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.parent.session_leader.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.parent.session_leader.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: entry_leader.parent.session_leader.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: entry_leader.parent.session_leader.macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: entry_leader.parent.session_leader.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: entry_leader.parent.session_leader.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- default_field: false - - name: entry_leader.parent.session_leader.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: entry_leader.parent.session_leader.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.session_leader.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: entry_leader.parent.session_leader.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: entry_leader.parent.session_leader.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.session_leader.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: entry_leader.parent.session_leader.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: entry_leader.parent.session_leader.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: entry_leader.parent.session_leader.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: entry_leader.parent.session_leader.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: entry_leader.parent.session_leader.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: entry_leader.parent.session_leader.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: entry_leader.parent.session_leader.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: entry_leader.parent.session_leader.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. 
- example: 6.3.9600.17415 - default_field: false - - name: entry_leader.parent.session_leader.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: entry_leader.parent.session_leader.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: entry_leader.parent.session_leader.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.parent.session_leader.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.parent.session_leader.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: entry_leader.parent.session_leader.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: entry_leader.parent.session_leader.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: entry_leader.parent.session_leader.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: entry_leader.parent.session_leader.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: entry_leader.parent.session_leader.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: entry_leader.parent.session_leader.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: entry_leader.parent.session_leader.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
- example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: entry_leader.parent.session_leader.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: entry_leader.parent.session_leader.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: entry_leader.parent.session_leader.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.session_leader.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: entry_leader.parent.session_leader.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: entry_leader.parent.session_leader.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.session_leader.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: entry_leader.parent.session_leader.pid - level: core - type: long - format: string - description: Process id. 
- example: 4242 - default_field: false - - name: entry_leader.parent.session_leader.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: entry_leader.parent.session_leader.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.session_leader.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.session_leader.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.parent.session_leader.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.parent.session_leader.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: entry_leader.parent.session_leader.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.session_leader.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.session_leader.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.parent.session_leader.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.parent.session_leader.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: entry_leader.parent.session_leader.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: entry_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.parent.session_leader.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.parent.session_leader.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.parent.session_leader.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.parent.session_leader.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. 
Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: entry_leader.parent.session_leader.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.session_leader.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.session_leader.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. 
- default_field: false - - name: entry_leader.parent.session_leader.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.parent.session_leader.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.session_leader.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.session_leader.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.parent.session_leader.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.parent.session_leader.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein - default_field: false - - name: entry_leader.parent.session_leader.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.parent.session_leader.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.parent.session_leader.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.parent.session_leader.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.parent.session_leader.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - default_field: false - - name: entry_leader.parent.session_leader.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.parent.session_leader.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: entry_leader.parent.session_leader.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.session_leader.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.session_leader.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: entry_leader.parent.session_leader.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: entry_leader.parent.session_leader.thread.id - level: extended - type: long - format: string - description: Thread ID. 
- example: 4242 - default_field: false - - name: entry_leader.parent.session_leader.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: entry_leader.parent.session_leader.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: entry_leader.parent.session_leader.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: entry_leader.parent.session_leader.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: entry_leader.parent.session_leader.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: entry_leader.parent.session_leader.tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. 
where event.action = ''text_output''' - example: 80 - default_field: false - - name: entry_leader.parent.session_leader.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: entry_leader.parent.session_leader.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: entry_leader.parent.session_leader.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.parent.session_leader.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.parent.session_leader.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.session_leader.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: entry_leader.parent.session_leader.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.parent.session_leader.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.parent.session_leader.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: entry_leader.parent.session_leader.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.parent.session_leader.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.parent.session_leader.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - default_field: false - - name: entry_leader.parent.session_leader.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.parent.session_leader.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.parent.session_leader.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.parent.session_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: entry_leader.parent.session_leader.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: entry_leader.parent.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: entry_leader.parent.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: entry_leader.parent.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: entry_leader.parent.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: entry_leader.parent.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: entry_leader.parent.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: entry_leader.parent.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: entry_leader.parent.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. 
- default_field: false - - name: entry_leader.parent.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: entry_leader.parent.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: entry_leader.parent.tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: entry_leader.parent.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: entry_leader.parent.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: entry_leader.parent.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: entry_leader.parent.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.parent.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.parent.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.parent.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.parent.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein - default_field: false - - name: entry_leader.parent.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.parent.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.parent.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.parent.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.parent.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.parent.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.parent.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.parent.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: entry_leader.parent.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: entry_leader.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: entry_leader.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: entry_leader.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: entry_leader.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: entry_leader.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: entry_leader.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: entry_leader.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: entry_leader.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: entry_leader.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: entry_leader.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: entry_leader.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: entry_leader.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: entry_leader.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: entry_leader.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: entry_leader.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: entry_leader.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' 
- default_field: false - - name: entry_leader.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: entry_leader.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: entry_leader.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: entry_leader.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: entry_leader.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: entry_leader.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: entry_leader.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein - default_field: false - - name: entry_leader.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: entry_leader.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. 
- - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein - default_field: false - - name: entry_leader.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: entry_leader.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: entry_leader.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: entry_leader.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: entry_leader.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: entry_leader.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. 
- - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: entry_leader.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: entry_leader.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: entry_leader.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: entry_leader.tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: entry_leader.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: entry_leader.uptime - level: extended - type: long - description: Seconds the process has been up. 
- example: 1325 - default_field: false - - name: entry_leader.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein - default_field: false - - name: entry_leader.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: entry_leader.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. 
The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 - default_field: false - - name: entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. 
- example: 12 - default_field: false - - name: entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. - default_field: false - - name: entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - default_field: false - - name: entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Absolute path to the process executable. - example: /usr/bin/ssh - - name: exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: group_leader.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: group_leader.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group_leader.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: group_leader.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: group_leader.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: group_leader.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group_leader.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: group_leader.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: group_leader.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: group_leader.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: group_leader.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: group_leader.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - default_field: false - - name: group_leader.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: group_leader.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: group_leader.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: group_leader.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: group_leader.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: group_leader.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: group_leader.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. 
- example: 570522385 - default_field: false - - name: group_leader.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: group_leader.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: group_leader.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: group_leader.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: group_leader.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: group_leader.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: group_leader.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. 
- - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: group_leader.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: group_leader.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: group_leader.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: group_leader.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: group_leader.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: group_leader.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: group_leader.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: group_leader.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: group_leader.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: group_leader.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: group_leader.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: group_leader.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: group_leader.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: group_leader.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: group_leader.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: group_leader.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. 
- default_field: false - - name: group_leader.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' - default_field: false - - name: group_leader.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: group_leader.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: group_leader.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: group_leader.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: group_leader.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: group_leader.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: group_leader.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: group_leader.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: group_leader.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: group_leader.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: group_leader.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: group_leader.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: group_leader.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: group_leader.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: group_leader.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: group_leader.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: group_leader.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: group_leader.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: group_leader.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: group_leader.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: group_leader.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: group_leader.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: group_leader.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: group_leader.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: group_leader.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: group_leader.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' 
- example: c2c455d9f99375d - default_field: false - - name: group_leader.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: group_leader.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: group_leader.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: group_leader.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: group_leader.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: group_leader.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: group_leader.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. 
- example: NA - default_field: false - - name: group_leader.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: group_leader.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: group_leader.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: group_leader.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: group_leader.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: group_leader.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: group_leader.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: group_leader.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. 
- example: Quebec - default_field: false - - name: group_leader.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: group_leader.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: group_leader.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: group_leader.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: group_leader.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: group_leader.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: group_leader.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. - default_field: false - - name: group_leader.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. 
- - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: group_leader.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: group_leader.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - default_field: false - - name: group_leader.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' 
- default_field: false - - name: group_leader.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: group_leader.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh - default_field: false - - name: group_leader.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: group_leader.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group_leader.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: group_leader.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: group_leader.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. 
- default_field: false - - name: group_leader.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: group_leader.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: group_leader.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: group_leader.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: group_leader.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: group_leader.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: group_leader.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: group_leader.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. 
- default_field: false - - name: group_leader.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: group_leader.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: group_leader.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: group_leader.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: group_leader.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: group_leader.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: group_leader.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' 
- default_field: false - - name: group_leader.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: group_leader.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: group_leader.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: group_leader.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: group_leader.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: group_leader.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: group_leader.macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: group_leader.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: group_leader.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: group_leader.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: group_leader.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: group_leader.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: group_leader.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: group_leader.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: group_leader.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. 
- default_field: false - - name: group_leader.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: group_leader.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: group_leader.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: group_leader.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: group_leader.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: group_leader.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: group_leader.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: group_leader.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. 
- example: 6.3.9600.17415 - default_field: false - - name: group_leader.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: group_leader.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: group_leader.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: group_leader.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: group_leader.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: group_leader.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
- example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: group_leader.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: group_leader.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: group_leader.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: group_leader.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: group_leader.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: group_leader.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: group_leader.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. 
- example: Microsoft® Windows® Operating System - default_field: false - - name: group_leader.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: group_leader.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: group_leader.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: group_leader.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: group_leader.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: group_leader.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: group_leader.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: group_leader.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: group_leader.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: group_leader.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group_leader.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: group_leader.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: group_leader.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group_leader.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- default_field: false - - name: group_leader.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: group_leader.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: group_leader.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: group_leader.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: group_leader.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: group_leader.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: group_leader.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - default_field: false - - name: group_leader.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: group_leader.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: group_leader.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: group_leader.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: group_leader.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group_leader.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: group_leader.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: group_leader.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group_leader.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- default_field: false - - name: group_leader.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: group_leader.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: group_leader.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: group_leader.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: group_leader.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: group_leader.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: group_leader.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - default_field: false - - name: group_leader.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: group_leader.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: group_leader.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: group_leader.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group_leader.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: group_leader.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: group_leader.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: group_leader.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: group_leader.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: group_leader.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: group_leader.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: group_leader.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: group_leader.tty.columns - level: extended - type: long - description: 'The number of character columns per line. 
e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: group_leader.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: group_leader.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: group_leader.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: group_leader.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: group_leader.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group_leader.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: group_leader.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: group_leader.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: group_leader.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: group_leader.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: group_leader.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: group_leader.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: group_leader.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - default_field: false - - name: group_leader.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: group_leader.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: group_leader.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: group_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: group_leader.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - - name: hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - - name: hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. 
- - name: hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - - name: hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- default_field: false - - name: io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- default_field: false - - name: macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: 'Process name. - - Sometimes called program name or similar.' 
- example: ssh - - name: origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: parent.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: parent.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: parent.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: parent.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: parent.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: parent.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: parent.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - default_field: false - - name: parent.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: parent.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: parent.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: parent.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: parent.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: parent.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' 
- example: sha256 - default_field: false - - name: parent.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: parent.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: parent.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: parent.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: parent.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: parent.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: parent.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: parent.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: parent.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: parent.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: parent.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: parent.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: parent.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: parent.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: parent.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. 
Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: parent.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: parent.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: parent.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: parent.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: parent.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: parent.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. 
- default_field: false - - name: parent.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: parent.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: parent.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' - default_field: false - - name: parent.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: parent.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: parent.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: parent.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: parent.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: parent.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. 
- default_field: false - - name: parent.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: parent.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: parent.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: parent.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: parent.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: parent.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: parent.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: parent.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: parent.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: parent.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: parent.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. 
- default_field: false - - name: parent.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: parent.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: parent.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: parent.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: parent.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: parent.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: parent.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: parent.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: parent.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. 
- - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: parent.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: parent.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: parent.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: parent.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: parent.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: parent.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. 
- example: Montreal - default_field: false - - name: parent.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: parent.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: parent.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: parent.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: parent.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: parent.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: parent.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: parent.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. 
- example: CA-QC - default_field: false - - name: parent.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: parent.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: parent.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: parent.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: parent.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: parent.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: parent.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: parent.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. 
- default_field: false - - name: parent.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: parent.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: parent.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - default_field: false - - name: parent.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. 
Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: parent.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: parent.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh - default_field: false - - name: parent.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: parent.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: parent.group_leader.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: parent.group_leader.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.group_leader.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: parent.group_leader.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: parent.group_leader.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: parent.group_leader.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.group_leader.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: parent.group_leader.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: parent.group_leader.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: parent.group_leader.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: parent.group_leader.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: parent.group_leader.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: parent.group_leader.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: parent.group_leader.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.group_leader.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: parent.group_leader.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. 
- example: 'true' - default_field: false - - name: parent.group_leader.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: parent.group_leader.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: parent.group_leader.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: parent.group_leader.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: parent.group_leader.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: parent.group_leader.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: parent.group_leader.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: parent.group_leader.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: parent.group_leader.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: parent.group_leader.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: parent.group_leader.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: parent.group_leader.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: parent.group_leader.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. 
- example: Intel - default_field: false - - name: parent.group_leader.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: parent.group_leader.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: parent.group_leader.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: parent.group_leader.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: parent.group_leader.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.group_leader.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.group_leader.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- default_field: false - - name: parent.group_leader.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: parent.group_leader.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: parent.group_leader.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: parent.group_leader.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: parent.group_leader.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' - default_field: false - - name: parent.group_leader.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: parent.group_leader.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: parent.group_leader.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: parent.group_leader.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: parent.group_leader.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: parent.group_leader.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: parent.group_leader.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: parent.group_leader.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: parent.group_leader.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: parent.group_leader.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: parent.group_leader.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: parent.group_leader.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: parent.group_leader.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. 
- default_field: false - - name: parent.group_leader.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: parent.group_leader.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: parent.group_leader.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: parent.group_leader.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: parent.group_leader.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: parent.group_leader.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: parent.group_leader.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: parent.group_leader.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: parent.group_leader.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: parent.group_leader.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. 
- default_field: false - - name: parent.group_leader.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: parent.group_leader.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: parent.group_leader.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: parent.group_leader.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: parent.group_leader.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: parent.group_leader.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. 
- example: Google LLC - default_field: false - - name: parent.group_leader.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: parent.group_leader.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: parent.group_leader.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: parent.group_leader.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: parent.group_leader.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: parent.group_leader.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: parent.group_leader.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: parent.group_leader.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. 
- example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: parent.group_leader.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: parent.group_leader.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: parent.group_leader.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: parent.group_leader.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: parent.group_leader.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: parent.group_leader.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: parent.group_leader.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. 
Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: parent.group_leader.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: parent.group_leader.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: parent.group_leader.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: parent.group_leader.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. - default_field: false - - name: parent.group_leader.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: parent.group_leader.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: parent.group_leader.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - default_field: false - - name: parent.group_leader.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: parent.group_leader.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: parent.group_leader.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. 
- example: /usr/bin/ssh - default_field: false - - name: parent.group_leader.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: parent.group_leader.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: parent.group_leader.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: parent.group_leader.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: parent.group_leader.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: parent.group_leader.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: parent.group_leader.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. 
- default_field: false - - name: parent.group_leader.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: parent.group_leader.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: parent.group_leader.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: parent.group_leader.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: parent.group_leader.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: parent.group_leader.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: parent.group_leader.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- default_field: false - - name: parent.group_leader.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: parent.group_leader.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: parent.group_leader.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: parent.group_leader.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: parent.group_leader.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: parent.group_leader.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: parent.group_leader.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: parent.group_leader.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.group_leader.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.group_leader.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: parent.group_leader.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: parent.group_leader.macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: parent.group_leader.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. 
- default_field: false - - name: parent.group_leader.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: parent.group_leader.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: parent.group_leader.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: parent.group_leader.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: parent.group_leader.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: parent.group_leader.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: parent.group_leader.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: parent.group_leader.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: parent.group_leader.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: parent.group_leader.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: parent.group_leader.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: parent.group_leader.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: parent.group_leader.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: parent.group_leader.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: parent.group_leader.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: parent.group_leader.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: parent.group_leader.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: parent.group_leader.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.group_leader.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.group_leader.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: parent.group_leader.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: parent.group_leader.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: parent.group_leader.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: parent.group_leader.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: parent.group_leader.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: parent.group_leader.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: parent.group_leader.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: parent.group_leader.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: parent.group_leader.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: parent.group_leader.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: parent.group_leader.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: parent.group_leader.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: parent.group_leader.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: parent.group_leader.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: parent.group_leader.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: parent.group_leader.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: parent.group_leader.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- default_field: false - - name: parent.group_leader.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.group_leader.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: parent.group_leader.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: parent.group_leader.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.group_leader.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: parent.group_leader.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: parent.group_leader.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: parent.group_leader.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: parent.group_leader.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: parent.group_leader.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - default_field: false - - name: parent.group_leader.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: parent.group_leader.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.group_leader.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: parent.group_leader.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: parent.group_leader.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.group_leader.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: parent.group_leader.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- default_field: false - - name: parent.group_leader.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.group_leader.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: parent.group_leader.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: parent.group_leader.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: parent.group_leader.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: parent.group_leader.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: parent.group_leader.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - default_field: false - - name: parent.group_leader.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: parent.group_leader.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.group_leader.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: parent.group_leader.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: parent.group_leader.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: parent.group_leader.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: parent.group_leader.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: parent.group_leader.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: parent.group_leader.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: parent.group_leader.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: parent.group_leader.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: parent.group_leader.tty.columns - level: extended - type: long - description: 'The number of character columns per line. 
e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: parent.group_leader.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: parent.group_leader.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: parent.group_leader.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.group_leader.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: parent.group_leader.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: parent.group_leader.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: parent.group_leader.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.group_leader.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: parent.group_leader.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: parent.group_leader.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: parent.group_leader.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: parent.group_leader.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - default_field: false - - name: parent.group_leader.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: parent.group_leader.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: parent.group_leader.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.group_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: parent.group_leader.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: parent.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: parent.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: parent.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. 
- default_field: false - - name: parent.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: parent.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: parent.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: parent.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: parent.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: parent.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: parent.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: parent.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. 
- default_field: false - - name: parent.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: parent.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: parent.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: parent.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: parent.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: parent.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: parent.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' 
- default_field: false - - name: parent.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: parent.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: parent.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: parent.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: parent.macho.imports - level: extended - type: flattened - description: List of imported element names and types. 
- default_field: false - - name: parent.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: parent.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: parent.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: parent.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: parent.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: parent.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: parent.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: parent.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: parent.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: parent.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: parent.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: parent.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: parent.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: parent.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: parent.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: parent.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: parent.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: parent.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: parent.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: parent.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: parent.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: parent.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: parent.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: parent.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: parent.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: parent.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: parent.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: parent.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: parent.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: parent.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: parent.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: parent.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: parent.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: parent.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: parent.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: parent.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: parent.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: parent.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: parent.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein - default_field: false - - name: parent.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: parent.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: parent.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: parent.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: parent.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: parent.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: parent.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: parent.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. 
- - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: parent.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: parent.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein - default_field: false - - name: parent.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: parent.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: parent.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: parent.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: parent.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: parent.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: parent.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: parent.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: parent.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: parent.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: parent.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: parent.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. 
Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: parent.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: parent.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: parent.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: parent.tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: parent.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: parent.uptime - level: extended - type: long - description: Seconds the process has been up. 
- example: 1325 - default_field: false - - name: parent.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: parent.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: parent.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein - default_field: false - - name: parent.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: parent.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: parent.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: parent.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: parent.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: parent.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: parent.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.vpid - level: core - type: long - format: string - description: 'Virtual process id. 
- - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: parent.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. 
- default_field: false - - name: pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. 
- default_field: false - - name: pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. 
- default_field: false - - name: pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. - example: 4242 - - name: platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: previous.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: previous.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: previous.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: previous.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false
- - name: previous.attested_user.domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the directory the user is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- default_field: false
- - name: previous.attested_user.email
- level: extended
- type: keyword
- ignore_above: 1024
- description: User email address.
- default_field: false
- - name: previous.attested_user.full_name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: match_only_text
- description: User's full name, if available.
- example: Albert Einstein
- default_field: false
- - name: previous.attested_user.group.domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- default_field: false
- - name: previous.attested_user.group.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Unique identifier for the group on the system/platform.
- default_field: false
- - name: previous.attested_user.group.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the group.
- default_field: false
- - name: previous.attested_user.hash
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Unique user hash to correlate information for a user in anonymized
- form.
-
- Useful if `user.id` or `user.name` contain confidential information and cannot
- be used.'
- default_field: false
- - name: previous.attested_user.id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique identifier of the user.
- example: S-1-5-21-202424912787-2692429404-2351956786-1000
- default_field: false
- - name: previous.attested_user.name
- level: core
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: match_only_text
- description: Short name or login of the user.
- example: a.einstein
- default_field: false
- - name: previous.attested_user.risk.calculated_level
- level: extended
- type: keyword
- ignore_above: 1024
- description: A risk classification level calculated by an internal system as
- part of entity analytics and entity risk scoring.
- example: High
- default_field: false
- - name: previous.attested_user.risk.calculated_score
- level: extended
- type: float
- description: A risk classification score calculated by an internal system as
- part of entity analytics and entity risk scoring.
- example: 880.73
- default_field: false
- - name: previous.attested_user.risk.calculated_score_norm
- level: extended
- type: float
- description: A risk classification score calculated by an internal system as
- part of entity analytics and entity risk scoring, and normalized to a range
- of 0 to 100.
- example: 88.73
- default_field: false
- - name: previous.attested_user.risk.static_level
- level: extended
- type: keyword
- ignore_above: 1024
- description: A risk classification level obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: High
- default_field: false
- - name: previous.attested_user.risk.static_score
- level: extended
- type: float
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: 830.0
- default_field: false
- - name: previous.attested_user.risk.static_score_norm
- level: extended
- type: float
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform, and normalized to a range
- of 0 to 100.
- example: 83.0
- default_field: false
- - name: previous.attested_user.roles
- level: extended
- type: keyword
- ignore_above: 1024
- description: Array of user roles at the time of the event.
- example: '["kibana_admin", "reporting_user"]'
- default_field: false
- - name: previous.code_signature.digest_algorithm
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The hashing algorithm used to sign the process.
-
- This value can distinguish signatures when a file is signed multiple times
- by the same signer but with a different digest algorithm.'
- example: sha256
- default_field: false
- - name: previous.code_signature.exists
- level: core
- type: boolean
- description: Boolean to capture if a signature is present.
- example: 'true'
- default_field: false
- - name: previous.code_signature.flags
- level: extended
- type: keyword
- ignore_above: 1024
- description: The flags used to sign the process.
- example: 570522385
- default_field: false
- - name: previous.code_signature.signing_id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The identifier used to sign the process.
-
- This is used to identify the application manufactured by a software vendor.
- The field is relevant to Apple *OS only.'
- example: com.apple.xpc.proxy
- default_field: false
- - name: previous.code_signature.status
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Additional information about the certificate status.
-
- This is useful for logging cryptographic errors with the certificate validity
- or trust status. Leave unpopulated if the validity or trust of the certificate
- was unchecked.'
- example: ERROR_UNTRUSTED_ROOT
- default_field: false
- - name: previous.code_signature.subject_name
- level: core
- type: keyword
- ignore_above: 1024
- description: Subject name of the code signer
- example: Microsoft Corporation
- default_field: false
- - name: previous.code_signature.team_id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The team identifier used to sign the process.
-
- This is used to identify the team or vendor of a software product. The field
- is relevant to Apple *OS only.'
- example: EQHXZ8M8AV
- default_field: false
- - name: previous.code_signature.thumbprint_sha256
- level: extended
- type: keyword
- ignore_above: 64
- description: Certificate SHA256 hash that uniquely identifies the code signer.
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
- pattern: ^[0-9a-f]{64}$
- default_field: false
- - name: previous.code_signature.timestamp
- level: extended
- type: date
- description: Date and time when the code signature was generated and signed.
- example: '2021-01-01T12:10:30Z'
- default_field: false
- - name: previous.code_signature.trusted
- level: extended
- type: boolean
- description: 'Stores the trust status of the certificate chain.
-
- Validating the trust of the certificate chain may be complicated, and this
- field should only be populated by tools that actively check the status.'
- example: 'true'
- default_field: false
- - name: previous.code_signature.valid
- level: extended
- type: boolean
- description: 'Boolean to capture if the digital signature is verified against
- the binary content.
-
- Leave unpopulated if a certificate was unchecked.'
- example: 'true'
- default_field: false
- - name: previous.command_line
- level: extended
- type: wildcard
- multi_fields:
- - name: text
- type: match_only_text
- description: 'Full command line that started the process, including the absolute
- path to the executable, and all arguments.
-
- Some arguments may be filtered to protect sensitive information.'
- example: /usr/bin/ssh -l user 10.0.0.16
- default_field: false
- - name: previous.elf.architecture
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine architecture of the ELF file.
- example: x86-64
- default_field: false
- - name: previous.elf.byte_order
- level: extended
- type: keyword
- ignore_above: 1024
- description: Byte sequence of ELF file.
- example: Little Endian
- default_field: false
- - name: previous.elf.cpu_type
- level: extended
- type: keyword
- ignore_above: 1024
- description: CPU type of the ELF file.
- example: Intel
- default_field: false
- - name: previous.elf.creation_date
- level: extended
- type: date
- description: Extracted when possible from the file's metadata. Indicates when
- it was built or compiled. It can also be faked by malware creators.
- default_field: false
- - name: previous.elf.exports
- level: extended
- type: flattened
- description: List of exported element names and types.
- default_field: false
- - name: previous.elf.go_import_hash
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'A hash of the Go language imports in an ELF file excluding standard
- library imports. An import hash can be used to fingerprint binaries even after
- recompilation or other code-level transformations have occurred, which would
- change more traditional hash values.
-
- The algorithm used to calculate the Go symbol hash and a reference implementation
- are available here: https://github.com/elastic/toutoumomoma'
- example: 10bddcb4cee42080f76c88d9ff964491
- default_field: false
- - name: previous.elf.go_imports
- level: extended
- type: flattened
- description: List of imported Go language element names and types.
- default_field: false
- - name: previous.elf.go_imports_names_entropy
- level: extended
- type: long
- format: number
- description: Shannon entropy calculation from the list of Go imports.
- default_field: false
- - name: previous.elf.go_imports_names_var_entropy
- level: extended
- type: long
- format: number
- description: Variance for Shannon entropy calculation from the list of Go imports.
- default_field: false
- - name: previous.elf.go_stripped
- level: extended
- type: boolean
- description: Set to true if the file is a Go executable that has had its symbols
- stripped or obfuscated and false if an unobfuscated Go executable.
- default_field: false
- - name: previous.elf.header.abi_version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Version of the ELF Application Binary Interface (ABI).
- default_field: false
- - name: previous.elf.header.class
- level: extended
- type: keyword
- ignore_above: 1024
- description: Header class of the ELF file.
- default_field: false
- - name: previous.elf.header.data
- level: extended
- type: keyword
- ignore_above: 1024
- description: Data table of the ELF header.
- default_field: false
- - name: previous.elf.header.entrypoint
- level: extended
- type: long
- format: string
- description: Header entrypoint of the ELF file.
- default_field: false
- - name: previous.elf.header.object_version
- level: extended
- type: keyword
- ignore_above: 1024
- description: '"0x1" for original ELF files.'
- default_field: false
- - name: previous.elf.header.os_abi
- level: extended
- type: keyword
- ignore_above: 1024
- description: Application Binary Interface (ABI) of the Linux OS.
- default_field: false
- - name: previous.elf.header.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Header type of the ELF file.
- default_field: false
- - name: previous.elf.header.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Version of the ELF header.
- default_field: false
- - name: previous.elf.import_hash
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'A hash of the imports in an ELF file. An import hash can be used
- to fingerprint binaries even after recompilation or other code-level transformations
- have occurred, which would change more traditional hash values.
-
- This is an ELF implementation of the Windows PE imphash.'
- example: d41d8cd98f00b204e9800998ecf8427e
- default_field: false
- - name: previous.elf.imports
- level: extended
- type: flattened
- description: List of imported element names and types.
- default_field: false
- - name: previous.elf.imports_names_entropy
- level: extended
- type: long
- format: number
- description: Shannon entropy calculation from the list of imported element names
- and types.
- default_field: false
- - name: previous.elf.imports_names_var_entropy
- level: extended
- type: long
- format: number
- description: Variance for Shannon entropy calculation from the list of imported
- element names and types.
- default_field: false
- - name: previous.elf.sections
- level: extended
- type: nested
- description: 'An array containing an object for each section of the ELF file.
-
- The keys that should be present in these objects are defined by sub-fields
- underneath `elf.sections.*`.'
- default_field: false
- - name: previous.elf.sections.chi2
- level: extended
- type: long
- format: number
- description: Chi-square probability distribution of the section.
- default_field: false
- - name: previous.elf.sections.entropy
- level: extended
- type: long
- format: number
- description: Shannon entropy calculation from the section.
- default_field: false
- - name: previous.elf.sections.flags
- level: extended
- type: keyword
- ignore_above: 1024
- description: ELF Section List flags.
- default_field: false
- - name: previous.elf.sections.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: ELF Section List name.
- default_field: false
- - name: previous.elf.sections.physical_offset
- level: extended
- type: keyword
- ignore_above: 1024
- description: ELF Section List offset.
- default_field: false
- - name: previous.elf.sections.physical_size
- level: extended
- type: long
- format: bytes
- description: ELF Section List physical size.
- default_field: false
- - name: previous.elf.sections.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: ELF Section List type.
- default_field: false
- - name: previous.elf.sections.var_entropy
- level: extended
- type: long
- format: number
- description: Variance for Shannon entropy calculation from the section.
- default_field: false
- - name: previous.elf.sections.virtual_address
- level: extended
- type: long
- format: string
- description: ELF Section List virtual address.
- default_field: false
- - name: previous.elf.sections.virtual_size
- level: extended
- type: long
- format: string
- description: ELF Section List virtual size.
- default_field: false
- - name: previous.elf.segments
- level: extended
- type: nested
- description: 'An array containing an object for each segment of the ELF file.
-
- The keys that should be present in these objects are defined by sub-fields
- underneath `elf.segments.*`.'
- default_field: false
- - name: previous.elf.segments.sections
- level: extended
- type: keyword
- ignore_above: 1024
- description: ELF object segment sections.
- default_field: false
- - name: previous.elf.segments.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: ELF object segment type.
- default_field: false
- - name: previous.elf.shared_libraries
- level: extended
- type: keyword
- ignore_above: 1024
- description: List of shared libraries used by this ELF object.
- default_field: false
- - name: previous.elf.telfhash
- level: extended
- type: keyword
- ignore_above: 1024
- description: telfhash symbol hash for ELF file.
- default_field: false
- - name: previous.end
- level: extended
- type: date
- description: The time the process ended.
- example: '2016-05-23T08:05:34.853Z'
- default_field: false
- - name: previous.endpoint_security_client
- level: extended
- type: boolean
- description: Processes that have an endpoint security client must have the com.apple.endpointsecurity
- entitlement and the value is set to true in the message.
- default_field: false
- - name: previous.entity_id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Unique identifier for the process.
-
- The implementation of this is specified by the data source, but some examples
- of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
- or a hash of some uniquely identifying components of a process.
-
- Constructing a globally unique identifier is a common practice to mitigate
- PID reuse as well as to identify a specific process over time, across multiple
- monitored hosts.'
- example: c2c455d9f99375d
- default_field: false
- - name: previous.entry_meta.source.address
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Some event source addresses are defined ambiguously. The event
- will sometimes list an IP, a domain or a unix socket. You should always store
- the raw address in the `.address` field.
-
- Then it should be duplicated to `.ip` or `.domain`, depending on which one
- it is.'
- default_field: false
- - name: previous.entry_meta.source.as.number
- level: extended
- type: long
- description: Unique number allocated to the autonomous system. The autonomous
- system number (ASN) uniquely identifies each network on the Internet.
- example: 15169
- default_field: false
- - name: previous.entry_meta.source.as.organization.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: match_only_text
- description: Organization name.
- example: Google LLC
- default_field: false
- - name: previous.entry_meta.source.bytes
- level: core
- type: long
- format: bytes
- description: Bytes sent from the source to the destination.
- example: 184
- default_field: false
- - name: previous.entry_meta.source.domain
- level: core
- type: keyword
- ignore_above: 1024
- description: 'The domain name of the source system.
-
- This value may be a host name, a fully qualified domain name, or another host
- naming format.
The value may derive from the original event or be added from
- enrichment.'
- example: foo.example.com
- default_field: false
- - name: previous.entry_meta.source.geo.city_name
- level: core
- type: keyword
- ignore_above: 1024
- description: City name.
- example: Montreal
- default_field: false
- - name: previous.entry_meta.source.geo.continent_code
- level: core
- type: keyword
- ignore_above: 1024
- description: Two-letter code representing continent's name.
- example: NA
- default_field: false
- - name: previous.entry_meta.source.geo.continent_name
- level: core
- type: keyword
- ignore_above: 1024
- description: Name of the continent.
- example: North America
- default_field: false
- - name: previous.entry_meta.source.geo.country_iso_code
- level: core
- type: keyword
- ignore_above: 1024
- description: Country ISO code.
- example: CA
- default_field: false
- - name: previous.entry_meta.source.geo.country_name
- level: core
- type: keyword
- ignore_above: 1024
- description: Country name.
- example: Canada
- default_field: false
- - name: previous.entry_meta.source.geo.location
- level: core
- type: geo_point
- description: Longitude and latitude.
- example: '{ "lon": -73.614830, "lat": 45.505918 }'
- default_field: false
- - name: previous.entry_meta.source.geo.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'User-defined description of a location, at the level of granularity
- they care about.
-
- Could be the name of their data centers, the floor number, if this describes
- a local physical entity, city names.
-
- Not typically used in automated geolocation.'
- example: boston-dc
- default_field: false
- - name: previous.entry_meta.source.geo.postal_code
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Postal code associated with the location.
-
- Values appropriate for this field may also be known as a postcode or ZIP code
- and will vary widely from country to country.'
- example: 94040
- default_field: false
- - name: previous.entry_meta.source.geo.region_iso_code
- level: core
- type: keyword
- ignore_above: 1024
- description: Region ISO code.
- example: CA-QC
- default_field: false
- - name: previous.entry_meta.source.geo.region_name
- level: core
- type: keyword
- ignore_above: 1024
- description: Region name.
- example: Quebec
- default_field: false
- - name: previous.entry_meta.source.geo.timezone
- level: core
- type: keyword
- ignore_above: 1024
- description: The time zone of the location, such as IANA time zone name.
- example: America/Argentina/Buenos_Aires
- default_field: false
- - name: previous.entry_meta.source.ip
- level: core
- type: ip
- description: IP address of the source (IPv4 or IPv6).
- default_field: false
- - name: previous.entry_meta.source.mac
- level: core
- type: keyword
- ignore_above: 1024
- description: 'MAC address of the source.
-
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
- byte) is represented by two [uppercase] hexadecimal digits giving the value
- of the octet as an unsigned integer. Successive octets are separated by a
- hyphen.'
- example: 00-00-5E-00-53-23
- pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
- default_field: false
- - name: previous.entry_meta.source.nat.ip
- level: extended
- type: ip
- description: 'Translated ip of source based NAT sessions (e.g. internal client
- to internet)
-
- Typically connections traversing load balancers, firewalls, or routers.'
- default_field: false
- - name: previous.entry_meta.source.nat.port
- level: extended
- type: long
- format: string
- description: 'Translated port of source based NAT sessions. (e.g. internal client
- to internet)
-
- Typically used with load balancers, firewalls, or routers.'
- default_field: false
- - name: previous.entry_meta.source.packets
- level: core
- type: long
- description: Packets sent from the source to the destination.
- example: 12
- default_field: false
- - name: previous.entry_meta.source.port
- level: core
- type: long
- format: string
- description: Port of the source.
- default_field: false
- - name: previous.entry_meta.source.registered_domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The highest registered source domain, stripped of the subdomain.
-
- For example, the registered domain for "foo.example.com" is "example.com".
-
- This value can be determined precisely with a list like the public suffix
- list (https://publicsuffix.org). Trying to approximate this by simply taking
- the last two labels will not work well for TLDs such as "co.uk".'
- example: example.com
- default_field: false
- - name: previous.entry_meta.source.subdomain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The subdomain portion of a fully qualified domain name includes
- all of the names except the host name under the registered_domain. In a partially
- qualified domain, or if the the qualification level of the full name cannot
- be determined, subdomain contains all of the names below the registered domain.
-
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
- the subdomain field should contain "sub2.sub1", with no trailing period.'
- example: east
- default_field: false
- - name: previous.entry_meta.source.top_level_domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The effective top level domain (eTLD), also known as the domain
- suffix, is the last part of the domain name. For example, the top level domain
- for example.com is "com".
-
- This value can be determined precisely with a list like the public suffix
- list (https://publicsuffix.org). Trying to approximate this by simply taking
- the last label will not work well for effective TLDs such as "co.uk".'
- example: co.uk
- default_field: false
- - name: previous.entry_meta.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The entry type for the entry session leader. Values include: init(e.g
- systemd), sshd, ssm, kubelet, teleport, terminal, console
-
- Note: This field is only set on process.session_leader.'
- default_field: false
- - name: previous.env_vars
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Array of environment variable bindings. Captured from a snapshot
- of the environment at the time of execution.
-
- May be filtered to protect sensitive information.'
- example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]'
- default_field: false
- - name: previous.executable
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: match_only_text
- description: Absolute path to the process executable.
- example: /usr/bin/ssh
- default_field: false
- - name: previous.exit_code
- level: extended
- type: long
- description: 'The exit code of the process, if this is a termination event.
-
- The field should be absent if there is no exit code for the event (e.g. process
- start).'
- example: 137
- default_field: false
- - name: previous.group.domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- default_field: false
- - name: previous.group.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Unique identifier for the group on the system/platform.
- default_field: false
- - name: previous.group.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the group.
- default_field: false
- - name: previous.hash.cdhash
- level: extended
- type: keyword
- ignore_above: 1024
- description: Code directory hash, utilized to uniquely identify and authenticate
- the integrity of the executable code.
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
- default_field: false
- - name: previous.hash.md5
- level: extended
- type: keyword
- ignore_above: 1024
- description: MD5 hash.
- default_field: false
- - name: previous.hash.sha1
- level: extended
- type: keyword
- ignore_above: 1024
- description: SHA1 hash.
- default_field: false
- - name: previous.hash.sha256
- level: extended
- type: keyword
- ignore_above: 1024
- description: SHA256 hash.
- default_field: false
- - name: previous.hash.sha384
- level: extended
- type: keyword
- ignore_above: 1024
- description: SHA384 hash.
- default_field: false
- - name: previous.hash.sha512
- level: extended
- type: keyword
- ignore_above: 1024
- description: SHA512 hash.
- default_field: false
- - name: previous.hash.ssdeep
- level: extended
- type: keyword
- ignore_above: 1024
- description: SSDEEP hash.
- default_field: false
- - name: previous.hash.tlsh
- level: extended
- type: keyword
- ignore_above: 1024
- description: TLSH hash.
- default_field: false
- - name: previous.interactive
- level: extended
- type: boolean
- description: 'Whether the process is connected to an interactive shell.
-
- Process interactivity is inferred from the processes file descriptors. If
- the character device for the controlling tty is the same as stdin and stderr
- for the process, the process is considered interactive.
-
- Note: A non-interactive process can belong to an interactive session and is
- simply one that does not have open file descriptors reading the controlling
- TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A
- backgrounded process is still considered interactive if stdin and stderr are
- connected to the controlling TTY.'
- example: true
- default_field: false
- - name: previous.io
- level: extended
- type: object
- description: 'A chunk of input or output (IO) from a single process.
-
- This field only appears on the top level process object, which is the process
- that wrote the output or read the input.'
- default_field: false
- - name: previous.io.bytes_skipped
- level: extended
- type: object
- description: An array of byte offsets and lengths denoting where IO data has
- been skipped.
- default_field: false
- - name: previous.io.bytes_skipped.length
- level: extended
- type: long
- description: The length of bytes skipped.
- default_field: false
- - name: previous.io.bytes_skipped.offset
- level: extended
- type: long
- description: The byte offset into this event's io.text (or io.bytes in the future)
- where length bytes were skipped.
- default_field: false
- - name: previous.io.max_bytes_per_process_exceeded
- level: extended
- type: boolean
- description: If true, the process producing the output has exceeded the max_kilobytes_per_process
- configuration setting.
- default_field: false
- - name: previous.io.text
- level: extended
- type: wildcard
- description: 'A chunk of output or input sanitized to UTF-8.
-
- Best efforts are made to ensure complete lines are captured in these events.
- Assumptions should NOT be made that multiple lines will appear in the same
- event. TTY output may contain terminal control codes such as for cursor movement,
- so some string queries may not match due to terminal codes inserted between
- characters of a word.'
- default_field: false
- - name: previous.io.total_bytes_captured
- level: extended
- type: long
- description: The total number of bytes captured in this event.
- default_field: false
- - name: previous.io.total_bytes_skipped
- level: extended
- type: long
- description: The total number of bytes that were not captured due to implementation
- restrictions such as buffer size limits.
Implementors should strive to ensure
- this value is always zero
- default_field: false
- - name: previous.io.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The type of object on which the IO action (read or write) was
- taken.
-
- Currently only ''tty'' is supported. Other types may be added in the future
- for ''file'' and ''socket'' support.'
- default_field: false
- - name: previous.macho.go_import_hash
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'A hash of the Go language imports in a Mach-O file excluding standard
- library imports. An import hash can be used to fingerprint binaries even after
- recompilation or other code-level transformations have occurred, which would
- change more traditional hash values.
-
- The algorithm used to calculate the Go symbol hash and a reference implementation
- are available here: https://github.com/elastic/toutoumomoma'
- example: 10bddcb4cee42080f76c88d9ff964491
- default_field: false
- - name: previous.macho.go_imports
- level: extended
- type: flattened
- description: List of imported Go language element names and types.
- default_field: false
- - name: previous.macho.go_imports_names_entropy
- level: extended
- type: long
- format: number
- description: Shannon entropy calculation from the list of Go imports.
- default_field: false
- - name: previous.macho.go_imports_names_var_entropy
- level: extended
- type: long
- format: number
- description: Variance for Shannon entropy calculation from the list of Go imports.
- default_field: false
- - name: previous.macho.go_stripped
- level: extended
- type: boolean
- description: Set to true if the file is a Go executable that has had its symbols
- stripped or obfuscated and false if an unobfuscated Go executable.
- default_field: false
- - name: previous.macho.import_hash
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'A hash of the imports in a Mach-O file.
An import hash can be
- used to fingerprint binaries even after recompilation or other code-level
- transformations have occurred, which would change more traditional hash values.
-
- This is a synonym for symhash.'
- example: d41d8cd98f00b204e9800998ecf8427e
- default_field: false
- - name: previous.macho.imports
- level: extended
- type: flattened
- description: List of imported element names and types.
- default_field: false
- - name: previous.macho.imports_names_entropy
- level: extended
- type: long
- format: number
- description: Shannon entropy calculation from the list of imported element names
- and types.
- default_field: false
- - name: previous.macho.imports_names_var_entropy
- level: extended
- type: long
- format: number
- description: Variance for Shannon entropy calculation from the list of imported
- element names and types.
- default_field: false
- - name: previous.macho.sections
- level: extended
- type: nested
- description: 'An array containing an object for each section of the Mach-O file.
-
- The keys that should be present in these objects are defined by sub-fields
- underneath `macho.sections.*`.'
- default_field: false
- - name: previous.macho.sections.entropy
- level: extended
- type: long
- format: number
- description: Shannon entropy calculation from the section.
- default_field: false
- - name: previous.macho.sections.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Mach-O Section List name.
- default_field: false
- - name: previous.macho.sections.physical_size
- level: extended
- type: long
- format: bytes
- description: Mach-O Section List physical size.
- default_field: false
- - name: previous.macho.sections.var_entropy
- level: extended
- type: long
- format: number
- description: Variance for Shannon entropy calculation from the section.
- default_field: false
- - name: previous.macho.sections.virtual_size
- level: extended
- type: long
- format: string
- description: Mach-O Section List virtual size.
This is always the same as `physical_size`. - default_field: false - - name: previous.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: previous.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: previous.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: previous.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: previous.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: previous.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: previous.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. 
- example: Paint - default_field: false - - name: previous.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: previous.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: previous.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: previous.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: previous.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: previous.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: previous.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: previous.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: previous.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: previous.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: previous.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: previous.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: previous.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
- example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: previous.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: previous.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: previous.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: previous.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: previous.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: previous.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: previous.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: previous.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: previous.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: previous.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: previous.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: previous.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: previous.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: previous.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: previous.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: previous.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- default_field: false - - name: previous.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: previous.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: previous.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: previous.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: previous.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: previous.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: previous.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - default_field: false - - name: previous.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: previous.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: previous.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: previous.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: previous.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: previous.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: previous.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: previous.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: previous.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: previous.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: previous.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- default_field: false - - name: previous.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: previous.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: previous.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: previous.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: previous.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: previous.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: previous.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - default_field: false - - name: previous.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: previous.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: previous.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: previous.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: previous.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: previous.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: previous.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: previous.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: previous.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: previous.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: previous.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: previous.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: previous.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: previous.tty.columns - level: extended - type: long - description: 'The number of character columns per line. 
e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: previous.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: previous.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: previous.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: previous.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: previous.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: previous.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: previous.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: previous.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: previous.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: previous.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: previous.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: previous.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: previous.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - default_field: false - - name: previous.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: previous.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: previous.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: previous.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: previous.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein - default_field: false - - name: real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: responsible.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: responsible.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: responsible.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: responsible.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: responsible.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. 
- example: Albert Einstein - default_field: false - - name: responsible.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: responsible.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: responsible.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: responsible.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: responsible.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: responsible.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73
- default_field: false
- - name: responsible.attested_user.risk.calculated_score_norm
- level: extended
- type: float
- description: A risk classification score calculated by an internal system as
- part of entity analytics and entity risk scoring, and normalized to a range
- of 0 to 100.
- example: 88.73
- default_field: false
- - name: responsible.attested_user.risk.static_level
- level: extended
- type: keyword
- ignore_above: 1024
- description: A risk classification level obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: High
- default_field: false
- - name: responsible.attested_user.risk.static_score
- level: extended
- type: float
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: 830.0
- default_field: false
- - name: responsible.attested_user.risk.static_score_norm
- level: extended
- type: float
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform, and normalized to a range
- of 0 to 100.
- example: 83.0
- default_field: false
- - name: responsible.attested_user.roles
- level: extended
- type: keyword
- ignore_above: 1024
- description: Array of user roles at the time of the event.
- example: '["kibana_admin", "reporting_user"]'
- default_field: false
- - name: responsible.code_signature.digest_algorithm
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The hashing algorithm used to sign the process.
-
- This value can distinguish signatures when a file is signed multiple times
- by the same signer but with a different digest algorithm.'
- example: sha256
- default_field: false
- - name: responsible.code_signature.exists
- level: core
- type: boolean
- description: Boolean to capture if a signature is present.
- example: 'true'
- default_field: false
- - name: responsible.code_signature.flags
- level: extended
- type: keyword
- ignore_above: 1024
- description: The flags used to sign the process.
- example: 570522385
- default_field: false
- - name: responsible.code_signature.signing_id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The identifier used to sign the process.
-
- This is used to identify the application manufactured by a software vendor.
- The field is relevant to Apple *OS only.'
- example: com.apple.xpc.proxy
- default_field: false
- - name: responsible.code_signature.status
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Additional information about the certificate status.
-
- This is useful for logging cryptographic errors with the certificate validity
- or trust status. Leave unpopulated if the validity or trust of the certificate
- was unchecked.'
- example: ERROR_UNTRUSTED_ROOT
- default_field: false
- - name: responsible.code_signature.subject_name
- level: core
- type: keyword
- ignore_above: 1024
- description: Subject name of the code signer
- example: Microsoft Corporation
- default_field: false
- - name: responsible.code_signature.team_id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The team identifier used to sign the process.
-
- This is used to identify the team or vendor of a software product. The field
- is relevant to Apple *OS only.'
- example: EQHXZ8M8AV
- default_field: false
- - name: responsible.code_signature.thumbprint_sha256
- level: extended
- type: keyword
- ignore_above: 64
- description: Certificate SHA256 hash that uniquely identifies the code signer.
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
- pattern: ^[0-9a-f]{64}$
- default_field: false
- - name: responsible.code_signature.timestamp
- level: extended
- type: date
- description: Date and time when the code signature was generated and signed.
- example: '2021-01-01T12:10:30Z'
- default_field: false
- - name: responsible.code_signature.trusted
- level: extended
- type: boolean
- description: 'Stores the trust status of the certificate chain.
-
- Validating the trust of the certificate chain may be complicated, and this
- field should only be populated by tools that actively check the status.'
- example: 'true'
- default_field: false
- - name: responsible.code_signature.valid
- level: extended
- type: boolean
- description: 'Boolean to capture if the digital signature is verified against
- the binary content.
-
- Leave unpopulated if a certificate was unchecked.'
- example: 'true'
- default_field: false
- - name: responsible.command_line
- level: extended
- type: wildcard
- multi_fields:
- - name: text
- type: match_only_text
- description: 'Full command line that started the process, including the absolute
- path to the executable, and all arguments.
-
- Some arguments may be filtered to protect sensitive information.'
- example: /usr/bin/ssh -l user 10.0.0.16
- default_field: false
- - name: responsible.elf.architecture
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine architecture of the ELF file.
- example: x86-64
- default_field: false
- - name: responsible.elf.byte_order
- level: extended
- type: keyword
- ignore_above: 1024
- description: Byte sequence of ELF file.
- example: Little Endian
- default_field: false
- - name: responsible.elf.cpu_type
- level: extended
- type: keyword
- ignore_above: 1024
- description: CPU type of the ELF file.
- example: Intel
- default_field: false
- - name: responsible.elf.creation_date
- level: extended
- type: date
- description: Extracted when possible from the file's metadata. Indicates when
- it was built or compiled. It can also be faked by malware creators.
- default_field: false
- - name: responsible.elf.exports
- level: extended
- type: flattened
- description: List of exported element names and types.
- default_field: false
- - name: responsible.elf.go_import_hash
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'A hash of the Go language imports in an ELF file excluding standard
- library imports. An import hash can be used to fingerprint binaries even after
- recompilation or other code-level transformations have occurred, which would
- change more traditional hash values.
-
- The algorithm used to calculate the Go symbol hash and a reference implementation
- are available here: https://github.com/elastic/toutoumomoma'
- example: 10bddcb4cee42080f76c88d9ff964491
- default_field: false
- - name: responsible.elf.go_imports
- level: extended
- type: flattened
- description: List of imported Go language element names and types.
- default_field: false
- - name: responsible.elf.go_imports_names_entropy
- level: extended
- type: long
- format: number
- description: Shannon entropy calculation from the list of Go imports.
- default_field: false
- - name: responsible.elf.go_imports_names_var_entropy
- level: extended
- type: long
- format: number
- description: Variance for Shannon entropy calculation from the list of Go imports.
- default_field: false
- - name: responsible.elf.go_stripped
- level: extended
- type: boolean
- description: Set to true if the file is a Go executable that has had its symbols
- stripped or obfuscated and false if an unobfuscated Go executable.
- default_field: false
- - name: responsible.elf.header.abi_version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Version of the ELF Application Binary Interface (ABI).
- default_field: false
- - name: responsible.elf.header.class
- level: extended
- type: keyword
- ignore_above: 1024
- description: Header class of the ELF file.
- default_field: false
- - name: responsible.elf.header.data
- level: extended
- type: keyword
- ignore_above: 1024
- description: Data table of the ELF header.
- default_field: false
- - name: responsible.elf.header.entrypoint
- level: extended
- type: long
- format: string
- description: Header entrypoint of the ELF file.
- default_field: false
- - name: responsible.elf.header.object_version
- level: extended
- type: keyword
- ignore_above: 1024
- description: '"0x1" for original ELF files.'
- default_field: false
- - name: responsible.elf.header.os_abi
- level: extended
- type: keyword
- ignore_above: 1024
- description: Application Binary Interface (ABI) of the Linux OS.
- default_field: false
- - name: responsible.elf.header.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Header type of the ELF file.
- default_field: false
- - name: responsible.elf.header.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Version of the ELF header.
- default_field: false
- - name: responsible.elf.import_hash
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'A hash of the imports in an ELF file. An import hash can be used
- to fingerprint binaries even after recompilation or other code-level transformations
- have occurred, which would change more traditional hash values.
-
- This is an ELF implementation of the Windows PE imphash.'
- example: d41d8cd98f00b204e9800998ecf8427e
- default_field: false
- - name: responsible.elf.imports
- level: extended
- type: flattened
- description: List of imported element names and types.
- default_field: false
- - name: responsible.elf.imports_names_entropy
- level: extended
- type: long
- format: number
- description: Shannon entropy calculation from the list of imported element names
- and types.
- default_field: false
- - name: responsible.elf.imports_names_var_entropy
- level: extended
- type: long
- format: number
- description: Variance for Shannon entropy calculation from the list of imported
- element names and types.
- default_field: false
- - name: responsible.elf.sections
- level: extended
- type: nested
- description: 'An array containing an object for each section of the ELF file.
-
- The keys that should be present in these objects are defined by sub-fields
- underneath `elf.sections.*`.'
- default_field: false
- - name: responsible.elf.sections.chi2
- level: extended
- type: long
- format: number
- description: Chi-square probability distribution of the section.
- default_field: false
- - name: responsible.elf.sections.entropy
- level: extended
- type: long
- format: number
- description: Shannon entropy calculation from the section.
- default_field: false
- - name: responsible.elf.sections.flags
- level: extended
- type: keyword
- ignore_above: 1024
- description: ELF Section List flags.
- default_field: false
- - name: responsible.elf.sections.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: ELF Section List name.
- default_field: false
- - name: responsible.elf.sections.physical_offset
- level: extended
- type: keyword
- ignore_above: 1024
- description: ELF Section List offset.
- default_field: false
- - name: responsible.elf.sections.physical_size
- level: extended
- type: long
- format: bytes
- description: ELF Section List physical size.
- default_field: false
- - name: responsible.elf.sections.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: ELF Section List type.
- default_field: false
- - name: responsible.elf.sections.var_entropy
- level: extended
- type: long
- format: number
- description: Variance for Shannon entropy calculation from the section.
- default_field: false
- - name: responsible.elf.sections.virtual_address
- level: extended
- type: long
- format: string
- description: ELF Section List virtual address.
- default_field: false
- - name: responsible.elf.sections.virtual_size
- level: extended
- type: long
- format: string
- description: ELF Section List virtual size.
- default_field: false
- - name: responsible.elf.segments
- level: extended
- type: nested
- description: 'An array containing an object for each segment of the ELF file.
-
- The keys that should be present in these objects are defined by sub-fields
- underneath `elf.segments.*`.'
- default_field: false
- - name: responsible.elf.segments.sections
- level: extended
- type: keyword
- ignore_above: 1024
- description: ELF object segment sections.
- default_field: false
- - name: responsible.elf.segments.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: ELF object segment type.
- default_field: false
- - name: responsible.elf.shared_libraries
- level: extended
- type: keyword
- ignore_above: 1024
- description: List of shared libraries used by this ELF object.
- default_field: false
- - name: responsible.elf.telfhash
- level: extended
- type: keyword
- ignore_above: 1024
- description: telfhash symbol hash for ELF file.
- default_field: false
- - name: responsible.end
- level: extended
- type: date
- description: The time the process ended.
- example: '2016-05-23T08:05:34.853Z'
- default_field: false
- - name: responsible.endpoint_security_client
- level: extended
- type: boolean
- description: Processes that have an endpoint security client must have the com.apple.endpointsecurity
- entitlement and the value is set to true in the message.
- default_field: false
- - name: responsible.entity_id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Unique identifier for the process.
-
- The implementation of this is specified by the data source, but some examples
- of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
- or a hash of some uniquely identifying components of a process.
-
- Constructing a globally unique identifier is a common practice to mitigate
- PID reuse as well as to identify a specific process over time, across multiple
- monitored hosts.'
- example: c2c455d9f99375d
- default_field: false
- - name: responsible.entry_meta.source.address
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Some event source addresses are defined ambiguously. The event
- will sometimes list an IP, a domain or a unix socket. You should always store
- the raw address in the `.address` field.
-
- Then it should be duplicated to `.ip` or `.domain`, depending on which one
- it is.'
- default_field: false
- - name: responsible.entry_meta.source.as.number
- level: extended
- type: long
- description: Unique number allocated to the autonomous system. The autonomous
- system number (ASN) uniquely identifies each network on the Internet.
- example: 15169
- default_field: false
- - name: responsible.entry_meta.source.as.organization.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: match_only_text
- description: Organization name.
- example: Google LLC
- default_field: false
- - name: responsible.entry_meta.source.bytes
- level: core
- type: long
- format: bytes
- description: Bytes sent from the source to the destination.
- example: 184
- default_field: false
- - name: responsible.entry_meta.source.domain
- level: core
- type: keyword
- ignore_above: 1024
- description: 'The domain name of the source system.
-
- This value may be a host name, a fully qualified domain name, or another host
- naming format. The value may derive from the original event or be added from
- enrichment.'
- example: foo.example.com
- default_field: false
- - name: responsible.entry_meta.source.geo.city_name
- level: core
- type: keyword
- ignore_above: 1024
- description: City name.
- example: Montreal
- default_field: false
- - name: responsible.entry_meta.source.geo.continent_code
- level: core
- type: keyword
- ignore_above: 1024
- description: Two-letter code representing continent's name.
- example: NA
- default_field: false
- - name: responsible.entry_meta.source.geo.continent_name
- level: core
- type: keyword
- ignore_above: 1024
- description: Name of the continent.
- example: North America
- default_field: false
- - name: responsible.entry_meta.source.geo.country_iso_code
- level: core
- type: keyword
- ignore_above: 1024
- description: Country ISO code.
- example: CA
- default_field: false
- - name: responsible.entry_meta.source.geo.country_name
- level: core
- type: keyword
- ignore_above: 1024
- description: Country name.
- example: Canada
- default_field: false
- - name: responsible.entry_meta.source.geo.location
- level: core
- type: geo_point
- description: Longitude and latitude.
- example: '{ "lon": -73.614830, "lat": 45.505918 }'
- default_field: false
- - name: responsible.entry_meta.source.geo.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'User-defined description of a location, at the level of granularity
- they care about.
-
- Could be the name of their data centers, the floor number, if this describes
- a local physical entity, city names.
-
- Not typically used in automated geolocation.'
- example: boston-dc
- default_field: false
- - name: responsible.entry_meta.source.geo.postal_code
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Postal code associated with the location.
-
- Values appropriate for this field may also be known as a postcode or ZIP code
- and will vary widely from country to country.'
- example: 94040
- default_field: false
- - name: responsible.entry_meta.source.geo.region_iso_code
- level: core
- type: keyword
- ignore_above: 1024
- description: Region ISO code.
- example: CA-QC
- default_field: false
- - name: responsible.entry_meta.source.geo.region_name
- level: core
- type: keyword
- ignore_above: 1024
- description: Region name.
- example: Quebec
- default_field: false
- - name: responsible.entry_meta.source.geo.timezone
- level: core
- type: keyword
- ignore_above: 1024
- description: The time zone of the location, such as IANA time zone name.
- example: America/Argentina/Buenos_Aires
- default_field: false
- - name: responsible.entry_meta.source.ip
- level: core
- type: ip
- description: IP address of the source (IPv4 or IPv6).
- default_field: false
- - name: responsible.entry_meta.source.mac
- level: core
- type: keyword
- ignore_above: 1024
- description: 'MAC address of the source.
-
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
- byte) is represented by two [uppercase] hexadecimal digits giving the value
- of the octet as an unsigned integer. Successive octets are separated by a
- hyphen.'
- example: 00-00-5E-00-53-23
- pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
- default_field: false
- - name: responsible.entry_meta.source.nat.ip
- level: extended
- type: ip
- description: 'Translated ip of source based NAT sessions (e.g. internal client
- to internet)
-
- Typically connections traversing load balancers, firewalls, or routers.'
- default_field: false
- - name: responsible.entry_meta.source.nat.port
- level: extended
- type: long
- format: string
- description: 'Translated port of source based NAT sessions. (e.g. internal client
- to internet)
-
- Typically used with load balancers, firewalls, or routers.'
- default_field: false
- - name: responsible.entry_meta.source.packets
- level: core
- type: long
- description: Packets sent from the source to the destination.
- example: 12
- default_field: false
- - name: responsible.entry_meta.source.port
- level: core
- type: long
- format: string
- description: Port of the source.
- default_field: false
- - name: responsible.entry_meta.source.registered_domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The highest registered source domain, stripped of the subdomain.
-
- For example, the registered domain for "foo.example.com" is "example.com".
-
- This value can be determined precisely with a list like the public suffix
- list (https://publicsuffix.org). Trying to approximate this by simply taking
- the last two labels will not work well for TLDs such as "co.uk".'
- example: example.com
- default_field: false
- - name: responsible.entry_meta.source.subdomain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The subdomain portion of a fully qualified domain name includes
- all of the names except the host name under the registered_domain. In a partially
- qualified domain, or if the the qualification level of the full name cannot
- be determined, subdomain contains all of the names below the registered domain.
-
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
- the subdomain field should contain "sub2.sub1", with no trailing period.'
- example: east
- default_field: false
- - name: responsible.entry_meta.source.top_level_domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The effective top level domain (eTLD), also known as the domain
- suffix, is the last part of the domain name. For example, the top level domain
- for example.com is "com".
-
- This value can be determined precisely with a list like the public suffix
- list (https://publicsuffix.org). Trying to approximate this by simply taking
- the last label will not work well for effective TLDs such as "co.uk".'
- example: co.uk
- default_field: false
- - name: responsible.entry_meta.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The entry type for the entry session leader. Values include: init(e.g
- systemd), sshd, ssm, kubelet, teleport, terminal, console
-
- Note: This field is only set on process.session_leader.'
- default_field: false
- - name: responsible.env_vars
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Array of environment variable bindings. Captured from a snapshot
- of the environment at the time of execution.
-
- May be filtered to protect sensitive information.'
- example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]'
- default_field: false
- - name: responsible.executable
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: match_only_text
- description: Absolute path to the process executable.
- example: /usr/bin/ssh
- default_field: false
- - name: responsible.exit_code
- level: extended
- type: long
- description: 'The exit code of the process, if this is a termination event.
-
- The field should be absent if there is no exit code for the event (e.g. process
- start).'
- example: 137
- default_field: false
- - name: responsible.group.domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- default_field: false
- - name: responsible.group.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Unique identifier for the group on the system/platform.
- default_field: false
- - name: responsible.group.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the group.
- default_field: false
- - name: responsible.hash.cdhash
- level: extended
- type: keyword
- ignore_above: 1024
- description: Code directory hash, utilized to uniquely identify and authenticate
- the integrity of the executable code.
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
- default_field: false
- - name: responsible.hash.md5
- level: extended
- type: keyword
- ignore_above: 1024
- description: MD5 hash.
- default_field: false
- - name: responsible.hash.sha1
- level: extended
- type: keyword
- ignore_above: 1024
- description: SHA1 hash.
- default_field: false
- - name: responsible.hash.sha256
- level: extended
- type: keyword
- ignore_above: 1024
- description: SHA256 hash.
- default_field: false
- - name: responsible.hash.sha384
- level: extended
- type: keyword
- ignore_above: 1024
- description: SHA384 hash.
- default_field: false
- - name: responsible.hash.sha512
- level: extended
- type: keyword
- ignore_above: 1024
- description: SHA512 hash.
- default_field: false
- - name: responsible.hash.ssdeep
- level: extended
- type: keyword
- ignore_above: 1024
- description: SSDEEP hash.
- default_field: false
- - name: responsible.hash.tlsh
- level: extended
- type: keyword
- ignore_above: 1024
- description: TLSH hash.
- default_field: false
- - name: responsible.interactive
- level: extended
- type: boolean
- description: 'Whether the process is connected to an interactive shell.
-
- Process interactivity is inferred from the processes file descriptors. If
- the character device for the controlling tty is the same as stdin and stderr
- for the process, the process is considered interactive.
-
- Note: A non-interactive process can belong to an interactive session and is
- simply one that does not have open file descriptors reading the controlling
- TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A
- backgrounded process is still considered interactive if stdin and stderr are
- connected to the controlling TTY.'
- example: true
- default_field: false
- - name: responsible.io
- level: extended
- type: object
- description: 'A chunk of input or output (IO) from a single process.
-
- This field only appears on the top level process object, which is the process
- that wrote the output or read the input.'
- default_field: false
- - name: responsible.io.bytes_skipped
- level: extended
- type: object
- description: An array of byte offsets and lengths denoting where IO data has
- been skipped.
- default_field: false
- - name: responsible.io.bytes_skipped.length
- level: extended
- type: long
- description: The length of bytes skipped.
- default_field: false
- - name: responsible.io.bytes_skipped.offset
- level: extended
- type: long
- description: The byte offset into this event's io.text (or io.bytes in the future)
- where length bytes were skipped.
- default_field: false
- - name: responsible.io.max_bytes_per_process_exceeded
- level: extended
- type: boolean
- description: If true, the process producing the output has exceeded the max_kilobytes_per_process
- configuration setting.
- default_field: false
- - name: responsible.io.text
- level: extended
- type: wildcard
- description: 'A chunk of output or input sanitized to UTF-8.
-
- Best efforts are made to ensure complete lines are captured in these events.
- Assumptions should NOT be made that multiple lines will appear in the same
- event. TTY output may contain terminal control codes such as for cursor movement,
- so some string queries may not match due to terminal codes inserted between
- characters of a word.'
- default_field: false
- - name: responsible.io.total_bytes_captured
- level: extended
- type: long
- description: The total number of bytes captured in this event.
- default_field: false
- - name: responsible.io.total_bytes_skipped
- level: extended
- type: long
- description: The total number of bytes that were not captured due to implementation
- restrictions such as buffer size limits. Implementors should strive to ensure
- this value is always zero
- default_field: false
- - name: responsible.io.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The type of object on which the IO action (read or write) was
- taken.
-
- Currently only ''tty'' is supported. Other types may be added in the future
- for ''file'' and ''socket'' support.'
- default_field: false
- - name: responsible.macho.go_import_hash
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'A hash of the Go language imports in a Mach-O file excluding standard
- library imports. An import hash can be used to fingerprint binaries even after
- recompilation or other code-level transformations have occurred, which would
- change more traditional hash values.
-
- The algorithm used to calculate the Go symbol hash and a reference implementation
- are available here: https://github.com/elastic/toutoumomoma'
- example: 10bddcb4cee42080f76c88d9ff964491
- default_field: false
- - name: responsible.macho.go_imports
- level: extended
- type: flattened
- description: List of imported Go language element names and types.
- default_field: false
- - name: responsible.macho.go_imports_names_entropy
- level: extended
- type: long
- format: number
- description: Shannon entropy calculation from the list of Go imports.
- default_field: false
- - name: responsible.macho.go_imports_names_var_entropy
- level: extended
- type: long
- format: number
- description: Variance for Shannon entropy calculation from the list of Go imports.
- default_field: false
- - name: responsible.macho.go_stripped
- level: extended
- type: boolean
- description: Set to true if the file is a Go executable that has had its symbols
- stripped or obfuscated and false if an unobfuscated Go executable.
- default_field: false
- - name: responsible.macho.import_hash
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'A hash of the imports in a Mach-O file. An import hash can be
- used to fingerprint binaries even after recompilation or other code-level
- transformations have occurred, which would change more traditional hash values.
-
- This is a synonym for symhash.'
- example: d41d8cd98f00b204e9800998ecf8427e
- default_field: false
- - name: responsible.macho.imports
- level: extended
- type: flattened
- description: List of imported element names and types.
- default_field: false
- - name: responsible.macho.imports_names_entropy
- level: extended
- type: long
- format: number
- description: Shannon entropy calculation from the list of imported element names
- and types.
- default_field: false
- - name: responsible.macho.imports_names_var_entropy
- level: extended
- type: long
- format: number
- description: Variance for Shannon entropy calculation from the list of imported
- element names and types.
- default_field: false
- - name: responsible.macho.sections
- level: extended
- type: nested
- description: 'An array containing an object for each section of the Mach-O file.
-
- The keys that should be present in these objects are defined by sub-fields
- underneath `macho.sections.*`.'
- default_field: false
- - name: responsible.macho.sections.entropy
- level: extended
- type: long
- format: number
- description: Shannon entropy calculation from the section.
- default_field: false
- - name: responsible.macho.sections.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Mach-O Section List name.
- default_field: false
- - name: responsible.macho.sections.physical_size
- level: extended
- type: long
- format: bytes
- description: Mach-O Section List physical size.
- default_field: false
- - name: responsible.macho.sections.var_entropy
- level: extended
- type: long
- format: number
- description: Variance for Shannon entropy calculation from the section.
- default_field: false
- - name: responsible.macho.sections.virtual_size
- level: extended
- type: long
- format: string
- description: Mach-O Section List virtual size. This is always the same as `physical_size`.
- default_field: false
- - name: responsible.macho.symhash
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'A hash of the imports in a Mach-O file. An import hash can be
- used to fingerprint binaries even after recompilation or other code-level
- transformations have occurred, which would change more traditional hash values.
-
- This is a Mach-O implementation of the Windows PE imphash'
- example: d3ccf195b62a9279c3c19af1080497ec
- default_field: false
- - name: responsible.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: match_only_text
- description: 'Process name.
-
- Sometimes called program name or similar.'
- example: ssh
- default_field: false
- - name: responsible.origin_referrer_url
- level: extended
- type: keyword
- ignore_above: 8192
- description: The URL of the webpage that linked to the process's executable
- file.
- example: http://example.com/article1.html
- default_field: false
- - name: responsible.origin_url
- level: extended
- type: keyword
- ignore_above: 8192
- description: The URL where the process's executable file is hosted.
- example: http://example.com/files/example.exe
- default_field: false
- - name: responsible.pe.architecture
- level: extended
- type: keyword
- ignore_above: 1024
- description: CPU architecture target for the file.
- example: x64
- default_field: false
- - name: responsible.pe.company
- level: extended
- type: keyword
- ignore_above: 1024
- description: Internal company name of the file, provided at compile-time.
- example: Microsoft Corporation
- default_field: false
- - name: responsible.pe.description
- level: extended
- type: keyword
- ignore_above: 1024
- description: Internal description of the file, provided at compile-time.
- example: Paint
- default_field: false
- - name: responsible.pe.file_version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Internal version of the file, provided at compile-time.
- example: 6.3.9600.17415 - default_field: false - - name: responsible.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: responsible.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: responsible.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: responsible.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: responsible.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: responsible.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
- example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: responsible.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: responsible.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: responsible.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: responsible.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: responsible.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: responsible.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: responsible.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. 
- example: Microsoft® Windows® Operating System - default_field: false - - name: responsible.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: responsible.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: responsible.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: responsible.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: responsible.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: responsible.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: responsible.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: responsible.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: responsible.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: responsible.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: responsible.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: responsible.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: responsible.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: responsible.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- default_field: false - - name: responsible.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: responsible.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: responsible.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: responsible.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: responsible.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: responsible.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: responsible.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - default_field: false - - name: responsible.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: responsible.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: responsible.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: responsible.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: responsible.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: responsible.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: responsible.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: responsible.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: responsible.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- default_field: false - - name: responsible.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: responsible.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: responsible.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: responsible.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: responsible.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: responsible.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: responsible.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - default_field: false - - name: responsible.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: responsible.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: responsible.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: responsible.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: responsible.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: responsible.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: responsible.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: responsible.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: responsible.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: responsible.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: responsible.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: responsible.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: responsible.tty.columns - level: extended - type: long - description: 'The number of character columns per line. 
e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: responsible.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: responsible.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: responsible.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: responsible.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: responsible.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: responsible.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: responsible.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: responsible.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: responsible.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: responsible.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: responsible.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: responsible.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - default_field: false - - name: responsible.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: responsible.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: responsible.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: responsible.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: responsible.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. 
- - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - default_field: false - - name: saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: session_leader.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: session_leader.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: session_leader.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: session_leader.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- default_field: false - - name: session_leader.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: session_leader.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: session_leader.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - default_field: false - - name: session_leader.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: session_leader.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: session_leader.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: session_leader.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: session_leader.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: session_leader.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: session_leader.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: session_leader.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: session_leader.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: session_leader.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: session_leader.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - default_field: false - - name: session_leader.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: session_leader.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: session_leader.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: session_leader.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: session_leader.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: session_leader.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: session_leader.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: session_leader.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: session_leader.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: session_leader.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: session_leader.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: session_leader.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: session_leader.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: session_leader.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' 
- default_field: false - - name: session_leader.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: session_leader.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: session_leader.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: session_leader.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: session_leader.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: session_leader.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: session_leader.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: session_leader.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' 
- default_field: false - - name: session_leader.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: session_leader.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: session_leader.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: session_leader.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: session_leader.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: session_leader.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: session_leader.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: session_leader.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: session_leader.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: session_leader.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: session_leader.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: session_leader.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: session_leader.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: session_leader.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: session_leader.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: session_leader.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: session_leader.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: session_leader.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' 
- example: c2c455d9f99375d - default_field: false - - name: session_leader.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: session_leader.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: session_leader.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: session_leader.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: session_leader.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: session_leader.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: session_leader.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. 
- example: NA - default_field: false - - name: session_leader.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: session_leader.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: session_leader.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: session_leader.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: session_leader.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: session_leader.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: session_leader.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: session_leader.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. 
- example: Quebec - default_field: false - - name: session_leader.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: session_leader.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: session_leader.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: session_leader.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: session_leader.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: session_leader.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: session_leader.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. 
- default_field: false - - name: session_leader.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: session_leader.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: session_leader.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - default_field: false - - name: session_leader.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: session_leader.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: session_leader.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh - default_field: false - - name: session_leader.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: session_leader.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: session_leader.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: session_leader.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: session_leader.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: session_leader.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: session_leader.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: session_leader.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: session_leader.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: session_leader.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: session_leader.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: session_leader.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: session_leader.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: session_leader.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: session_leader.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: session_leader.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: session_leader.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: session_leader.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. 
- default_field: false - - name: session_leader.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: session_leader.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: session_leader.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: session_leader.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: session_leader.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: session_leader.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: session_leader.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: session_leader.macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: session_leader.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: session_leader.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: session_leader.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: session_leader.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: session_leader.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. 
- default_field: false - - name: session_leader.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: session_leader.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: session_leader.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: session_leader.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: session_leader.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: session_leader.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: session_leader.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: session_leader.parent.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. 
- - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: session_leader.parent.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: session_leader.parent.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.parent.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: session_leader.parent.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.parent.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.parent.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.parent.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.parent.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: session_leader.parent.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: session_leader.parent.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.parent.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.parent.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.parent.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.parent.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: session_leader.parent.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. 
- example: 'true' - default_field: false - - name: session_leader.parent.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: session_leader.parent.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: session_leader.parent.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: session_leader.parent.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: session_leader.parent.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: session_leader.parent.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: session_leader.parent.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: session_leader.parent.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: session_leader.parent.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: session_leader.parent.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: session_leader.parent.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: session_leader.parent.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: session_leader.parent.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. 
- example: Intel - default_field: false - - name: session_leader.parent.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: session_leader.parent.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: session_leader.parent.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: session_leader.parent.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: session_leader.parent.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- default_field: false - - name: session_leader.parent.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: session_leader.parent.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: session_leader.parent.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: session_leader.parent.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: session_leader.parent.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' - default_field: false - - name: session_leader.parent.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: session_leader.parent.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: session_leader.parent.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: session_leader.parent.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: session_leader.parent.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: session_leader.parent.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: session_leader.parent.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: session_leader.parent.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: session_leader.parent.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: session_leader.parent.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: session_leader.parent.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: session_leader.parent.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. 
- default_field: false - - name: session_leader.parent.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: session_leader.parent.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: session_leader.parent.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: session_leader.parent.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: session_leader.parent.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: session_leader.parent.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: session_leader.parent.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: session_leader.parent.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: session_leader.parent.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. 
- default_field: false - - name: session_leader.parent.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: session_leader.parent.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: session_leader.parent.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: session_leader.parent.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: session_leader.parent.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. 
- example: 15169 - default_field: false - - name: session_leader.parent.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: session_leader.parent.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: session_leader.parent.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: session_leader.parent.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: session_leader.parent.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: session_leader.parent.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: session_leader.parent.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: session_leader.parent.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. 
- example: Canada - default_field: false - - name: session_leader.parent.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: session_leader.parent.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: session_leader.parent.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: session_leader.parent.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: session_leader.parent.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: session_leader.parent.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: session_leader.parent.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: session_leader.parent.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. 
- - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: session_leader.parent.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: session_leader.parent.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: session_leader.parent.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: session_leader.parent.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. - default_field: false - - name: session_leader.parent.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - default_field: false - - name: session_leader.parent.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: session_leader.parent.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - default_field: false - - name: session_leader.parent.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: session_leader.parent.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' 
- example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: session_leader.parent.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh - default_field: false - - name: session_leader.parent.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: session_leader.parent.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: session_leader.parent.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: session_leader.parent.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: session_leader.parent.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. 
- default_field: false - - name: session_leader.parent.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: session_leader.parent.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: session_leader.parent.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: session_leader.parent.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: session_leader.parent.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: session_leader.parent.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: session_leader.parent.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: session_leader.parent.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. 
- default_field: false - - name: session_leader.parent.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: session_leader.parent.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: session_leader.parent.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: session_leader.parent.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: session_leader.parent.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: session_leader.parent.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' 
- default_field: false - - name: session_leader.parent.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: session_leader.parent.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: session_leader.parent.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: session_leader.parent.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: session_leader.parent.macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: session_leader.parent.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: session_leader.parent.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: session_leader.parent.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: session_leader.parent.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: session_leader.parent.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: session_leader.parent.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. 
- default_field: false - - name: session_leader.parent.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: session_leader.parent.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: session_leader.parent.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: session_leader.parent.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: session_leader.parent.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: session_leader.parent.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: session_leader.parent.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. 
- example: Paint - default_field: false - - name: session_leader.parent.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: session_leader.parent.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: session_leader.parent.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: session_leader.parent.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: session_leader.parent.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. 
An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: session_leader.parent.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: session_leader.parent.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: session_leader.parent.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: session_leader.parent.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: session_leader.parent.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: session_leader.parent.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. 
- - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: session_leader.parent.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: session_leader.parent.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: session_leader.parent.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: session_leader.parent.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: session_leader.parent.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: session_leader.parent.pid - level: core - type: long - format: string - description: Process id. 
- example: 4242 - default_field: false - - name: session_leader.parent.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: session_leader.parent.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.parent.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: session_leader.parent.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- default_field: false - - name: session_leader.parent.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.parent.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.parent.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.parent.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.parent.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: session_leader.parent.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - default_field: false - - name: session_leader.parent.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.parent.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.parent.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.parent.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.parent.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: session_leader.parent.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.parent.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: session_leader.parent.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.parent.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.parent.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.parent.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.parent.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: session_leader.parent.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: session_leader.parent.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.parent.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.parent.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.parent.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.parent.session_leader.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: session_leader.parent.session_leader.args_count - level: extended - type: long - description: 'Length of the process.args array. 
- - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: session_leader.parent.session_leader.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.session_leader.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.session_leader.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.session_leader.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.session_leader.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.parent.session_leader.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: session_leader.parent.session_leader.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: session_leader.parent.session_leader.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.session_leader.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.session_leader.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.parent.session_leader.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.parent.session_leader.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.parent.session_leader.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: session_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: session_leader.parent.session_leader.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.parent.session_leader.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.parent.session_leader.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.parent.session_leader.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' 
- example: sha256 - default_field: false - - name: session_leader.parent.session_leader.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: session_leader.parent.session_leader.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: session_leader.parent.session_leader.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: session_leader.parent.session_leader.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: session_leader.parent.session_leader.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: session_leader.parent.session_leader.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' 
- example: EQHXZ8M8AV - default_field: false - - name: session_leader.parent.session_leader.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: session_leader.parent.session_leader.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: session_leader.parent.session_leader.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: session_leader.parent.session_leader.code_signature.valid + - name: entry_leader.same_as_process level: extended type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: session_leader.parent.session_leader.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: session_leader.parent.session_leader.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. 
- example: x86-64 - default_field: false - - name: session_leader.parent.session_leader.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: session_leader.parent.session_leader.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: session_leader.parent.session_leader.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: session_leader.parent.session_leader.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: session_leader.parent.session_leader.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. + description: 'This boolean is used to identify if a leader process is the same + as the top level process. - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: session_leader.parent.session_leader.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. 
- default_field: false - - name: session_leader.parent.session_leader.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.session_leader.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.session_leader.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: session_leader.parent.session_leader.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' 
+ example: true default_field: false - - name: session_leader.parent.session_leader.elf.header.class + - name: entry_leader.saved_group.id level: extended type: keyword ignore_above: 1024 - description: Header class of the ELF file. + description: Unique identifier for the group on the system/platform. default_field: false - - name: session_leader.parent.session_leader.elf.header.data + - name: entry_leader.saved_group.name level: extended type: keyword ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: session_leader.parent.session_leader.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. + description: Name of the group. default_field: false - - name: session_leader.parent.session_leader.elf.header.object_version - level: extended + - name: entry_leader.saved_user.id + level: core type: keyword ignore_above: 1024 - description: '"0x1" for original ELF files.' + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: session_leader.parent.session_leader.elf.header.os_abi - level: extended + - name: entry_leader.saved_user.name + level: core type: keyword ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: session_leader.parent.session_leader.elf.header.type + - name: entry_leader.start level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. + type: date + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' default_field: false - - name: session_leader.parent.session_leader.elf.header.version + - name: entry_leader.supplemental_groups.id level: extended type: keyword ignore_above: 1024 - description: Version of the ELF header. + description: Unique identifier for the group on the system/platform. default_field: false - - name: session_leader.parent.session_leader.elf.import_hash + - name: entry_leader.supplemental_groups.name level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: session_leader.parent.session_leader.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: session_leader.parent.session_leader.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: session_leader.parent.session_leader.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. + description: Name of the group. default_field: false - - name: session_leader.parent.session_leader.elf.sections + - name: entry_leader.tty level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' + type: object + description: Information about the controlling TTY device. 
If set, the process + belongs to an interactive session. default_field: false - - name: session_leader.parent.session_leader.elf.sections.chi2 + - name: entry_leader.tty.char_device.major level: extended type: long - format: number - description: Chi-square probability distribution of the section. + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 default_field: false - - name: session_leader.parent.session_leader.elf.sections.entropy + - name: entry_leader.tty.char_device.minor level: extended type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.session_leader.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 default_field: false - - name: session_leader.parent.session_leader.elf.sections.name - level: extended + - name: entry_leader.user.id + level: core type: keyword ignore_above: 1024 - description: ELF Section List name. + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: session_leader.parent.session_leader.elf.sections.physical_offset - level: extended + - name: entry_leader.user.name + level: core type: keyword ignore_above: 1024 - description: ELF Section List offset. 
+ multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: session_leader.parent.session_leader.elf.sections.physical_size - level: extended + - name: entry_leader.vpid + level: core type: long - format: bytes - description: ELF Section List physical size. + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 default_field: false - - name: session_leader.parent.session_leader.elf.sections.type + - name: entry_leader.working_directory level: extended type: keyword ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: session_leader.parent.session_leader.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.session_leader.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: session_leader.parent.session_leader.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice default_field: false - - name: session_leader.parent.session_leader.elf.segments + - name: env_vars level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. 
- The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' default_field: false - - name: session_leader.parent.session_leader.elf.segments.sections + - name: executable level: extended type: keyword ignore_above: 1024 - description: ELF object segment sections. + multi_fields: + - name: text + type: match_only_text + default_field: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + - name: exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 default_field: false - - name: session_leader.parent.session_leader.elf.segments.type + - name: group.id level: extended type: keyword ignore_above: 1024 - description: ELF object segment type. + description: Unique identifier for the group on the system/platform. default_field: false - - name: session_leader.parent.session_leader.elf.shared_libraries + - name: group.name level: extended type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object. + description: Name of the group. default_field: false - - name: session_leader.parent.session_leader.elf.telfhash + - name: group_leader.args level: extended type: keyword ignore_above: 1024 - description: telfhash symbol hash for ELF file. + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - - name: session_leader.parent.session_leader.end + - name: group_leader.args_count level: extended - type: date - description: The time the process ended. 
- example: '2016-05-23T08:05:34.853Z' + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 default_field: false - - name: session_leader.parent.session_leader.endpoint_security_client + - name: group_leader.command_line level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - - name: session_leader.parent.session_leader.entity_id + - name: group_leader.entity_id level: extended type: keyword ignore_above: 1024 
@@ -24906,283 +6114,226 @@ monitored hosts.' example: c2c455d9f99375d default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.address + - name: group_leader.executable level: extended type: keyword ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.as.number + - name: group_leader.group.id level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' 
+ example: true default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.as.organization.name + - name: group_leader.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. + description: 'Process name. - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com + Sometimes called program name or similar.' + example: ssh default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.city_name + - name: group_leader.pid level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal + type: long + format: string + description: Process id. + example: 4242 default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.continent_code - level: core + - name: group_leader.real_group.id + level: extended type: keyword ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA + description: Unique identifier for the group on the system/platform. default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.continent_name - level: core + - name: group_leader.real_group.name + level: extended type: keyword ignore_above: 1024 - description: Name of the continent. - example: North America + description: Name of the group. 
default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + - name: group_leader.real_user.id level: core type: keyword ignore_above: 1024 - description: Country ISO code. - example: CA + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.country_name + - name: group_leader.real_user.name level: core type: keyword ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.name + - name: group_leader.same_as_process level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. - Not typically used in automated geolocation.' 
- example: boston-dc - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code - level: core + - name: group_leader.saved_group.id + level: extended type: keyword ignore_above: 1024 - description: Region ISO code. - example: CA-QC + description: Unique identifier for the group on the system/platform. default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.region_name - level: core + - name: group_leader.saved_group.name + level: extended type: keyword ignore_above: 1024 - description: Region name. - example: Quebec + description: Name of the group. default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.timezone + - name: group_leader.saved_user.id level: core type: keyword ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. 
- example: America/Argentina/Buenos_Aires - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.mac + - name: group_leader.saved_user.name level: core type: keyword ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.nat.port + - name: group_leader.start level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. 
+ type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.registered_domain + - name: group_leader.supplemental_groups.id level: extended type: keyword ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com + description: Unique identifier for the group on the system/platform. default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.subdomain + - name: group_leader.supplemental_groups.name level: extended type: keyword ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east + description: Name of the group. default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.top_level_domain + - name: group_leader.tty level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". 
- - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. default_field: false - - name: session_leader.parent.session_leader.entry_meta.type + - name: group_leader.tty.char_device.major level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 default_field: false - - name: session_leader.parent.session_leader.env_vars + - name: group_leader.tty.char_device.minor level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: group_leader.user.id + level: core type: keyword ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: session_leader.parent.session_leader.executable - level: extended + - name: group_leader.user.name + level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh + description: Short name or login of the user. + example: a.einstein default_field: false - - name: session_leader.parent.session_leader.exit_code - level: extended + - name: group_leader.vpid + level: core type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: session_leader.parent.session_leader.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. + format: string + description: 'Virtual process id. - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.session_leader.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 default_field: false - - name: session_leader.parent.session_leader.group.name + - name: group_leader.working_directory level: extended type: keyword ignore_above: 1024 - description: Name of the group. + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice default_field: false - - name: session_leader.parent.session_leader.hash.cdhash + - name: hash.cdhash level: extended type: keyword ignore_above: 1024 
@@ -25190,49 +6341,45 @@ the integrity of the executable code. example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 default_field: false - - name: session_leader.parent.session_leader.hash.md5 + - name: hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. - default_field: false - - name: session_leader.parent.session_leader.hash.sha1 + - name: hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. - default_field: false - - name: session_leader.parent.session_leader.hash.sha256 + - name: hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. - default_field: false - - name: session_leader.parent.session_leader.hash.sha384 + - name: hash.sha384 level: extended type: keyword ignore_above: 1024 description: SHA384 hash. default_field: false - - name: session_leader.parent.session_leader.hash.sha512 + - name: hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. - default_field: false - - name: session_leader.parent.session_leader.hash.ssdeep + - name: hash.ssdeep level: extended type: keyword ignore_above: 1024 description: SSDEEP hash. default_field: false - - name: session_leader.parent.session_leader.hash.tlsh + - name: hash.tlsh level: extended type: keyword ignore_above: 1024 description: TLSH hash. default_field: false - - name: session_leader.parent.session_leader.interactive + - name: interactive level: extended type: boolean description: 'Whether the process is connected to an interactive shell. @@ -25248,7 +6395,7 @@ connected to the controlling TTY.' example: true default_field: false - - name: session_leader.parent.session_leader.io + - name: io level: extended type: object description: 'A chunk of input or output (IO) from a single process. 
@@ -25256,30 +6403,30 @@ This field only appears on the top level process object, which is the process that wrote the output or read the input.' default_field: false - - name: session_leader.parent.session_leader.io.bytes_skipped + - name: io.bytes_skipped level: extended type: object description: An array of byte offsets and lengths denoting where IO data has been skipped. default_field: false - - name: session_leader.parent.session_leader.io.bytes_skipped.length + - name: io.bytes_skipped.length level: extended type: long description: The length of bytes skipped. default_field: false - - name: session_leader.parent.session_leader.io.bytes_skipped.offset + - name: io.bytes_skipped.offset level: extended type: long description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. default_field: false - - name: session_leader.parent.session_leader.io.max_bytes_per_process_exceeded + - name: io.max_bytes_per_process_exceeded level: extended type: boolean description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. default_field: false - - name: session_leader.parent.session_leader.io.text + - name: io.text level: extended type: wildcard description: 'A chunk of output or input sanitized to UTF-8. 
@@ -25290,19 +6437,19 @@ so some string queries may not match due to terminal codes inserted between characters of a word.' default_field: false - - name: session_leader.parent.session_leader.io.total_bytes_captured + - name: io.total_bytes_captured level: extended type: long description: The total number of bytes captured in this event. default_field: false - - name: session_leader.parent.session_leader.io.total_bytes_skipped + - name: io.total_bytes_skipped level: extended type: long description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero default_field: false - - name: session_leader.parent.session_leader.io.type + - name: io.type level: extended type: keyword ignore_above: 1024 @@ -25312,7 +6459,7 @@ Currently only ''tty'' is supported. Other types may be added in the future for ''file'' and ''socket'' support.' default_field: false - - name: session_leader.parent.session_leader.macho.go_import_hash + - name: macho.go_import_hash level: extended type: keyword ignore_above: 1024 
@@ -25325,30 +6472,30 @@ are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: session_leader.parent.session_leader.macho.go_imports + - name: macho.go_imports level: extended type: flattened description: List of imported Go language element names and types. default_field: false - - name: session_leader.parent.session_leader.macho.go_imports_names_entropy + - name: macho.go_imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: session_leader.parent.session_leader.macho.go_imports_names_var_entropy + - name: macho.go_imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: session_leader.parent.session_leader.macho.go_stripped + - name: macho.go_stripped level: extended type: boolean description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: session_leader.parent.session_leader.macho.import_hash + - name: macho.import_hash level: extended type: keyword ignore_above: 1024 
@@ -25359,26 +6506,26 @@ This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: session_leader.parent.session_leader.macho.imports + - name: macho.imports level: extended type: flattened description: List of imported element names and types. default_field: false - - name: session_leader.parent.session_leader.macho.imports_names_entropy + - name: macho.imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of imported element names and types. default_field: false - - name: session_leader.parent.session_leader.macho.imports_names_var_entropy + - name: macho.imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of imported element names and types. default_field: false - - name: session_leader.parent.session_leader.macho.sections + - name: macho.sections level: extended type: nested description: 'An array containing an object for each section of the Mach-O file. 
@@ -25386,37 +6533,37 @@ The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' default_field: false - - name: session_leader.parent.session_leader.macho.sections.entropy + - name: macho.sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. default_field: false - - name: session_leader.parent.session_leader.macho.sections.name + - name: macho.sections.name level: extended type: keyword ignore_above: 1024 description: Mach-O Section List name. default_field: false - - name: session_leader.parent.session_leader.macho.sections.physical_size + - name: macho.sections.physical_size level: extended type: long format: bytes description: Mach-O Section List physical size. default_field: false - - name: session_leader.parent.session_leader.macho.sections.var_entropy + - name: macho.sections.var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the section. default_field: false - - name: session_leader.parent.session_leader.macho.sections.virtual_size + - name: macho.sections.virtual_size level: extended type: long format: string description: Mach-O Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: session_leader.parent.session_leader.macho.symhash + - name: macho.symhash level: extended type: keyword ignore_above: 1024 
@@ -25427,66 +6574,180 @@ This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec default_field: false - - name: session_leader.parent.session_leader.name + - name: name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text + default_field: false description: 'Process name. Sometimes called program name or similar.' example: ssh + - name: parent.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: parent.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 default_field: false - - name: session_leader.parent.session_leader.origin_referrer_url + - name: parent.code_signature.digest_algorithm level: extended type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: parent.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. 
+ example: 'true' default_field: false - - name: session_leader.parent.session_leader.origin_url + - name: parent.code_signature.flags level: extended type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 default_field: false - - name: session_leader.parent.session_leader.pe.architecture + - name: parent.code_signature.signing_id level: extended type: keyword ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy default_field: false - - name: session_leader.parent.session_leader.pe.company + - name: parent.code_signature.status level: extended type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer example: Microsoft Corporation default_field: false - - name: session_leader.parent.session_leader.pe.description + - name: parent.code_signature.team_id level: extended type: keyword ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. 
The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: parent.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ default_field: false - - name: session_leader.parent.session_leader.pe.file_version + - name: parent.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: parent.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: parent.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: parent.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: parent.elf.architecture level: extended type: keyword ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + description: Machine architecture of the ELF file. 
+ example: x86-64 default_field: false - - name: session_leader.parent.session_leader.pe.go_import_hash + - name: parent.elf.byte_order level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: parent.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: parent.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: parent.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: parent.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
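Review bot: The removal of the `session_leader.parent.session_leader.origin_referrer_url`, `origin_url` and `pe.*` entries alongside the added `parent.args`, `parent.code_signature.*` and `parent.elf.*` entries, with the old offset at 25427 and the new at 6574, looks like a regeneration of a Beats-style `fields.ecs.yml` artifact from a different schema base rather than a change scoped to the new gen_ai fields; the subject of the commit that carries this hunk is outside this chunk, so this is inferred. If this file is generated, the dropped `origin_*_url` fields and the whole `session_leader.parent.session_leader.*` family should be confirmed as intentional, and a pure regeneration is easier to review as its own commit. Among the added lines, `parent.code_signature.exists` carries `example: 'true'` while `parent.interactive` in the following hunk carries `example: true`; if consumers care about the scalar type, that fix belongs in the schema source the artifact is generated from, not here. The hunk after this one runs past the end of the chunk and is not reviewed.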
@@ -25495,638 +6756,686 @@ are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: session_leader.parent.session_leader.pe.go_imports + - name: parent.elf.go_imports level: extended type: flattened description: List of imported Go language element names and types. default_field: false - - name: session_leader.parent.session_leader.pe.go_imports_names_entropy + - name: parent.elf.go_imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: session_leader.parent.session_leader.pe.go_imports_names_var_entropy + - name: parent.elf.go_imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: session_leader.parent.session_leader.pe.go_stripped + - name: parent.elf.go_stripped level: extended type: boolean description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: session_leader.parent.session_leader.pe.imphash + - name: parent.elf.header.abi_version level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf + description: Version of the ELF Application Binary Interface (ABI). 
default_field: false - - name: session_leader.parent.session_leader.pe.import_hash + - name: parent.elf.header.class level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used + description: Header class of the ELF file. + default_field: false + - name: parent.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: parent.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: parent.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: parent.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: parent.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: parent.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: parent.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - This is a synonym for imphash.' + This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: session_leader.parent.session_leader.pe.imports + - name: parent.elf.imports level: extended type: flattened description: List of imported element names and types. 
default_field: false - - name: session_leader.parent.session_leader.pe.imports_names_entropy + - name: parent.elf.imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of imported element names and types. default_field: false - - name: session_leader.parent.session_leader.pe.imports_names_var_entropy + - name: parent.elf.imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of imported element names and types. default_field: false - - name: session_leader.parent.session_leader.pe.original_file_name + - name: parent.elf.sections level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: parent.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: parent.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. default_field: false - - name: session_leader.parent.session_leader.pe.pehash + - name: parent.elf.sections.flags level: extended type: keyword ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 + description: ELF Section List flags. 
default_field: false - - name: session_leader.parent.session_leader.pe.product + - name: parent.elf.sections.name level: extended type: keyword ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System + description: ELF Section List name. default_field: false - - name: session_leader.parent.session_leader.pe.sections + - name: parent.elf.sections.physical_offset level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' + type: keyword + ignore_above: 1024 + description: ELF Section List offset. default_field: false - - name: session_leader.parent.session_leader.pe.sections.entropy + - name: parent.elf.sections.physical_size level: extended type: long - format: number - description: Shannon entropy calculation from the section. + format: bytes + description: ELF Section List physical size. default_field: false - - name: session_leader.parent.session_leader.pe.sections.name + - name: parent.elf.sections.type level: extended type: keyword ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: session_leader.parent.session_leader.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. + description: ELF Section List type. default_field: false - - name: session_leader.parent.session_leader.pe.sections.var_entropy + - name: parent.elf.sections.var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the section. default_field: false - - name: session_leader.parent.session_leader.pe.sections.virtual_size + - name: parent.elf.sections.virtual_address level: extended type: long format: string - description: PE Section List virtual size. This is always the same as `physical_size`. 
+ description: ELF Section List virtual address. default_field: false - - name: session_leader.parent.session_leader.pid - level: core + - name: parent.elf.sections.virtual_size + level: extended type: long format: string - description: Process id. - example: 4242 + description: ELF Section List virtual size. default_field: false - - name: session_leader.parent.session_leader.platform_binary + - name: parent.elf.segments level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' default_field: false - - name: session_leader.parent.session_leader.real_group.domain + - name: parent.elf.segments.sections level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' + description: ELF object segment sections. default_field: false - - name: session_leader.parent.session_leader.real_group.id + - name: parent.elf.segments.type level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: ELF object segment type. default_field: false - - name: session_leader.parent.session_leader.real_group.name + - name: parent.elf.shared_libraries level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: List of shared libraries used by this ELF object. default_field: false - - name: session_leader.parent.session_leader.real_user.domain + - name: parent.elf.telfhash level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
+ description: telfhash symbol hash for ELF file. + default_field: false + - name: parent.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' default_field: false - - name: session_leader.parent.session_leader.real_user.email + - name: parent.entity_id level: extended type: keyword ignore_above: 1024 - description: User email address. + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d default_field: false - - name: session_leader.parent.session_leader.real_user.full_name + - name: parent.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: User's full name, if available. - example: Albert Einstein + description: Absolute path to the process executable. + example: /usr/bin/ssh default_field: false - - name: session_leader.parent.session_leader.real_user.group.domain + - name: parent.exit_code level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. + type: long + description: 'The exit code of the process, if this is a termination event. - For example, an LDAP or Active Directory domain name.' + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 default_field: false - - name: session_leader.parent.session_leader.real_user.group.id + - name: parent.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. 
default_field: false - - name: session_leader.parent.session_leader.real_user.group.name + - name: parent.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: session_leader.parent.session_leader.real_user.hash + - name: parent.group_leader.entity_id level: extended type: keyword ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. + description: 'Unique identifier for the process. - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.parent.session_leader.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d default_field: false - - name: session_leader.parent.session_leader.real_user.name + - name: parent.group_leader.pid level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.parent.session_leader.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - default_field: false - - name: session_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: session_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: session_leader.parent.session_leader.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High + type: long + format: string + description: Process id. + example: 4242 default_field: false - - name: session_leader.parent.session_leader.real_user.risk.static_score + - name: parent.group_leader.start level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' default_field: false - - name: session_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 + - name: parent.group_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. 
This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 default_field: false - - name: session_leader.parent.session_leader.real_user.roles + - name: parent.hash.cdhash level: extended type: keyword ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.parent.session_leader.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 default_field: false - - name: session_leader.parent.session_leader.saved_group.domain + - name: parent.hash.md5 level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' + description: MD5 hash. default_field: false - - name: session_leader.parent.session_leader.saved_group.id + - name: parent.hash.sha1 level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: SHA1 hash. default_field: false - - name: session_leader.parent.session_leader.saved_group.name + - name: parent.hash.sha256 level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: SHA256 hash. default_field: false - - name: session_leader.parent.session_leader.saved_user.domain + - name: parent.hash.sha384 level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' + description: SHA384 hash. default_field: false - - name: session_leader.parent.session_leader.saved_user.email + - name: parent.hash.sha512 level: extended type: keyword ignore_above: 1024 - description: User email address. + description: SHA512 hash. default_field: false - - name: session_leader.parent.session_leader.saved_user.full_name + - name: parent.hash.ssdeep level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein + description: SSDEEP hash. default_field: false - - name: session_leader.parent.session_leader.saved_user.group.domain + - name: parent.hash.tlsh level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. + description: TLSH hash. 
+ default_field: false + - name: parent.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. - For example, an LDAP or Active Directory domain name.' + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true default_field: false - - name: session_leader.parent.session_leader.saved_user.group.id + - name: parent.macho.go_import_hash level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: session_leader.parent.session_leader.saved_user.group.name + - name: parent.macho.go_imports level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. + type: flattened + description: List of imported Go language element names and types. 
default_field: false - - name: session_leader.parent.session_leader.saved_user.hash + - name: parent.macho.go_imports_names_entropy level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: session_leader.parent.session_leader.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + - name: parent.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: session_leader.parent.session_leader.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + - name: parent.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: session_leader.parent.session_leader.saved_user.risk.calculated_level + - name: parent.macho.import_hash level: extended type: keyword ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: session_leader.parent.session_leader.saved_user.risk.calculated_score + - name: parent.macho.imports level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 + type: flattened + description: List of imported element names and types. default_field: false - - name: session_leader.parent.session_leader.saved_user.risk.calculated_score_norm + - name: parent.macho.imports_names_entropy level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. default_field: false - - name: session_leader.parent.session_leader.saved_user.risk.static_level + - name: parent.macho.imports_names_var_entropy level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. default_field: false - - name: session_leader.parent.session_leader.saved_user.risk.static_score + - name: parent.macho.sections level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' 
default_field: false - - name: session_leader.parent.session_leader.saved_user.risk.static_score_norm + - name: parent.macho.sections.entropy level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 + type: long + format: number + description: Shannon entropy calculation from the section. default_field: false - - name: session_leader.parent.session_leader.saved_user.roles + - name: parent.macho.sections.name level: extended type: keyword ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' + description: Mach-O Section List name. default_field: false - - name: session_leader.parent.session_leader.start + - name: parent.macho.sections.physical_size level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: parent.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: session_leader.parent.session_leader.supplemental_groups.domain + - name: parent.macho.symhash level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
- For example, an LDAP or Active Directory domain name.' + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec default_field: false - - name: session_leader.parent.session_leader.supplemental_groups.id + - name: parent.name level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh default_field: false - - name: session_leader.parent.session_leader.supplemental_groups.name + - name: parent.pe.architecture level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: CPU architecture target for the file. + example: x64 default_field: false - - name: session_leader.parent.session_leader.thread.capabilities.effective + - name: parent.pe.company level: extended type: keyword ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation default_field: false - - name: session_leader.parent.session_leader.thread.capabilities.permitted + - name: parent.pe.description level: extended type: keyword ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: session_leader.parent.session_leader.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 + description: Internal description of the file, provided at compile-time. 
+ example: Paint default_field: false - - name: session_leader.parent.session_leader.thread.name + - name: parent.pe.file_version level: extended type: keyword ignore_above: 1024 - description: Thread name. - example: thread-0 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: session_leader.parent.session_leader.title + - name: parent.pe.go_import_hash level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: session_leader.parent.session_leader.tty + - name: parent.pe.go_imports level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. + type: flattened + description: List of imported Go language element names and types. default_field: false - - name: session_leader.parent.session_leader.tty.char_device.major + - name: parent.pe.go_imports_names_entropy level: extended type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". 
- For more details, please refer to the Linux kernel documentation. - example: 4 + format: number + description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: session_leader.parent.session_leader.tty.char_device.minor + - name: parent.pe.go_imports_names_var_entropy level: extended type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: parent.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: session_leader.parent.session_leader.tty.columns + - name: parent.pe.import_hash level: extended - type: long - description: 'The number of character columns per line. e.g terminal width + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
- Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: parent.pe.imports + level: extended + type: flattened + description: List of imported element names and types. default_field: false - - name: session_leader.parent.session_leader.tty.rows + - name: parent.pe.imports_names_entropy level: extended type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 + format: number + description: Shannon entropy calculation from the list of imported element names + and types. default_field: false - - name: session_leader.parent.session_leader.uptime + - name: parent.pe.imports_names_var_entropy level: extended type: long - description: Seconds the process has been up. - example: 1325 + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. default_field: false - - name: session_leader.parent.session_leader.user.domain + - name: parent.pe.original_file_name level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE default_field: false - - name: session_leader.parent.session_leader.user.email + - name: parent.pe.pehash level: extended type: keyword ignore_above: 1024 - description: User email address. + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. 
+ + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 default_field: false - - name: session_leader.parent.session_leader.user.full_name + - name: parent.pe.product level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System default_field: false - - name: session_leader.parent.session_leader.user.group.domain + - name: parent.pe.sections level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. + type: nested + description: 'An array containing an object for each section of the PE file. - For example, an LDAP or Active Directory domain name.' + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: parent.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. default_field: false - - name: session_leader.parent.session_leader.user.group.id + - name: parent.pe.sections.name level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: PE Section List name. + default_field: false + - name: parent.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: parent.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. 
+ default_field: false + - name: parent.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: parent.pid + level: core + type: long + format: string + description: Process id. + example: 4242 default_field: false - - name: session_leader.parent.session_leader.user.group.name + - name: parent.real_group.id level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: Unique identifier for the group on the system/platform. default_field: false - - name: session_leader.parent.session_leader.user.hash + - name: parent.real_group.name level: extended type: keyword ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' + description: Name of the group. default_field: false - - name: session_leader.parent.session_leader.user.id + - name: parent.real_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: session_leader.parent.session_leader.user.name + - name: parent.real_user.name level: core type: keyword ignore_above: 1024 
@@ -26136,107 +7445,54 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: session_leader.parent.session_leader.user.risk.calculated_level + - name: parent.saved_group.id level: extended type: keyword ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.parent.session_leader.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: session_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 + description: Unique identifier for the group on the system/platform. default_field: false - - name: session_leader.parent.session_leader.user.risk.static_level + - name: parent.saved_group.name level: extended type: keyword ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.parent.session_leader.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.parent.session_leader.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 + description: Name of the group. default_field: false - - name: session_leader.parent.session_leader.user.roles - level: extended + - name: parent.saved_user.id + level: core type: keyword ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: session_leader.parent.session_leader.vpid + - name: parent.saved_user.name level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: session_leader.parent.session_leader.working_directory - level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: The working directory of the process. - example: /home/alice + description: Short name or login of the user. + example: a.einstein default_field: false - - name: session_leader.parent.start + - name: parent.start level: extended type: date description: The time the process started. example: '2016-05-23T08:05:34.853Z' default_field: false - - name: session_leader.parent.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.supplemental_groups.id + - name: parent.supplemental_groups.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. 
default_field: false - - name: session_leader.parent.supplemental_groups.name + - name: parent.supplemental_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: session_leader.parent.thread.capabilities.effective + - name: parent.thread.capabilities.effective level: extended type: keyword ignore_above: 1024 @@ -26245,7 +7501,7 @@ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' pattern: ^(CAP_[A-Z_]+|\d+)$ default_field: false - - name: session_leader.parent.thread.capabilities.permitted + - name: parent.thread.capabilities.permitted level: extended type: keyword ignore_above: 1024 @@ -26254,21 +7510,21 @@ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' pattern: ^(CAP_[A-Z_]+|\d+)$ default_field: false - - name: session_leader.parent.thread.id + - name: parent.thread.id level: extended type: long format: string description: Thread ID. example: 4242 default_field: false - - name: session_leader.parent.thread.name + - name: parent.thread.name level: extended type: keyword ignore_above: 1024 description: Thread name. example: thread-0 default_field: false - - name: session_leader.parent.title + - name: parent.title level: extended type: keyword ignore_above: 1024 
@@ -26280,116 +7536,44 @@ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' default_field: false - - name: session_leader.parent.tty + - name: parent.tty level: extended type: object description: Information about the controlling TTY device. If set, the process belongs to an interactive session. default_field: false - - name: session_leader.parent.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: session_leader.parent.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: session_leader.parent.tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: session_leader.parent.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. 
where event.action = ''text_output''' - example: 24 - default_field: false - - name: session_leader.parent.uptime + - name: parent.tty.char_device.major level: extended type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: session_leader.parent.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.parent.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: session_leader.parent.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 default_field: false - - name: session_leader.parent.user.group.name + - name: parent.tty.char_device.minor level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
+ type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 default_field: false - - name: session_leader.parent.user.hash + - name: parent.uptime level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' + type: long + description: Seconds the process has been up. + example: 1325 default_field: false - - name: session_leader.parent.user.id + - name: parent.user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: session_leader.parent.user.name + - name: parent.user.name level: core type: keyword ignore_above: 1024 
@@ -26399,60 +7583,7 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: session_leader.parent.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.parent.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: session_leader.parent.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: session_leader.parent.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.parent.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.parent.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.parent.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.parent.vpid + - name: parent.vpid level: core type: long format: string @@ -26463,7 +7594,7 @@ the process exists within.' example: 4242 default_field: false - - name: session_leader.parent.working_directory + - name: parent.working_directory level: extended type: keyword ignore_above: 1024 @@ -26473,35 +7604,35 @@ description: The working directory of the process. example: /home/alice default_field: false - - name: session_leader.pe.architecture + - name: pe.architecture level: extended type: keyword ignore_above: 1024 description: CPU architecture target for the file. example: x64 default_field: false - - name: session_leader.pe.company + - name: pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: session_leader.pe.description + - name: pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - - name: session_leader.pe.file_version + - name: pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - - name: session_leader.pe.go_import_hash + - name: pe.go_import_hash level: extended type: keyword ignore_above: 1024 
@@ -26514,30 +7645,30 @@ are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: session_leader.pe.go_imports + - name: pe.go_imports level: extended type: flattened description: List of imported Go language element names and types. default_field: false - - name: session_leader.pe.go_imports_names_entropy + - name: pe.go_imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: session_leader.pe.go_imports_names_var_entropy + - name: pe.go_imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: session_leader.pe.go_stripped + - name: pe.go_stripped level: extended type: boolean description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: session_leader.pe.imphash + - name: pe.imphash level: extended type: keyword ignore_above: 1024 @@ -26548,7 +7679,7 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: session_leader.pe.import_hash + - name: pe.import_hash level: extended type: keyword ignore_above: 1024 
@@ -26559,33 +7690,33 @@ This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: session_leader.pe.imports + - name: pe.imports level: extended type: flattened description: List of imported element names and types. default_field: false - - name: session_leader.pe.imports_names_entropy + - name: pe.imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of imported element names and types. default_field: false - - name: session_leader.pe.imports_names_var_entropy + - name: pe.imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of imported element names and types. default_field: false - - name: session_leader.pe.original_file_name + - name: pe.original_file_name level: extended type: keyword ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - - name: session_leader.pe.pehash + - name: pe.pehash level: extended type: keyword ignore_above: 1024 @@ -26596,14 +7727,14 @@ Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 default_field: false - - name: session_leader.pe.product + - name: pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System default_field: false - - name: session_leader.pe.sections + - name: pe.sections level: extended type: nested description: 'An array containing an object for each section of the PE file. 
@@ -26611,430 +7742,411 @@ The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' default_field: false - - name: session_leader.pe.sections.entropy + - name: pe.sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. default_field: false - - name: session_leader.pe.sections.name + - name: pe.sections.name level: extended type: keyword ignore_above: 1024 description: PE Section List name. default_field: false - - name: session_leader.pe.sections.physical_size + - name: pe.sections.physical_size level: extended type: long format: bytes description: PE Section List physical size. default_field: false - - name: session_leader.pe.sections.var_entropy + - name: pe.sections.var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the section. default_field: false - - name: session_leader.pe.sections.virtual_size + - name: pe.sections.virtual_size level: extended type: long format: string description: PE Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: session_leader.pid + - name: pid level: core type: long format: string description: Process id. example: 4242 - default_field: false - - name: session_leader.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: session_leader.real_group.domain + - name: previous.args level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. + description: 'Array of process arguments, starting with the absolute path to + the executable. - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: session_leader.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - - name: session_leader.real_user.domain + - name: previous.args_count level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. + type: long + description: 'Length of the process.args array. - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 default_field: false - - name: session_leader.real_user.full_name + - name: previous.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: session_leader.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' + description: Absolute path to the process executable. + example: /usr/bin/ssh default_field: false - - name: session_leader.real_user.group.id + - name: real_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. 
default_field: false - - name: session_leader.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: session_leader.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - default_field: false - - name: session_leader.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: session_leader.saved_group.domain + - name: real_group.name level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' + description: Name of the group. default_field: false - - name: session_leader.saved_group.id + - name: real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: saved_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - - name: session_leader.saved_group.name + - name: saved_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: session_leader.saved_user.domain - level: extended + - name: saved_user.id + level: core type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: session_leader.saved_user.email - level: extended + - name: saved_user.name + level: core type: keyword ignore_above: 1024 - description: User email address. + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: session_leader.saved_user.full_name + - name: session_leader.args level: extended type: keyword ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: session_leader.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: session_leader.command_line + level: extended + type: wildcard multi_fields: - name: text type: match_only_text - description: User's full name, if available. - example: Albert Einstein + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - - name: session_leader.saved_user.group.domain + - name: session_leader.entity_id level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. + description: 'Unique identifier for the process. - For example, an LDAP or Active Directory domain name.' 
+ The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d default_field: false - - name: session_leader.saved_user.group.id + - name: session_leader.executable level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh default_field: false - - name: session_leader.saved_user.group.name + - name: session_leader.group.id level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: Unique identifier for the group on the system/platform. default_field: false - - name: session_leader.saved_user.hash + - name: session_leader.group.name level: extended type: keyword ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' + description: Name of the group. default_field: false - - name: session_leader.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + - name: session_leader.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true default_field: false - - name: session_leader.saved_user.name - level: core + - name: session_leader.name + level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh default_field: false - - name: session_leader.saved_user.risk.calculated_level + - name: session_leader.parent.entity_id level: extended type: keyword ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d default_field: false - - name: session_leader.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 + - name: session_leader.parent.pid + level: core + type: long + format: string + description: Process id. + example: 4242 default_field: false - - name: session_leader.saved_user.risk.static_level + - name: session_leader.parent.session_leader.entity_id level: extended type: keyword ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: session_leader.parent.session_leader.pid + level: core + type: long + format: string + description: Process id. + example: 4242 default_field: false - - name: session_leader.saved_user.risk.static_score + - name: session_leader.parent.session_leader.start level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: session_leader.parent.session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. 
+ + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 default_field: false - - name: session_leader.saved_user.risk.static_score_norm + - name: session_leader.parent.start level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: session_leader.parent.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: session_leader.pid + level: core + type: long + format: string + description: Process id. + example: 4242 default_field: false - - name: session_leader.saved_user.roles + - name: session_leader.real_group.id level: extended type: keyword ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' + description: Unique identifier for the group on the system/platform. default_field: false - - name: session_leader.start + - name: session_leader.real_group.name level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: session_leader.supplemental_groups.domain + - name: session_leader.same_as_process level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. - For example, an LDAP or Active Directory domain name.' + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true default_field: false - - name: session_leader.supplemental_groups.id + - name: session_leader.saved_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. 
default_field: false - - name: session_leader.supplemental_groups.name + - name: session_leader.saved_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: session_leader.thread.capabilities.effective - level: extended + - name: session_leader.saved_user.id + level: core type: keyword ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: session_leader.thread.capabilities.permitted - level: extended + - name: session_leader.saved_user.name + level: core type: keyword ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: session_leader.thread.id + - name: session_leader.start level: extended - type: long - format: string - description: Thread ID. - example: 4242 + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' default_field: false - - name: session_leader.thread.name + - name: session_leader.supplemental_groups.id level: extended type: keyword ignore_above: 1024 - description: Thread name. - example: thread-0 + description: Unique identifier for the group on the system/platform. default_field: false - - name: session_leader.title + - name: session_leader.supplemental_groups.name level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. 
Can also be different: - for example a browser setting its title to the web page currently opened.' + description: Name of the group. default_field: false - name: session_leader.tty level: extended 
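Review bot: The new side of this hunk reads as regenerated output (old line 26611 maps to new line 7742, a shrink of roughly 19k lines), yet nothing in the hunk or the visible commit record names the subset definition or generator input that produced it, so a reviewer cannot check the retained field set against intent; the same gap applies to the deletion-only hunks at L3189–L3198. Please have the commit message, or a header comment in the generator input, reference the subset file (`<subset-definition path — placeholder>`) and the schema version it was generated from, since fields that detection content commonly keys on, such as `session_leader.thread.capabilities.effective`/`.permitted` with its `pattern: ^(CAP_[A-Z_]+|\d+)$` validation, `session_leader.platform_binary` and every `*.user.risk.*` group, no longer appear on the new side and should be verified as deliberate rather than a subset-file omission. Separately, the new-side `session_leader.interactive` description reads `inferred from the processes file descriptors` (should be `process's`); if this file is generated, that fix belongs in the schema source, not here. This hunk starts at L3176 and its final entry, `session_leader.tty`, continues past the hunk end.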
@@ -27060,84 +8172,6 @@
 number provides a way for the driver to differentiate among them.
 example: 1
 default_field: false
- - name: session_leader.tty.columns
- level: extended
- type: long
- description: 'The number of character columns per line. e.g terminal width
-
- Terminal sizes can change, so this value reflects the maximum value for a
- given IO event. i.e. where event.action = ''text_output'''
- example: 80
- default_field: false
- - name: session_leader.tty.rows
- level: extended
- type: long
- description: 'The number of character rows in the terminal. e.g terminal height
-
- Terminal sizes can change, so this value reflects the maximum value for a
- given IO event. i.e. where event.action = ''text_output'''
- example: 24
- default_field: false
- - name: session_leader.uptime
- level: extended
- type: long
- description: Seconds the process has been up.
- example: 1325
- default_field: false
- - name: session_leader.user.domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the directory the user is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- default_field: false
- - name: session_leader.user.email
- level: extended
- type: keyword
- ignore_above: 1024
- description: User email address.
- default_field: false
- - name: session_leader.user.full_name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: match_only_text
- description: User's full name, if available.
- example: Albert Einstein
- default_field: false
- - name: session_leader.user.group.domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- default_field: false
- - name: session_leader.user.group.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Unique identifier for the group on the system/platform.
- default_field: false
- - name: session_leader.user.group.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the group.
- default_field: false
- - name: session_leader.user.hash
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Unique user hash to correlate information for a user in anonymized
- form.
-
- Useful if `user.id` or `user.name` contain confidential information and cannot
- be used.'
- default_field: false
 - name: session_leader.user.id
 level: core
 type: keyword
@@ -27155,59 +8189,6 @@
 description: Short name or login of the user.
 example: a.einstein
 default_field: false
- - name: session_leader.user.risk.calculated_level
- level: extended
- type: keyword
- ignore_above: 1024
- description: A risk classification level calculated by an internal system as
- part of entity analytics and entity risk scoring.
- example: High
- default_field: false
- - name: session_leader.user.risk.calculated_score
- level: extended
- type: float
- description: A risk classification score calculated by an internal system as
- part of entity analytics and entity risk scoring.
- example: 880.73
- default_field: false
- - name: session_leader.user.risk.calculated_score_norm
- level: extended
- type: float
- description: A risk classification score calculated by an internal system as
- part of entity analytics and entity risk scoring, and normalized to a range
- of 0 to 100.
- example: 88.73
- default_field: false
- - name: session_leader.user.risk.static_level
- level: extended
- type: keyword
- ignore_above: 1024
- description: A risk classification level obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: High
- default_field: false
- - name: session_leader.user.risk.static_score
- level: extended
- type: float
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: 830.0
- default_field: false
- - name: session_leader.user.risk.static_score_norm
- level: extended
- type: float
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform, and normalized to a range
- of 0 to 100.
- example: 83.0
- default_field: false
- - name: session_leader.user.roles
- level: extended
- type: keyword
- ignore_above: 1024
- description: Array of user roles at the time of the event.
- example: '["kibana_admin", "reporting_user"]'
- default_field: false
 - name: session_leader.vpid
 level: core
 type: long
@@ -27234,14 +8215,6 @@
 type: date
 description: The time the process started.
 example: '2016-05-23T08:05:34.853Z'
- - name: supplemental_groups.domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- default_field: false
 - name: supplemental_groups.id
 level: extended
 type: keyword
@@ -27333,70 +8306,16 @@ level: extended type: long description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - - name: user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. 
where event.action = ''text_output''' + example: 24 default_field: false + - name: uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 - name: user.id level: core type: keyword 
@@ -27414,59 +8333,6 @@
 description: Short name or login of the user.
 example: a.einstein
 default_field: false
- - name: user.risk.calculated_level
- level: extended
- type: keyword
- ignore_above: 1024
- description: A risk classification level calculated by an internal system as
- part of entity analytics and entity risk scoring.
- example: High
- default_field: false
- - name: user.risk.calculated_score
- level: extended
- type: float
- description: A risk classification score calculated by an internal system as
- part of entity analytics and entity risk scoring.
- example: 880.73
- default_field: false
- - name: user.risk.calculated_score_norm
- level: extended
- type: float
- description: A risk classification score calculated by an internal system as
- part of entity analytics and entity risk scoring, and normalized to a range
- of 0 to 100.
- example: 88.73
- default_field: false
- - name: user.risk.static_level
- level: extended
- type: keyword
- ignore_above: 1024
- description: A risk classification level obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: High
- default_field: false
- - name: user.risk.static_score
- level: extended
- type: float
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: 830.0
- default_field: false
- - name: user.risk.static_score_norm
- level: extended
- type: float
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform, and normalized to a range
- of 0 to 100.
- example: 83.0
- default_field: false
- - name: user.roles
- level: extended
- type: keyword
- ignore_above: 1024
- description: Array of user roles at the time of the event.
- example: '["kibana_admin", "reporting_user"]'
- default_field: false
 - name: vpid
 level: core
 type: long
@@ -27974,52 +8840,6 @@
 default_field: false
 description: Short name or login of the user.
 example: a.einstein
- - name: user.risk.calculated_level
- level: extended
- type: keyword
- ignore_above: 1024
- description: A risk classification level calculated by an internal system as
- part of entity analytics and entity risk scoring.
- example: High
- default_field: false
- - name: user.risk.calculated_score
- level: extended
- type: float
- description: A risk classification score calculated by an internal system as
- part of entity analytics and entity risk scoring.
- example: 880.73
- default_field: false
- - name: user.risk.calculated_score_norm
- level: extended
- type: float
- description: A risk classification score calculated by an internal system as
- part of entity analytics and entity risk scoring, and normalized to a range
- of 0 to 100.
- example: 88.73
- default_field: false
- - name: user.risk.static_level
- level: extended
- type: keyword
- ignore_above: 1024
- description: A risk classification level obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: High
- default_field: false
- - name: user.risk.static_score
- level: extended
- type: float
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: 830.0
- default_field: false
- - name: user.risk.static_score_norm
- level: extended
- type: float
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform, and normalized to a range
- of 0 to 100.
- example: 83.0
- default_field: false
 - name: user.roles
 level: extended
 type: keyword
@@ -28868,52 +9688,6 @@ default_field: false description: Short name or login of the user. example: a.einstein - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: user.roles level: extended type: keyword 
@@ -33106,52 +13880,6 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: changes.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: changes.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: changes.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: changes.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: changes.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: changes.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: changes.roles level: extended type: keyword 
@@ -33237,52 +13965,6 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: effective.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: effective.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: effective.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: effective.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: effective.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: effective.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: effective.roles level: extended type: keyword 
@@ -33591,52 +14273,6 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: target.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: target.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: target.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: target.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: target.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: target.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: target.roles level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index ad2d151afd..3871df200a 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -1,4484 +1,1884 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -9.2.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -9.2.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -9.2.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. -9.2.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -9.2.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -9.2.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -9.2.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -9.2.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -9.2.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -9.2.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -9.2.0-dev,true,client,client.address,keyword,extended,,,Client network address. -9.2.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.2.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.2.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -9.2.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. -9.2.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. 
-9.2.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -9.2.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -9.2.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -9.2.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -9.2.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -9.2.0-dev,true,client,client.port,long,core,,,Port of the client. -9.2.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -9.2.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,client,client.user.email,keyword,extended,,,User email address. -9.2.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-9.2.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,client,client.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,client,client.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,client,client.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,client,client.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,client,client.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,client,client.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
-9.2.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -9.2.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -9.2.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -9.2.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -9.2.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -9.2.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -9.2.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. -9.2.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. -9.2.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -9.2.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -9.2.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. -9.2.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -9.2.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. -9.2.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. -9.2.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. -9.2.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." 
-9.2.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. -9.2.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -9.2.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -9.2.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -9.2.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -9.2.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -9.2.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. -9.2.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. -9.2.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -9.2.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -9.2.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. -9.2.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -9.2.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. -9.2.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. -9.2.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. -9.2.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." -9.2.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. -9.2.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." 
-9.2.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -9.2.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -9.2.0-dev,true,container,container.id,keyword,core,,,Unique container id. -9.2.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. -9.2.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -9.2.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -9.2.0-dev,true,container,container.labels,object,extended,,,Image labels. -9.2.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." -9.2.0-dev,true,container,container.name,keyword,extended,,,Container name. -9.2.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -9.2.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -9.2.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -9.2.0-dev,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. -9.2.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -9.2.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -9.2.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. 
-9.2.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -9.2.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.2.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.2.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -9.2.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. -9.2.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -9.2.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. 
-9.2.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -9.2.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -9.2.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -9.2.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -9.2.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -9.2.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -9.2.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. 
-9.2.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,destination,destination.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,destination,destination.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,destination,destination.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,destination,destination.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,destination,destination.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,destination,destination.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. -9.2.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. -9.2.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. -9.2.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. 
-9.2.0-dev,true,device,device.product.id,keyword,extended,,43981,ProductID of the device -9.2.0-dev,true,device,device.product.name,keyword,extended,,Extreme V2 SSD,Product name of the device -9.2.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device -9.2.0-dev,true,device,device.type,keyword,extended,,Storage Device,Device type classification -9.2.0-dev,true,device,device.vendor.id,keyword,extended,,4660,VendorID of the device -9.2.0-dev,true,device,device.vendor.name,keyword,extended,,SanDisk,Vendor name of the device -9.2.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.2.0-dev,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.2.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.2.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.2.0-dev,true,dll,dll.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.2.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.2.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
-9.2.0-dev,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -9.2.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -9.2.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. -9.2.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. -9.2.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -9.2.0-dev,true,dll,dll.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the dll file. -9.2.0-dev,true,dll,dll.origin_url,keyword,extended,,http://example.com/files/example.dll,The URL where the dll file is hosted. -9.2.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -9.2.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.2.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.2.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.2.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.2.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.2.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-9.2.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.2.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.2.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.2.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.2.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.2.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. -9.2.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. -9.2.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.2.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 
-9.2.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -9.2.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -9.2.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -9.2.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -9.2.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -9.2.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -9.2.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -9.2.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -9.2.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -9.2.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -9.2.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -9.2.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -9.2.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -9.2.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -9.2.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -9.2.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. 
-9.2.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -9.2.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -9.2.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. -9.2.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. -9.2.0-dev,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. -9.2.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. -9.2.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. -9.2.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. -9.2.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. -9.2.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. -9.2.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. -9.2.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient -9.2.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient -9.2.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. -9.2.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. 
-9.2.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. -9.2.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. -9.2.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. -9.2.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. -9.2.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. -9.2.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. -9.2.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. -9.2.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. -9.2.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. -9.2.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient -9.2.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. -9.2.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -9.2.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -9.2.0-dev,true,error,error.message,match_only_text,core,,,Error message. -9.2.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -9.2.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. -9.2.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -9.2.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. 
-9.2.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -9.2.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -9.2.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -9.2.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -9.2.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -9.2.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -9.2.0-dev,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. -9.2.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -9.2.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -9.2.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -9.2.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -9.2.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -9.2.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -9.2.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -9.2.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. 
-9.2.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -9.2.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -9.2.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -9.2.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -9.2.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -9.2.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -9.2.0-dev,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. -9.2.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. -9.2.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -9.2.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -9.2.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. -9.2.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. -9.2.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. -9.2.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. -9.2.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." -9.2.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. 
-9.2.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. -9.2.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -9.2.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -9.2.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.2.0-dev,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.2.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.2.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.2.0-dev,true,file,file.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.2.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.2.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.2.0-dev,true,file,file.created,date,extended,,,File creation time. -9.2.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. 
-9.2.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -9.2.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -9.2.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -9.2.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.2.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.2.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.2.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -9.2.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. -9.2.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.2.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.2.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.2.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.2.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.2.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
-9.2.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.2.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.2.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -9.2.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.2.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. -9.2.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.2.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.2.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -9.2.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.2.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.2.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -9.2.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.2.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 
-9.2.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. -9.2.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.2.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -9.2.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.2.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.2.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -9.2.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -9.2.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -9.2.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -9.2.0-dev,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -9.2.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -9.2.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. -9.2.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. -9.2.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -9.2.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.2.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-9.2.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.2.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.2.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.2.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.2.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.2.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -9.2.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
-9.2.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -9.2.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -9.2.0-dev,true,file,file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. -9.2.0-dev,true,file,file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. -9.2.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -9.2.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.2.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.2.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.2.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.2.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.2.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.2.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.2.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-9.2.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.2.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.2.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.2.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.2.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.2.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. -9.2.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. -9.2.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.2.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -9.2.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. 
-9.2.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. -9.2.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -9.2.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -9.2.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.2.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.2.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.2.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.2.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.2.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.2.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.2.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.2.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.2.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.2.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-9.2.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.2.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.2.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.2.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.2.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.2.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.2.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.2.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.2.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.2.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.2.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.2.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.2.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -9.2.0-dev,false,gen_ai,gen_ai.agent.description,keyword,extended,,Helps with math problems; Generates fiction stories,Free-form description of the GenAI agent provided by the application. 
-9.2.0-dev,true,gen_ai,gen_ai.agent.id,keyword,extended,,asst_5j66UpCpwteGg4YSxUnt7lPY,The unique identifier of the GenAI agent. -9.2.0-dev,true,gen_ai,gen_ai.agent.name,keyword,extended,,Math Tutor; Fiction Writer,Human-readable name of the GenAI agent provided by the application. -9.2.0-dev,true,gen_ai,gen_ai.operation.name,keyword,extended,,chat; text_completion; embeddings,The name of the operation being performed. -9.2.0-dev,true,gen_ai,gen_ai.output.type,keyword,extended,,text; json; image,Represents the content type requested by the client. -9.2.0-dev,true,gen_ai,gen_ai.request.choice.count,integer,extended,,3,The target number of candidate completions to return. -9.2.0-dev,true,gen_ai,gen_ai.request.encoding_formats,nested,extended,,"[""float"", ""binary""]","The encoding formats requested in an embeddings operation, if specified." -9.2.0-dev,true,gen_ai,gen_ai.request.frequency_penalty,double,extended,,0.1,The frequency penalty setting for the GenAI request. -9.2.0-dev,true,gen_ai,gen_ai.request.max_tokens,integer,extended,,100,The maximum number of tokens the model generates for a request. -9.2.0-dev,true,gen_ai,gen_ai.request.model,keyword,extended,,gpt-4,The name of the GenAI model a request is being made to. -9.2.0-dev,true,gen_ai,gen_ai.request.presence_penalty,double,extended,,0.1,The presence penalty setting for the GenAI request. -9.2.0-dev,true,gen_ai,gen_ai.request.seed,integer,extended,,100,Requests with same seed value more likely to return same result. -9.2.0-dev,true,gen_ai,gen_ai.request.stop_sequences,nested,extended,,"[""forest"", ""lived""]",List of sequences that the model will use to stop generating further tokens. -9.2.0-dev,true,gen_ai,gen_ai.request.temperature,double,extended,,0.0,The temperature setting for the GenAI request. -9.2.0-dev,true,gen_ai,gen_ai.request.top_k,double,extended,,1.0,The top_k sampling setting for the GenAI request. 
-9.2.0-dev,true,gen_ai,gen_ai.request.top_p,double,extended,,1.0,The top_p sampling setting for the GenAI request. -9.2.0-dev,true,gen_ai,gen_ai.response.finish_reasons,nested,extended,,"[""stop"", ""length""]","Array of reasons the model stopped generating tokens, corresponding to each generation received." -9.2.0-dev,true,gen_ai,gen_ai.response.id,keyword,extended,,chatcmpl-123,The unique identifier for the completion. -9.2.0-dev,true,gen_ai,gen_ai.response.model,keyword,extended,,gpt-4-0613,The name of the model that generated the response. -9.2.0-dev,true,gen_ai,gen_ai.system,keyword,extended,,openai,The Generative AI product as identified by the client or server instrumentation. -9.2.0-dev,true,gen_ai,gen_ai.token.type,keyword,extended,,input; output,The type of token being counted. -9.2.0-dev,true,gen_ai,gen_ai.tool.call.id,keyword,extended,,call_mszuSIzqtI65i1wAUOE8w5H4,The tool call identifier. -9.2.0-dev,true,gen_ai,gen_ai.tool.name,keyword,extended,,Flights,Name of the tool utilized by the agent. -9.2.0-dev,true,gen_ai,gen_ai.tool.type,keyword,extended,,function; extension; datastore,Type of the tool utilized by the agent -9.2.0-dev,true,gen_ai,gen_ai.usage.input_tokens,integer,extended,,100,The number of tokens used in the GenAI input (prompt). -9.2.0-dev,true,gen_ai,gen_ai.usage.output_tokens,integer,extended,,180,The number of tokens used in the GenAI response (completion). -9.2.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. 
-9.2.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id -9.2.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -9.2.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -9.2.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -9.2.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -9.2.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. -9.2.0-dev,true,host,host.id,keyword,core,,,Unique host id. -9.2.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -9.2.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -9.2.0-dev,true,host,host.name,keyword,core,,,Name of the host. 
-9.2.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -9.2.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -9.2.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -9.2.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -9.2.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -9.2.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.2.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.2.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -9.2.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -9.2.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -9.2.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -9.2.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -9.2.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -9.2.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode -9.2.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-9.2.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,host,host.type,keyword,core,,,Type of host. -9.2.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -9.2.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -9.2.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -9.2.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body. -9.2.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -9.2.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -9.2.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method. -9.2.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -9.2.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -9.2.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. 
-9.2.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -9.2.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body. -9.2.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -9.2.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -9.2.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -9.2.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -9.2.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -9.2.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -9.2.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -9.2.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. -9.2.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -9.2.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -9.2.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -9.2.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. -9.2.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -9.2.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -9.2.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. -9.2.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. -9.2.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. 
-9.2.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. -9.2.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -9.2.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -9.2.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages. -9.2.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. -9.2.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -9.2.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -9.2.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -9.2.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -9.2.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -9.2.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -9.2.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -9.2.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.2.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -9.2.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -9.2.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -9.2.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name. -9.2.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. 
-9.2.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -9.2.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.2.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -9.2.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -9.2.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -9.2.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -9.2.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -9.2.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.2.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -9.2.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -9.2.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
-9.2.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -9.2.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -9.2.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -9.2.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -9.2.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -9.2.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -9.2.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -9.2.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -9.2.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -9.2.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -9.2.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -9.2.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -9.2.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.2.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.2.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -9.2.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 
-9.2.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -9.2.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -9.2.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -9.2.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -9.2.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -9.2.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -9.2.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -9.2.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -9.2.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -9.2.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action -9.2.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. -9.2.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. -9.2.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. -9.2.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. -9.2.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. -9.2.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). -9.2.0-dev,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. 
-9.2.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. -9.2.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. -9.2.0-dev,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. -9.2.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. -9.2.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. -9.2.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. -9.2.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." -9.2.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -9.2.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. -9.2.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. -9.2.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -9.2.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -9.2.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -9.2.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -9.2.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." 
-9.2.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. -9.2.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -9.2.0-dev,true,package,package.name,keyword,extended,,go,Package name -9.2.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -9.2.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -9.2.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -9.2.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -9.2.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -9.2.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.2.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -9.2.0-dev,true,process,process.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.attested_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.attested_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.2.0-dev,true,process,process.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.attested_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
-9.2.0-dev,true,process,process.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.2.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.2.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.2.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.2.0-dev,true,process,process.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.2.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.2.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.2.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-9.2.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.2.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.2.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.2.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -9.2.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. -9.2.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.2.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.2.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.2.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.2.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.2.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.2.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.2.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. 
-9.2.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -9.2.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.2.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. -9.2.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.2.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.2.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -9.2.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.2.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.2.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -9.2.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.2.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.2.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. 
-9.2.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.2.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -9.2.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.2.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.2.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.2.0-dev,true,process,process.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. -9.2.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.2.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.2.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. -9.2.0-dev,true,process,process.entry_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.entry_leader.attested_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.entry_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-9.2.0-dev,true,process,process.entry_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.attested_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.entry_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.2.0-dev,true,process,process.entry_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.entry_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.entry_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,process,process.entry_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.2.0-dev,true,process,process.entry_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,process,process.entry_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.2.0-dev,true,process,process.entry_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.2.0-dev,true,process,process.entry_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,process,process.entry_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.2.0-dev,true,process,process.entry_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.2.0-dev,true,process,process.entry_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-9.2.0-dev,true,process,process.entry_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,process,process.entry_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.2.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.entry_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.2.0-dev,true,process,process.entry_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.2.0-dev,true,process,process.entry_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.2.0-dev,true,process,process.entry_leader.elf.creation_date,date,extended,,,Build or compile date. -9.2.0-dev,true,process,process.entry_leader.elf.exports,flattened,extended,array,,List of exported element names and types. -9.2.0-dev,true,process,process.entry_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.2.0-dev,true,process,process.entry_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.entry_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-9.2.0-dev,true,process,process.entry_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.2.0-dev,true,process,process.entry_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.2.0-dev,true,process,process.entry_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.2.0-dev,true,process,process.entry_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.2.0-dev,true,process,process.entry_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.2.0-dev,true,process,process.entry_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.2.0-dev,true,process,process.entry_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.2.0-dev,true,process,process.entry_leader.elf.header.version,keyword,extended,,,Version of the ELF header. -9.2.0-dev,true,process,process.entry_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.2.0-dev,true,process,process.entry_leader.elf.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.elf.sections,nested,extended,array,,Section information of the ELF file. -9.2.0-dev,true,process,process.entry_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.2.0-dev,true,process,process.entry_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
-9.2.0-dev,true,process,process.entry_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.2.0-dev,true,process,process.entry_leader.elf.sections.name,keyword,extended,,,ELF Section List name. -9.2.0-dev,true,process,process.entry_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.2.0-dev,true,process,process.entry_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.2.0-dev,true,process,process.entry_leader.elf.sections.type,keyword,extended,,,ELF Section List type. -9.2.0-dev,true,process,process.entry_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.2.0-dev,true,process,process.entry_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.2.0-dev,true,process,process.entry_leader.elf.segments,nested,extended,array,,ELF object segment list. -9.2.0-dev,true,process,process.entry_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.2.0-dev,true,process,process.entry_leader.elf.segments.type,keyword,extended,,,ELF object segment type. -9.2.0-dev,true,process,process.entry_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.2.0-dev,true,process,process.entry_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.2.0-dev,true,process,process.entry_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.2.0-dev,true,process,process.entry_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. -9.2.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
-9.2.0-dev,true,process,process.entry_leader.entry_meta.source.address,keyword,extended,,,Source network address. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
-9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.port,long,core,,,Port of the source. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,process,process.entry_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.2.0-dev,true,process,process.entry_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.2.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-9.2.0-dev,true,process,process.entry_leader.exit_code,long,extended,,137,The exit code of the process. -9.2.0-dev,true,process,process.entry_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,process,process.entry_leader.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,process,process.entry_leader.hash.sha1,keyword,extended,,,SHA1 hash. -9.2.0-dev,true,process,process.entry_leader.hash.sha256,keyword,extended,,,SHA256 hash. -9.2.0-dev,true,process,process.entry_leader.hash.sha384,keyword,extended,,,SHA384 hash. -9.2.0-dev,true,process,process.entry_leader.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,process,process.entry_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,process,process.entry_leader.hash.tlsh,keyword,extended,,,TLSH hash. -9.2.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.2.0-dev,true,process,process.entry_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.2.0-dev,true,process,process.entry_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.2.0-dev,true,process,process.entry_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.2.0-dev,true,process,process.entry_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 
-9.2.0-dev,true,process,process.entry_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.2.0-dev,true,process,process.entry_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.2.0-dev,true,process,process.entry_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.2.0-dev,true,process,process.entry_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.2.0-dev,true,process,process.entry_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.2.0-dev,true,process,process.entry_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.2.0-dev,true,process,process.entry_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.entry_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.entry_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.entry_leader.macho.imports,flattened,extended,array,,List of imported element names and types. 
-9.2.0-dev,true,process,process.entry_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.2.0-dev,true,process,process.entry_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.2.0-dev,true,process,process.entry_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.2.0-dev,true,process,process.entry_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.entry_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. -9.2.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. -9.2.0-dev,true,process,process.entry_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.2.0-dev,true,process,process.entry_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. 
-9.2.0-dev,true,process,process.entry_leader.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.2.0-dev,true,process,process.entry_leader.parent.args_count,long,extended,,4,Length of the process.args array. -9.2.0-dev,true,process,process.entry_leader.parent.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.attested_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-9.2.0-dev,true,process,process.entry_leader.parent.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.entry_leader.parent.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.entry_leader.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,process,process.entry_leader.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-9.2.0-dev,true,process,process.entry_leader.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,process,process.entry_leader.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.2.0-dev,true,process,process.entry_leader.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.2.0-dev,true,process,process.entry_leader.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,process,process.entry_leader.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.2.0-dev,true,process,process.entry_leader.parent.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.2.0-dev,true,process,process.entry_leader.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.2.0-dev,true,process,process.entry_leader.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,process,process.entry_leader.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.2.0-dev,true,process,process.entry_leader.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.entry_leader.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.entry_leader.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. 
-9.2.0-dev,true,process,process.entry_leader.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.elf.creation_date,date,extended,,,Build or compile date. -9.2.0-dev,true,process,process.entry_leader.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.entry_leader.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.2.0-dev,true,process,process.entry_leader.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.2.0-dev,true,process,process.entry_leader.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
-9.2.0-dev,true,process,process.entry_leader.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.2.0-dev,true,process,process.entry_leader.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -9.2.0-dev,true,process,process.entry_leader.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 
-9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.2.0-dev,true,process,process.entry_leader.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.2.0-dev,true,process,process.entry_leader.parent.elf.segments,nested,extended,array,,ELF object segment list. -9.2.0-dev,true,process,process.entry_leader.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.2.0-dev,true,process,process.entry_leader.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -9.2.0-dev,true,process,process.entry_leader.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.2.0-dev,true,process,process.entry_leader.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.2.0-dev,true,process,process.entry_leader.parent.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. -9.2.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.address,keyword,extended,,,Source network address. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. 
-9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.ip,ip,core,,,IP address of the source. 
-9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.port,long,core,,,Port of the source. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,process,process.entry_leader.parent.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.2.0-dev,true,process,process.entry_leader.parent.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.2.0-dev,true,process,process.entry_leader.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.entry_leader.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.entry_leader.parent.exit_code,long,extended,,137,The exit code of the process. -9.2.0-dev,true,process,process.entry_leader.parent.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.2.0-dev,true,process,process.entry_leader.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,process,process.entry_leader.parent.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,process,process.entry_leader.parent.hash.sha1,keyword,extended,,,SHA1 hash. -9.2.0-dev,true,process,process.entry_leader.parent.hash.sha256,keyword,extended,,,SHA256 hash. -9.2.0-dev,true,process,process.entry_leader.parent.hash.sha384,keyword,extended,,,SHA384 hash. -9.2.0-dev,true,process,process.entry_leader.parent.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,process,process.entry_leader.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,process,process.entry_leader.parent.hash.tlsh,keyword,extended,,,TLSH hash. -9.2.0-dev,true,process,process.entry_leader.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.2.0-dev,true,process,process.entry_leader.parent.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.2.0-dev,true,process,process.entry_leader.parent.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.2.0-dev,true,process,process.entry_leader.parent.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.2.0-dev,true,process,process.entry_leader.parent.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 
-9.2.0-dev,true,process,process.entry_leader.parent.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.2.0-dev,true,process,process.entry_leader.parent.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.2.0-dev,true,process,process.entry_leader.parent.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.2.0-dev,true,process,process.entry_leader.parent.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.2.0-dev,true,process,process.entry_leader.parent.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.2.0-dev,true,process,process.entry_leader.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.2.0-dev,true,process,process.entry_leader.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.entry_leader.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.entry_leader.parent.macho.imports,flattened,extended,array,,List of imported element names and types. 
-9.2.0-dev,true,process,process.entry_leader.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.2.0-dev,true,process,process.entry_leader.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.2.0-dev,true,process,process.entry_leader.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.2.0-dev,true,process,process.entry_leader.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.entry_leader.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.entry_leader.parent.name,keyword,extended,,ssh,Process name. -9.2.0-dev,true,process,process.entry_leader.parent.name.text,match_only_text,extended,,ssh,Process name. -9.2.0-dev,true,process,process.entry_leader.parent.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.2.0-dev,true,process,process.entry_leader.parent.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. 
-9.2.0-dev,true,process,process.entry_leader.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.2.0-dev,true,process,process.entry_leader.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.2.0-dev,true,process,process.entry_leader.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.2.0-dev,true,process,process.entry_leader.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.2.0-dev,true,process,process.entry_leader.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.2.0-dev,true,process,process.entry_leader.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.entry_leader.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.entry_leader.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.entry_leader.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-9.2.0-dev,true,process,process.entry_leader.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.2.0-dev,true,process,process.entry_leader.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.2.0-dev,true,process,process.entry_leader.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.2.0-dev,true,process,process.entry_leader.parent.pe.sections,nested,extended,array,,Section information of the PE file. -9.2.0-dev,true,process,process.entry_leader.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.parent.pe.sections.name,keyword,extended,,,PE Section List name. -9.2.0-dev,true,process,process.entry_leader.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.2.0-dev,true,process,process.entry_leader.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -9.2.0-dev,true,process,process.entry_leader.parent.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.2.0-dev,true,process,process.entry_leader.parent.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.2.0-dev,true,process,process.entry_leader.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.real_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.parent.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.real_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.entry_leader.parent.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.parent.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.parent.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.real_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.parent.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.entry_leader.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.entry_leader.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-9.2.0-dev,true,process,process.entry_leader.parent.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.parent.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.entry_leader.parent.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.parent.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.parent.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.entry_leader.parent.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.entry_leader.parent.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.2.0-dev,true,process,process.entry_leader.parent.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.saved_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.email,keyword,extended,,,User email address. 
-9.2.0-dev,true,process,process.entry_leader.parent.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
-9.2.0-dev,true,process,process.entry_leader.parent.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.entry_leader.parent.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.args_count,long,extended,,4,Length of the process.args array. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.creation_date,date,extended,,,Build or compile date. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.exports,flattened,extended,array,,List of exported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.version,keyword,extended,,,Version of the ELF header. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections,nested,extended,array,,Section information of the ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.name,keyword,extended,,,ELF Section List name. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.type,keyword,extended,,,ELF Section List type. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.segments,nested,extended,array,,ELF object segment list. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.segments.type,keyword,extended,,,ELF object segment type. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.address,keyword,extended,,,Source network address. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.port,long,core,,,Port of the source. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.exit_code,long,extended,,137,The exit code of the process. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha1,keyword,extended,,,SHA1 hash. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha256,keyword,extended,,,SHA256 hash. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha384,keyword,extended,,,SHA384 hash. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.hash.tlsh,keyword,extended,,,TLSH hash. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.name,keyword,extended,,ssh,Process name. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.name.text,match_only_text,extended,,ssh,Process name. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections,nested,extended,array,,Section information of the PE file. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.name,keyword,extended,,,PE Section List name. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_group.name,keyword,extended,,,Name of the group. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.thread.id,long,extended,,4242,Thread ID. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.thread.name,keyword,extended,,thread-0,Thread name. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.title,keyword,extended,,,Process title. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.title.text,match_only_text,extended,,,Process title. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.tty,object,extended,,,Information about the controlling TTY device. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.uptime,long,extended,,1325,Seconds the process has been up. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.email,keyword,extended,,,User email address. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
-9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.entry_leader.parent.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.2.0-dev,true,process,process.entry_leader.parent.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.supplemental_groups.name,keyword,extended,,,Name of the group. 
-9.2.0-dev,true,process,process.entry_leader.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.2.0-dev,true,process,process.entry_leader.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.2.0-dev,true,process,process.entry_leader.parent.thread.id,long,extended,,4242,Thread ID. -9.2.0-dev,true,process,process.entry_leader.parent.thread.name,keyword,extended,,thread-0,Thread name. -9.2.0-dev,true,process,process.entry_leader.parent.title,keyword,extended,,,Process title. -9.2.0-dev,true,process,process.entry_leader.parent.title.text,match_only_text,extended,,,Process title. -9.2.0-dev,true,process,process.entry_leader.parent.tty,object,extended,,,Information about the controlling TTY device. -9.2.0-dev,true,process,process.entry_leader.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.2.0-dev,true,process,process.entry_leader.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.2.0-dev,true,process,process.entry_leader.parent.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.2.0-dev,true,process,process.entry_leader.parent.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.2.0-dev,true,process,process.entry_leader.parent.uptime,long,extended,,1325,Seconds the process has been up. -9.2.0-dev,true,process,process.entry_leader.parent.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.entry_leader.parent.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-9.2.0-dev,true,process,process.entry_leader.parent.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.parent.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.parent.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.parent.user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.parent.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.entry_leader.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.entry_leader.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.parent.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.parent.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.parent.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.entry_leader.parent.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.2.0-dev,true,process,process.entry_leader.parent.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.parent.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.entry_leader.parent.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. -9.2.0-dev,true,process,process.entry_leader.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.entry_leader.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.entry_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.2.0-dev,true,process,process.entry_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.2.0-dev,true,process,process.entry_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.2.0-dev,true,process,process.entry_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.2.0-dev,true,process,process.entry_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.2.0-dev,true,process,process.entry_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.entry_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-9.2.0-dev,true,process,process.entry_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.entry_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.entry_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.entry_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.entry_leader.pe.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.entry_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.2.0-dev,true,process,process.entry_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.2.0-dev,true,process,process.entry_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.2.0-dev,true,process,process.entry_leader.pe.sections,nested,extended,array,,Section information of the PE file. -9.2.0-dev,true,process,process.entry_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.pe.sections.name,keyword,extended,,,PE Section List name. 
-9.2.0-dev,true,process,process.entry_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.2.0-dev,true,process,process.entry_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.entry_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. -9.2.0-dev,true,process,process.entry_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.2.0-dev,true,process,process.entry_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.entry_leader.real_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.entry_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.real_user.group.name,keyword,extended,,,Name of the group. 
-9.2.0-dev,true,process,process.entry_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.entry_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.entry_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
-9.2.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.2.0-dev,true,process,process.entry_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.entry_leader.saved_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.entry_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.saved_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-9.2.0-dev,true,process,process.entry_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.entry_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.entry_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.2.0-dev,true,process,process.entry_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 
-9.2.0-dev,true,process,process.entry_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.2.0-dev,true,process,process.entry_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.2.0-dev,true,process,process.entry_leader.thread.id,long,extended,,4242,Thread ID. -9.2.0-dev,true,process,process.entry_leader.thread.name,keyword,extended,,thread-0,Thread name. -9.2.0-dev,true,process,process.entry_leader.title,keyword,extended,,,Process title. -9.2.0-dev,true,process,process.entry_leader.title.text,match_only_text,extended,,,Process title. -9.2.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. -9.2.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.2.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.2.0-dev,true,process,process.entry_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.2.0-dev,true,process,process.entry_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.2.0-dev,true,process,process.entry_leader.uptime,long,extended,,1325,Seconds the process has been up. -9.2.0-dev,true,process,process.entry_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.entry_leader.user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.entry_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.entry_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-9.2.0-dev,true,process,process.entry_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.entry_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.entry_leader.user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.entry_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.entry_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.entry_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.entry_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.entry_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.2.0-dev,true,process,process.entry_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.entry_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. -9.2.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.entry_meta.source.address,keyword,extended,,,Source network address. -9.2.0-dev,true,process,process.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.2.0-dev,true,process,process.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.2.0-dev,true,process,process.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.2.0-dev,true,process,process.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,process,process.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,process,process.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,process,process.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,process,process.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. 
-9.2.0-dev,true,process,process.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,process,process.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,process,process.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,process,process.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,process,process.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,process,process.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,process,process.entry_meta.source.ip,ip,core,,,IP address of the source. -9.2.0-dev,true,process,process.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.2.0-dev,true,process,process.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.2.0-dev,true,process,process.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.2.0-dev,true,process,process.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.2.0-dev,true,process,process.entry_meta.source.port,long,core,,,Port of the source. -9.2.0-dev,true,process,process.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.2.0-dev,true,process,process.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,process,process.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,process,process.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.2.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 
-9.2.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. -9.2.0-dev,true,process,process.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.2.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. -9.2.0-dev,true,process,process.group_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.group_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.group_leader.attested_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.group_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.group_leader.attested_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.group_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.group_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.group_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.2.0-dev,true,process,process.group_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.group_leader.attested_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.group_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.group_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.group_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.group_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.group_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.group_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.group_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.group_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.group_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.2.0-dev,true,process,process.group_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.group_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.group_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,process,process.group_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.2.0-dev,true,process,process.group_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,process,process.group_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.2.0-dev,true,process,process.group_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.2.0-dev,true,process,process.group_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,process,process.group_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.2.0-dev,true,process,process.group_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.2.0-dev,true,process,process.group_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.2.0-dev,true,process,process.group_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,process,process.group_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
-9.2.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.group_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.2.0-dev,true,process,process.group_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.2.0-dev,true,process,process.group_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.2.0-dev,true,process,process.group_leader.elf.creation_date,date,extended,,,Build or compile date. -9.2.0-dev,true,process,process.group_leader.elf.exports,flattened,extended,array,,List of exported element names and types. -9.2.0-dev,true,process,process.group_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.2.0-dev,true,process,process.group_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.group_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.group_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.group_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.group_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.2.0-dev,true,process,process.group_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. 
-9.2.0-dev,true,process,process.group_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.2.0-dev,true,process,process.group_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.2.0-dev,true,process,process.group_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.2.0-dev,true,process,process.group_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.2.0-dev,true,process,process.group_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.2.0-dev,true,process,process.group_leader.elf.header.version,keyword,extended,,,Version of the ELF header. -9.2.0-dev,true,process,process.group_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.2.0-dev,true,process,process.group_leader.elf.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.group_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.group_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.group_leader.elf.sections,nested,extended,array,,Section information of the ELF file. -9.2.0-dev,true,process,process.group_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.2.0-dev,true,process,process.group_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.group_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.2.0-dev,true,process,process.group_leader.elf.sections.name,keyword,extended,,,ELF Section List name. 
-9.2.0-dev,true,process,process.group_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.2.0-dev,true,process,process.group_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.2.0-dev,true,process,process.group_leader.elf.sections.type,keyword,extended,,,ELF Section List type. -9.2.0-dev,true,process,process.group_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.group_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.2.0-dev,true,process,process.group_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.2.0-dev,true,process,process.group_leader.elf.segments,nested,extended,array,,ELF object segment list. -9.2.0-dev,true,process,process.group_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.2.0-dev,true,process,process.group_leader.elf.segments.type,keyword,extended,,,ELF object segment type. -9.2.0-dev,true,process,process.group_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.2.0-dev,true,process,process.group_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.2.0-dev,true,process,process.group_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.2.0-dev,true,process,process.group_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. -9.2.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.address,keyword,extended,,,Source network address. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-9.2.0-dev,true,process,process.group_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
-9.2.0-dev,true,process,process.group_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.2.0-dev,true,process,process.group_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.2.0-dev,true,process,process.group_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.port,long,core,,,Port of the source. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.2.0-dev,true,process,process.group_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,process,process.group_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,process,process.group_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.2.0-dev,true,process,process.group_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.2.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.group_leader.exit_code,long,extended,,137,The exit code of the process. -9.2.0-dev,true,process,process.group_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.2.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.group_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,process,process.group_leader.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,process,process.group_leader.hash.sha1,keyword,extended,,,SHA1 hash. -9.2.0-dev,true,process,process.group_leader.hash.sha256,keyword,extended,,,SHA256 hash. -9.2.0-dev,true,process,process.group_leader.hash.sha384,keyword,extended,,,SHA384 hash. -9.2.0-dev,true,process,process.group_leader.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,process,process.group_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,process,process.group_leader.hash.tlsh,keyword,extended,,,TLSH hash. -9.2.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.2.0-dev,true,process,process.group_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.2.0-dev,true,process,process.group_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.2.0-dev,true,process,process.group_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.2.0-dev,true,process,process.group_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.2.0-dev,true,process,process.group_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." 
-9.2.0-dev,true,process,process.group_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.2.0-dev,true,process,process.group_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.2.0-dev,true,process,process.group_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.2.0-dev,true,process,process.group_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.2.0-dev,true,process,process.group_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.2.0-dev,true,process,process.group_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.group_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.group_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.group_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.group_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.group_leader.macho.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.group_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.group_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
-9.2.0-dev,true,process,process.group_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.2.0-dev,true,process,process.group_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.group_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.2.0-dev,true,process,process.group_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.2.0-dev,true,process,process.group_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.group_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.group_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. -9.2.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. -9.2.0-dev,true,process,process.group_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.2.0-dev,true,process,process.group_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. -9.2.0-dev,true,process,process.group_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.2.0-dev,true,process,process.group_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.2.0-dev,true,process,process.group_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
-9.2.0-dev,true,process,process.group_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.2.0-dev,true,process,process.group_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.2.0-dev,true,process,process.group_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.group_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.group_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.group_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.group_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.group_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.group_leader.pe.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.group_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.group_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.group_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.2.0-dev,true,process,process.group_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
-9.2.0-dev,true,process,process.group_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.2.0-dev,true,process,process.group_leader.pe.sections,nested,extended,array,,Section information of the PE file. -9.2.0-dev,true,process,process.group_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.group_leader.pe.sections.name,keyword,extended,,,PE Section List name. -9.2.0-dev,true,process,process.group_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.2.0-dev,true,process,process.group_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.group_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. -9.2.0-dev,true,process,process.group_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.2.0-dev,true,process,process.group_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.group_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.group_leader.real_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.group_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-9.2.0-dev,true,process,process.group_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.group_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.group_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.group_leader.real_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.group_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.group_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.group_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.group_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.group_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.2.0-dev,true,process,process.group_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.group_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.group_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.2.0-dev,true,process,process.group_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.group_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.group_leader.saved_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.group_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.group_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.group_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.group_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.group_leader.saved_user.group.name,keyword,extended,,,Name of the group. 
-9.2.0-dev,true,process,process.group_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.group_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.group_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.group_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.group_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.group_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.group_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.group_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
-9.2.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.2.0-dev,true,process,process.group_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.group_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.2.0-dev,true,process,process.group_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.2.0-dev,true,process,process.group_leader.thread.id,long,extended,,4242,Thread ID. -9.2.0-dev,true,process,process.group_leader.thread.name,keyword,extended,,thread-0,Thread name. -9.2.0-dev,true,process,process.group_leader.title,keyword,extended,,,Process title. -9.2.0-dev,true,process,process.group_leader.title.text,match_only_text,extended,,,Process title. -9.2.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. -9.2.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.2.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.2.0-dev,true,process,process.group_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.2.0-dev,true,process,process.group_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.2.0-dev,true,process,process.group_leader.uptime,long,extended,,1325,Seconds the process has been up. 
-9.2.0-dev,true,process,process.group_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.group_leader.user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.group_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.group_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.group_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.group_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.group_leader.user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.group_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.group_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.group_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.group_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
-9.2.0-dev,true,process,process.group_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.group_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.group_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.group_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. -9.2.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -9.2.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -9.2.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. -9.2.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. -9.2.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
-9.2.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.2.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.2.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.2.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.2.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.2.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.2.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.2.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.2.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.2.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.2.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-9.2.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.2.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.2.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.2.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. -9.2.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -9.2.0-dev,true,process,process.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.2.0-dev,true,process,process.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. 
-9.2.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.2.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -9.2.0-dev,true,process,process.parent.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.attested_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.parent.attested_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.parent.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.parent.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.parent.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.attested_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.parent.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.parent.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. 
-9.2.0-dev,true,process,process.parent.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.parent.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.parent.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.parent.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.parent.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.parent.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.parent.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.parent.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.2.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
-9.2.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.2.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.2.0-dev,true,process,process.parent.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.2.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.2.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.2.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.2.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.2.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.2.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -9.2.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. 
-9.2.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.2.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.2.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.2.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.2.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.2.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.2.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.2.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.2.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -9.2.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.2.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. 
-9.2.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -9.2.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.2.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.2.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -9.2.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.2.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.2.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -9.2.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.2.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.2.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. -9.2.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.2.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. 
-9.2.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.2.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.2.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.2.0-dev,true,process,process.parent.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. -9.2.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.2.0-dev,true,process,process.parent.entry_meta.source.address,keyword,extended,,,Source network address. -9.2.0-dev,true,process,process.parent.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.2.0-dev,true,process,process.parent.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.parent.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.parent.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.2.0-dev,true,process,process.parent.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.2.0-dev,true,process,process.parent.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,process,process.parent.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,process,process.parent.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,process,process.parent.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,process,process.parent.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. 
-9.2.0-dev,true,process,process.parent.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,process,process.parent.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,process,process.parent.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,process,process.parent.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,process,process.parent.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,process,process.parent.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,process,process.parent.entry_meta.source.ip,ip,core,,,IP address of the source. -9.2.0-dev,true,process,process.parent.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.2.0-dev,true,process,process.parent.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.2.0-dev,true,process,process.parent.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.2.0-dev,true,process,process.parent.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.2.0-dev,true,process,process.parent.entry_meta.source.port,long,core,,,Port of the source. -9.2.0-dev,true,process,process.parent.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.2.0-dev,true,process,process.parent.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,process,process.parent.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,process,process.parent.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 
-9.2.0-dev,true,process,process.parent.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.2.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -9.2.0-dev,true,process,process.parent.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.2.0-dev,true,process,process.parent.group_leader.args_count,long,extended,,4,Length of the process.args array. -9.2.0-dev,true,process,process.parent.group_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.group_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.group_leader.attested_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.group_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.parent.group_leader.attested_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.parent.group_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-9.2.0-dev,true,process,process.parent.group_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.parent.group_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.group_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.group_leader.attested_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.group_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.parent.group_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.parent.group_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.parent.group_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.parent.group_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.parent.group_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.parent.group_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
-9.2.0-dev,true,process,process.parent.group_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.parent.group_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.parent.group_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.parent.group_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.parent.group_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,process,process.parent.group_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.2.0-dev,true,process,process.parent.group_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,process,process.parent.group_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.2.0-dev,true,process,process.parent.group_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.2.0-dev,true,process,process.parent.group_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,process,process.parent.group_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
-9.2.0-dev,true,process,process.parent.group_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.2.0-dev,true,process,process.parent.group_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.2.0-dev,true,process,process.parent.group_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,process,process.parent.group_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.2.0-dev,true,process,process.parent.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.parent.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.parent.group_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.2.0-dev,true,process,process.parent.group_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.2.0-dev,true,process,process.parent.group_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.2.0-dev,true,process,process.parent.group_leader.elf.creation_date,date,extended,,,Build or compile date. -9.2.0-dev,true,process,process.parent.group_leader.elf.exports,flattened,extended,array,,List of exported element names and types. -9.2.0-dev,true,process,process.parent.group_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.2.0-dev,true,process,process.parent.group_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-9.2.0-dev,true,process,process.parent.group_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.parent.group_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.parent.group_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.parent.group_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.2.0-dev,true,process,process.parent.group_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.2.0-dev,true,process,process.parent.group_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.2.0-dev,true,process,process.parent.group_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.2.0-dev,true,process,process.parent.group_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.2.0-dev,true,process,process.parent.group_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.2.0-dev,true,process,process.parent.group_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.2.0-dev,true,process,process.parent.group_leader.elf.header.version,keyword,extended,,,Version of the ELF header. -9.2.0-dev,true,process,process.parent.group_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.2.0-dev,true,process,process.parent.group_leader.elf.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.parent.group_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-9.2.0-dev,true,process,process.parent.group_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.parent.group_leader.elf.sections,nested,extended,array,,Section information of the ELF file. -9.2.0-dev,true,process,process.parent.group_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.2.0-dev,true,process,process.parent.group_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.parent.group_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.2.0-dev,true,process,process.parent.group_leader.elf.sections.name,keyword,extended,,,ELF Section List name. -9.2.0-dev,true,process,process.parent.group_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.2.0-dev,true,process,process.parent.group_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.2.0-dev,true,process,process.parent.group_leader.elf.sections.type,keyword,extended,,,ELF Section List type. -9.2.0-dev,true,process,process.parent.group_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.parent.group_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.2.0-dev,true,process,process.parent.group_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.2.0-dev,true,process,process.parent.group_leader.elf.segments,nested,extended,array,,ELF object segment list. -9.2.0-dev,true,process,process.parent.group_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.2.0-dev,true,process,process.parent.group_leader.elf.segments.type,keyword,extended,,,ELF object segment type. 
-9.2.0-dev,true,process,process.parent.group_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.2.0-dev,true,process,process.parent.group_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.2.0-dev,true,process,process.parent.group_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.2.0-dev,true,process,process.parent.group_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. -9.2.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.address,keyword,extended,,,Source network address. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. 
-9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.port,long,core,,,Port of the source. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." 
-9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,process,process.parent.group_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.2.0-dev,true,process,process.parent.group_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.2.0-dev,true,process,process.parent.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.parent.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.parent.group_leader.exit_code,long,extended,,137,The exit code of the process. -9.2.0-dev,true,process,process.parent.group_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.group_leader.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.group_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,process,process.parent.group_leader.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,process,process.parent.group_leader.hash.sha1,keyword,extended,,,SHA1 hash. -9.2.0-dev,true,process,process.parent.group_leader.hash.sha256,keyword,extended,,,SHA256 hash. -9.2.0-dev,true,process,process.parent.group_leader.hash.sha384,keyword,extended,,,SHA384 hash. 
-9.2.0-dev,true,process,process.parent.group_leader.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,process,process.parent.group_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,process,process.parent.group_leader.hash.tlsh,keyword,extended,,,TLSH hash. -9.2.0-dev,true,process,process.parent.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.2.0-dev,true,process,process.parent.group_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.2.0-dev,true,process,process.parent.group_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.2.0-dev,true,process,process.parent.group_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.2.0-dev,true,process,process.parent.group_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.2.0-dev,true,process,process.parent.group_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.2.0-dev,true,process,process.parent.group_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.2.0-dev,true,process,process.parent.group_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.2.0-dev,true,process,process.parent.group_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.2.0-dev,true,process,process.parent.group_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. 
-9.2.0-dev,true,process,process.parent.group_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.2.0-dev,true,process,process.parent.group_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.parent.group_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.parent.group_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.parent.group_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.parent.group_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.parent.group_leader.macho.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.parent.group_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.parent.group_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.parent.group_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.2.0-dev,true,process,process.parent.group_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.parent.group_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.2.0-dev,true,process,process.parent.group_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. 
-9.2.0-dev,true,process,process.parent.group_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.parent.group_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.parent.group_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.parent.group_leader.name,keyword,extended,,ssh,Process name. -9.2.0-dev,true,process,process.parent.group_leader.name.text,match_only_text,extended,,ssh,Process name. -9.2.0-dev,true,process,process.parent.group_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.2.0-dev,true,process,process.parent.group_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. -9.2.0-dev,true,process,process.parent.group_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.2.0-dev,true,process,process.parent.group_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.2.0-dev,true,process,process.parent.group_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.2.0-dev,true,process,process.parent.group_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.2.0-dev,true,process,process.parent.group_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.2.0-dev,true,process,process.parent.group_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-9.2.0-dev,true,process,process.parent.group_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.parent.group_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.parent.group_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.parent.group_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.parent.group_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.parent.group_leader.pe.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.parent.group_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.parent.group_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.parent.group_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.2.0-dev,true,process,process.parent.group_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.2.0-dev,true,process,process.parent.group_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.2.0-dev,true,process,process.parent.group_leader.pe.sections,nested,extended,array,,Section information of the PE file. 
-9.2.0-dev,true,process,process.parent.group_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.parent.group_leader.pe.sections.name,keyword,extended,,,PE Section List name. -9.2.0-dev,true,process,process.parent.group_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.2.0-dev,true,process,process.parent.group_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.parent.group_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -9.2.0-dev,true,process,process.parent.group_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.2.0-dev,true,process,process.parent.group_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.group_leader.real_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.group_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.parent.group_leader.real_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.parent.group_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.parent.group_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-9.2.0-dev,true,process,process.parent.group_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.group_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.group_leader.real_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.group_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.parent.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.parent.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.parent.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.parent.group_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.parent.group_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.parent.group_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.parent.group_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.2.0-dev,true,process,process.parent.group_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.parent.group_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.parent.group_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.parent.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.2.0-dev,true,process,process.parent.group_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.group_leader.saved_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.group_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.parent.group_leader.saved_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.parent.group_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.parent.group_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.parent.group_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.group_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-9.2.0-dev,true,process,process.parent.group_leader.saved_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.group_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.parent.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.parent.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.parent.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.parent.group_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.parent.group_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.parent.group_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.parent.group_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.parent.group_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.parent.group_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
-9.2.0-dev,true,process,process.parent.group_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.2.0-dev,true,process,process.parent.group_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.group_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.2.0-dev,true,process,process.parent.group_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.2.0-dev,true,process,process.parent.group_leader.thread.id,long,extended,,4242,Thread ID. -9.2.0-dev,true,process,process.parent.group_leader.thread.name,keyword,extended,,thread-0,Thread name. -9.2.0-dev,true,process,process.parent.group_leader.title,keyword,extended,,,Process title. -9.2.0-dev,true,process,process.parent.group_leader.title.text,match_only_text,extended,,,Process title. -9.2.0-dev,true,process,process.parent.group_leader.tty,object,extended,,,Information about the controlling TTY device. -9.2.0-dev,true,process,process.parent.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.2.0-dev,true,process,process.parent.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.2.0-dev,true,process,process.parent.group_leader.tty.columns,long,extended,,80,The number of character columns per line. 
e.g terminal width -9.2.0-dev,true,process,process.parent.group_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.2.0-dev,true,process,process.parent.group_leader.uptime,long,extended,,1325,Seconds the process has been up. -9.2.0-dev,true,process,process.parent.group_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.parent.group_leader.user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.parent.group_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.parent.group_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.parent.group_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.group_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.group_leader.user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.group_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.parent.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.parent.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.parent.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.parent.group_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-9.2.0-dev,true,process,process.parent.group_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.parent.group_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.parent.group_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.parent.group_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.parent.group_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.parent.group_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. -9.2.0-dev,true,process,process.parent.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.parent.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -9.2.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 
-9.2.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. -9.2.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. -9.2.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.2.0-dev,true,process,process.parent.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.2.0-dev,true,process,process.parent.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.2.0-dev,true,process,process.parent.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.2.0-dev,true,process,process.parent.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.2.0-dev,true,process,process.parent.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.2.0-dev,true,process,process.parent.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.2.0-dev,true,process,process.parent.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.2.0-dev,true,process,process.parent.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.2.0-dev,true,process,process.parent.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.2.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 
-9.2.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.2.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.2.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.2.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 
-9.2.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. -9.2.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -9.2.0-dev,true,process,process.parent.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.2.0-dev,true,process,process.parent.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. -9.2.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.2.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.2.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.2.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.2.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.2.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-9.2.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.2.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.2.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.2.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. -9.2.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. -9.2.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.2.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 
-9.2.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -9.2.0-dev,true,process,process.parent.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.2.0-dev,true,process,process.parent.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.parent.real_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.parent.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.parent.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.parent.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.real_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-9.2.0-dev,true,process,process.parent.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.parent.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.parent.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.parent.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.parent.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.parent.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.parent.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.parent.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.2.0-dev,true,process,process.parent.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. 
-9.2.0-dev,true,process,process.parent.saved_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.parent.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.parent.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.parent.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.saved_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.parent.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.parent.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.parent.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
-9.2.0-dev,true,process,process.parent.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.parent.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.parent.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.parent.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.2.0-dev,true,process,process.parent.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.2.0-dev,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.2.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -9.2.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -9.2.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. -9.2.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title. 
-9.2.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. -9.2.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.2.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.2.0-dev,true,process,process.parent.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.2.0-dev,true,process,process.parent.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.2.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -9.2.0-dev,true,process,process.parent.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.parent.user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.parent.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.parent.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.parent.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.parent.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.parent.user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.parent.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. 
-9.2.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.parent.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.parent.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.parent.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.parent.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.parent.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.parent.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.parent.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id. -9.2.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.2.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
-9.2.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.2.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.2.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.2.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.2.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. 
-9.2.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.2.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. -9.2.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. -9.2.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.2.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.pid,long,core,,4242,Process id. -9.2.0-dev,true,process,process.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.2.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.2.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. -9.2.0-dev,true,process,process.previous.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.previous.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.previous.attested_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.previous.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.previous.attested_user.email,keyword,extended,,,User email address. 
-9.2.0-dev,true,process,process.previous.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.previous.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.previous.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.previous.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.previous.attested_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.previous.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.previous.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.previous.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.previous.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.previous.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.previous.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.previous.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
-9.2.0-dev,true,process,process.previous.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.previous.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.previous.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.previous.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.previous.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,process,process.previous.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.2.0-dev,true,process,process.previous.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,process,process.previous.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.2.0-dev,true,process,process.previous.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.2.0-dev,true,process,process.previous.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,process,process.previous.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.2.0-dev,true,process,process.previous.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. 
-9.2.0-dev,true,process,process.previous.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.2.0-dev,true,process,process.previous.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,process,process.previous.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.2.0-dev,true,process,process.previous.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.previous.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.previous.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.2.0-dev,true,process,process.previous.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.2.0-dev,true,process,process.previous.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.2.0-dev,true,process,process.previous.elf.creation_date,date,extended,,,Build or compile date. -9.2.0-dev,true,process,process.previous.elf.exports,flattened,extended,array,,List of exported element names and types. -9.2.0-dev,true,process,process.previous.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.2.0-dev,true,process,process.previous.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.previous.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.previous.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
-9.2.0-dev,true,process,process.previous.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.previous.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.2.0-dev,true,process,process.previous.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.2.0-dev,true,process,process.previous.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.2.0-dev,true,process,process.previous.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.2.0-dev,true,process,process.previous.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.2.0-dev,true,process,process.previous.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.2.0-dev,true,process,process.previous.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.2.0-dev,true,process,process.previous.elf.header.version,keyword,extended,,,Version of the ELF header. -9.2.0-dev,true,process,process.previous.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.2.0-dev,true,process,process.previous.elf.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.previous.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.previous.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.previous.elf.sections,nested,extended,array,,Section information of the ELF file. -9.2.0-dev,true,process,process.previous.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
-9.2.0-dev,true,process,process.previous.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.previous.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.2.0-dev,true,process,process.previous.elf.sections.name,keyword,extended,,,ELF Section List name. -9.2.0-dev,true,process,process.previous.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.2.0-dev,true,process,process.previous.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.2.0-dev,true,process,process.previous.elf.sections.type,keyword,extended,,,ELF Section List type. -9.2.0-dev,true,process,process.previous.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.previous.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.2.0-dev,true,process,process.previous.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.2.0-dev,true,process,process.previous.elf.segments,nested,extended,array,,ELF object segment list. -9.2.0-dev,true,process,process.previous.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.2.0-dev,true,process,process.previous.elf.segments.type,keyword,extended,,,ELF object segment type. -9.2.0-dev,true,process,process.previous.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.2.0-dev,true,process,process.previous.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.2.0-dev,true,process,process.previous.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.2.0-dev,true,process,process.previous.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. -9.2.0-dev,true,process,process.previous.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
-9.2.0-dev,true,process,process.previous.entry_meta.source.address,keyword,extended,,,Source network address. -9.2.0-dev,true,process,process.previous.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.2.0-dev,true,process,process.previous.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.previous.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.previous.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.2.0-dev,true,process,process.previous.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.2.0-dev,true,process,process.previous.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,process,process.previous.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,process,process.previous.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,process,process.previous.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,process,process.previous.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,process,process.previous.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,process,process.previous.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,process,process.previous.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,process,process.previous.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,process,process.previous.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. 
-9.2.0-dev,true,process,process.previous.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,process,process.previous.entry_meta.source.ip,ip,core,,,IP address of the source. -9.2.0-dev,true,process,process.previous.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.2.0-dev,true,process,process.previous.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.2.0-dev,true,process,process.previous.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.2.0-dev,true,process,process.previous.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.2.0-dev,true,process,process.previous.entry_meta.source.port,long,core,,,Port of the source. -9.2.0-dev,true,process,process.previous.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.2.0-dev,true,process,process.previous.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,process,process.previous.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,process,process.previous.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.2.0-dev,true,process,process.previous.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.2.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.previous.exit_code,long,extended,,137,The exit code of the process. -9.2.0-dev,true,process,process.previous.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.2.0-dev,true,process,process.previous.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.previous.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.previous.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,process,process.previous.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,process,process.previous.hash.sha1,keyword,extended,,,SHA1 hash. -9.2.0-dev,true,process,process.previous.hash.sha256,keyword,extended,,,SHA256 hash. -9.2.0-dev,true,process,process.previous.hash.sha384,keyword,extended,,,SHA384 hash. -9.2.0-dev,true,process,process.previous.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,process,process.previous.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,process,process.previous.hash.tlsh,keyword,extended,,,TLSH hash. -9.2.0-dev,true,process,process.previous.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.2.0-dev,true,process,process.previous.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.2.0-dev,true,process,process.previous.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.2.0-dev,true,process,process.previous.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.2.0-dev,true,process,process.previous.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.2.0-dev,true,process,process.previous.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.2.0-dev,true,process,process.previous.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. 
-9.2.0-dev,true,process,process.previous.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.2.0-dev,true,process,process.previous.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.2.0-dev,true,process,process.previous.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.2.0-dev,true,process,process.previous.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.2.0-dev,true,process,process.previous.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.previous.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.previous.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.previous.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.previous.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.previous.macho.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.previous.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.previous.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.previous.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
-9.2.0-dev,true,process,process.previous.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.previous.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.2.0-dev,true,process,process.previous.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.2.0-dev,true,process,process.previous.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.previous.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.previous.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.previous.name,keyword,extended,,ssh,Process name. -9.2.0-dev,true,process,process.previous.name.text,match_only_text,extended,,ssh,Process name. -9.2.0-dev,true,process,process.previous.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.2.0-dev,true,process,process.previous.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. -9.2.0-dev,true,process,process.previous.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.2.0-dev,true,process,process.previous.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.2.0-dev,true,process,process.previous.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.2.0-dev,true,process,process.previous.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
-9.2.0-dev,true,process,process.previous.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.2.0-dev,true,process,process.previous.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.previous.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.previous.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.previous.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.previous.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.previous.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.previous.pe.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.previous.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.previous.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.previous.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.2.0-dev,true,process,process.previous.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.2.0-dev,true,process,process.previous.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
-9.2.0-dev,true,process,process.previous.pe.sections,nested,extended,array,,Section information of the PE file. -9.2.0-dev,true,process,process.previous.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.previous.pe.sections.name,keyword,extended,,,PE Section List name. -9.2.0-dev,true,process,process.previous.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.2.0-dev,true,process,process.previous.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.previous.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.previous.pid,long,core,,4242,Process id. -9.2.0-dev,true,process,process.previous.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.2.0-dev,true,process,process.previous.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.previous.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.previous.real_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.previous.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.previous.real_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.previous.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.previous.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.previous.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.2.0-dev,true,process,process.previous.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.previous.real_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.previous.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.previous.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.previous.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.previous.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.previous.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.previous.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.previous.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.previous.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.previous.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.previous.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
-9.2.0-dev,true,process,process.previous.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.previous.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.2.0-dev,true,process,process.previous.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.previous.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.previous.saved_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.previous.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.previous.saved_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.previous.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.previous.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.previous.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.previous.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.previous.saved_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.previous.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.previous.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.previous.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 
-9.2.0-dev,true,process,process.previous.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.previous.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.previous.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.previous.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.previous.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.previous.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.previous.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.previous.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.previous.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.2.0-dev,true,process,process.previous.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.previous.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.previous.supplemental_groups.name,keyword,extended,,,Name of the group. 
-9.2.0-dev,true,process,process.previous.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.2.0-dev,true,process,process.previous.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.2.0-dev,true,process,process.previous.thread.id,long,extended,,4242,Thread ID. -9.2.0-dev,true,process,process.previous.thread.name,keyword,extended,,thread-0,Thread name. -9.2.0-dev,true,process,process.previous.title,keyword,extended,,,Process title. -9.2.0-dev,true,process,process.previous.title.text,match_only_text,extended,,,Process title. -9.2.0-dev,true,process,process.previous.tty,object,extended,,,Information about the controlling TTY device. -9.2.0-dev,true,process,process.previous.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.2.0-dev,true,process,process.previous.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.2.0-dev,true,process,process.previous.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.2.0-dev,true,process,process.previous.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.2.0-dev,true,process,process.previous.uptime,long,extended,,1325,Seconds the process has been up. -9.2.0-dev,true,process,process.previous.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.previous.user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.previous.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.previous.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-9.2.0-dev,true,process,process.previous.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.previous.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.previous.user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.previous.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.previous.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.previous.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.previous.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.previous.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.previous.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.previous.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.previous.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.previous.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.previous.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
-9.2.0-dev,true,process,process.previous.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.previous.vpid,long,core,,4242,Virtual process id. -9.2.0-dev,true,process,process.previous.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.previous.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.real_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.real_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-9.2.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.responsible.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.2.0-dev,true,process,process.responsible.args_count,long,extended,,4,Length of the process.args array. -9.2.0-dev,true,process,process.responsible.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.2.0-dev,true,process,process.responsible.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.responsible.attested_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.responsible.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.responsible.attested_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.responsible.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.responsible.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.responsible.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.responsible.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.responsible.attested_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.responsible.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.responsible.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.responsible.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.responsible.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.responsible.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-9.2.0-dev,true,process,process.responsible.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.responsible.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.responsible.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.responsible.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.responsible.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.responsible.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.responsible.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,process,process.responsible.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.2.0-dev,true,process,process.responsible.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,process,process.responsible.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.2.0-dev,true,process,process.responsible.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-9.2.0-dev,true,process,process.responsible.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,process,process.responsible.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.2.0-dev,true,process,process.responsible.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.2.0-dev,true,process,process.responsible.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.2.0-dev,true,process,process.responsible.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,process,process.responsible.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.2.0-dev,true,process,process.responsible.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.responsible.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.responsible.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.2.0-dev,true,process,process.responsible.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.2.0-dev,true,process,process.responsible.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.2.0-dev,true,process,process.responsible.elf.creation_date,date,extended,,,Build or compile date. -9.2.0-dev,true,process,process.responsible.elf.exports,flattened,extended,array,,List of exported element names and types. -9.2.0-dev,true,process,process.responsible.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. 
-9.2.0-dev,true,process,process.responsible.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.responsible.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.responsible.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.responsible.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.responsible.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.2.0-dev,true,process,process.responsible.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.2.0-dev,true,process,process.responsible.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.2.0-dev,true,process,process.responsible.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.2.0-dev,true,process,process.responsible.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.2.0-dev,true,process,process.responsible.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.2.0-dev,true,process,process.responsible.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.2.0-dev,true,process,process.responsible.elf.header.version,keyword,extended,,,Version of the ELF header. -9.2.0-dev,true,process,process.responsible.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.2.0-dev,true,process,process.responsible.elf.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.responsible.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-9.2.0-dev,true,process,process.responsible.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.responsible.elf.sections,nested,extended,array,,Section information of the ELF file. -9.2.0-dev,true,process,process.responsible.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.2.0-dev,true,process,process.responsible.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.responsible.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.2.0-dev,true,process,process.responsible.elf.sections.name,keyword,extended,,,ELF Section List name. -9.2.0-dev,true,process,process.responsible.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.2.0-dev,true,process,process.responsible.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.2.0-dev,true,process,process.responsible.elf.sections.type,keyword,extended,,,ELF Section List type. -9.2.0-dev,true,process,process.responsible.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.responsible.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.2.0-dev,true,process,process.responsible.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.2.0-dev,true,process,process.responsible.elf.segments,nested,extended,array,,ELF object segment list. -9.2.0-dev,true,process,process.responsible.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.2.0-dev,true,process,process.responsible.elf.segments.type,keyword,extended,,,ELF object segment type. -9.2.0-dev,true,process,process.responsible.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 
-9.2.0-dev,true,process,process.responsible.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.2.0-dev,true,process,process.responsible.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.2.0-dev,true,process,process.responsible.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. -9.2.0-dev,true,process,process.responsible.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.2.0-dev,true,process,process.responsible.entry_meta.source.address,keyword,extended,,,Source network address. -9.2.0-dev,true,process,process.responsible.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.2.0-dev,true,process,process.responsible.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.responsible.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.responsible.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.2.0-dev,true,process,process.responsible.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. 
-9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,process,process.responsible.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,process,process.responsible.entry_meta.source.ip,ip,core,,,IP address of the source. -9.2.0-dev,true,process,process.responsible.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.2.0-dev,true,process,process.responsible.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.2.0-dev,true,process,process.responsible.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.2.0-dev,true,process,process.responsible.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.2.0-dev,true,process,process.responsible.entry_meta.source.port,long,core,,,Port of the source. -9.2.0-dev,true,process,process.responsible.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.2.0-dev,true,process,process.responsible.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,process,process.responsible.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
-9.2.0-dev,true,process,process.responsible.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.2.0-dev,true,process,process.responsible.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.2.0-dev,true,process,process.responsible.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.responsible.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.responsible.exit_code,long,extended,,137,The exit code of the process. -9.2.0-dev,true,process,process.responsible.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.responsible.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.responsible.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.responsible.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,process,process.responsible.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,process,process.responsible.hash.sha1,keyword,extended,,,SHA1 hash. -9.2.0-dev,true,process,process.responsible.hash.sha256,keyword,extended,,,SHA256 hash. -9.2.0-dev,true,process,process.responsible.hash.sha384,keyword,extended,,,SHA384 hash. -9.2.0-dev,true,process,process.responsible.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,process,process.responsible.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,process,process.responsible.hash.tlsh,keyword,extended,,,TLSH hash. -9.2.0-dev,true,process,process.responsible.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
-9.2.0-dev,true,process,process.responsible.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.2.0-dev,true,process,process.responsible.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.2.0-dev,true,process,process.responsible.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.2.0-dev,true,process,process.responsible.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.2.0-dev,true,process,process.responsible.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.2.0-dev,true,process,process.responsible.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.2.0-dev,true,process,process.responsible.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.2.0-dev,true,process,process.responsible.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.2.0-dev,true,process,process.responsible.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.2.0-dev,true,process,process.responsible.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.2.0-dev,true,process,process.responsible.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.responsible.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.responsible.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
-9.2.0-dev,true,process,process.responsible.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.responsible.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.responsible.macho.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.responsible.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.responsible.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.responsible.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.2.0-dev,true,process,process.responsible.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.responsible.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.2.0-dev,true,process,process.responsible.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.2.0-dev,true,process,process.responsible.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.responsible.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.responsible.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.responsible.name,keyword,extended,,ssh,Process name. -9.2.0-dev,true,process,process.responsible.name.text,match_only_text,extended,,ssh,Process name. 
-9.2.0-dev,true,process,process.responsible.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.2.0-dev,true,process,process.responsible.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. -9.2.0-dev,true,process,process.responsible.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.2.0-dev,true,process,process.responsible.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.2.0-dev,true,process,process.responsible.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.2.0-dev,true,process,process.responsible.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.2.0-dev,true,process,process.responsible.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.2.0-dev,true,process,process.responsible.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.responsible.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.responsible.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.responsible.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.responsible.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.responsible.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. 
-9.2.0-dev,true,process,process.responsible.pe.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.responsible.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.responsible.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.responsible.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.2.0-dev,true,process,process.responsible.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.2.0-dev,true,process,process.responsible.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.2.0-dev,true,process,process.responsible.pe.sections,nested,extended,array,,Section information of the PE file. -9.2.0-dev,true,process,process.responsible.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.responsible.pe.sections.name,keyword,extended,,,PE Section List name. -9.2.0-dev,true,process,process.responsible.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.2.0-dev,true,process,process.responsible.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.responsible.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.responsible.pid,long,core,,4242,Process id. -9.2.0-dev,true,process,process.responsible.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. 
-9.2.0-dev,true,process,process.responsible.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.responsible.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.responsible.real_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.responsible.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.responsible.real_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.responsible.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.responsible.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.responsible.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.responsible.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.responsible.real_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.responsible.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.responsible.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.responsible.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.responsible.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.responsible.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-9.2.0-dev,true,process,process.responsible.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.responsible.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.responsible.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.responsible.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.responsible.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.responsible.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.responsible.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.2.0-dev,true,process,process.responsible.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.responsible.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.responsible.saved_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.responsible.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.responsible.saved_user.email,keyword,extended,,,User email address. 
-9.2.0-dev,true,process,process.responsible.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.responsible.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.responsible.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.responsible.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.responsible.saved_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.responsible.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.responsible.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.responsible.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.responsible.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.responsible.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.responsible.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.responsible.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
-9.2.0-dev,true,process,process.responsible.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.responsible.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.responsible.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.responsible.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.responsible.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.2.0-dev,true,process,process.responsible.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.responsible.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.responsible.supplemental_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.responsible.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.2.0-dev,true,process,process.responsible.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.2.0-dev,true,process,process.responsible.thread.id,long,extended,,4242,Thread ID. -9.2.0-dev,true,process,process.responsible.thread.name,keyword,extended,,thread-0,Thread name. -9.2.0-dev,true,process,process.responsible.title,keyword,extended,,,Process title. -9.2.0-dev,true,process,process.responsible.title.text,match_only_text,extended,,,Process title. 
-9.2.0-dev,true,process,process.responsible.tty,object,extended,,,Information about the controlling TTY device. -9.2.0-dev,true,process,process.responsible.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.2.0-dev,true,process,process.responsible.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.2.0-dev,true,process,process.responsible.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.2.0-dev,true,process,process.responsible.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.2.0-dev,true,process,process.responsible.uptime,long,extended,,1325,Seconds the process has been up. -9.2.0-dev,true,process,process.responsible.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.responsible.user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.responsible.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.responsible.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.responsible.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.responsible.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.responsible.user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.responsible.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.responsible.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.responsible.user.name,keyword,core,,a.einstein,Short name or login of the user. 
-9.2.0-dev,true,process,process.responsible.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.responsible.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.responsible.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.responsible.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.responsible.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.responsible.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.responsible.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.responsible.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.responsible.vpid,long,core,,4242,Virtual process id. -9.2.0-dev,true,process,process.responsible.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.responsible.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. 
-9.2.0-dev,true,process,process.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.saved_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.saved_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-9.2.0-dev,true,process,process.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.2.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. -9.2.0-dev,true,process,process.session_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.attested_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.session_leader.attested_user.email,keyword,extended,,,User email address. 
-9.2.0-dev,true,process,process.session_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.attested_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.session_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.session_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
-9.2.0-dev,true,process,process.session_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.session_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.session_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.session_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.session_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,process,process.session_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.2.0-dev,true,process,process.session_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,process,process.session_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.2.0-dev,true,process,process.session_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.2.0-dev,true,process,process.session_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,process,process.session_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.2.0-dev,true,process,process.session_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. 
-9.2.0-dev,true,process,process.session_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.2.0-dev,true,process,process.session_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,process,process.session_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.2.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.session_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.2.0-dev,true,process,process.session_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.2.0-dev,true,process,process.session_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.2.0-dev,true,process,process.session_leader.elf.creation_date,date,extended,,,Build or compile date. -9.2.0-dev,true,process,process.session_leader.elf.exports,flattened,extended,array,,List of exported element names and types. -9.2.0-dev,true,process,process.session_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.2.0-dev,true,process,process.session_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.session_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.session_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
-9.2.0-dev,true,process,process.session_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.session_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.2.0-dev,true,process,process.session_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.2.0-dev,true,process,process.session_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.2.0-dev,true,process,process.session_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.2.0-dev,true,process,process.session_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.2.0-dev,true,process,process.session_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.2.0-dev,true,process,process.session_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.2.0-dev,true,process,process.session_leader.elf.header.version,keyword,extended,,,Version of the ELF header. -9.2.0-dev,true,process,process.session_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.2.0-dev,true,process,process.session_leader.elf.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.session_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.session_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.session_leader.elf.sections,nested,extended,array,,Section information of the ELF file. 
-9.2.0-dev,true,process,process.session_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.2.0-dev,true,process,process.session_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.session_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.2.0-dev,true,process,process.session_leader.elf.sections.name,keyword,extended,,,ELF Section List name. -9.2.0-dev,true,process,process.session_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.2.0-dev,true,process,process.session_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.2.0-dev,true,process,process.session_leader.elf.sections.type,keyword,extended,,,ELF Section List type. -9.2.0-dev,true,process,process.session_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.session_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.2.0-dev,true,process,process.session_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.2.0-dev,true,process,process.session_leader.elf.segments,nested,extended,array,,ELF object segment list. -9.2.0-dev,true,process,process.session_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.2.0-dev,true,process,process.session_leader.elf.segments.type,keyword,extended,,,ELF object segment type. -9.2.0-dev,true,process,process.session_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.2.0-dev,true,process,process.session_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.2.0-dev,true,process,process.session_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. 
-9.2.0-dev,true,process,process.session_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. -9.2.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.address,keyword,extended,,,Source network address. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.2.0-dev,true,process,process.session_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.2.0-dev,true,process,process.session_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.port,long,core,,,Port of the source. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.2.0-dev,true,process,process.session_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,process,process.session_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,process,process.session_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 
-9.2.0-dev,true,process,process.session_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.2.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.session_leader.exit_code,long,extended,,137,The exit code of the process. -9.2.0-dev,true,process,process.session_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,process,process.session_leader.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,process,process.session_leader.hash.sha1,keyword,extended,,,SHA1 hash. -9.2.0-dev,true,process,process.session_leader.hash.sha256,keyword,extended,,,SHA256 hash. -9.2.0-dev,true,process,process.session_leader.hash.sha384,keyword,extended,,,SHA384 hash. -9.2.0-dev,true,process,process.session_leader.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,process,process.session_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,process,process.session_leader.hash.tlsh,keyword,extended,,,TLSH hash. -9.2.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.2.0-dev,true,process,process.session_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. 
-9.2.0-dev,true,process,process.session_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.2.0-dev,true,process,process.session_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.2.0-dev,true,process,process.session_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.2.0-dev,true,process,process.session_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.2.0-dev,true,process,process.session_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.2.0-dev,true,process,process.session_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.2.0-dev,true,process,process.session_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.2.0-dev,true,process,process.session_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.2.0-dev,true,process,process.session_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.2.0-dev,true,process,process.session_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.session_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.session_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
-9.2.0-dev,true,process,process.session_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.session_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.session_leader.macho.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.session_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.session_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.session_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.2.0-dev,true,process,process.session_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.session_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.2.0-dev,true,process,process.session_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.2.0-dev,true,process,process.session_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.session_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.session_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. -9.2.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. 
-9.2.0-dev,true,process,process.session_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.2.0-dev,true,process,process.session_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. -9.2.0-dev,true,process,process.session_leader.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.2.0-dev,true,process,process.session_leader.parent.args_count,long,extended,,4,Length of the process.args array. -9.2.0-dev,true,process,process.session_leader.parent.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.parent.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.parent.attested_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.parent.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.session_leader.parent.attested_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.session_leader.parent.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.parent.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.parent.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.parent.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-9.2.0-dev,true,process,process.session_leader.parent.attested_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.parent.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.session_leader.parent.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.session_leader.parent.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.parent.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.parent.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.parent.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.parent.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.session_leader.parent.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.session_leader.parent.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.session_leader.parent.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
-9.2.0-dev,true,process,process.session_leader.parent.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.session_leader.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,process,process.session_leader.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.2.0-dev,true,process,process.session_leader.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,process,process.session_leader.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.2.0-dev,true,process,process.session_leader.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.2.0-dev,true,process,process.session_leader.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,process,process.session_leader.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.2.0-dev,true,process,process.session_leader.parent.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.2.0-dev,true,process,process.session_leader.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.2.0-dev,true,process,process.session_leader.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,process,process.session_leader.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
-9.2.0-dev,true,process,process.session_leader.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.session_leader.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.session_leader.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.2.0-dev,true,process,process.session_leader.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.2.0-dev,true,process,process.session_leader.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.2.0-dev,true,process,process.session_leader.parent.elf.creation_date,date,extended,,,Build or compile date. -9.2.0-dev,true,process,process.session_leader.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -9.2.0-dev,true,process,process.session_leader.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.2.0-dev,true,process,process.session_leader.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.session_leader.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.session_leader.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.session_leader.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.session_leader.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 
-9.2.0-dev,true,process,process.session_leader.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.2.0-dev,true,process,process.session_leader.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.2.0-dev,true,process,process.session_leader.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.2.0-dev,true,process,process.session_leader.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.2.0-dev,true,process,process.session_leader.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.2.0-dev,true,process,process.session_leader.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.2.0-dev,true,process,process.session_leader.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -9.2.0-dev,true,process,process.session_leader.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.2.0-dev,true,process,process.session_leader.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.session_leader.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.session_leader.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.session_leader.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -9.2.0-dev,true,process,process.session_leader.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.2.0-dev,true,process,process.session_leader.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
-9.2.0-dev,true,process,process.session_leader.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.2.0-dev,true,process,process.session_leader.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -9.2.0-dev,true,process,process.session_leader.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.2.0-dev,true,process,process.session_leader.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.2.0-dev,true,process,process.session_leader.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -9.2.0-dev,true,process,process.session_leader.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.session_leader.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.2.0-dev,true,process,process.session_leader.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.2.0-dev,true,process,process.session_leader.parent.elf.segments,nested,extended,array,,ELF object segment list. -9.2.0-dev,true,process,process.session_leader.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.2.0-dev,true,process,process.session_leader.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -9.2.0-dev,true,process,process.session_leader.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.2.0-dev,true,process,process.session_leader.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.2.0-dev,true,process,process.session_leader.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.2.0-dev,true,process,process.session_leader.parent.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 
-9.2.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.address,keyword,extended,,,Source network address. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
-9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.ip,ip,core,,,IP address of the source. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.port,long,core,,,Port of the source. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,process,process.session_leader.parent.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 
-9.2.0-dev,true,process,process.session_leader.parent.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.2.0-dev,true,process,process.session_leader.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.session_leader.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.2.0-dev,true,process,process.session_leader.parent.exit_code,long,extended,,137,The exit code of the process. -9.2.0-dev,true,process,process.session_leader.parent.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.parent.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,process,process.session_leader.parent.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,process,process.session_leader.parent.hash.sha1,keyword,extended,,,SHA1 hash. -9.2.0-dev,true,process,process.session_leader.parent.hash.sha256,keyword,extended,,,SHA256 hash. -9.2.0-dev,true,process,process.session_leader.parent.hash.sha384,keyword,extended,,,SHA384 hash. -9.2.0-dev,true,process,process.session_leader.parent.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,process,process.session_leader.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,process,process.session_leader.parent.hash.tlsh,keyword,extended,,,TLSH hash. -9.2.0-dev,true,process,process.session_leader.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
-9.2.0-dev,true,process,process.session_leader.parent.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.2.0-dev,true,process,process.session_leader.parent.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.2.0-dev,true,process,process.session_leader.parent.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.2.0-dev,true,process,process.session_leader.parent.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.2.0-dev,true,process,process.session_leader.parent.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.2.0-dev,true,process,process.session_leader.parent.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.2.0-dev,true,process,process.session_leader.parent.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.2.0-dev,true,process,process.session_leader.parent.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.2.0-dev,true,process,process.session_leader.parent.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.2.0-dev,true,process,process.session_leader.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.2.0-dev,true,process,process.session_leader.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.session_leader.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-9.2.0-dev,true,process,process.session_leader.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.session_leader.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.session_leader.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.session_leader.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.session_leader.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.session_leader.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.session_leader.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.2.0-dev,true,process,process.session_leader.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.session_leader.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.2.0-dev,true,process,process.session_leader.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.2.0-dev,true,process,process.session_leader.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.session_leader.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 
-9.2.0-dev,true,process,process.session_leader.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.2.0-dev,true,process,process.session_leader.parent.name,keyword,extended,,ssh,Process name. -9.2.0-dev,true,process,process.session_leader.parent.name.text,match_only_text,extended,,ssh,Process name. -9.2.0-dev,true,process,process.session_leader.parent.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.2.0-dev,true,process,process.session_leader.parent.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. -9.2.0-dev,true,process,process.session_leader.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.2.0-dev,true,process,process.session_leader.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.2.0-dev,true,process,process.session_leader.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.2.0-dev,true,process,process.session_leader.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.2.0-dev,true,process,process.session_leader.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.2.0-dev,true,process,process.session_leader.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.session_leader.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.session_leader.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
-9.2.0-dev,true,process,process.session_leader.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.session_leader.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.session_leader.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.session_leader.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.session_leader.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.session_leader.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.session_leader.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.2.0-dev,true,process,process.session_leader.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.2.0-dev,true,process,process.session_leader.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.2.0-dev,true,process,process.session_leader.parent.pe.sections,nested,extended,array,,Section information of the PE file. -9.2.0-dev,true,process,process.session_leader.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.session_leader.parent.pe.sections.name,keyword,extended,,,PE Section List name. -9.2.0-dev,true,process,process.session_leader.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
-9.2.0-dev,true,process,process.session_leader.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.session_leader.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -9.2.0-dev,true,process,process.session_leader.parent.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.2.0-dev,true,process,process.session_leader.parent.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.parent.real_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.parent.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.session_leader.parent.real_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.session_leader.parent.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.parent.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.parent.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.parent.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.parent.real_user.group.name,keyword,extended,,,Name of the group. 
-9.2.0-dev,true,process,process.session_leader.parent.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.session_leader.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.session_leader.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.parent.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.parent.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.parent.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.session_leader.parent.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.session_leader.parent.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.session_leader.parent.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
-9.2.0-dev,true,process,process.session_leader.parent.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.session_leader.parent.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.2.0-dev,true,process,process.session_leader.parent.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.parent.saved_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.parent.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.session_leader.parent.saved_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.session_leader.parent.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.parent.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.parent.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.parent.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.parent.saved_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.parent.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-9.2.0-dev,true,process,process.session_leader.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.session_leader.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.parent.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.parent.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.parent.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.session_leader.parent.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.session_leader.parent.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.session_leader.parent.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.session_leader.parent.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.args_count,long,extended,,4,Length of the process.args array. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.group.name,keyword,extended,,,Name of the group. 
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.creation_date,date,extended,,,Build or compile date. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.exports,flattened,extended,array,,List of exported element names and types. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.version,keyword,extended,,,Version of the ELF header. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.imports,flattened,extended,array,,List of imported element names and types. 
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections,nested,extended,array,,Section information of the ELF file.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.name,keyword,extended,,,ELF Section List name.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.type,keyword,extended,,,ELF Section List type.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.segments,nested,extended,array,,ELF object segment list.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.segments.type,keyword,extended,,,ELF object segment type.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.address,keyword,extended,,,Source network address.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.ip,ip,core,,,IP address of the source.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.port,long,core,,,Port of the source.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.exit_code,long,extended,,137,The exit code of the process.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.group.name,keyword,extended,,,Name of the group.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.md5,keyword,extended,,,MD5 hash.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha1,keyword,extended,,,SHA1 hash.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha256,keyword,extended,,,SHA256 hash.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha384,keyword,extended,,,SHA384 hash.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha512,keyword,extended,,,SHA512 hash.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.hash.tlsh,keyword,extended,,,TLSH hash.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.io,object,extended,,,A chunk of input or output (IO) from a single process.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.imports,flattened,extended,array,,List of imported element names and types.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.name,keyword,extended,,ssh,Process name.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.name.text,match_only_text,extended,,ssh,Process name.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.imports,flattened,extended,array,,List of imported element names and types.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections,nested,extended,array,,Section information of the PE file.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.name,keyword,extended,,,PE Section List name.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_group.name,keyword,extended,,,Name of the group.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.email,keyword,extended,,,User email address.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.group.name,keyword,extended,,,Name of the group.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_group.name,keyword,extended,,,Name of the group.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.email,keyword,extended,,,User email address.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.group.name,keyword,extended,,,Name of the group.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.thread.id,long,extended,,4242,Thread ID.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.thread.name,keyword,extended,,thread-0,Thread name.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.title,keyword,extended,,,Process title.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.title.text,match_only_text,extended,,,Process title.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.tty,object,extended,,,Information about the controlling TTY device.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.uptime,long,extended,,1325,Seconds the process has been up.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.email,keyword,extended,,,User email address.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.group.name,keyword,extended,,,Name of the group.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-9.2.0-dev,true,process,process.session_leader.parent.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
-9.2.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-9.2.0-dev,true,process,process.session_leader.parent.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.2.0-dev,true,process,process.session_leader.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.2.0-dev,true,process,process.session_leader.parent.supplemental_groups.name,keyword,extended,,,Name of the group.
-9.2.0-dev,true,process,process.session_leader.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
-9.2.0-dev,true,process,process.session_leader.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
-9.2.0-dev,true,process,process.session_leader.parent.thread.id,long,extended,,4242,Thread ID. -9.2.0-dev,true,process,process.session_leader.parent.thread.name,keyword,extended,,thread-0,Thread name. -9.2.0-dev,true,process,process.session_leader.parent.title,keyword,extended,,,Process title. -9.2.0-dev,true,process,process.session_leader.parent.title.text,match_only_text,extended,,,Process title. -9.2.0-dev,true,process,process.session_leader.parent.tty,object,extended,,,Information about the controlling TTY device. -9.2.0-dev,true,process,process.session_leader.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.2.0-dev,true,process,process.session_leader.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.2.0-dev,true,process,process.session_leader.parent.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.2.0-dev,true,process,process.session_leader.parent.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.2.0-dev,true,process,process.session_leader.parent.uptime,long,extended,,1325,Seconds the process has been up. -9.2.0-dev,true,process,process.session_leader.parent.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.session_leader.parent.user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.session_leader.parent.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.parent.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.parent.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.2.0-dev,true,process,process.session_leader.parent.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.parent.user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.parent.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.session_leader.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.session_leader.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.parent.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.parent.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.parent.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.session_leader.parent.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.session_leader.parent.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.2.0-dev,true,process,process.session_leader.parent.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.session_leader.parent.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. -9.2.0-dev,true,process,process.session_leader.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.session_leader.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.session_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.2.0-dev,true,process,process.session_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.2.0-dev,true,process,process.session_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.2.0-dev,true,process,process.session_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.2.0-dev,true,process,process.session_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.2.0-dev,true,process,process.session_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,process,process.session_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,process,process.session_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
-9.2.0-dev,true,process,process.session_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,process,process.session_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.session_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.2.0-dev,true,process,process.session_leader.pe.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,process,process.session_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.session_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,process,process.session_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.2.0-dev,true,process,process.session_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.2.0-dev,true,process,process.session_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.2.0-dev,true,process,process.session_leader.pe.sections,nested,extended,array,,Section information of the PE file. -9.2.0-dev,true,process,process.session_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.session_leader.pe.sections.name,keyword,extended,,,PE Section List name. -9.2.0-dev,true,process,process.session_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
-9.2.0-dev,true,process,process.session_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,process,process.session_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. -9.2.0-dev,true,process,process.session_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.2.0-dev,true,process,process.session_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.session_leader.real_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.session_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.real_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-9.2.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.session_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.session_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.session_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.session_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. 
-9.2.0-dev,true,process,process.session_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.session_leader.saved_user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.session_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.saved_user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-9.2.0-dev,true,process,process.session_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.session_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.session_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.session_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.session_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.2.0-dev,true,process,process.session_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 
-9.2.0-dev,true,process,process.session_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.2.0-dev,true,process,process.session_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.2.0-dev,true,process,process.session_leader.thread.id,long,extended,,4242,Thread ID. -9.2.0-dev,true,process,process.session_leader.thread.name,keyword,extended,,thread-0,Thread name. -9.2.0-dev,true,process,process.session_leader.title,keyword,extended,,,Process title. -9.2.0-dev,true,process,process.session_leader.title.text,match_only_text,extended,,,Process title. -9.2.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. -9.2.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.2.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.2.0-dev,true,process,process.session_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.2.0-dev,true,process,process.session_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.2.0-dev,true,process,process.session_leader.uptime,long,extended,,1325,Seconds the process has been up. -9.2.0-dev,true,process,process.session_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.session_leader.user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.session_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.session_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-9.2.0-dev,true,process,process.session_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.session_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.session_leader.user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.session_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.session_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.session_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.session_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.session_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.2.0-dev,true,process,process.session_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.session_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. -9.2.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.2.0-dev,true,process,process.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.2.0-dev,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.2.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -9.2.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -9.2.0-dev,true,process,process.title,keyword,extended,,,Process title. -9.2.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title. -9.2.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device. 
-9.2.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.2.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.2.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.2.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.2.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -9.2.0-dev,true,process,process.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,process,process.user.email,keyword,extended,,,User email address. -9.2.0-dev,true,process,process.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,process,process.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,process,process.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,process,process.user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,process,process.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,process,process.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-9.2.0-dev,true,process,process.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,process,process.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,process,process.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,process,process.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,process,process.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id. -9.2.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.2.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -9.2.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -9.2.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -9.2.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. 
-9.2.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -9.2.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -9.2.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -9.2.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -9.2.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -9.2.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -9.2.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. -9.2.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -9.2.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -9.2.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -9.2.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -9.2.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -9.2.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -9.2.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -9.2.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -9.2.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -9.2.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -9.2.0-dev,true,server,server.address,keyword,extended,,,Server network address. -9.2.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-9.2.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.2.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -9.2.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. -9.2.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -9.2.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -9.2.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -9.2.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -9.2.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -9.2.0-dev,true,server,server.port,long,core,,,Port of the server. 
-9.2.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -9.2.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,server,server.user.email,keyword,extended,,,User email address. -9.2.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,server,server.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,server,server.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
-9.2.0-dev,true,server,server.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,server,server.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,server,server.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,server,server.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -9.2.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. -9.2.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -9.2.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -9.2.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -9.2.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -9.2.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -9.2.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -9.2.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -9.2.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. 
-9.2.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -9.2.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -9.2.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. -9.2.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. -9.2.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. -9.2.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -9.2.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. -9.2.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. -9.2.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. -9.2.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -9.2.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. -9.2.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. -9.2.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -9.2.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -9.2.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. -9.2.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. -9.2.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. 
-9.2.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. -9.2.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. -9.2.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. -9.2.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. -9.2.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -9.2.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -9.2.0-dev,true,source,source.address,keyword,extended,,,Source network address. -9.2.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.2.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.2.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.2.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.2.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. 
-9.2.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -9.2.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.2.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -9.2.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -9.2.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -9.2.0-dev,true,source,source.port,long,core,,,Port of the source. -9.2.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.2.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,source,source.user.email,keyword,extended,,,User email address. -9.2.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-9.2.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,source,source.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,source,source.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,source,source.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,source,source.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,source,source.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,source,source.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -9.2.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. -9.2.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. 
-9.2.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.2.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.2.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -9.2.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -9.2.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -9.2.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. 
-9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
-9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. 
-9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -9.2.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. 
-9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -9.2.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -9.2.0-dev,true,threat,threat.enrichments.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.2.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." 
-9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. 
-9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. 
-9.2.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -9.2.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. 
-9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.2.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.2.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -9.2.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -9.2.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
-9.2.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.2.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -9.2.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -9.2.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -9.2.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -9.2.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -9.2.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -9.2.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port -9.2.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -9.2.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -9.2.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -9.2.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -9.2.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -9.2.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. 
-9.2.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -9.2.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -9.2.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -9.2.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics -9.2.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed -9.2.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -9.2.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -9.2.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -9.2.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -9.2.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.2.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.2.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
-9.2.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.2.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. -9.2.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -9.2.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -9.2.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. -9.2.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -9.2.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -9.2.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-9.2.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.2.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-9.2.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.2.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 
-9.2.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value -9.2.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field -9.2.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier -9.2.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index -9.2.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match -9.2.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -9.2.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. -9.2.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. -9.2.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. -9.2.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. -9.2.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -9.2.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. -9.2.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. -9.2.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. -9.2.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -9.2.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.2.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. 
-9.2.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.2.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating -9.2.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -9.2.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -9.2.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -9.2.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -9.2.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.2.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.2.0-dev,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.2.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.2.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.2.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.2.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.2.0-dev,true,threat,threat.indicator.file.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. 
-9.2.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.2.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.2.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.2.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -9.2.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -9.2.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -9.2.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -9.2.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -9.2.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.2.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.2.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.2.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -9.2.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -9.2.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.2.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. 
-9.2.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.2.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.2.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.2.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.2.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.2.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.2.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.2.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.2.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -9.2.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.2.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-9.2.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -9.2.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.2.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.2.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -9.2.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.2.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.2.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. -9.2.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.2.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.2.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -9.2.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.2.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -9.2.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 
-9.2.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.2.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -9.2.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. -9.2.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -9.2.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -9.2.0-dev,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.2.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. -9.2.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. -9.2.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. -9.2.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. -9.2.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. -9.2.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.2.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. -9.2.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -9.2.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -9.2.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -9.2.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -9.2.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." 
-9.2.0-dev,true,threat,threat.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. -9.2.0-dev,true,threat,threat.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. -9.2.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -9.2.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.2.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -9.2.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.2.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.2.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.2.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.2.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.2.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.2.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.2.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-9.2.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.2.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.2.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. -9.2.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.2.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.2.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.2.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.2.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. -9.2.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.2.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. -9.2.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.2.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.2.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. 
This is always the same as `physical_size`. -9.2.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -9.2.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. -9.2.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. -9.2.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -9.2.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -9.2.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.2.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.2.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.2.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.2.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.2.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.2.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-9.2.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.2.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.2.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.2.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.2.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.2.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.2.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.2.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.2.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.2.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.2.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.2.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-9.2.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.2.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.2.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.2.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.2.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. -9.2.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -9.2.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -9.2.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -9.2.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -9.2.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.2.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -9.2.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.2.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.2.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -9.2.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.2.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -9.2.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 
-9.2.0-dev,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator -9.2.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -9.2.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. -9.2.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking -9.2.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version -9.2.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. -9.2.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name -9.2.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port -9.2.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider -9.2.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL -9.2.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -9.2.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -9.2.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -9.2.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -9.2.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-9.2.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -9.2.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -9.2.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -9.2.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -9.2.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -9.2.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -9.2.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -9.2.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. -9.2.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.2.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.2.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.2.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.2.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. -9.2.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -9.2.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." 
-9.2.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. -9.2.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -9.2.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. -9.2.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. -9.2.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.2.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.2.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.2.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.2.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.2.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -9.2.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-9.2.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.2.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.2.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.2.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.2.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.2.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.2.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.2.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.2.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.2.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.2.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.2.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-9.2.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.2.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.2.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.2.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.2.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. -9.2.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software -9.2.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software -9.2.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. -9.2.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. -9.2.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. -9.2.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type. -9.2.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -9.2.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -9.2.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -9.2.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -9.2.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -9.2.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name. 
-9.2.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -9.2.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -9.2.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -9.2.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name. -9.2.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -9.2.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -9.2.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -9.2.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -9.2.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -9.2.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -9.2.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -9.2.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
-9.2.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -9.2.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -9.2.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -9.2.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -9.2.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -9.2.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -9.2.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.2.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.2.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.2.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.2.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.2.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
-9.2.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.2.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.2.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.2.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.2.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.2.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.2.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.2.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.2.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.2.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.2.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.2.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.2.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-9.2.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.2.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.2.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.2.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.2.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -9.2.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -9.2.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -9.2.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -9.2.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -9.2.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -9.2.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -9.2.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -9.2.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
-9.2.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -9.2.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -9.2.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -9.2.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -9.2.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -9.2.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -9.2.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -9.2.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -9.2.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes -9.2.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -9.2.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -9.2.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
-9.2.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -9.2.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.2.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. -9.2.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. -9.2.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -9.2.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -9.2.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -9.2.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -9.2.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -9.2.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -9.2.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -9.2.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code -9.2.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
-9.2.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -9.2.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -9.2.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -9.2.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -9.2.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -9.2.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -9.2.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -9.2.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -9.2.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -9.2.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -9.2.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -9.2.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -9.2.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.2.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -9.2.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
-9.2.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -9.2.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -9.2.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -9.2.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -9.2.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -9.2.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -9.2.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -9.2.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -9.2.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.2.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -9.2.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. -9.2.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-9.2.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. -9.2.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-9.2.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 
-9.2.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,user,user.email,keyword,extended,,,User email address. -9.2.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.2.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -9.2.0-dev,true,user,user.target.email,keyword,extended,,,User email address. -9.2.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.2.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.2.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.2.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -9.2.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.2.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.2.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.2.0-dev,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-9.2.0-dev,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.2.0-dev,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.2.0-dev,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.2.0-dev,true,user,user.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.2.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.2.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -9.2.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -9.2.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -9.2.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -9.2.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -9.2.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
-9.2.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -9.2.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -9.2.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -9.2.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." -9.2.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -9.2.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." -9.2.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -9.2.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -9.2.0-dev,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device. -9.2.0-dev,true,volume,volume.default_access,keyword,extended,,,Bus type of the device. -9.2.0-dev,true,volume,volume.device_name,keyword,extended,,,Device name of the volume. -9.2.0-dev,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type. -9.2.0-dev,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device. -9.2.0-dev,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type. -9.2.0-dev,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume. -9.2.0-dev,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device. -9.2.0-dev,true,volume,volume.product_id,keyword,extended,,,ProductID of the device. -9.2.0-dev,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume. 
-9.2.0-dev,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable. -9.2.0-dev,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device. -9.2.0-dev,true,volume,volume.size,long,extended,,,Size of the volume device in bytes. -9.2.0-dev,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device. -9.2.0-dev,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device. -9.2.0-dev,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable. -9.2.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -9.2.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -9.2.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -9.2.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -9.2.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -9.2.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -9.2.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -9.2.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -9.2.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -9.2.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -9.2.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. 
-9.2.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -9.2.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -9.2.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +9.3.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +9.3.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +9.3.0-dev,true,base,message,match_only_text,core,,Hello World,Log message optimized for viewing in a log viewer. +9.3.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +9.3.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +9.3.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +9.3.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +9.3.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +9.3.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +9.3.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +9.3.0-dev,true,client,client.address,keyword,extended,,,Client network address. +9.3.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.3.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,client,client.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.3.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. 
+9.3.0-dev,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client. +9.3.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,client,client.ip,ip,core,,,IP address of the client. +9.3.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +9.3.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +9.3.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port +9.3.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +9.3.0-dev,true,client,client.port,long,core,,,Port of the client. +9.3.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +9.3.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +9.3.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
+9.3.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,client,client.user.email,keyword,extended,,,User email address. +9.3.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.3.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.3.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.3.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.3.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. 
+9.3.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.3.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. +9.3.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.3.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.3.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.3.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. +9.3.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.3.0-dev,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id. +9.3.0-dev,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name. +9.3.0-dev,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider. +9.3.0-dev,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.3.0-dev,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name. +9.3.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +9.3.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +9.3.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +9.3.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.3.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +9.3.0-dev,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id. 
+9.3.0-dev,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name. +9.3.0-dev,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.3.0-dev,true,cloud,cloud.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,cloud,cloud.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,cloud,cloud.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,cloud,cloud.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,cloud,cloud.target.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,cloud,cloud.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,cloud,cloud.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,cloud,cloud.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,cloud,cloud.target.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,cloud,cloud.target.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,cloud,cloud.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,cloud,cloud.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,cloud,cloud.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
+9.3.0-dev,true,cloud,cloud.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,cloud,cloud.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +9.3.0-dev,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine. +9.3.0-dev,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +9.3.0-dev,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id. +9.3.0-dev,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name. +9.3.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider. +9.3.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located." +9.3.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name. +9.3.0-dev,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +9.3.0-dev,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +9.3.0-dev,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +9.3.0-dev,true,container,container.id,keyword,core,,,Unique container id. +9.3.0-dev,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on. +9.3.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +9.3.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. 
+9.3.0-dev,true,container,container.labels,object,extended,,,Image labels. +9.3.0-dev,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1." +9.3.0-dev,true,container,container.name,keyword,extended,,,Container name. +9.3.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +9.3.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +9.3.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +9.3.0-dev,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode. +9.3.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. +9.3.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. +9.3.0-dev,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +9.3.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. +9.3.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.3.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,destination,destination.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.3.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +9.3.0-dev,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination. +9.3.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. 
+9.3.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. +9.3.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +9.3.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +9.3.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +9.3.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +9.3.0-dev,true,destination,destination.port,long,core,,,Port of the destination. +9.3.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +9.3.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +9.3.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
+9.3.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. +9.3.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. +9.3.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. +9.3.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. +9.3.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. 
+9.3.0-dev,true,device,device.product.id,keyword,extended,,43981,ProductID of the device +9.3.0-dev,true,device,device.product.name,keyword,extended,,Extreme V2 SSD,Product name of the device +9.3.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device +9.3.0-dev,true,device,device.type,keyword,extended,,Storage Device,Device type classification +9.3.0-dev,true,device,device.vendor.id,keyword,extended,,4660,VendorID of the device +9.3.0-dev,true,device,device.vendor.name,keyword,extended,,SanDisk,Vendor name of the device +9.3.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.3.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.3.0-dev,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.3.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.3.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.3.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.3.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.3.0-dev,true,dll,dll.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.3.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.3.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.3.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
+9.3.0-dev,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.3.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +9.3.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +9.3.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +9.3.0-dev,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash. +9.3.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +9.3.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.3.0-dev,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash. +9.3.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +9.3.0-dev,true,dll,dll.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the dll file. +9.3.0-dev,true,dll,dll.origin_url,keyword,extended,,http://example.com/files/example.dll,The URL where the dll file is hosted. +9.3.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +9.3.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.3.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.3.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.3.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.3.0-dev,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.3.0-dev,true,dll,dll.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.3.0-dev,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.3.0-dev,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.3.0-dev,true,dll,dll.pe.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.3.0-dev,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.3.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.3.0-dev,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +9.3.0-dev,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +9.3.0-dev,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.3.0-dev,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 
+9.3.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +9.3.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +9.3.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +9.3.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +9.3.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +9.3.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +9.3.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +9.3.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +9.3.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +9.3.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +9.3.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +9.3.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +9.3.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +9.3.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.3.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +9.3.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +9.3.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. 
+9.3.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +9.3.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +9.3.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +9.3.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +9.3.0-dev,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.3.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +9.3.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.3.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.3.0-dev,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.3.0-dev,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.3.0-dev,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.3.0-dev,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.3.0-dev,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +9.3.0-dev,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +9.3.0-dev,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. +9.3.0-dev,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +9.3.0-dev,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +9.3.0-dev,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +9.3.0-dev,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. 
+9.3.0-dev,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +9.3.0-dev,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +9.3.0-dev,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +9.3.0-dev,true,email,email.message_id,wildcard,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +9.3.0-dev,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +9.3.0-dev,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +9.3.0-dev,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +9.3.0-dev,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +9.3.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. +9.3.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +9.3.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.3.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. +9.3.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. +9.3.0-dev,true,error,error.message,match_only_text,core,,,Error message. +9.3.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +9.3.0-dev,true,error,error.stack_trace.text,match_only_text,extended,,,The stack trace of this error in plain text. +9.3.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +9.3.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. 
+9.3.0-dev,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +9.3.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +9.3.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. +9.3.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +9.3.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +9.3.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +9.3.0-dev,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. +9.3.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +9.3.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +9.3.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +9.3.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +9.3.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +9.3.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +9.3.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +9.3.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. 
+9.3.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +9.3.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +9.3.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +9.3.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +9.3.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. +9.3.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. +9.3.0-dev,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. +9.3.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. +9.3.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +9.3.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +9.3.0-dev,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +9.3.0-dev,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. +9.3.0-dev,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +9.3.0-dev,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +9.3.0-dev,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +9.3.0-dev,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. 
+9.3.0-dev,true,faas,faas.version,keyword,extended,,123,The version of a serverless function.
+9.3.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
+9.3.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+9.3.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+9.3.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+9.3.0-dev,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
+9.3.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+9.3.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+9.3.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+9.3.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+9.3.0-dev,true,file,file.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate.
+9.3.0-dev,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+9.3.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+9.3.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+9.3.0-dev,true,file,file.created,date,extended,,,File creation time.
+9.3.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+9.3.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
+9.3.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located.
+9.3.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+9.3.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+9.3.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+9.3.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+9.3.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date.
+9.3.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types.
+9.3.0-dev,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file.
+9.3.0-dev,true,file,file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types.
+9.3.0-dev,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
+9.3.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+9.3.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file.
+9.3.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header.
+9.3.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+9.3.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+9.3.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+9.3.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file.
+9.3.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header.
+9.3.0-dev,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file.
+9.3.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types.
+9.3.0-dev,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file.
+9.3.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+9.3.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+9.3.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+9.3.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name.
+9.3.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+9.3.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+9.3.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type.
+9.3.0-dev,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
+9.3.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+9.3.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+9.3.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list.
+9.3.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+9.3.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type.
+9.3.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+9.3.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+9.3.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+9.3.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
+9.3.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+9.3.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
+9.3.0-dev,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
+9.3.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
+9.3.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
+9.3.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
+9.3.0-dev,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash.
+9.3.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash.
+9.3.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+9.3.0-dev,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash.
+9.3.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+9.3.0-dev,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file.
+9.3.0-dev,true,file,file.macho.go_imports,flattened,extended,,,List of imported Go language element names and types.
+9.3.0-dev,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
+9.3.0-dev,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file.
+9.3.0-dev,true,file,file.macho.imports,flattened,extended,array,,List of imported element names and types.
+9.3.0-dev,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file.
+9.3.0-dev,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+9.3.0-dev,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name.
+9.3.0-dev,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size.
+9.3.0-dev,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
+9.3.0-dev,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`.
+9.3.0-dev,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
+9.3.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+9.3.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+9.3.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified.
+9.3.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+9.3.0-dev,true,file,file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file.
+9.3.0-dev,true,file,file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted.
+9.3.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username.
+9.3.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+9.3.0-dev,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+9.3.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+9.3.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+9.3.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+9.3.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+9.3.0-dev,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file.
+9.3.0-dev,true,file,file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types.
+9.3.0-dev,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
+9.3.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+9.3.0-dev,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file.
+9.3.0-dev,true,file,file.pe.imports,flattened,extended,array,,List of imported element names and types.
+9.3.0-dev,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+9.3.0-dev,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections.
+9.3.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+9.3.0-dev,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file.
+9.3.0-dev,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+9.3.0-dev,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name.
+9.3.0-dev,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size.
+9.3.0-dev,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
+9.3.0-dev,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
+9.3.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
+9.3.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks.
+9.3.0-dev,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks.
+9.3.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+9.3.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
+9.3.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+9.3.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+9.3.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes
+9.3.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+9.3.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+9.3.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+9.3.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+9.3.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+9.3.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid.
+9.3.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid.
+9.3.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+9.3.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+9.3.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+9.3.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+9.3.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+9.3.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+9.3.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+9.3.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code
+9.3.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+9.3.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+9.3.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+9.3.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+9.3.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+9.3.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format.
+9.3.0-dev,false,gen_ai,gen_ai.agent.description,keyword,extended,,Helps with math problems; Generates fiction stories,Free-form description of the GenAI agent provided by the application.
+9.3.0-dev,true,gen_ai,gen_ai.agent.id,keyword,extended,,asst_5j66UpCpwteGg4YSxUnt7lPY,The unique identifier of the GenAI agent.
+9.3.0-dev,true,gen_ai,gen_ai.agent.name,keyword,extended,,Math Tutor; Fiction Writer,Human-readable name of the GenAI agent provided by the application.
+9.3.0-dev,true,gen_ai,gen_ai.operation.name,keyword,extended,,chat; text_completion; embeddings,The name of the operation being performed.
+9.3.0-dev,true,gen_ai,gen_ai.output.type,keyword,extended,,text; json; image,Represents the content type requested by the client.
+9.3.0-dev,true,gen_ai,gen_ai.request.choice.count,integer,extended,,3,The target number of candidate completions to return.
+9.3.0-dev,true,gen_ai,gen_ai.request.encoding_formats,nested,extended,,"[""float"", ""binary""]","The encoding formats requested in an embeddings operation, if specified."
+9.3.0-dev,true,gen_ai,gen_ai.request.frequency_penalty,double,extended,,0.1,The frequency penalty setting for the GenAI request.
+9.3.0-dev,true,gen_ai,gen_ai.request.max_tokens,integer,extended,,100,The maximum number of tokens the model generates for a request.
+9.3.0-dev,true,gen_ai,gen_ai.request.model,keyword,extended,,gpt-4,The name of the GenAI model a request is being made to.
+9.3.0-dev,true,gen_ai,gen_ai.request.presence_penalty,double,extended,,0.1,The presence penalty setting for the GenAI request.
+9.3.0-dev,true,gen_ai,gen_ai.request.seed,integer,extended,,100,Requests with same seed value more likely to return same result.
+9.3.0-dev,true,gen_ai,gen_ai.request.stop_sequences,nested,extended,,"[""forest"", ""lived""]",List of sequences that the model will use to stop generating further tokens.
+9.3.0-dev,true,gen_ai,gen_ai.request.temperature,double,extended,,0.0,The temperature setting for the GenAI request.
+9.3.0-dev,true,gen_ai,gen_ai.request.top_k,double,extended,,1.0,The top_k sampling setting for the GenAI request.
+9.3.0-dev,true,gen_ai,gen_ai.request.top_p,double,extended,,1.0,The top_p sampling setting for the GenAI request.
+9.3.0-dev,true,gen_ai,gen_ai.response.finish_reasons,nested,extended,,"[""stop"", ""length""]","Array of reasons the model stopped generating tokens, corresponding to each generation received."
+9.3.0-dev,true,gen_ai,gen_ai.response.id,keyword,extended,,chatcmpl-123,The unique identifier for the completion.
+9.3.0-dev,true,gen_ai,gen_ai.response.model,keyword,extended,,gpt-4-0613,The name of the model that generated the response.
+9.3.0-dev,true,gen_ai,gen_ai.system,keyword,extended,,openai,The Generative AI product as identified by the client or server instrumentation.
+9.3.0-dev,true,gen_ai,gen_ai.token.type,keyword,extended,,input; output,The type of token being counted.
+9.3.0-dev,true,gen_ai,gen_ai.tool.call.id,keyword,extended,,call_mszuSIzqtI65i1wAUOE8w5H4,The tool call identifier.
+9.3.0-dev,true,gen_ai,gen_ai.tool.name,keyword,extended,,Flights,Name of the tool utilized by the agent.
+9.3.0-dev,true,gen_ai,gen_ai.tool.type,keyword,extended,,function; extension; datastore,Type of the tool utilized by the agent
+9.3.0-dev,true,gen_ai,gen_ai.usage.input_tokens,integer,extended,,100,The number of tokens used in the GenAI input (prompt).
+9.3.0-dev,true,gen_ai,gen_ai.usage.output_tokens,integer,extended,,180,The number of tokens used in the GenAI response (completion).
+9.3.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,group,group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
+9.3.0-dev,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id
+9.3.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
+9.3.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
+9.3.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
+9.3.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
+9.3.0-dev,true,host,host.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,host,host.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,host,host.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,host,host.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,host,host.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,host,host.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,host,host.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,host,host.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,host,host.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,host,host.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,host,host.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,host,host.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,host,host.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,host,host.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,host,host.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
+9.3.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code.
+9.3.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
+9.3.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+9.3.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
+9.3.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+9.3.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+9.3.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code.
+9.3.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+9.3.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
+9.3.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+9.3.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host.
+9.3.0-dev,true,host,host.id,keyword,core,,,Unique host id.
+9.3.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
+9.3.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
+9.3.0-dev,true,host,host.name,keyword,core,,,Name of the host.
+9.3.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
+9.3.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
+9.3.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
+9.3.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
+9.3.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+9.3.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+9.3.0-dev,true,host,host.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+9.3.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+9.3.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+9.3.0-dev,true,host,host.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
+9.3.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+9.3.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)."
+9.3.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+9.3.0-dev,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode
+9.3.0-dev,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.3.0-dev,true,host,host.type,keyword,core,,,Type of host.
+9.3.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
+9.3.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
+9.3.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body.
+9.3.0-dev,true,http,http.request.body.content.text,match_only_text,extended,,Hello world,The full HTTP request body.
+9.3.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
+9.3.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
+9.3.0-dev,true,http,http.request.method,keyword,extended,,POST,HTTP request method.
+9.3.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
+9.3.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
+9.3.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
+9.3.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
+9.3.0-dev,true,http,http.response.body.content.text,match_only_text,extended,,Hello world,The full HTTP response body.
+9.3.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
+9.3.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
+9.3.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
+9.3.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version.
+9.3.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
+9.3.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event.
+9.3.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
+9.3.0-dev,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event.
+9.3.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
+9.3.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
+9.3.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata
+9.3.0-dev,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message.
+9.3.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
+9.3.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
+9.3.0-dev,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message.
+9.3.0-dev,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message.
+9.3.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
+9.3.0-dev,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message.
+9.3.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
+9.3.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
+9.3.0-dev,true,log,log.syslog.structured_data,flattened,extended,,,Structured data expressed in RFC 5424 messages.
+9.3.0-dev,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version.
+9.3.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name.
+9.3.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
+9.3.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
+9.3.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
+9.3.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
+9.3.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
+9.3.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information
+9.3.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+9.3.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+9.3.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
+9.3.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
+9.3.0-dev,true,network,network.protocol,keyword,core,,http,Application protocol name.
+9.3.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
+9.3.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
+9.3.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
+9.3.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
+9.3.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information +9.3.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +9.3.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +9.3.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +9.3.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.3.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.3.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +9.3.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 
+9.3.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information +9.3.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +9.3.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +9.3.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +9.3.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +9.3.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +9.3.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +9.3.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +9.3.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +9.3.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +9.3.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +9.3.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.3.0-dev,true,observer,observer.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +9.3.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +9.3.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +9.3.0-dev,true,observer,observer.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version." +9.3.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
+9.3.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +9.3.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +9.3.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +9.3.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +9.3.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +9.3.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +9.3.0-dev,true,observer,observer.version,keyword,core,,,Observer version. +9.3.0-dev,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +9.3.0-dev,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +9.3.0-dev,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +9.3.0-dev,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +9.3.0-dev,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. +9.3.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +9.3.0-dev,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +9.3.0-dev,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. +9.3.0-dev,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. 
+9.3.0-dev,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +9.3.0-dev,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. +9.3.0-dev,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +9.3.0-dev,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +9.3.0-dev,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +9.3.0-dev,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +9.3.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +9.3.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. +9.3.0-dev,true,organization,organization.name.text,match_only_text,extended,,,Organization name. +9.3.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +9.3.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +9.3.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +9.3.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +9.3.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +9.3.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. 
+9.3.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +9.3.0-dev,true,package,package.name,keyword,extended,,go,Package name +9.3.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +9.3.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +9.3.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. +9.3.0-dev,true,package,package.type,keyword,extended,,rpm,Package type +9.3.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +9.3.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.3.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +9.3.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.3.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.3.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.3.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.3.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.3.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.3.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.3.0-dev,true,process,process.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. 
+9.3.0-dev,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.3.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.3.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.3.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.3.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.3.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.3.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +9.3.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +9.3.0-dev,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.3.0-dev,true,process,process.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.3.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.3.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.3.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.3.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.3.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.3.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.3.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.3.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +9.3.0-dev,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.3.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +9.3.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.3.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.3.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. 
+9.3.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.3.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.3.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +9.3.0-dev,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.3.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.3.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +9.3.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.3.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +9.3.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.3.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.3.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.3.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.3.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.3.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +9.3.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+9.3.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.3.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.3.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.3.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +9.3.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +9.3.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.3.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +9.3.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.3.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. +9.3.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. +9.3.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.3.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+9.3.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.3.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +9.3.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.3.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.3.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. +9.3.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.3.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.3.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 
+9.3.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +9.3.0-dev,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.3.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +9.3.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.3.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.3.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. 
+9.3.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +9.3.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. +9.3.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.3.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.3.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 
+9.3.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +9.3.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.3.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.3.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. +9.3.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.3.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.3.0-dev,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.3.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +9.3.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +9.3.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +9.3.0-dev,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. +9.3.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +9.3.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.3.0-dev,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +9.3.0-dev,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
+9.3.0-dev,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.3.0-dev,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.3.0-dev,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.3.0-dev,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.3.0-dev,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.3.0-dev,true,process,process.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.3.0-dev,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.3.0-dev,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.3.0-dev,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.3.0-dev,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.3.0-dev,true,process,process.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.3.0-dev,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.macho.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.3.0-dev,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.3.0-dev,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.3.0-dev,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.3.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. +9.3.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +9.3.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.3.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +9.3.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 
+9.3.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.3.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.3.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.3.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.3.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.3.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.3.0-dev,true,process,process.parent.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.3.0-dev,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.3.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.3.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.3.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.3.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. 
+9.3.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+9.3.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date.
+9.3.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types.
+9.3.0-dev,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file.
+9.3.0-dev,true,process,process.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types.
+9.3.0-dev,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
+9.3.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+9.3.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file.
+9.3.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header.
+9.3.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+9.3.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+9.3.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+9.3.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file.
+9.3.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header.
+9.3.0-dev,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file.
+9.3.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types.
+9.3.0-dev,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file.
+9.3.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+9.3.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+9.3.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+9.3.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name.
+9.3.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+9.3.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+9.3.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type.
+9.3.0-dev,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
+9.3.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+9.3.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+9.3.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list.
+9.3.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+9.3.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type.
+9.3.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+9.3.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+9.3.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
+9.3.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+9.3.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+9.3.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+9.3.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
+9.3.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+9.3.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id.
+9.3.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+9.3.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id.
+9.3.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
+9.3.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
+9.3.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
+9.3.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
+9.3.0-dev,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash.
+9.3.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
+9.3.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+9.3.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash.
+9.3.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
+9.3.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file.
+9.3.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types.
+9.3.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
+9.3.0-dev,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file.
+9.3.0-dev,true,process,process.parent.macho.imports,flattened,extended,array,,List of imported element names and types.
+9.3.0-dev,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file.
+9.3.0-dev,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+9.3.0-dev,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name.
+9.3.0-dev,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size.
+9.3.0-dev,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
+9.3.0-dev,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`.
+9.3.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
+9.3.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name.
+9.3.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name.
+9.3.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+9.3.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+9.3.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+9.3.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+9.3.0-dev,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file.
+9.3.0-dev,true,process,process.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types.
+9.3.0-dev,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
+9.3.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+9.3.0-dev,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file.
+9.3.0-dev,true,process,process.parent.pe.imports,flattened,extended,array,,List of imported element names and types.
+9.3.0-dev,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+9.3.0-dev,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections.
+9.3.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+9.3.0-dev,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file.
+9.3.0-dev,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+9.3.0-dev,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name.
+9.3.0-dev,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size.
+9.3.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
+9.3.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
+9.3.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
+9.3.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+9.3.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
+9.3.0-dev,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
+9.3.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
+9.3.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
+9.3.0-dev,true,process,process.parent.title,keyword,extended,,,Process title.
+9.3.0-dev,true,process,process.parent.title.text,match_only_text,extended,,,Process title.
+9.3.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device.
+9.3.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number.
+9.3.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
+9.3.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
+9.3.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id.
+9.3.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+9.3.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
+9.3.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+9.3.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+9.3.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+9.3.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+9.3.0-dev,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file.
+9.3.0-dev,true,process,process.pe.go_imports,flattened,extended,,,List of imported Go language element names and types.
+9.3.0-dev,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
+9.3.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+9.3.0-dev,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file.
+9.3.0-dev,true,process,process.pe.imports,flattened,extended,array,,List of imported element names and types.
+9.3.0-dev,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+9.3.0-dev,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections.
+9.3.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+9.3.0-dev,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file.
+9.3.0-dev,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+9.3.0-dev,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name.
+9.3.0-dev,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size.
+9.3.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
+9.3.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
+9.3.0-dev,true,process,process.pid,long,core,,4242,Process id.
+9.3.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+9.3.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array.
+9.3.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+9.3.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+9.3.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+9.3.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array.
+9.3.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+9.3.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+9.3.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+9.3.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+9.3.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+9.3.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
+9.3.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name.
+9.3.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name.
+9.3.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+9.3.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id.
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id.
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id.
+9.3.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+9.3.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id.
+9.3.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id.
+9.3.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process.
+9.3.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+9.3.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device.
+9.3.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number.
+9.3.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
+9.3.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id.
+9.3.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+9.3.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
+9.3.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+9.3.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
+9.3.0-dev,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
+9.3.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID.
+9.3.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
+9.3.0-dev,true,process,process.title,keyword,extended,,,Process title.
+9.3.0-dev,true,process,process.title.text,match_only_text,extended,,,Process title.
+9.3.0-dev,true,process,process.tty,object,extended,,,Information about the controlling TTY device.
+9.3.0-dev,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number.
+9.3.0-dev,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
+9.3.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width
+9.3.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height
+9.3.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
+9.3.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id.
+9.3.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+9.3.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
+9.3.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+9.3.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+9.3.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+9.3.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+9.3.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+9.3.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+9.3.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
+9.3.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
+9.3.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
+9.3.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
+9.3.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event.
+9.3.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
+9.3.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
+9.3.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
+9.3.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID
+9.3.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
+9.3.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
+9.3.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
+9.3.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
+9.3.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
+9.3.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version
+9.3.0-dev,true,server,server.address,keyword,extended,,,Server network address.
+9.3.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+9.3.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
+9.3.0-dev,true,server,server.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
+9.3.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
+9.3.0-dev,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server.
+9.3.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
+9.3.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code.
+9.3.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
+9.3.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+9.3.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
+9.3.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+9.3.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+9.3.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code.
+9.3.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+9.3.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
+9.3.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+9.3.0-dev,true,server,server.ip,ip,core,,,IP address of the server.
+9.3.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server.
+9.3.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip
+9.3.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port
+9.3.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
+9.3.0-dev,true,server,server.port,long,core,,,Port of the server.
+9.3.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
+9.3.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
+9.3.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+9.3.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,server,server.user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.3.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. +9.3.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.3.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.3.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.3.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.3.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.3.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 
+9.3.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.3.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. +9.3.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.3.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +9.3.0-dev,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.3.0-dev,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.3.0-dev,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.3.0-dev,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.3.0-dev,true,service,service.origin.state,keyword,core,,,Current state of the service. +9.3.0-dev,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +9.3.0-dev,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +9.3.0-dev,true,service,service.state,keyword,core,,,Current state of the service. +9.3.0-dev,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +9.3.0-dev,true,service,service.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,service,service.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,service,service.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
+9.3.0-dev,true,service,service.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,service,service.target.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,service,service.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,service,service.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,service,service.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,service,service.target.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,service,service.target.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,service,service.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,service,service.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,service,service.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,service,service.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,service,service.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +9.3.0-dev,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +9.3.0-dev,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 
+9.3.0-dev,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +9.3.0-dev,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +9.3.0-dev,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +9.3.0-dev,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +9.3.0-dev,true,service,service.target.state,keyword,core,,,Current state of the service. +9.3.0-dev,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. +9.3.0-dev,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +9.3.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +9.3.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. +9.3.0-dev,true,source,source.address,keyword,extended,,,Source network address. +9.3.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.3.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,source,source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.3.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.3.0-dev,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.3.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. 
+9.3.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,source,source.ip,ip,core,,,IP address of the source. +9.3.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.3.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip +9.3.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port +9.3.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +9.3.0-dev,true,source,source.port,long,core,,,Port of the source. +9.3.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.3.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.3.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.3.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,source,source.user.email,keyword,extended,,,User email address. +9.3.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.3.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +9.3.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +9.3.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +9.3.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.3.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
+9.3.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +9.3.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +9.3.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +9.3.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. 
+9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. 
+9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. 
+9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
+9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.3.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. 
+9.3.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.3.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.3.0-dev,true,threat,threat.enrichments.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.3.0-dev,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
+9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
+9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.3.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
+9.3.0-dev,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.3.0-dev,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. 
+9.3.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +9.3.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +9.3.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +9.3.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +9.3.0-dev,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +9.3.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
+9.3.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +9.3.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +9.3.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +9.3.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +9.3.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.3.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.3.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.3.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.3.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.3.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.3.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
+9.3.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +9.3.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +9.3.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +9.3.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.3.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +9.3.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.3.0-dev,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.3.0-dev,true,threat,threat.enrichments.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.3.0-dev,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.3.0-dev,true,threat,threat.enrichments.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.3.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +9.3.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.3.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +9.3.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. 
+9.3.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.3.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +9.3.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.3.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.3.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+9.3.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.3.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+9.3.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.3.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +9.3.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +9.3.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +9.3.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +9.3.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +9.3.0-dev,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +9.3.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +9.3.0-dev,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +9.3.0-dev,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +9.3.0-dev,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +9.3.0-dev,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. 
+9.3.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +9.3.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +9.3.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +9.3.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +9.3.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +9.3.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.3.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,threat,threat.indicator.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.3.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +9.3.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +9.3.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +9.3.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +9.3.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +9.3.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.3.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
+9.3.0-dev,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.3.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.3.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.3.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.3.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.3.0-dev,true,threat,threat.indicator.file.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.3.0-dev,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.3.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.3.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.3.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +9.3.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +9.3.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +9.3.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +9.3.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. 
+9.3.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.3.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.3.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.3.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +9.3.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +9.3.0-dev,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.3.0-dev,true,threat,threat.indicator.file.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.3.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.3.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.3.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.3.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
+9.3.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.3.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.3.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +9.3.0-dev,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.3.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +9.3.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.3.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.3.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +9.3.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.3.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.3.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. 
+9.3.0-dev,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.3.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.3.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +9.3.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.3.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +9.3.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.3.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.3.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +9.3.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +9.3.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +9.3.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +9.3.0-dev,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.3.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +9.3.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +9.3.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +9.3.0-dev,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. 
+9.3.0-dev,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +9.3.0-dev,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.3.0-dev,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +9.3.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +9.3.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +9.3.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +9.3.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +9.3.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +9.3.0-dev,true,threat,threat.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file. +9.3.0-dev,true,threat,threat.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted. +9.3.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +9.3.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.3.0-dev,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +9.3.0-dev,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.3.0-dev,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
+9.3.0-dev,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.3.0-dev,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.3.0-dev,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.3.0-dev,true,threat,threat.indicator.file.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.3.0-dev,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.3.0-dev,true,threat,threat.indicator.file.pe.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
+9.3.0-dev,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.3.0-dev,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.3.0-dev,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +9.3.0-dev,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +9.3.0-dev,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.3.0-dev,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.3.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +9.3.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +9.3.0-dev,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. +9.3.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +9.3.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +9.3.0-dev,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+9.3.0-dev,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +9.3.0-dev,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +9.3.0-dev,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +9.3.0-dev,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +9.3.0-dev,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +9.3.0-dev,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +9.3.0-dev,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.3.0-dev,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +9.3.0-dev,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +9.3.0-dev,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +9.3.0-dev,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +9.3.0-dev,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+9.3.0-dev,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +9.3.0-dev,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +9.3.0-dev,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +9.3.0-dev,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +9.3.0-dev,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +9.3.0-dev,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +9.3.0-dev,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +9.3.0-dev,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +9.3.0-dev,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +9.3.0-dev,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +9.3.0-dev,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +9.3.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +9.3.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. 
+9.3.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator +9.3.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +9.3.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +9.3.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +9.3.0-dev,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +9.3.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
+9.3.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +9.3.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port +9.3.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +9.3.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +9.3.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +9.3.0-dev,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +9.3.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +9.3.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +9.3.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +9.3.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +9.3.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +9.3.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +9.3.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +9.3.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +9.3.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +9.3.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
+9.3.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +9.3.0-dev,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.3.0-dev,true,threat,threat.indicator.url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +9.3.0-dev,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.3.0-dev,true,threat,threat.indicator.url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +9.3.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +9.3.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +9.3.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +9.3.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +9.3.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +9.3.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +9.3.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +9.3.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.3.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +9.3.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+9.3.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+9.3.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes
+9.3.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+9.3.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+9.3.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+9.3.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+9.3.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+9.3.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid.
+9.3.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid.
+9.3.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+9.3.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+9.3.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+9.3.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+9.3.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+9.3.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+9.3.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+9.3.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code
+9.3.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+9.3.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+9.3.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+9.3.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+9.3.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+9.3.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format.
+9.3.0-dev,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software
+9.3.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software
+9.3.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software.
+9.3.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software.
+9.3.0-dev,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL.
+9.3.0-dev,true,threat,threat.software.type,keyword,extended,,Tool,Software type.
+9.3.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
+9.3.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
+9.3.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
+9.3.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
+9.3.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
+9.3.0-dev,true,threat,threat.technique.name.text,match_only_text,extended,,Command and Scripting Interpreter,Threat technique name.
+9.3.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
+9.3.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
+9.3.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
+9.3.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name.
+9.3.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
+9.3.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
+9.3.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
+9.3.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
+9.3.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
+9.3.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
+9.3.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
+9.3.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+9.3.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake.
+9.3.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid.
+9.3.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid.
+9.3.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI.
+9.3.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client.
+9.3.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello.
+9.3.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+9.3.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+9.3.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes
+9.3.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+9.3.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+9.3.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+9.3.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+9.3.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+9.3.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid.
+9.3.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid.
+9.3.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+9.3.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+9.3.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+9.3.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+9.3.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+9.3.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+9.3.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+9.3.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code
+9.3.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+9.3.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+9.3.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+9.3.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+9.3.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+9.3.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format.
+9.3.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable."
+9.3.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
+9.3.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled.
+9.3.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
+9.3.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server.
+9.3.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server.
+9.3.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
+9.3.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
+9.3.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
+9.3.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server.
+9.3.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake.
+9.3.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid.
+9.3.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid.
+9.3.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server.
+9.3.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+9.3.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+9.3.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes
+9.3.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+9.3.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+9.3.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+9.3.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+9.3.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+9.3.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid.
+9.3.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid.
+9.3.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+9.3.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+9.3.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+9.3.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+9.3.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+9.3.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+9.3.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+9.3.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code
+9.3.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+9.3.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+9.3.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+9.3.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+9.3.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+9.3.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format.
+9.3.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string.
+9.3.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string.
+9.3.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
+9.3.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
+9.3.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url.
+9.3.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+9.3.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
+9.3.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+9.3.0-dev,true,url,url.full.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+9.3.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+9.3.0-dev,true,url,url.original.text,match_only_text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+9.3.0-dev,true,url,url.password,keyword,extended,,,Password of the request.
+9.3.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+9.3.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443."
+9.3.0-dev,true,url,url.query,keyword,extended,,,Query string of the request.
+9.3.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+9.3.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
+9.3.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
+9.3.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+9.3.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
+9.3.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,user,user.changes.email,keyword,extended,,,User email address.
+9.3.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+9.3.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+9.3.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,user,user.effective.email,keyword,extended,,,User email address.
+9.3.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+9.3.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+9.3.0-dev,true,user,user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+9.3.0-dev,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.3.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+9.3.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,user,user.target.email,keyword,extended,,,User email address.
+9.3.0-dev,true,user,user.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,user,user.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,user,user.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,user,user.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,user,user.target.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,user,user.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,user,user.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,user,user.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,user,user.target.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,user,user.target.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,user,user.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,user,user.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,user,user.target.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,user,user.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,user,user.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,user,user.target.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+9.3.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+9.3.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
+9.3.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
+9.3.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+9.3.0-dev,true,user_agent,user_agent.original.text,match_only_text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+9.3.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+9.3.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+9.3.0-dev,true,user_agent,user_agent.os.full.text,match_only_text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+9.3.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+9.3.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+9.3.0-dev,true,user_agent,user_agent.os.name.text,match_only_text,extended,,Mac OS X,"Operating system name, without the version."
+9.3.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+9.3.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)."
+9.3.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+9.3.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent.
+9.3.0-dev,true,volume,volume.bus_type,keyword,extended,,FileBackedVirtual,Bus type of the device.
+9.3.0-dev,true,volume,volume.default_access,keyword,extended,,,Bus type of the device.
+9.3.0-dev,true,volume,volume.device_name,keyword,extended,,,Device name of the volume.
+9.3.0-dev,true,volume,volume.device_type,keyword,extended,,CD-ROM File System,Volume device type.
+9.3.0-dev,true,volume,volume.dos_name,keyword,extended,,E:,DOS name of the device.
+9.3.0-dev,true,volume,volume.file_system_type,keyword,extended,,,Volume device file system type.
+9.3.0-dev,true,volume,volume.mount_name,keyword,extended,,,Mount name of the volume.
+9.3.0-dev,true,volume,volume.nt_name,keyword,extended,,\Device\Cdrom1,NT name of the device.
+9.3.0-dev,true,volume,volume.product_id,keyword,extended,,,ProductID of the device.
+9.3.0-dev,true,volume,volume.product_name,keyword,extended,,Virtual DVD-ROM,Produce name of the volume.
+9.3.0-dev,true,volume,volume.removable,boolean,extended,,,Indicates if the volume is removable.
+9.3.0-dev,true,volume,volume.serial_number,keyword,extended,,,Serial number of the device.
+9.3.0-dev,true,volume,volume.size,long,extended,,,Size of the volume device in bytes.
+9.3.0-dev,true,volume,volume.vendor_id,keyword,extended,,,VendorID of the device.
+9.3.0-dev,true,volume,volume.vendor_name,keyword,extended,,Msft,Vendor name of the device.
+9.3.0-dev,true,volume,volume.writable,boolean,extended,,,Indicates if the volume is writable.
+9.3.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability.
+9.3.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability.
+9.3.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+9.3.0-dev,true,vulnerability,vulnerability.description.text,match_only_text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability.
+9.3.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability.
+9.3.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability.
+9.3.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability.
+9.3.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number.
+9.3.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor.
+9.3.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score.
+9.3.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score.
+9.3.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score.
+9.3.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version.
+9.3.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 8ce7e27f2a..68c3dd6471 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -569,86 +569,6 @@ client.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -client.user.risk.calculated_level: - dashed_name: client-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: client.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -client.user.risk.calculated_score: - dashed_name: client-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: client.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -client.user.risk.calculated_score_norm: - dashed_name: client-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: client.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -client.user.risk.static_level: - dashed_name: client-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: client.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -client.user.risk.static_score: - dashed_name: client-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: client.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -client.user.risk.static_score_norm: - dashed_name: client-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: client.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -2041,86 +1961,6 @@ destination.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -destination.user.risk.calculated_level: - dashed_name: destination-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: destination.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -destination.user.risk.calculated_score: - dashed_name: destination-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: destination.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -destination.user.risk.calculated_score_norm: - dashed_name: destination-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: destination.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -destination.user.risk.static_level: - dashed_name: destination-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: destination.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -destination.user.risk.static_score: - dashed_name: destination-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: destination.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -destination.user.risk.static_score_norm: - dashed_name: destination-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: destination.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -9246,253 +9086,6 @@ process.args_count: stability: development short: Length of the process.args array. type: long -process.attested_groups.domain: - dashed_name: process-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.attested_groups.id: - dashed_name: process-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.attested_groups.name: - dashed_name: process-attested-groups-name - description: Name of the group. - flat_name: process.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.attested_user.domain: - dashed_name: process-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.attested_user.email: - dashed_name: process-attested-user-email - description: User email address. - flat_name: process.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword -process.attested_user.full_name: - dashed_name: process-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.attested_user.group.domain: - dashed_name: process-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.attested_user.group.id: - dashed_name: process-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.attested_user.group.name: - dashed_name: process-attested-user-group-name - description: Name of the group. - flat_name: process.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.attested_user.hash: - dashed_name: process-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.attested_user.id: - dashed_name: process-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.attested_user.name: - dashed_name: process-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.attested_user.risk.calculated_level: - dashed_name: process-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.attested_user.risk.calculated_score: - dashed_name: process-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.attested_user.risk.calculated_score_norm: - dashed_name: process-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.attested_user.risk.static_level: - dashed_name: process-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.attested_user.risk.static_score: - dashed_name: process-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.attested_user.risk.static_score_norm: - dashed_name: process-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.attested_user.roles: - dashed_name: process-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.code_signature.digest_algorithm: dashed_name: process-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. @@ -10116,17 +9709,6 @@ process.end: normalize: [] short: The time the process ended. type: date -process.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. 
@@ -10177,30 +9759,6 @@ process.entry_leader.args_count: original_fieldset: process short: Length of the process.args array. type: long -process.entry_leader.attested_groups.domain: - dashed_name: process-entry-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.attested_groups.id: - dashed_name: process-entry-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword process.entry_leader.attested_groups.name: dashed_name: process-entry-leader-attested-groups-name description: Name of the group. 
@@ -10212,96 +9770,6 @@ process.entry_leader.attested_groups.name: original_fieldset: group short: Name of the group. type: keyword -process.entry_leader.attested_user.domain: - dashed_name: process-entry-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.attested_user.email: - dashed_name: process-entry-leader-attested-user-email - description: User email address. - flat_name: process.entry_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.attested_user.full_name: - dashed_name: process-entry-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.attested_user.group.domain: - dashed_name: process-entry-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.entry_leader.attested_user.group.id: - dashed_name: process-entry-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.attested_user.group.name: - dashed_name: process-entry-leader-attested-user-group-name - description: Name of the group. - flat_name: process.entry_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.attested_user.hash: - dashed_name: process-entry-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword process.entry_leader.attested_user.id: dashed_name: process-entry-leader-attested-user-id description: Unique identifier of the user. 
@@ -10330,31880 +9798,658 @@ process.entry_leader.attested_user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.entry_leader.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.attested_user.risk.calculated_score_norm +process.entry_leader.command_line: + dashed_name: process-entry-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. 
+ + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.command_line level: extended - name: calculated_score_norm + multi_fields: + - flat_name: process.entry_leader.command_line.text + name: text + type: match_only_text + name: command_line normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.attested_user.risk.static_level: - dashed_name: process-entry-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.attested_user.risk.static_level + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.entry_leader.entity_id: + dashed_name: process-entry-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.entity_id ignore_above: 1024 level: extended - name: static_level + name: entity_id normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. + original_fieldset: process + short: Unique identifier for the process. 
type: keyword -process.entry_leader.attested_user.risk.static_score: - dashed_name: process-entry-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.attested_user.risk.static_score - level: extended - name: static_score +process.entry_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.entry_meta.source.ip + level: core + name: ip normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.attested_user.risk.static_score_norm + original_fieldset: source + short: IP address of the source. + type: ip +process.entry_leader.entry_meta.type: + dashed_name: process-entry-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.entry_meta.type + ignore_above: 1024 level: extended - name: static_score_norm + name: entry_meta.type normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float -process.entry_leader.attested_user.roles: - dashed_name: process-entry-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.attested_user.roles + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.entry_leader.executable: + dashed_name: process-entry-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.executable ignore_above: 1024 level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none + multi_fields: + - flat_name: process.entry_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. type: keyword -process.entry_leader.code_signature.digest_algorithm: - dashed_name: process-entry-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.code_signature.digest_algorithm +process.entry_leader.group.id: + dashed_name: process-entry-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.group.id ignore_above: 1024 level: extended - name: digest_algorithm + name: id normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
type: keyword -process.entry_leader.code_signature.exists: - dashed_name: process-entry-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.entry_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.entry_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.entry_leader.code_signature.flags +process.entry_leader.group.name: + dashed_name: process-entry-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.group.name ignore_above: 1024 level: extended - name: flags + name: name normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process + original_fieldset: group + short: Name of the group. type: keyword -process.entry_leader.code_signature.signing_id: - dashed_name: process-entry-leader-code-signature-signing-id - description: 'The identifier used to sign the process. +process.entry_leader.interactive: + dashed_name: process-entry-leader-interactive + description: 'Whether the process is connected to an interactive shell. - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.code_signature.signing_id + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.entry_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.entry_leader.name: + dashed_name: process-entry-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.entry_leader.name ignore_above: 1024 level: extended - name: signing_id + multi_fields: + - flat_name: process.entry_leader.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + original_fieldset: process + short: Process name. type: keyword -process.entry_leader.code_signature.status: - dashed_name: process-entry-leader-code-signature-status - description: 'Additional information about the certificate status. +process.entry_leader.parent.entity_id: + dashed_name: process-entry-leader-parent-entity-id + description: 'Unique identifier for the process. - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.code_signature.status + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.entity_id ignore_above: 1024 level: extended - name: status + name: entity_id normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. + original_fieldset: process + short: Unique identifier for the process. type: keyword -process.entry_leader.code_signature.subject_name: - dashed_name: process-entry-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.code_signature.subject_name - ignore_above: 1024 +process.entry_leader.parent.pid: + dashed_name: process-entry-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.pid + format: string level: core - name: subject_name + name: pid normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.entry_leader.code_signature.team_id: - dashed_name: process-entry-leader-code-signature-team-id - description: 'The team identifier used to sign the process. + original_fieldset: process + short: Process id. + type: long +process.entry_leader.parent.session_leader.entity_id: + dashed_name: process-entry-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.entry_leader.code_signature.team_id + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.session_leader.entity_id ignore_above: 1024 level: extended - name: team_id + name: entity_id normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. + original_fieldset: process + short: Unique identifier for the process. type: keyword -process.entry_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 +process.entry_leader.parent.session_leader.pid: + dashed_name: process-entry-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.pid + format: string + level: core + name: pid normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.entry_leader.code_signature.timestamp: - dashed_name: process-entry-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.code_signature.timestamp + original_fieldset: process + short: Process id. + type: long +process.entry_leader.parent.session_leader.start: + dashed_name: process-entry-leader-parent-session-leader-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.start level: extended - name: timestamp + name: start normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. + original_fieldset: process + short: The time the process started. type: date -process.entry_leader.code_signature.trusted: - dashed_name: process-entry-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. +process.entry_leader.parent.session_leader.vpid: + dashed_name: process-entry-leader-parent-session-leader-vpid + description: 'Virtual process id. - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.entry_leader.code_signature.trusted - level: extended - name: trusted + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.parent.session_leader.vpid + format: string + level: core + name: vpid normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.entry_leader.code_signature.valid: - dashed_name: process-entry-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.entry_leader.code_signature.valid + original_fieldset: process + short: Virtual process id. + type: long +process.entry_leader.parent.start: + dashed_name: process-entry-leader-parent-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.start level: extended - name: valid + name: start normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.entry_leader.command_line: - dashed_name: process-entry-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. + original_fieldset: process + short: The time the process started. + type: date +process.entry_leader.parent.vpid: + dashed_name: process-entry-leader-parent-vpid + description: 'Virtual process id. - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.command_line - level: extended - multi_fields: - - flat_name: process.entry_leader.command_line.text - name: text - type: match_only_text - name: command_line + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.parent.vpid + format: string + level: core + name: vpid normalize: [] original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.entry_leader.elf.architecture: - dashed_name: process-entry-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.entry_leader.elf.architecture + short: Virtual process id. + type: long +process.entry_leader.pid: + dashed_name: process-entry-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. 
+ type: long +process.entry_leader.real_group.id: + dashed_name: process-entry-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.real_group.id ignore_above: 1024 level: extended - name: architecture + name: id normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.elf.byte_order: - dashed_name: process-entry-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.entry_leader.elf.byte_order +process.entry_leader.real_group.name: + dashed_name: process-entry-leader-real-group-name + description: Name of the group. + flat_name: process.entry_leader.real_group.name ignore_above: 1024 level: extended - name: byte_order + name: name normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + original_fieldset: group + short: Name of the group. type: keyword -process.entry_leader.elf.cpu_type: - dashed_name: process-entry-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.entry_leader.elf.cpu_type +process.entry_leader.real_user.id: + dashed_name: process-entry-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.real_user.id ignore_above: 1024 - level: extended - name: cpu_type + level: core + name: id normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.entry_leader.elf.creation_date: - dashed_name: process-entry-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. 
- flat_name: process.entry_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.entry_leader.elf.exports: - dashed_name: process-entry-leader-elf-exports - description: List of exported element names and types. - flat_name: process.entry_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.entry_leader.elf.go_import_hash: - dashed_name: process-entry-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.entry_leader.elf.go_imports: - dashed_name: process-entry-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.elf.go_stripped: - dashed_name: process-entry-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.elf.header.abi_version: - dashed_name: process-entry-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.entry_leader.elf.header.class: - dashed_name: process-entry-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.entry_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. 
- type: keyword -process.entry_leader.elf.header.data: - dashed_name: process-entry-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.entry_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.entry_leader.elf.header.entrypoint: - dashed_name: process-entry-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.entry_leader.elf.header.object_version: - dashed_name: process-entry-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.entry_leader.elf.header.os_abi: - dashed_name: process-entry-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.entry_leader.elf.header.type: - dashed_name: process-entry-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.entry_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.entry_leader.elf.header.version: - dashed_name: process-entry-leader-elf-header-version - description: Version of the ELF header. 
- flat_name: process.entry_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.entry_leader.elf.import_hash: - dashed_name: process-entry-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.entry_leader.elf.imports: - dashed_name: process-entry-leader-elf-imports - description: List of imported element names and types. - flat_name: process.entry_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.entry_leader.elf.imports_names_entropy: - dashed_name: process-entry-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.entry_leader.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.entry_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.elf.sections: - dashed_name: process-entry-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.entry_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.entry_leader.elf.sections.chi2: - dashed_name: process-entry-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.entry_leader.elf.sections.entropy: - dashed_name: process-entry-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.entry_leader.elf.sections.flags: - dashed_name: process-entry-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.entry_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. 
- type: keyword -process.entry_leader.elf.sections.name: - dashed_name: process-entry-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.entry_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.entry_leader.elf.sections.physical_offset: - dashed_name: process-entry-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.entry_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.entry_leader.elf.sections.physical_size: - dashed_name: process-entry-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.entry_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.entry_leader.elf.sections.type: - dashed_name: process-entry-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.entry_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.entry_leader.elf.sections.var_entropy: - dashed_name: process-entry-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. 
- type: long -process.entry_leader.elf.sections.virtual_address: - dashed_name: process-entry-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.entry_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.entry_leader.elf.sections.virtual_size: - dashed_name: process-entry-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.entry_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.entry_leader.elf.segments: - dashed_name: process-entry-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.entry_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.entry_leader.elf.segments.sections: - dashed_name: process-entry-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.entry_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.entry_leader.elf.segments.type: - dashed_name: process-entry-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.entry_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. 
- type: keyword -process.entry_leader.elf.shared_libraries: - dashed_name: process-entry-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.entry_leader.elf.telfhash: - dashed_name: process-entry-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.entry_leader.end: - dashed_name: process-entry-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.entry_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.entry_leader.entity_id: - dashed_name: process-entry-leader-entity-id - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.entry_leader.entry_meta.source.address: - dashed_name: process-entry-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.entry_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.entry_leader.entry_meta.source.as.number: - dashed_name: process-entry-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.entry_leader.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.entry_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.entry_leader.entry_meta.source.bytes: - dashed_name: process-entry-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.entry_leader.entry_meta.source.domain: - dashed_name: process-entry-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.entry_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.entry_leader.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.entry_leader.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. 
- example: NA - flat_name: process.entry_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.entry_leader.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.entry_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.entry_leader.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.entry_leader.entry_meta.source.geo.location: - dashed_name: process-entry-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. 
- type: geo_point -process.entry_leader.entry_meta.source.geo.name: - dashed_name: process-entry-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.entry_leader.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.entry_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.entry_leader.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. 
- type: keyword -process.entry_leader.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.entry_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.entry_leader.entry_meta.source.mac: - dashed_name: process-entry-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.entry_leader.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.entry_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.entry_leader.entry_meta.source.nat.port: - dashed_name: process-entry-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.entry_leader.entry_meta.source.packets: - dashed_name: process-entry-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.entry_leader.entry_meta.source.port: - dashed_name: process-entry-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.entry_leader.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.entry_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.entry_leader.entry_meta.source.subdomain: - dashed_name: process-entry-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.entry_leader.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.entry_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.entry_leader.entry_meta.type: - dashed_name: process-entry-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.entry_leader.env_vars: - dashed_name: process-entry-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.entry_leader.executable: - dashed_name: process-entry-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword -process.entry_leader.exit_code: - dashed_name: process-entry-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.entry_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.entry_leader.group.domain: - dashed_name: process-entry-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.group.id: - dashed_name: process-entry-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.group.name: - dashed_name: process-entry-leader-group-name - description: Name of the group. - flat_name: process.entry_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. 
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.entry_leader.hash.md5: - dashed_name: process-entry-leader-hash-md5 - description: MD5 hash. - flat_name: process.entry_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.entry_leader.hash.sha1: - dashed_name: process-entry-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.entry_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.entry_leader.hash.sha256: - dashed_name: process-entry-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.entry_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.entry_leader.hash.sha384: - dashed_name: process-entry-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.entry_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.entry_leader.hash.sha512: - dashed_name: process-entry-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.entry_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.entry_leader.hash.ssdeep: - dashed_name: process-entry-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.entry_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. 
- type: keyword -process.entry_leader.hash.tlsh: - dashed_name: process-entry-leader-hash-tlsh - description: TLSH hash. - flat_name: process.entry_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.entry_leader.interactive: - dashed_name: process-entry-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.entry_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.entry_leader.io: - dashed_name: process-entry-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.entry_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.entry_leader.io.bytes_skipped: - dashed_name: process-entry-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. 
- flat_name: process.entry_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.entry_leader.io.bytes_skipped.length: - dashed_name: process-entry-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.entry_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.entry_leader.io.bytes_skipped.offset: - dashed_name: process-entry-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.entry_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.entry_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.entry_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.entry_leader.io.text: - dashed_name: process-entry-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. 
TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.entry_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.entry_leader.io.total_bytes_captured: - dashed_name: process-entry-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.entry_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.entry_leader.io.total_bytes_skipped: - dashed_name: process-entry-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.entry_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.entry_leader.io.type: - dashed_name: process-entry-leader-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.entry_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. 
- type: keyword -process.entry_leader.macho.go_import_hash: - dashed_name: process-entry-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.entry_leader.macho.go_imports: - dashed_name: process-entry-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.macho.go_stripped: - dashed_name: process-entry-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.macho.import_hash: - dashed_name: process-entry-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.entry_leader.macho.imports: - dashed_name: process-entry-leader-macho-imports - description: List of imported element names and types. - flat_name: process.entry_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.entry_leader.macho.imports_names_entropy: - dashed_name: process-entry-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.entry_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.entry_leader.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.macho.sections: - dashed_name: process-entry-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.entry_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.entry_leader.macho.sections.entropy: - dashed_name: process-entry-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.entry_leader.macho.sections.name: - dashed_name: process-entry-leader-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.entry_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.entry_leader.macho.sections.physical_size: - dashed_name: process-entry-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.entry_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.entry_leader.macho.sections.var_entropy: - dashed_name: process-entry-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.macho.sections.virtual_size: - dashed_name: process-entry-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.entry_leader.macho.symhash: - dashed_name: process-entry-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.entry_leader.name: - dashed_name: process-entry-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.entry_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.entry_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.entry_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.entry_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.entry_leader.parent.args: - dashed_name: process-entry-leader-parent-args - description: 'Array of process arguments, starting with the absolute path to the - executable. 
- - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.entry_leader.parent.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.entry_leader.parent.args_count: - dashed_name: process-entry-leader-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.entry_leader.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.entry_leader.parent.attested_groups.domain: - dashed_name: process-entry-leader-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.attested_groups.id: - dashed_name: process-entry-leader-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.attested_groups.name: - dashed_name: process-entry-leader-parent-attested-groups-name - description: Name of the group. 
- flat_name: process.entry_leader.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.attested_user.domain: - dashed_name: process-entry-leader-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.attested_user.email: - dashed_name: process-entry-leader-parent-attested-user-email - description: User email address. - flat_name: process.entry_leader.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.attested_user.full_name: - dashed_name: process-entry-leader-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.attested_user.group.domain: - dashed_name: process-entry-leader-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.attested_user.group.id: - dashed_name: process-entry-leader-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.attested_user.group.name: - dashed_name: process-entry-leader-parent-attested-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.attested_user.hash: - dashed_name: process-entry-leader-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.attested_user.id: - dashed_name: process-entry-leader-parent-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword -process.entry_leader.parent.attested_user.name: - dashed_name: process-entry-leader-parent-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.entry_leader.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.attested_user.risk.static_level: - dashed_name: process-entry-leader-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.attested_user.risk.static_score: - dashed_name: process-entry-leader-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.entry_leader.parent.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.attested_user.roles: - dashed_name: process-entry-leader-parent-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.code_signature.digest_algorithm: - dashed_name: process-entry-leader-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.entry_leader.parent.code_signature.exists: - dashed_name: process-entry-leader-parent-code-signature-exists - description: Boolean to capture if a signature is present. 
- example: 'true' - flat_name: process.entry_leader.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.entry_leader.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.entry_leader.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.entry_leader.parent.code_signature.signing_id: - dashed_name: process-entry-leader-parent-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.entry_leader.parent.code_signature.status: - dashed_name: process-entry-leader-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword -process.entry_leader.parent.code_signature.subject_name: - dashed_name: process-entry-leader-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.entry_leader.parent.code_signature.team_id: - dashed_name: process-entry-leader-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.entry_leader.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.entry_leader.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.parent.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.entry_leader.parent.code_signature.timestamp: - dashed_name: process-entry-leader-parent-code-signature-timestamp - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.parent.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.entry_leader.parent.code_signature.trusted: - dashed_name: process-entry-leader-parent-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.entry_leader.parent.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.entry_leader.parent.code_signature.valid: - dashed_name: process-entry-leader-parent-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.entry_leader.parent.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.entry_leader.parent.command_line: - dashed_name: process-entry-leader-parent-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.parent.command_line - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.entry_leader.parent.elf.architecture: - dashed_name: process-entry-leader-parent-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.entry_leader.parent.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.entry_leader.parent.elf.byte_order: - dashed_name: process-entry-leader-parent-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.entry_leader.parent.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.entry_leader.parent.elf.cpu_type: - dashed_name: process-entry-leader-parent-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.entry_leader.parent.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.entry_leader.parent.elf.creation_date: - dashed_name: process-entry-leader-parent-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.parent.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. 
- type: date -process.entry_leader.parent.elf.exports: - dashed_name: process-entry-leader-parent-elf-exports - description: List of exported element names and types. - flat_name: process.entry_leader.parent.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.entry_leader.parent.elf.go_import_hash: - dashed_name: process-entry-leader-parent-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.entry_leader.parent.elf.go_imports: - dashed_name: process-entry-leader-parent-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.parent.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.parent.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.elf.go_stripped: - dashed_name: process-entry-leader-parent-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.parent.elf.header.abi_version: - dashed_name: process-entry-leader-parent-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.parent.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.entry_leader.parent.elf.header.class: - dashed_name: process-entry-leader-parent-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.entry_leader.parent.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.entry_leader.parent.elf.header.data: - dashed_name: process-entry-leader-parent-elf-header-data - description: Data table of the ELF header. - flat_name: process.entry_leader.parent.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.entry_leader.parent.elf.header.entrypoint: - dashed_name: process-entry-leader-parent-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.parent.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.entry_leader.parent.elf.header.object_version: - dashed_name: process-entry-leader-parent-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.parent.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.entry_leader.parent.elf.header.os_abi: - dashed_name: process-entry-leader-parent-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.parent.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.entry_leader.parent.elf.header.type: - dashed_name: process-entry-leader-parent-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.entry_leader.parent.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.entry_leader.parent.elf.header.version: - dashed_name: process-entry-leader-parent-elf-header-version - description: Version of the ELF header. - flat_name: process.entry_leader.parent.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.entry_leader.parent.elf.import_hash: - dashed_name: process-entry-leader-parent-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.entry_leader.parent.elf.imports: - dashed_name: process-entry-leader-parent-elf-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.entry_leader.parent.elf.imports_names_entropy: - dashed_name: process-entry-leader-parent-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.entry_leader.parent.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.entry_leader.parent.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.parent.elf.sections: - dashed_name: process-entry-leader-parent-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.entry_leader.parent.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.entry_leader.parent.elf.sections.chi2: - dashed_name: process-entry-leader-parent-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.parent.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.entry_leader.parent.elf.sections.entropy: - dashed_name: process-entry-leader-parent-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.entry_leader.parent.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.elf.sections.flags: - dashed_name: process-entry-leader-parent-elf-sections-flags - description: ELF Section List flags. - flat_name: process.entry_leader.parent.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.entry_leader.parent.elf.sections.name: - dashed_name: process-entry-leader-parent-elf-sections-name - description: ELF Section List name. - flat_name: process.entry_leader.parent.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.entry_leader.parent.elf.sections.physical_offset: - dashed_name: process-entry-leader-parent-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.entry_leader.parent.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.entry_leader.parent.elf.sections.physical_size: - dashed_name: process-entry-leader-parent-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.entry_leader.parent.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.entry_leader.parent.elf.sections.type: - dashed_name: process-entry-leader-parent-elf-sections-type - description: ELF Section List type. 
- flat_name: process.entry_leader.parent.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.entry_leader.parent.elf.sections.var_entropy: - dashed_name: process-entry-leader-parent-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.elf.sections.virtual_address: - dashed_name: process-entry-leader-parent-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.entry_leader.parent.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.entry_leader.parent.elf.sections.virtual_size: - dashed_name: process-entry-leader-parent-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.entry_leader.parent.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.entry_leader.parent.elf.segments: - dashed_name: process-entry-leader-parent-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.entry_leader.parent.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. 
- type: nested -process.entry_leader.parent.elf.segments.sections: - dashed_name: process-entry-leader-parent-elf-segments-sections - description: ELF object segment sections. - flat_name: process.entry_leader.parent.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.entry_leader.parent.elf.segments.type: - dashed_name: process-entry-leader-parent-elf-segments-type - description: ELF object segment type. - flat_name: process.entry_leader.parent.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.entry_leader.parent.elf.shared_libraries: - dashed_name: process-entry-leader-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.parent.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.entry_leader.parent.elf.telfhash: - dashed_name: process-entry-leader-parent-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.parent.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.entry_leader.parent.end: - dashed_name: process-entry-leader-parent-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.entry_leader.parent.endpoint_security_client: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.entry_leader.parent.entity_id: - dashed_name: process-entry-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.entry_leader.parent.entry_meta.source.address: - dashed_name: process-entry-leader-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.entry_leader.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. 
- type: keyword -process.entry_leader.parent.entry_meta.source.as.number: - dashed_name: process-entry-leader-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.entry_leader.parent.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.entry_leader.parent.entry_meta.source.bytes: - dashed_name: process-entry-leader-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.entry_leader.parent.entry_meta.source.domain: - dashed_name: process-entry-leader-parent-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' 
- example: foo.example.com - flat_name: process.entry_leader.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. 
- type: keyword -process.entry_leader.parent.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.location: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.entry_leader.parent.entry_meta.source.geo.name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 - flat_name: process.entry_leader.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_leader.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.entry_leader.parent.entry_meta.source.ip: - dashed_name: process-entry-leader-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip -process.entry_leader.parent.entry_meta.source.mac: - dashed_name: process-entry-leader-parent-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.entry_leader.parent.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.entry_leader.parent.entry_meta.source.nat.port: - dashed_name: process-entry-leader-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.entry_leader.parent.entry_meta.source.packets: - dashed_name: process-entry-leader-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. 
- example: 12 - flat_name: process.entry_leader.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.entry_leader.parent.entry_meta.source.port: - dashed_name: process-entry-leader-parent-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.entry_leader.parent.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_leader.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.entry_leader.parent.entry_meta.source.subdomain: - dashed_name: process-entry-leader-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.entry_leader.parent.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_leader.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.entry_leader.parent.entry_meta.type: - dashed_name: process-entry-leader-parent-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.entry_leader.parent.env_vars: - dashed_name: process-entry-leader-parent-env-vars - description: 'Array of environment variable bindings. 
Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.executable: - dashed_name: process-entry-leader-parent-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.parent.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.entry_leader.parent.exit_code: - dashed_name: process-entry-leader-parent-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.entry_leader.parent.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.entry_leader.parent.group.domain: - dashed_name: process-entry-leader-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.entry_leader.parent.group.id: - dashed_name: process-entry-leader-parent-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.group.name: - dashed_name: process-entry-leader-parent-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.parent.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.entry_leader.parent.hash.md5: - dashed_name: process-entry-leader-parent-hash-md5 - description: MD5 hash. - flat_name: process.entry_leader.parent.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.entry_leader.parent.hash.sha1: - dashed_name: process-entry-leader-parent-hash-sha1 - description: SHA1 hash. - flat_name: process.entry_leader.parent.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.entry_leader.parent.hash.sha256: - dashed_name: process-entry-leader-parent-hash-sha256 - description: SHA256 hash. 
- flat_name: process.entry_leader.parent.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.entry_leader.parent.hash.sha384: - dashed_name: process-entry-leader-parent-hash-sha384 - description: SHA384 hash. - flat_name: process.entry_leader.parent.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.entry_leader.parent.hash.sha512: - dashed_name: process-entry-leader-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.entry_leader.parent.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.entry_leader.parent.hash.ssdeep: - dashed_name: process-entry-leader-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.entry_leader.parent.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.entry_leader.parent.hash.tlsh: - dashed_name: process-entry-leader-parent-hash-tlsh - description: TLSH hash. - flat_name: process.entry_leader.parent.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.entry_leader.parent.interactive: - dashed_name: process-entry-leader-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.entry_leader.parent.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.entry_leader.parent.io: - dashed_name: process-entry-leader-parent-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.entry_leader.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.entry_leader.parent.io.bytes_skipped: - dashed_name: process-entry-leader-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.entry_leader.parent.io.bytes_skipped.length: - dashed_name: process-entry-leader-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. 
- type: long -process.entry_leader.parent.io.bytes_skipped.offset: - dashed_name: process-entry-leader-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.entry_leader.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.entry_leader.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.entry_leader.parent.io.text: - dashed_name: process-entry-leader-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.entry_leader.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. 
- type: wildcard -process.entry_leader.parent.io.total_bytes_captured: - dashed_name: process-entry-leader-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.entry_leader.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.entry_leader.parent.io.total_bytes_skipped: - dashed_name: process-entry-leader-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.entry_leader.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.entry_leader.parent.io.type: - dashed_name: process-entry-leader-parent-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.entry_leader.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.entry_leader.parent.macho.go_import_hash: - dashed_name: process-entry-leader-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.entry_leader.parent.macho.go_imports: - dashed_name: process-entry-leader-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.parent.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.entry_leader.parent.macho.go_stripped: - dashed_name: process-entry-leader-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.parent.macho.import_hash: - dashed_name: process-entry-leader-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.entry_leader.parent.macho.imports: - dashed_name: process-entry-leader-parent-macho-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.entry_leader.parent.macho.imports_names_entropy: - dashed_name: process-entry-leader-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.entry_leader.parent.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.entry_leader.parent.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.parent.macho.sections: - dashed_name: process-entry-leader-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.entry_leader.parent.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.entry_leader.parent.macho.sections.entropy: - dashed_name: process-entry-leader-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.macho.sections.name: - dashed_name: process-entry-leader-parent-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.entry_leader.parent.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.entry_leader.parent.macho.sections.physical_size: - dashed_name: process-entry-leader-parent-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.entry_leader.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.entry_leader.parent.macho.sections.var_entropy: - dashed_name: process-entry-leader-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.macho.sections.virtual_size: - dashed_name: process-entry-leader-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.entry_leader.parent.macho.symhash: - dashed_name: process-entry-leader-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.parent.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.entry_leader.parent.name: - dashed_name: process-entry-leader-parent-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.entry_leader.parent.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.entry_leader.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.entry_leader.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.entry_leader.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword -process.entry_leader.parent.pe.architecture: - dashed_name: process-entry-leader-parent-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.entry_leader.parent.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.entry_leader.parent.pe.company: - dashed_name: process-entry-leader-parent-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.entry_leader.parent.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.entry_leader.parent.pe.description: - dashed_name: process-entry-leader-parent-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.entry_leader.parent.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.entry_leader.parent.pe.file_version: - dashed_name: process-entry-leader-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.entry_leader.parent.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.entry_leader.parent.pe.go_import_hash: - dashed_name: process-entry-leader-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.entry_leader.parent.pe.go_imports: - dashed_name: process-entry-leader-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.parent.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.entry_leader.parent.pe.go_stripped: - dashed_name: process-entry-leader-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.parent.pe.imphash: - dashed_name: process-entry-leader-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.entry_leader.parent.pe.import_hash: - dashed_name: process-entry-leader-parent-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.entry_leader.parent.pe.imports: - dashed_name: process-entry-leader-parent-pe-imports - description: List of imported element names and types. 
- flat_name: process.entry_leader.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.entry_leader.parent.pe.imports_names_entropy: - dashed_name: process-entry-leader-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.entry_leader.parent.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.parent.pe.original_file_name: - dashed_name: process-entry-leader-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.entry_leader.parent.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.entry_leader.parent.pe.pehash: - dashed_name: process-entry-leader-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. 
- - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.parent.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.entry_leader.parent.pe.product: - dashed_name: process-entry-leader-parent-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.parent.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.entry_leader.parent.pe.sections: - dashed_name: process-entry-leader-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.entry_leader.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.entry_leader.parent.pe.sections.entropy: - dashed_name: process-entry-leader-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.pe.sections.name: - dashed_name: process-entry-leader-parent-pe-sections-name - description: PE Section List name. 
- flat_name: process.entry_leader.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.entry_leader.parent.pe.sections.physical_size: - dashed_name: process-entry-leader-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.entry_leader.parent.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.entry_leader.parent.pe.sections.var_entropy: - dashed_name: process-entry-leader-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.pe.sections.virtual_size: - dashed_name: process-entry-leader-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.entry_leader.parent.pid: - dashed_name: process-entry-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.entry_leader.parent.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.entry_leader.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.entry_leader.parent.real_group.domain: - dashed_name: process-entry-leader-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.real_group.id: - dashed_name: process-entry-leader-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.real_group.name: - dashed_name: process-entry-leader-parent-real-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.real_user.domain: - dashed_name: process-entry-leader-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.real_user.email: - dashed_name: process-entry-leader-parent-real-user-email - description: User email address. - flat_name: process.entry_leader.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.real_user.full_name: - dashed_name: process-entry-leader-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.real_user.group.domain: - dashed_name: process-entry-leader-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.real_user.group.id: - dashed_name: process-entry-leader-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.entry_leader.parent.real_user.group.name: - dashed_name: process-entry-leader-parent-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.real_user.hash: - dashed_name: process-entry-leader-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.real_user.id: - dashed_name: process-entry-leader-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.real_user.name: - dashed_name: process-entry-leader-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.entry_leader.parent.real_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.real_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.entry_leader.parent.real_user.risk.static_level: - dashed_name: process-entry-leader-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.real_user.risk.static_score: - dashed_name: process-entry-leader-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.real_user.roles: - dashed_name: process-entry-leader-parent-real-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.same_as_process: - dashed_name: process-entry-leader-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.entry_leader.parent.saved_group.domain: - dashed_name: process-entry-leader-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.saved_group.id: - dashed_name: process-entry-leader-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.saved_group.name: - dashed_name: process-entry-leader-parent-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.saved_user.domain: - dashed_name: process-entry-leader-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.saved_user.email: - dashed_name: process-entry-leader-parent-saved-user-email - description: User email address. - flat_name: process.entry_leader.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.saved_user.full_name: - dashed_name: process-entry-leader-parent-saved-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.entry_leader.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.saved_user.group.domain: - dashed_name: process-entry-leader-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.saved_user.group.id: - dashed_name: process-entry-leader-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.saved_user.group.name: - dashed_name: process-entry-leader-parent-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.saved_user.hash: - dashed_name: process-entry-leader-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.entry_leader.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.saved_user.id: - dashed_name: process-entry-leader-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.saved_user.name: - dashed_name: process-entry-leader-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.entry_leader.parent.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.saved_user.risk.static_level: - dashed_name: process-entry-leader-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.entry_leader.parent.saved_user.risk.static_score: - dashed_name: process-entry-leader-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.saved_user.roles: - dashed_name: process-entry-leader-parent-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.args: - dashed_name: process-entry-leader-parent-session-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.entry_leader.parent.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.entry_leader.parent.session_leader.args_count: - dashed_name: process-entry-leader-parent-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.entry_leader.parent.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.entry_leader.parent.session_leader.attested_groups.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.attested_groups.id: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.entry_leader.parent.session_leader.attested_groups.name: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.attested_user.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.session_leader.attested_user.email: - dashed_name: process-entry-leader-parent-session-leader-attested-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.session_leader.attested_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword -process.entry_leader.parent.session_leader.attested_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.attested_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.attested_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.attested_user.hash: - dashed_name: process-entry-leader-parent-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.entry_leader.parent.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.session_leader.attested_user.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.session_leader.attested_user.name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.session_leader.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.entry_leader.parent.session_leader.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.session_leader.attested_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.entry_leader.parent.session_leader.attested_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.session_leader.attested_user.roles: - dashed_name: process-entry-leader-parent-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.code_signature.digest_algorithm: - dashed_name: process-entry-leader-parent-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.parent.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.entry_leader.parent.session_leader.code_signature.exists: - dashed_name: process-entry-leader-parent-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.entry_leader.parent.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.entry_leader.parent.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.entry_leader.parent.session_leader.code_signature.signing_id: - dashed_name: process-entry-leader-parent-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. 
The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.parent.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.entry_leader.parent.session_leader.code_signature.status: - dashed_name: process-entry-leader-parent-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.parent.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.entry_leader.parent.session_leader.code_signature.subject_name: - dashed_name: process-entry-leader-parent-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.parent.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.entry_leader.parent.session_leader.code_signature.team_id: - dashed_name: process-entry-leader-parent-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' 
- example: EQHXZ8M8AV - flat_name: process.entry_leader.parent.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.entry_leader.parent.session_leader.code_signature.timestamp: - dashed_name: process-entry-leader-parent-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.parent.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.entry_leader.parent.session_leader.code_signature.trusted: - dashed_name: process-entry-leader-parent-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' 
- example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.entry_leader.parent.session_leader.code_signature.valid: - dashed_name: process-entry-leader-parent-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.entry_leader.parent.session_leader.command_line: - dashed_name: process-entry-leader-parent-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.parent.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.entry_leader.parent.session_leader.elf.architecture: - dashed_name: process-entry-leader-parent-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.entry_leader.parent.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. 
- type: keyword -process.entry_leader.parent.session_leader.elf.byte_order: - dashed_name: process-entry-leader-parent-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.entry_leader.parent.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.cpu_type: - dashed_name: process-entry-leader-parent-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.entry_leader.parent.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.creation_date: - dashed_name: process-entry-leader-parent-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.parent.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.entry_leader.parent.session_leader.elf.exports: - dashed_name: process-entry-leader-parent-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.entry_leader.parent.session_leader.elf.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.go_imports: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.parent.session_leader.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.session_leader.elf.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.parent.session_leader.elf.header.abi_version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.parent.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.entry_leader.parent.session_leader.elf.header.class: - dashed_name: process-entry-leader-parent-session-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.header.data: - dashed_name: process-entry-leader-parent-session-leader-elf-header-data - description: Data table of the ELF header. 
- flat_name: process.entry_leader.parent.session_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.entry_leader.parent.session_leader.elf.header.entrypoint: - dashed_name: process-entry-leader-parent-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.entry_leader.parent.session_leader.elf.header.object_version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.parent.session_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.entry_leader.parent.session_leader.elf.header.os_abi: - dashed_name: process-entry-leader-parent-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.parent.session_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.entry_leader.parent.session_leader.elf.header.type: - dashed_name: process-entry-leader-parent-session-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. 
- type: keyword -process.entry_leader.parent.session_leader.elf.header.version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.entry_leader.parent.session_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.entry_leader.parent.session_leader.elf.import_hash: - dashed_name: process-entry-leader-parent-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.imports: - dashed_name: process-entry-leader-parent-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.entry_leader.parent.session_leader.elf.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.entry_leader.parent.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.entry_leader.parent.session_leader.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.parent.session_leader.elf.sections: - dashed_name: process-entry-leader-parent-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.entry_leader.parent.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.entry_leader.parent.session_leader.elf.sections.chi2: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.parent.session_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. 
- type: long -process.entry_leader.parent.session_leader.elf.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.session_leader.elf.sections.flags: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.entry_leader.parent.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.entry_leader.parent.session_leader.elf.sections.name: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.entry_leader.parent.session_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.entry_leader.parent.session_leader.elf.sections.physical_offset: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.entry_leader.parent.session_leader.elf.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-size - description: ELF Section List physical size. 
- flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.entry_leader.parent.session_leader.elf.sections.type: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.entry_leader.parent.session_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.entry_leader.parent.session_leader.elf.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.session_leader.elf.sections.virtual_address: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.entry_leader.parent.session_leader.elf.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. 
- flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.entry_leader.parent.session_leader.elf.segments: - dashed_name: process-entry-leader-parent-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.entry_leader.parent.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.entry_leader.parent.session_leader.elf.segments.sections: - dashed_name: process-entry-leader-parent-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.entry_leader.parent.session_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.entry_leader.parent.session_leader.elf.segments.type: - dashed_name: process-entry-leader-parent-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.entry_leader.parent.session_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.entry_leader.parent.session_leader.elf.shared_libraries: - dashed_name: process-entry-leader-parent-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. 
- flat_name: process.entry_leader.parent.session_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.entry_leader.parent.session_leader.elf.telfhash: - dashed_name: process-entry-leader-parent-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.entry_leader.parent.session_leader.end: - dashed_name: process-entry-leader-parent-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.entry_leader.parent.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.parent.session_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.entry_leader.parent.session_leader.entity_id: - dashed_name: process-entry-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.session_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.address: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.as.number: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. 
- type: long -process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.bytes: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.entry_leader.parent.session_leader.entry_meta.source.domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-city-name - description: City name. 
- example: Montreal - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-name - description: Country name. 
- example: Canada - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.location: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.entry_leader.parent.session_leader.entry_meta.source.geo.name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. 
- type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip -process.entry_leader.parent.session_leader.entry_meta.source.mac: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.entry_leader.parent.session_leader.entry_meta.source.nat.port: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.entry_leader.parent.session_leader.entry_meta.source.packets: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.entry_leader.parent.session_leader.entry_meta.source.port: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.entry_leader.parent.session_leader.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. 
- type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.subdomain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). 
- type: keyword -process.entry_leader.parent.session_leader.entry_meta.type: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.entry_leader.parent.session_leader.env_vars: - dashed_name: process-entry-leader-parent-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.parent.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.executable: - dashed_name: process-entry-leader-parent-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.parent.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword -process.entry_leader.parent.session_leader.exit_code: - dashed_name: process-entry-leader-parent-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.entry_leader.parent.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.entry_leader.parent.session_leader.group.domain: - dashed_name: process-entry-leader-parent-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.group.id: - dashed_name: process-entry-leader-parent-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.group.name: - dashed_name: process-entry-leader-parent-session-leader-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.hash.cdhash: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.parent.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.entry_leader.parent.session_leader.hash.md5: - dashed_name: process-entry-leader-parent-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.entry_leader.parent.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.entry_leader.parent.session_leader.hash.sha1: - dashed_name: process-entry-leader-parent-session-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.entry_leader.parent.session_leader.hash.sha256: - dashed_name: process-entry-leader-parent-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.entry_leader.parent.session_leader.hash.sha384: - dashed_name: process-entry-leader-parent-session-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. 
- type: keyword -process.entry_leader.parent.session_leader.hash.sha512: - dashed_name: process-entry-leader-parent-session-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.entry_leader.parent.session_leader.hash.ssdeep: - dashed_name: process-entry-leader-parent-session-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.entry_leader.parent.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.entry_leader.parent.session_leader.hash.tlsh: - dashed_name: process-entry-leader-parent-session-leader-hash-tlsh - description: TLSH hash. - flat_name: process.entry_leader.parent.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.entry_leader.parent.session_leader.interactive: - dashed_name: process-entry-leader-parent-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' 
- example: true - flat_name: process.entry_leader.parent.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.entry_leader.parent.session_leader.io: - dashed_name: process-entry-leader-parent-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.entry_leader.parent.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.entry_leader.parent.session_leader.io.bytes_skipped: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.entry_leader.parent.session_leader.io.bytes_skipped.length: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.entry_leader.parent.session_leader.io.bytes_skipped.offset: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-parent-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.entry_leader.parent.session_leader.io.text: - dashed_name: process-entry-leader-parent-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.entry_leader.parent.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.entry_leader.parent.session_leader.io.total_bytes_captured: - dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. 
- flat_name: process.entry_leader.parent.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.entry_leader.parent.session_leader.io.total_bytes_skipped: - dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.entry_leader.parent.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.entry_leader.parent.session_leader.io.type: - dashed_name: process-entry-leader-parent-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.entry_leader.parent.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.entry_leader.parent.session_leader.macho.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.entry_leader.parent.session_leader.macho.go_imports: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.parent.session_leader.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.entry_leader.parent.session_leader.macho.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.parent.session_leader.macho.import_hash: - dashed_name: process-entry-leader-parent-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.entry_leader.parent.session_leader.macho.imports: - dashed_name: process-entry-leader-parent-session-leader-macho-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.entry_leader.parent.session_leader.macho.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.entry_leader.parent.session_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.entry_leader.parent.session_leader.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.parent.session_leader.macho.sections: - dashed_name: process-entry-leader-parent-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.entry_leader.parent.session_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.entry_leader.parent.session_leader.macho.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. 
- type: long -process.entry_leader.parent.session_leader.macho.sections.name: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.entry_leader.parent.session_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.entry_leader.parent.session_leader.macho.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.entry_leader.parent.session_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.entry_leader.parent.session_leader.macho.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.session_leader.macho.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.session_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
- type: long -process.entry_leader.parent.session_leader.macho.symhash: - dashed_name: process-entry-leader-parent-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.parent.session_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.entry_leader.parent.session_leader.name: - dashed_name: process-entry-leader-parent-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.entry_leader.parent.session_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.entry_leader.parent.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.entry_leader.parent.session_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.entry_leader.parent.session_leader.origin_url: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.parent.session_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.entry_leader.parent.session_leader.pe.architecture: - dashed_name: process-entry-leader-parent-session-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.entry_leader.parent.session_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.entry_leader.parent.session_leader.pe.company: - dashed_name: process-entry-leader-parent-session-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.entry_leader.parent.session_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.entry_leader.parent.session_leader.pe.description: - dashed_name: process-entry-leader-parent-session-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.entry_leader.parent.session_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. 
- type: keyword -process.entry_leader.parent.session_leader.pe.file_version: - dashed_name: process-entry-leader-parent-session-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.entry_leader.parent.session_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.entry_leader.parent.session_leader.pe.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.entry_leader.parent.session_leader.pe.go_imports: - dashed_name: process-entry-leader-parent-session-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.parent.session_leader.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.session_leader.pe.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.parent.session_leader.pe.imphash: - dashed_name: process-entry-leader-parent-session-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
- example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.parent.session_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.entry_leader.parent.session_leader.pe.import_hash: - dashed_name: process-entry-leader-parent-session-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.entry_leader.parent.session_leader.pe.imports: - dashed_name: process-entry-leader-parent-session-leader-pe-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.session_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.entry_leader.parent.session_leader.pe.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.session_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. 
- type: long -process.entry_leader.parent.session_leader.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.parent.session_leader.pe.original_file_name: - dashed_name: process-entry-leader-parent-session-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.entry_leader.parent.session_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.entry_leader.parent.session_leader.pe.pehash: - dashed_name: process-entry-leader-parent-session-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.parent.session_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. 
- type: keyword -process.entry_leader.parent.session_leader.pe.product: - dashed_name: process-entry-leader-parent-session-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.parent.session_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.entry_leader.parent.session_leader.pe.sections: - dashed_name: process-entry-leader-parent-session-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.entry_leader.parent.session_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.entry_leader.parent.session_leader.pe.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.session_leader.pe.sections.name: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-name - description: PE Section List name. - flat_name: process.entry_leader.parent.session_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword -process.entry_leader.parent.session_leader.pe.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.entry_leader.parent.session_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.entry_leader.parent.session_leader.pe.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.session_leader.pe.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.session_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.entry_leader.parent.session_leader.pid: - dashed_name: process-entry-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.entry_leader.parent.session_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.entry_leader.parent.session_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.entry_leader.parent.session_leader.real_group.domain: - dashed_name: process-entry-leader-parent-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.real_group.id: - dashed_name: process-entry-leader-parent-session-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.real_group.name: - dashed_name: process-entry-leader-parent-session-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.entry_leader.parent.session_leader.real_user.domain: - dashed_name: process-entry-leader-parent-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.session_leader.real_user.email: - dashed_name: process-entry-leader-parent-session-leader-real-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.session_leader.real_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.session_leader.real_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.entry_leader.parent.session_leader.real_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.real_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.real_user.hash: - dashed_name: process-entry-leader-parent-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.session_leader.real_user.id: - dashed_name: process-entry-leader-parent-session-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword -process.entry_leader.parent.session_leader.real_user.name: - dashed_name: process-entry-leader-parent-session-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.session_leader.real_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.session_leader.real_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.session_leader.real_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.session_leader.real_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.entry_leader.parent.session_leader.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.session_leader.real_user.roles: - dashed_name: process-entry-leader-parent-session-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.same_as_process: - dashed_name: process-entry-leader-parent-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. 
e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.parent.session_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.entry_leader.parent.session_leader.saved_group.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.saved_group.id: - dashed_name: process-entry-leader-parent-session-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.saved_group.name: - dashed_name: process-entry-leader-parent-session-leader-saved-group-name - description: Name of the group. 
- flat_name: process.entry_leader.parent.session_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.saved_user.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.session_leader.saved_user.email: - dashed_name: process-entry-leader-parent-session-leader-saved-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.session_leader.saved_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.session_leader.saved_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.session_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.saved_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.saved_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.saved_user.hash: - dashed_name: process-entry-leader-parent-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.session_leader.saved_user.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.session_leader.saved_user.name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.session_leader.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.session_leader.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.session_leader.saved_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.session_leader.saved_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.session_leader.saved_user.roles: - dashed_name: process-entry-leader-parent-session-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.start: - dashed_name: process-entry-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. 
- type: date -process.entry_leader.parent.session_leader.supplemental_groups.domain: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.supplemental_groups.id: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.supplemental_groups.name: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.thread.capabilities.effective: - dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.session_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.thread.capabilities.permitted: - dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.session_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.thread.id: - dashed_name: process-entry-leader-parent-session-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.parent.session_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.entry_leader.parent.session_leader.thread.name: - dashed_name: process-entry-leader-parent-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.entry_leader.parent.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.entry_leader.parent.session_leader.title: - dashed_name: process-entry-leader-parent-session-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. 
Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.entry_leader.parent.session_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.entry_leader.parent.session_leader.tty: - dashed_name: process-entry-leader-parent-session-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.entry_leader.parent.session_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.entry_leader.parent.session_leader.tty.char_device.major: - dashed_name: process-entry-leader-parent-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.parent.session_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.entry_leader.parent.session_leader.tty.char_device.minor: - dashed_name: process-entry-leader-parent-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. 
It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.parent.session_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.entry_leader.parent.session_leader.tty.columns: - dashed_name: process-entry-leader-parent-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.parent.session_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.entry_leader.parent.session_leader.tty.rows: - dashed_name: process-entry-leader-parent-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.parent.session_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.entry_leader.parent.session_leader.uptime: - dashed_name: process-entry-leader-parent-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.entry_leader.parent.session_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. 
- type: long -process.entry_leader.parent.session_leader.user.domain: - dashed_name: process-entry-leader-parent-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.session_leader.user.email: - dashed_name: process-entry-leader-parent-session-leader-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.session_leader.user.full_name: - dashed_name: process-entry-leader-parent-session-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.session_leader.user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.entry_leader.parent.session_leader.user.group.id: - dashed_name: process-entry-leader-parent-session-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.user.group.name: - dashed_name: process-entry-leader-parent-session-leader-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.user.hash: - dashed_name: process-entry-leader-parent-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.session_leader.user.id: - dashed_name: process-entry-leader-parent-session-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword -process.entry_leader.parent.session_leader.user.name: - dashed_name: process-entry-leader-parent-session-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.session_leader.user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.session_leader.user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.entry_leader.parent.session_leader.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.session_leader.user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.session_leader.user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.entry_leader.parent.session_leader.user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.session_leader.user.roles: - dashed_name: process-entry-leader-parent-session-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.vpid: - dashed_name: process-entry-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.parent.session_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.entry_leader.parent.session_leader.working_directory: - dashed_name: process-entry-leader-parent-session-leader-working-directory - description: The working directory of the process. 
- example: /home/alice - flat_name: process.entry_leader.parent.session_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.entry_leader.parent.start: - dashed_name: process-entry-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.entry_leader.parent.supplemental_groups.domain: - dashed_name: process-entry-leader-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.supplemental_groups.id: - dashed_name: process-entry-leader-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.supplemental_groups.name: - dashed_name: process-entry-leader-parent-supplemental-groups-name - description: Name of the group. 
- flat_name: process.entry_leader.parent.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.thread.capabilities.effective: - dashed_name: process-entry-leader-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.thread.capabilities.permitted: - dashed_name: process-entry-leader-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.thread.id: - dashed_name: process-entry-leader-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.parent.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.entry_leader.parent.thread.name: - dashed_name: process-entry-leader-parent-thread-name - description: Thread name. 
- example: thread-0 - flat_name: process.entry_leader.parent.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.entry_leader.parent.title: - dashed_name: process-entry-leader-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.entry_leader.parent.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.entry_leader.parent.tty: - dashed_name: process-entry-leader-parent-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.entry_leader.parent.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.entry_leader.parent.tty.char_device.major: - dashed_name: process-entry-leader-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.parent.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. 
- type: long -process.entry_leader.parent.tty.char_device.minor: - dashed_name: process-entry-leader-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.parent.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.entry_leader.parent.tty.columns: - dashed_name: process-entry-leader-parent-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.entry_leader.parent.tty.rows: - dashed_name: process-entry-leader-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.entry_leader.parent.uptime: - dashed_name: process-entry-leader-parent-uptime - description: Seconds the process has been up. 
- example: 1325 - flat_name: process.entry_leader.parent.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.entry_leader.parent.user.domain: - dashed_name: process-entry-leader-parent-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.user.email: - dashed_name: process-entry-leader-parent-user-email - description: User email address. - flat_name: process.entry_leader.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.user.full_name: - dashed_name: process-entry-leader-parent-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.user.group.domain: - dashed_name: process-entry-leader-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.entry_leader.parent.user.group.id: - dashed_name: process-entry-leader-parent-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.user.group.name: - dashed_name: process-entry-leader-parent-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.user.hash: - dashed_name: process-entry-leader-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.user.id: - dashed_name: process-entry-leader-parent-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.user.name: - dashed_name: process-entry-leader-parent-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.entry_leader.parent.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.user.risk.calculated_level: - dashed_name: process-entry-leader-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.user.risk.calculated_score: - dashed_name: process-entry-leader-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.entry_leader.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.user.risk.static_level: - dashed_name: process-entry-leader-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.user.risk.static_score: - dashed_name: process-entry-leader-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float -process.entry_leader.parent.user.roles: - dashed_name: process-entry-leader-parent-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.vpid: - dashed_name: process-entry-leader-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.entry_leader.parent.working_directory: - dashed_name: process-entry-leader-parent-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.parent.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.entry_leader.pe.architecture: - dashed_name: process-entry-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.entry_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. 
- type: keyword -process.entry_leader.pe.company: - dashed_name: process-entry-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.entry_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.entry_leader.pe.description: - dashed_name: process-entry-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.entry_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.entry_leader.pe.file_version: - dashed_name: process-entry-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.entry_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.entry_leader.pe.go_import_hash: - dashed_name: process-entry-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.entry_leader.pe.go_imports: - dashed_name: process-entry-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.pe.go_stripped: - dashed_name: process-entry-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.entry_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.pe.imphash: - dashed_name: process-entry-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.entry_leader.pe.import_hash: - dashed_name: process-entry-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.entry_leader.pe.imports: - dashed_name: process-entry-leader-pe-imports - description: List of imported element names and types. - flat_name: process.entry_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. 
- type: flattened -process.entry_leader.pe.imports_names_entropy: - dashed_name: process-entry-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.entry_leader.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.pe.original_file_name: - dashed_name: process-entry-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.entry_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.entry_leader.pe.pehash: - dashed_name: process-entry-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
- example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.entry_leader.pe.product: - dashed_name: process-entry-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.entry_leader.pe.sections: - dashed_name: process-entry-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.entry_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.entry_leader.pe.sections.entropy: - dashed_name: process-entry-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.entry_leader.pe.sections.name: - dashed_name: process-entry-leader-pe-sections-name - description: PE Section List name. - flat_name: process.entry_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword -process.entry_leader.pe.sections.physical_size: - dashed_name: process-entry-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.entry_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.entry_leader.pe.sections.var_entropy: - dashed_name: process-entry-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.pe.sections.virtual_size: - dashed_name: process-entry-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.entry_leader.pid: - dashed_name: process-entry-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.entry_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. 
- flat_name: process.entry_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.entry_leader.real_group.domain: - dashed_name: process-entry-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.real_group.id: - dashed_name: process-entry-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.real_group.name: - dashed_name: process-entry-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.real_user.domain: - dashed_name: process-entry-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.real_user.email: - dashed_name: process-entry-leader-real-user-email - description: User email address. 
- flat_name: process.entry_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.real_user.full_name: - dashed_name: process-entry-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.real_user.group.domain: - dashed_name: process-entry-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.real_user.group.id: - dashed_name: process-entry-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.real_user.group.name: - dashed_name: process-entry-leader-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.entry_leader.real_user.hash: - dashed_name: process-entry-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.real_user.id: - dashed_name: process-entry-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.real_user.name: - dashed_name: process-entry-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.real_user.risk.calculated_level: - dashed_name: process-entry-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.entry_leader.real_user.risk.calculated_score: - dashed_name: process-entry-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.real_user.risk.static_level: - dashed_name: process-entry-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.real_user.risk.static_score: - dashed_name: process-entry-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.entry_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.real_user.roles: - dashed_name: process-entry-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.same_as_process: - dashed_name: process-entry-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. 
e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.entry_leader.saved_group.domain: - dashed_name: process-entry-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.saved_group.id: - dashed_name: process-entry-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.saved_group.name: - dashed_name: process-entry-leader-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.entry_leader.saved_user.domain: - dashed_name: process-entry-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.saved_user.email: - dashed_name: process-entry-leader-saved-user-email - description: User email address. - flat_name: process.entry_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.saved_user.full_name: - dashed_name: process-entry-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.saved_user.group.domain: - dashed_name: process-entry-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.saved_user.group.id: - dashed_name: process-entry-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.entry_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.saved_user.group.name: - dashed_name: process-entry-leader-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.saved_user.hash: - dashed_name: process-entry-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.saved_user.id: - dashed_name: process-entry-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.saved_user.name: - dashed_name: process-entry-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.entry_leader.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.saved_user.risk.static_level: - dashed_name: process-entry-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.entry_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.saved_user.risk.static_score: - dashed_name: process-entry-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.saved_user.roles: - dashed_name: process-entry-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword -process.entry_leader.start: - dashed_name: process-entry-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.entry_leader.supplemental_groups.domain: - dashed_name: process-entry-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.supplemental_groups.id: - dashed_name: process-entry-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.supplemental_groups.name: - dashed_name: process-entry-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.thread.capabilities.effective: - dashed_name: process-entry-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.entry_leader.thread.capabilities.permitted: - dashed_name: process-entry-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.entry_leader.thread.id: - dashed_name: process-entry-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.entry_leader.thread.name: - dashed_name: process-entry-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.entry_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.entry_leader.title: - dashed_name: process-entry-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' 
- flat_name: process.entry_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.entry_leader.tty: - dashed_name: process-entry-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.entry_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.entry_leader.tty.char_device.major: - dashed_name: process-entry-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.entry_leader.tty.char_device.minor: - dashed_name: process-entry-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. 
- type: long -process.entry_leader.tty.columns: - dashed_name: process-entry-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.entry_leader.tty.rows: - dashed_name: process-entry-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.entry_leader.uptime: - dashed_name: process-entry-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.entry_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.entry_leader.user.domain: - dashed_name: process-entry-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.user.email: - dashed_name: process-entry-leader-user-email - description: User email address. 
- flat_name: process.entry_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.user.full_name: - dashed_name: process-entry-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.user.group.domain: - dashed_name: process-entry-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.user.group.id: - dashed_name: process-entry-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.user.group.name: - dashed_name: process-entry-leader-user-group-name - description: Name of the group. - flat_name: process.entry_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.user.hash: - dashed_name: process-entry-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.user.id: - dashed_name: process-entry-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.user.name: - dashed_name: process-entry-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.user.risk.calculated_level: - dashed_name: process-entry-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.user.risk.calculated_score: - dashed_name: process-entry-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.entry_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.user.risk.static_level: - dashed_name: process-entry-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.user.risk.static_score: - dashed_name: process-entry-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.entry_leader.user.risk.static_score_norm: - dashed_name: process-entry-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.user.roles: - dashed_name: process-entry-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.vpid: - dashed_name: process-entry-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.entry_leader.working_directory: - dashed_name: process-entry-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. 
- type: keyword -process.entry_meta.source.address: - dashed_name: process-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.entry_meta.source.as.number: - dashed_name: process-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.entry_meta.source.as.organization.name: - dashed_name: process-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.entry_meta.source.bytes: - dashed_name: process-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. 
- type: long -process.entry_meta.source.domain: - dashed_name: process-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.entry_meta.source.geo.city_name: - dashed_name: process-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.entry_meta.source.geo.continent_code: - dashed_name: process-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.entry_meta.source.geo.continent_name: - dashed_name: process-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. 
- type: keyword -process.entry_meta.source.geo.country_name: - dashed_name: process-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.entry_meta.source.geo.location: - dashed_name: process-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.entry_meta.source.geo.name: - dashed_name: process-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.entry_meta.source.geo.postal_code: - dashed_name: process-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-meta-source-geo-region-iso-code - description: Region ISO code. 
- example: CA-QC - flat_name: process.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.entry_meta.source.geo.region_name: - dashed_name: process-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.entry_meta.source.geo.timezone: - dashed_name: process-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.entry_meta.source.ip: - dashed_name: process-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.entry_meta.source.mac: - dashed_name: process-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. 
- type: keyword -process.entry_meta.source.nat.ip: - dashed_name: process-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.entry_meta.source.nat.port: - dashed_name: process-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.entry_meta.source.packets: - dashed_name: process-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.entry_meta.source.port: - dashed_name: process-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.entry_meta.source.registered_domain: - dashed_name: process-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.entry_meta.source.subdomain: - dashed_name: process-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.entry_meta.source.top_level_domain: - dashed_name: process-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). 
- type: keyword -process.entry_meta.type: - dashed_name: process-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - short: The entry type for the entry session leader. - type: keyword -process.env_vars: - dashed_name: process-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.executable: - dashed_name: process-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - otel: - - attribute: process.executable.path - relation: equivalent - stability: development - short: Absolute path to the process executable. - type: keyword -process.exit_code: - dashed_name: process-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.exit_code - level: extended - name: exit_code - normalize: [] - short: The exit code of the process. - type: long -process.group.domain: - dashed_name: process-group-domain - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group.id: - dashed_name: process-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group.name: - dashed_name: process-group-name - description: Name of the group. - flat_name: process.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.args: - dashed_name: process-group-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.group_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.group_leader.args_count: - dashed_name: process-group-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.group_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. 
- type: long -process.group_leader.attested_groups.domain: - dashed_name: process-group-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.attested_groups.id: - dashed_name: process-group-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.attested_groups.name: - dashed_name: process-group-leader-attested-groups-name - description: Name of the group. - flat_name: process.group_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.attested_user.domain: - dashed_name: process-group-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.group_leader.attested_user.email: - dashed_name: process-group-leader-attested-user-email - description: User email address. - flat_name: process.group_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword -process.group_leader.attested_user.full_name: - dashed_name: process-group-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.group_leader.attested_user.group.domain: - dashed_name: process-group-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.attested_user.group.id: - dashed_name: process-group-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.attested_user.group.name: - dashed_name: process-group-leader-attested-user-group-name - description: Name of the group. - flat_name: process.group_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.attested_user.hash: - dashed_name: process-group-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.group_leader.attested_user.id: - dashed_name: process-group-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.group_leader.attested_user.name: - dashed_name: process-group-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.group_leader.attested_user.risk.calculated_level: - dashed_name: process-group-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.group_leader.attested_user.risk.calculated_score: - dashed_name: process-group-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.group_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-group-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.group_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.group_leader.attested_user.risk.static_level: - dashed_name: process-group-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.group_leader.attested_user.risk.static_score: - dashed_name: process-group-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.group_leader.attested_user.risk.static_score_norm: - dashed_name: process-group-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.group_leader.attested_user.roles: - dashed_name: process-group-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.group_leader.code_signature.digest_algorithm: - dashed_name: process-group-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' 
- example: sha256 - flat_name: process.group_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.group_leader.code_signature.exists: - dashed_name: process-group-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.group_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.group_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.group_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.group_leader.code_signature.signing_id: - dashed_name: process-group-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.group_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.group_leader.code_signature.status: - dashed_name: process-group-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.group_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.group_leader.code_signature.subject_name: - dashed_name: process-group-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.group_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.group_leader.code_signature.team_id: - dashed_name: process-group-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.group_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.group_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.group_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. 
- type: keyword -process.group_leader.code_signature.timestamp: - dashed_name: process-group-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.group_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.group_leader.code_signature.trusted: - dashed_name: process-group-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.group_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.group_leader.code_signature.valid: - dashed_name: process-group-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.group_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.group_leader.command_line: - dashed_name: process-group-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.group_leader.command_line - level: extended - multi_fields: - - flat_name: process.group_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.group_leader.elf.architecture: - dashed_name: process-group-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.group_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.group_leader.elf.byte_order: - dashed_name: process-group-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.group_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.group_leader.elf.cpu_type: - dashed_name: process-group-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.group_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.group_leader.elf.creation_date: - dashed_name: process-group-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.group_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.group_leader.elf.exports: - dashed_name: process-group-leader-elf-exports - description: List of exported element names and types. 
- flat_name: process.group_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.group_leader.elf.go_import_hash: - dashed_name: process-group-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.group_leader.elf.go_imports: - dashed_name: process-group-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.group_leader.elf.go_imports_names_entropy: - dashed_name: process-group-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. 
- type: long -process.group_leader.elf.go_imports_names_var_entropy: - dashed_name: process-group-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.elf.go_stripped: - dashed_name: process-group-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.group_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.group_leader.elf.header.abi_version: - dashed_name: process-group-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.group_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.group_leader.elf.header.class: - dashed_name: process-group-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.group_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.group_leader.elf.header.data: - dashed_name: process-group-leader-elf-header-data - description: Data table of the ELF header. 
- flat_name: process.group_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.group_leader.elf.header.entrypoint: - dashed_name: process-group-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.group_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.group_leader.elf.header.object_version: - dashed_name: process-group-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.group_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.group_leader.elf.header.os_abi: - dashed_name: process-group-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.group_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.group_leader.elf.header.type: - dashed_name: process-group-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.group_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.group_leader.elf.header.version: - dashed_name: process-group-leader-elf-header-version - description: Version of the ELF header. 
- flat_name: process.group_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.group_leader.elf.import_hash: - dashed_name: process-group-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.group_leader.elf.imports: - dashed_name: process-group-leader-elf-imports - description: List of imported element names and types. - flat_name: process.group_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.group_leader.elf.imports_names_entropy: - dashed_name: process-group-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.group_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.group_leader.elf.imports_names_var_entropy: - dashed_name: process-group-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.group_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.group_leader.elf.sections: - dashed_name: process-group-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.group_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.group_leader.elf.sections.chi2: - dashed_name: process-group-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.group_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.group_leader.elf.sections.entropy: - dashed_name: process-group-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.group_leader.elf.sections.flags: - dashed_name: process-group-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.group_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. 
- type: keyword -process.group_leader.elf.sections.name: - dashed_name: process-group-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.group_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.group_leader.elf.sections.physical_offset: - dashed_name: process-group-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.group_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.group_leader.elf.sections.physical_size: - dashed_name: process-group-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.group_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.group_leader.elf.sections.type: - dashed_name: process-group-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.group_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.group_leader.elf.sections.var_entropy: - dashed_name: process-group-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. 
- type: long -process.group_leader.elf.sections.virtual_address: - dashed_name: process-group-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.group_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.group_leader.elf.sections.virtual_size: - dashed_name: process-group-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.group_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.group_leader.elf.segments: - dashed_name: process-group-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.group_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.group_leader.elf.segments.sections: - dashed_name: process-group-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.group_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.group_leader.elf.segments.type: - dashed_name: process-group-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.group_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. 
- type: keyword -process.group_leader.elf.shared_libraries: - dashed_name: process-group-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.group_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.group_leader.elf.telfhash: - dashed_name: process-group-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.group_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.group_leader.end: - dashed_name: process-group-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.group_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.group_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.group_leader.entity_id: - dashed_name: process-group-leader-entity-id - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.group_leader.entry_meta.source.address: - dashed_name: process-group-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.group_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.group_leader.entry_meta.source.as.number: - dashed_name: process-group-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.group_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.group_leader.entry_meta.source.as.organization.name: - dashed_name: process-group-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.group_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.group_leader.entry_meta.source.bytes: - dashed_name: process-group-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.group_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.group_leader.entry_meta.source.domain: - dashed_name: process-group-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.group_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.group_leader.entry_meta.source.geo.city_name: - dashed_name: process-group-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.group_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.group_leader.entry_meta.source.geo.continent_code: - dashed_name: process-group-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. 
- example: NA - flat_name: process.group_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.group_leader.entry_meta.source.geo.continent_name: - dashed_name: process-group-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.group_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.group_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-group-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.group_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.group_leader.entry_meta.source.geo.country_name: - dashed_name: process-group-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.group_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.group_leader.entry_meta.source.geo.location: - dashed_name: process-group-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.group_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. 
- type: geo_point -process.group_leader.entry_meta.source.geo.name: - dashed_name: process-group-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.group_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.group_leader.entry_meta.source.geo.postal_code: - dashed_name: process-group-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.group_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.group_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-group-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.group_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.group_leader.entry_meta.source.geo.region_name: - dashed_name: process-group-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.group_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. 
- type: keyword -process.group_leader.entry_meta.source.geo.timezone: - dashed_name: process-group-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.group_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.group_leader.entry_meta.source.ip: - dashed_name: process-group-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.group_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.group_leader.entry_meta.source.mac: - dashed_name: process-group-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.group_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.group_leader.entry_meta.source.nat.ip: - dashed_name: process-group-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.group_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.group_leader.entry_meta.source.nat.port: - dashed_name: process-group-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.group_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.group_leader.entry_meta.source.packets: - dashed_name: process-group-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.group_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.group_leader.entry_meta.source.port: - dashed_name: process-group-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.group_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.group_leader.entry_meta.source.registered_domain: - dashed_name: process-group-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.group_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.group_leader.entry_meta.source.subdomain: - dashed_name: process-group-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.group_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.group_leader.entry_meta.source.top_level_domain: - dashed_name: process-group-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.group_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.group_leader.entry_meta.type: - dashed_name: process-group-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.group_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.group_leader.env_vars: - dashed_name: process-group-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.group_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.group_leader.executable: - dashed_name: process-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.group_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword -process.group_leader.exit_code: - dashed_name: process-group-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.group_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.group_leader.group.domain: - dashed_name: process-group-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.group.id: - dashed_name: process-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.group.name: - dashed_name: process-group-leader-group-name - description: Name of the group. - flat_name: process.group_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. 
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.group_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.group_leader.hash.md5: - dashed_name: process-group-leader-hash-md5 - description: MD5 hash. - flat_name: process.group_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.group_leader.hash.sha1: - dashed_name: process-group-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.group_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.group_leader.hash.sha256: - dashed_name: process-group-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.group_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.group_leader.hash.sha384: - dashed_name: process-group-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.group_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.group_leader.hash.sha512: - dashed_name: process-group-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.group_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.group_leader.hash.ssdeep: - dashed_name: process-group-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.group_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. 
- type: keyword -process.group_leader.hash.tlsh: - dashed_name: process-group-leader-hash-tlsh - description: TLSH hash. - flat_name: process.group_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.group_leader.interactive: - dashed_name: process-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.group_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.group_leader.io: - dashed_name: process-group-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.group_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.group_leader.io.bytes_skipped: - dashed_name: process-group-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. 
- flat_name: process.group_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.group_leader.io.bytes_skipped.length: - dashed_name: process-group-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.group_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.group_leader.io.bytes_skipped.offset: - dashed_name: process-group-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.group_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.group_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-group-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.group_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.group_leader.io.text: - dashed_name: process-group-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. 
TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.group_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.group_leader.io.total_bytes_captured: - dashed_name: process-group-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.group_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.group_leader.io.total_bytes_skipped: - dashed_name: process-group-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.group_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.group_leader.io.type: - dashed_name: process-group-leader-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.group_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. 
- type: keyword -process.group_leader.macho.go_import_hash: - dashed_name: process-group-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.group_leader.macho.go_imports: - dashed_name: process-group-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.group_leader.macho.go_imports_names_entropy: - dashed_name: process-group-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.macho.go_imports_names_var_entropy: - dashed_name: process-group-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.group_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.macho.go_stripped: - dashed_name: process-group-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.group_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.group_leader.macho.import_hash: - dashed_name: process-group-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.group_leader.macho.imports: - dashed_name: process-group-leader-macho-imports - description: List of imported element names and types. - flat_name: process.group_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.group_leader.macho.imports_names_entropy: - dashed_name: process-group-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.group_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.group_leader.macho.imports_names_var_entropy: - dashed_name: process-group-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.group_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.group_leader.macho.sections: - dashed_name: process-group-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.group_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.group_leader.macho.sections.entropy: - dashed_name: process-group-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.group_leader.macho.sections.name: - dashed_name: process-group-leader-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.group_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.group_leader.macho.sections.physical_size: - dashed_name: process-group-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.group_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.group_leader.macho.sections.var_entropy: - dashed_name: process-group-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.group_leader.macho.sections.virtual_size: - dashed_name: process-group-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.group_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.group_leader.macho.symhash: - dashed_name: process-group-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.group_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.group_leader.name: - dashed_name: process-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.group_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.group_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.group_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.group_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.group_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.group_leader.pe.architecture: - dashed_name: process-group-leader-pe-architecture - description: CPU architecture target for the file. 
- example: x64 - flat_name: process.group_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.group_leader.pe.company: - dashed_name: process-group-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.group_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.group_leader.pe.description: - dashed_name: process-group-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.group_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.group_leader.pe.file_version: - dashed_name: process-group-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.group_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.group_leader.pe.go_import_hash: - dashed_name: process-group-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.group_leader.pe.go_imports: - dashed_name: process-group-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.group_leader.pe.go_imports_names_entropy: - dashed_name: process-group-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.pe.go_imports_names_var_entropy: - dashed_name: process-group-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.pe.go_stripped: - dashed_name: process-group-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.group_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.group_leader.pe.imphash: - dashed_name: process-group-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.group_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.group_leader.pe.import_hash: - dashed_name: process-group-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.group_leader.pe.imports: - dashed_name: process-group-leader-pe-imports - description: List of imported element names and types. - flat_name: process.group_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. 
- type: flattened -process.group_leader.pe.imports_names_entropy: - dashed_name: process-group-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.group_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.group_leader.pe.imports_names_var_entropy: - dashed_name: process-group-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.group_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.group_leader.pe.original_file_name: - dashed_name: process-group-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.group_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.group_leader.pe.pehash: - dashed_name: process-group-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
- example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.group_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.group_leader.pe.product: - dashed_name: process-group-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.group_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.group_leader.pe.sections: - dashed_name: process-group-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.group_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.group_leader.pe.sections.entropy: - dashed_name: process-group-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.group_leader.pe.sections.name: - dashed_name: process-group-leader-pe-sections-name - description: PE Section List name. - flat_name: process.group_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword -process.group_leader.pe.sections.physical_size: - dashed_name: process-group-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.group_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.group_leader.pe.sections.var_entropy: - dashed_name: process-group-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.group_leader.pe.sections.virtual_size: - dashed_name: process-group-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.group_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.group_leader.pid: - dashed_name: process-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. - type: long -process.group_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. 
- flat_name: process.group_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.group_leader.real_group.domain: - dashed_name: process-group-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.real_group.id: - dashed_name: process-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.real_group.name: - dashed_name: process-group-leader-real-group-name - description: Name of the group. - flat_name: process.group_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.real_user.domain: - dashed_name: process-group-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.group_leader.real_user.email: - dashed_name: process-group-leader-real-user-email - description: User email address. 
- flat_name: process.group_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.group_leader.real_user.full_name: - dashed_name: process-group-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.group_leader.real_user.group.domain: - dashed_name: process-group-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.real_user.group.id: - dashed_name: process-group-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.real_user.group.name: - dashed_name: process-group-leader-real-user-group-name - description: Name of the group. - flat_name: process.group_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.group_leader.real_user.hash: - dashed_name: process-group-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.group_leader.real_user.id: - dashed_name: process-group-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.group_leader.real_user.name: - dashed_name: process-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.group_leader.real_user.risk.calculated_level: - dashed_name: process-group-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.group_leader.real_user.risk.calculated_score: - dashed_name: process-group-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.group_leader.real_user.risk.calculated_score_norm: - dashed_name: process-group-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.group_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.group_leader.real_user.risk.static_level: - dashed_name: process-group-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.group_leader.real_user.risk.static_score: - dashed_name: process-group-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.group_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.group_leader.real_user.risk.static_score_norm: - dashed_name: process-group-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.group_leader.real_user.roles: - dashed_name: process-group-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.group_leader.same_as_process: - dashed_name: process-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. 
e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.group_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.group_leader.saved_group.domain: - dashed_name: process-group-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.saved_group.id: - dashed_name: process-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.saved_group.name: - dashed_name: process-group-leader-saved-group-name - description: Name of the group. - flat_name: process.group_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.group_leader.saved_user.domain: - dashed_name: process-group-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.group_leader.saved_user.email: - dashed_name: process-group-leader-saved-user-email - description: User email address. - flat_name: process.group_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.group_leader.saved_user.full_name: - dashed_name: process-group-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.group_leader.saved_user.group.domain: - dashed_name: process-group-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.saved_user.group.id: - dashed_name: process-group-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.group_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.saved_user.group.name: - dashed_name: process-group-leader-saved-user-group-name - description: Name of the group. - flat_name: process.group_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.saved_user.hash: - dashed_name: process-group-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.group_leader.saved_user.id: - dashed_name: process-group-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.group_leader.saved_user.name: - dashed_name: process-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.group_leader.saved_user.risk.calculated_level: - dashed_name: process-group-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.group_leader.saved_user.risk.calculated_score: - dashed_name: process-group-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.group_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-group-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.group_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.group_leader.saved_user.risk.static_level: - dashed_name: process-group-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.group_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.group_leader.saved_user.risk.static_score: - dashed_name: process-group-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.group_leader.saved_user.risk.static_score_norm: - dashed_name: process-group-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.group_leader.saved_user.roles: - dashed_name: process-group-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword -process.group_leader.start: - dashed_name: process-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.group_leader.supplemental_groups.domain: - dashed_name: process-group-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.supplemental_groups.id: - dashed_name: process-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.supplemental_groups.name: - dashed_name: process-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.group_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.thread.capabilities.effective: - dashed_name: process-group-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.group_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.group_leader.thread.capabilities.permitted: - dashed_name: process-group-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.group_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.group_leader.thread.id: - dashed_name: process-group-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.group_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.group_leader.thread.name: - dashed_name: process-group-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.group_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.group_leader.title: - dashed_name: process-group-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' 
- flat_name: process.group_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.group_leader.tty: - dashed_name: process-group-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.group_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.group_leader.tty.char_device.major: - dashed_name: process-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.group_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.group_leader.tty.char_device.minor: - dashed_name: process-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.group_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. 
- type: long -process.group_leader.tty.columns: - dashed_name: process-group-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.group_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.group_leader.tty.rows: - dashed_name: process-group-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.group_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.group_leader.uptime: - dashed_name: process-group-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.group_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.group_leader.user.domain: - dashed_name: process-group-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.group_leader.user.email: - dashed_name: process-group-leader-user-email - description: User email address. 
- flat_name: process.group_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.group_leader.user.full_name: - dashed_name: process-group-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.group_leader.user.group.domain: - dashed_name: process-group-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.user.group.id: - dashed_name: process-group-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.user.group.name: - dashed_name: process-group-leader-user-group-name - description: Name of the group. - flat_name: process.group_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.user.hash: - dashed_name: process-group-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.group_leader.user.id: - dashed_name: process-group-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.group_leader.user.name: - dashed_name: process-group-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.group_leader.user.risk.calculated_level: - dashed_name: process-group-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.group_leader.user.risk.calculated_score: - dashed_name: process-group-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.group_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.group_leader.user.risk.calculated_score_norm: - dashed_name: process-group-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.group_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.group_leader.user.risk.static_level: - dashed_name: process-group-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.group_leader.user.risk.static_score: - dashed_name: process-group-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.group_leader.user.risk.static_score_norm: - dashed_name: process-group-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.group_leader.user.roles: - dashed_name: process-group-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.group_leader.vpid: - dashed_name: process-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.group_leader.working_directory: - dashed_name: process-group-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.group_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. 
- type: keyword -process.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.hash.md5: - dashed_name: process-hash-md5 - description: MD5 hash. - flat_name: process.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.hash.sha1: - dashed_name: process-hash-sha1 - description: SHA1 hash. - flat_name: process.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.hash.sha256: - dashed_name: process-hash-sha256 - description: SHA256 hash. - flat_name: process.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.hash.sha384: - dashed_name: process-hash-sha384 - description: SHA384 hash. - flat_name: process.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.hash.sha512: - dashed_name: process-hash-sha512 - description: SHA512 hash. - flat_name: process.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.hash.ssdeep: - dashed_name: process-hash-ssdeep - description: SSDEEP hash. - flat_name: process.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. 
- type: keyword -process.hash.tlsh: - dashed_name: process-hash-tlsh - description: TLSH hash. - flat_name: process.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.interactive: - dashed_name: process-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.interactive - level: extended - name: interactive - normalize: [] - otel: - - relation: match - stability: development - short: Whether the process is connected to an interactive shell. - type: boolean -process.io: - dashed_name: process-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.io - level: extended - name: io - normalize: [] - short: A chunk of input or output (IO) from a single process. - type: object -process.io.bytes_skipped: - dashed_name: process-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - short: An array of byte offsets and lengths denoting where IO data has been skipped. 
- type: object -process.io.bytes_skipped.length: - dashed_name: process-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - short: The length of bytes skipped. - type: long -process.io.bytes_skipped.offset: - dashed_name: process-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.io.max_bytes_per_process_exceeded: - dashed_name: process-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.io.text: - dashed_name: process-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.io.text - level: extended - name: io.text - normalize: [] - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.io.total_bytes_captured: - dashed_name: process-io-total-bytes-captured - description: The total number of bytes captured in this event. 
- flat_name: process.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - short: The total number of bytes captured in this event. - type: long -process.io.total_bytes_skipped: - dashed_name: process-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.io.type: - dashed_name: process-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.macho.go_import_hash: - dashed_name: process-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. 
- type: keyword -process.macho.go_imports: - dashed_name: process-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.macho.go_imports_names_entropy: - dashed_name: process-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.macho.go_imports_names_var_entropy: - dashed_name: process-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.macho.go_stripped: - dashed_name: process-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.macho.import_hash: - dashed_name: process-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.macho.imports: - dashed_name: process-macho-imports - description: List of imported element names and types. - flat_name: process.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.macho.imports_names_entropy: - dashed_name: process-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.macho.imports_names_var_entropy: - dashed_name: process-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.macho.sections: - dashed_name: process-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. 
- type: nested -process.macho.sections.entropy: - dashed_name: process-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.macho.sections.name: - dashed_name: process-macho-sections-name - description: Mach-O Section List name. - flat_name: process.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.macho.sections.physical_size: - dashed_name: process-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.macho.sections.var_entropy: - dashed_name: process-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.macho.sections.virtual_size: - dashed_name: process-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.macho.symhash: - dashed_name: process-macho-symhash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.name: - dashed_name: process-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.name.text - name: text - type: match_only_text - name: name - normalize: [] - short: Process name. - type: keyword -process.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - short: The URL where the process's executable file is hosted. - type: keyword -process.parent.args: - dashed_name: process-parent-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.parent.args_count: - dashed_name: process-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.parent.attested_groups.domain: - dashed_name: process-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.attested_groups.id: - dashed_name: process-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.attested_groups.name: - dashed_name: process-parent-attested-groups-name - description: Name of the group. - flat_name: process.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.parent.attested_user.domain: - dashed_name: process-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.attested_user.email: - dashed_name: process-parent-attested-user-email - description: User email address. - flat_name: process.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.attested_user.full_name: - dashed_name: process-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.attested_user.group.domain: - dashed_name: process-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.attested_user.group.id: - dashed_name: process-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.attested_user.group.name: - dashed_name: process-parent-attested-user-group-name - description: Name of the group. - flat_name: process.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.attested_user.hash: - dashed_name: process-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.attested_user.id: - dashed_name: process-parent-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.attested_user.name: - dashed_name: process-parent-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.parent.attested_user.risk.calculated_level: - dashed_name: process-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.attested_user.risk.calculated_score: - dashed_name: process-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.attested_user.risk.static_level: - dashed_name: process-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.attested_user.risk.static_score: - dashed_name: process-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.attested_user.risk.static_score_norm: - dashed_name: process-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.attested_user.roles: - dashed_name: process-parent-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword -process.parent.code_signature.digest_algorithm: - dashed_name: process-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.parent.code_signature.exists: - dashed_name: process-parent-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.parent.code_signature.signing_id: - dashed_name: process-parent-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. 
- type: keyword -process.parent.code_signature.status: - dashed_name: process-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.parent.code_signature.subject_name: - dashed_name: process-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.parent.code_signature.team_id: - dashed_name: process-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.parent.code_signature.timestamp: - dashed_name: process-parent-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.parent.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.parent.code_signature.trusted: - dashed_name: process-parent-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.parent.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.parent.code_signature.valid: - dashed_name: process-parent-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.parent.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. 
- type: boolean -process.parent.command_line: - dashed_name: process-parent-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.command_line - level: extended - multi_fields: - - flat_name: process.parent.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.parent.elf.architecture: - dashed_name: process-parent-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.parent.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.parent.elf.byte_order: - dashed_name: process-parent-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.parent.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.parent.elf.cpu_type: - dashed_name: process-parent-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.parent.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.parent.elf.creation_date: - dashed_name: process-parent-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. 
- flat_name: process.parent.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.parent.elf.exports: - dashed_name: process-parent-elf-exports - description: List of exported element names and types. - flat_name: process.parent.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.parent.elf.go_import_hash: - dashed_name: process-parent-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.parent.elf.go_imports: - dashed_name: process-parent-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.parent.elf.go_imports_names_entropy: - dashed_name: process-parent-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.parent.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.elf.go_imports_names_var_entropy: - dashed_name: process-parent-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.parent.elf.go_stripped: - dashed_name: process-parent-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.elf.header.abi_version: - dashed_name: process-parent-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.parent.elf.header.class: - dashed_name: process-parent-elf-header-class - description: Header class of the ELF file. - flat_name: process.parent.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.parent.elf.header.data: - dashed_name: process-parent-elf-header-data - description: Data table of the ELF header. 
- flat_name: process.parent.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.parent.elf.header.entrypoint: - dashed_name: process-parent-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.parent.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.parent.elf.header.object_version: - dashed_name: process-parent-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.parent.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.parent.elf.header.os_abi: - dashed_name: process-parent-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.parent.elf.header.type: - dashed_name: process-parent-elf-header-type - description: Header type of the ELF file. - flat_name: process.parent.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.parent.elf.header.version: - dashed_name: process-parent-elf-header-version - description: Version of the ELF header. - flat_name: process.parent.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. 
- type: keyword -process.parent.elf.import_hash: - dashed_name: process-parent-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.parent.elf.imports: - dashed_name: process-parent-elf-imports - description: List of imported element names and types. - flat_name: process.parent.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.parent.elf.imports_names_entropy: - dashed_name: process-parent-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.elf.imports_names_var_entropy: - dashed_name: process-parent-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. 
- type: long -process.parent.elf.sections: - dashed_name: process-parent-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.parent.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.parent.elf.sections.chi2: - dashed_name: process-parent-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.parent.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.parent.elf.sections.entropy: - dashed_name: process-parent-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.parent.elf.sections.flags: - dashed_name: process-parent-elf-sections-flags - description: ELF Section List flags. - flat_name: process.parent.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.parent.elf.sections.name: - dashed_name: process-parent-elf-sections-name - description: ELF Section List name. - flat_name: process.parent.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.parent.elf.sections.physical_offset: - dashed_name: process-parent-elf-sections-physical-offset - description: ELF Section List offset. 
- flat_name: process.parent.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.parent.elf.sections.physical_size: - dashed_name: process-parent-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.parent.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.parent.elf.sections.type: - dashed_name: process-parent-elf-sections-type - description: ELF Section List type. - flat_name: process.parent.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.parent.elf.sections.var_entropy: - dashed_name: process-parent-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.elf.sections.virtual_address: - dashed_name: process-parent-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.parent.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.parent.elf.sections.virtual_size: - dashed_name: process-parent-elf-sections-virtual-size - description: ELF Section List virtual size. 
- flat_name: process.parent.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.parent.elf.segments: - dashed_name: process-parent-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.parent.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.parent.elf.segments.sections: - dashed_name: process-parent-elf-segments-sections - description: ELF object segment sections. - flat_name: process.parent.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.parent.elf.segments.type: - dashed_name: process-parent-elf-segments-type - description: ELF object segment type. - flat_name: process.parent.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.parent.elf.shared_libraries: - dashed_name: process-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.parent.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.parent.elf.telfhash: - dashed_name: process-parent-elf-telfhash - description: telfhash symbol hash for ELF file. 
- flat_name: process.parent.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.parent.end: - dashed_name: process-parent-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.parent.entity_id: - dashed_name: process-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.parent.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.parent.entry_meta.source.address: - dashed_name: process-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. 
The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.parent.entry_meta.source.as.number: - dashed_name: process-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.parent.entry_meta.source.as.organization.name: - dashed_name: process-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.parent.entry_meta.source.bytes: - dashed_name: process-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.parent.entry_meta.source.domain: - dashed_name: process-parent-entry-meta-source-domain - description: 'The domain name of the source system. 
- - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.parent.entry_meta.source.geo.city_name: - dashed_name: process-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.parent.entry_meta.source.geo.continent_code: - dashed_name: process-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.parent.entry_meta.source.geo.continent_name: - dashed_name: process-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. 
- type: keyword -process.parent.entry_meta.source.geo.country_name: - dashed_name: process-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.parent.entry_meta.source.geo.location: - dashed_name: process-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.parent.entry_meta.source.geo.name: - dashed_name: process-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.parent.entry_meta.source.geo.postal_code: - dashed_name: process-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. 
- type: keyword -process.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.parent.entry_meta.source.geo.region_name: - dashed_name: process-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.parent.entry_meta.source.geo.timezone: - dashed_name: process-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.parent.entry_meta.source.ip: - dashed_name: process-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.parent.entry_meta.source.mac: - dashed_name: process-parent-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' 
- example: 00-00-5E-00-53-23 - flat_name: process.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.parent.entry_meta.source.nat.ip: - dashed_name: process-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.parent.entry_meta.source.nat.port: - dashed_name: process-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.parent.entry_meta.source.packets: - dashed_name: process-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.parent.entry_meta.source.port: - dashed_name: process-parent-entry-meta-source-port - description: Port of the source. - flat_name: process.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. 
- type: long -process.parent.entry_meta.source.registered_domain: - dashed_name: process-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.parent.entry_meta.source.subdomain: - dashed_name: process-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.parent.entry_meta.source.top_level_domain: - dashed_name: process-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". 
- - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.parent.entry_meta.type: - dashed_name: process-parent-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.parent.env_vars: - dashed_name: process-parent-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.parent.executable: - dashed_name: process-parent-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.parent.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword -process.parent.exit_code: - dashed_name: process-parent-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.parent.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.parent.group.domain: - dashed_name: process-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group.id: - dashed_name: process-parent-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group.name: - dashed_name: process-parent-group-name - description: Name of the group. - flat_name: process.parent.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.args: - dashed_name: process-parent-group-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.group_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. 
- type: keyword -process.parent.group_leader.args_count: - dashed_name: process-parent-group-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.parent.group_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.parent.group_leader.attested_groups.domain: - dashed_name: process-parent-group-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.attested_groups.id: - dashed_name: process-parent-group-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.attested_groups.name: - dashed_name: process-parent-group-leader-attested-groups-name - description: Name of the group. - flat_name: process.parent.group_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.attested_user.domain: - dashed_name: process-parent-group-leader-attested-user-domain - description: 'Name of the directory the user is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.group_leader.attested_user.email: - dashed_name: process-parent-group-leader-attested-user-email - description: User email address. - flat_name: process.parent.group_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.group_leader.attested_user.full_name: - dashed_name: process-parent-group-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.group_leader.attested_user.group.domain: - dashed_name: process-parent-group-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.attested_user.group.id: - dashed_name: process-parent-group-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.parent.group_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.attested_user.group.name: - dashed_name: process-parent-group-leader-attested-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.attested_user.hash: - dashed_name: process-parent-group-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.group_leader.attested_user.id: - dashed_name: process-parent-group-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.group_leader.attested_user.name: - dashed_name: process-parent-group-leader-attested-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.parent.group_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.group_leader.attested_user.risk.calculated_level: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.group_leader.attested_user.risk.calculated_score: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.group_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.parent.group_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.group_leader.attested_user.risk.static_level: - dashed_name: process-parent-group-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.group_leader.attested_user.risk.static_score: - dashed_name: process-parent-group-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.group_leader.attested_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.parent.group_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.group_leader.attested_user.roles: - dashed_name: process-parent-group-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.code_signature.digest_algorithm: - dashed_name: process-parent-group-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.parent.group_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.parent.group_leader.code_signature.exists: - dashed_name: process-parent-group-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.parent.group_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.parent.group_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-code-signature-flags - description: The flags used to sign the process. 
- example: 570522385 - flat_name: process.parent.group_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.parent.group_leader.code_signature.signing_id: - dashed_name: process-parent-group-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.parent.group_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.parent.group_leader.code_signature.status: - dashed_name: process-parent-group-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.group_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword -process.parent.group_leader.code_signature.subject_name: - dashed_name: process-parent-group-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.parent.group_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.parent.group_leader.code_signature.team_id: - dashed_name: process-parent-group-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.parent.group_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.parent.group_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.group_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.parent.group_leader.code_signature.timestamp: - dashed_name: process-parent-group-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - flat_name: process.parent.group_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.parent.group_leader.code_signature.trusted: - dashed_name: process-parent-group-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.parent.group_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.parent.group_leader.code_signature.valid: - dashed_name: process-parent-group-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.parent.group_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.parent.group_leader.command_line: - dashed_name: process-parent-group-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.group_leader.command_line - level: extended - multi_fields: - - flat_name: process.parent.group_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.parent.group_leader.elf.architecture: - dashed_name: process-parent-group-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.parent.group_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.parent.group_leader.elf.byte_order: - dashed_name: process-parent-group-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.parent.group_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.parent.group_leader.elf.cpu_type: - dashed_name: process-parent-group-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.parent.group_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.parent.group_leader.elf.creation_date: - dashed_name: process-parent-group-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.group_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. 
- type: date -process.parent.group_leader.elf.exports: - dashed_name: process-parent-group-leader-elf-exports - description: List of exported element names and types. - flat_name: process.parent.group_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.parent.group_leader.elf.go_import_hash: - dashed_name: process-parent-group-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.parent.group_leader.elf.go_imports: - dashed_name: process-parent-group-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.parent.group_leader.elf.go_imports_names_entropy: - dashed_name: process-parent-group-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.parent.group_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.group_leader.elf.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.parent.group_leader.elf.go_stripped: - dashed_name: process-parent-group-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.group_leader.elf.header.abi_version: - dashed_name: process-parent-group-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.group_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.parent.group_leader.elf.header.class: - dashed_name: process-parent-group-leader-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.parent.group_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.parent.group_leader.elf.header.data: - dashed_name: process-parent-group-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.parent.group_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.parent.group_leader.elf.header.entrypoint: - dashed_name: process-parent-group-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.parent.group_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.parent.group_leader.elf.header.object_version: - dashed_name: process-parent-group-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.parent.group_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.parent.group_leader.elf.header.os_abi: - dashed_name: process-parent-group-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.group_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.parent.group_leader.elf.header.type: - dashed_name: process-parent-group-leader-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.parent.group_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.parent.group_leader.elf.header.version: - dashed_name: process-parent-group-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.parent.group_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.parent.group_leader.elf.import_hash: - dashed_name: process-parent-group-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.parent.group_leader.elf.imports: - dashed_name: process-parent-group-leader-elf-imports - description: List of imported element names and types. - flat_name: process.parent.group_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.parent.group_leader.elf.imports_names_entropy: - dashed_name: process-parent-group-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.parent.group_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.group_leader.elf.imports_names_var_entropy: - dashed_name: process-parent-group-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.group_leader.elf.sections: - dashed_name: process-parent-group-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.parent.group_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.parent.group_leader.elf.sections.chi2: - dashed_name: process-parent-group-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.parent.group_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.parent.group_leader.elf.sections.entropy: - dashed_name: process-parent-group-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.parent.group_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.parent.group_leader.elf.sections.flags: - dashed_name: process-parent-group-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.parent.group_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.parent.group_leader.elf.sections.name: - dashed_name: process-parent-group-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.parent.group_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.parent.group_leader.elf.sections.physical_offset: - dashed_name: process-parent-group-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.parent.group_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.parent.group_leader.elf.sections.physical_size: - dashed_name: process-parent-group-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.parent.group_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.parent.group_leader.elf.sections.type: - dashed_name: process-parent-group-leader-elf-sections-type - description: ELF Section List type. 
- flat_name: process.parent.group_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.parent.group_leader.elf.sections.var_entropy: - dashed_name: process-parent-group-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.group_leader.elf.sections.virtual_address: - dashed_name: process-parent-group-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.parent.group_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.parent.group_leader.elf.sections.virtual_size: - dashed_name: process-parent-group-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.parent.group_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.parent.group_leader.elf.segments: - dashed_name: process-parent-group-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.parent.group_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. 
- type: nested -process.parent.group_leader.elf.segments.sections: - dashed_name: process-parent-group-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.parent.group_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.parent.group_leader.elf.segments.type: - dashed_name: process-parent-group-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.parent.group_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.parent.group_leader.elf.shared_libraries: - dashed_name: process-parent-group-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.parent.group_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.parent.group_leader.elf.telfhash: - dashed_name: process-parent-group-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.parent.group_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.parent.group_leader.end: - dashed_name: process-parent-group-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.parent.group_leader.endpoint_security_client: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.parent.group_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.parent.group_leader.entity_id: - dashed_name: process-parent-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.parent.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.parent.group_leader.entry_meta.source.address: - dashed_name: process-parent-group-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.parent.group_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. 
- type: keyword -process.parent.group_leader.entry_meta.source.as.number: - dashed_name: process-parent-group-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.parent.group_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.parent.group_leader.entry_meta.source.as.organization.name: - dashed_name: process-parent-group-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.parent.group_leader.entry_meta.source.bytes: - dashed_name: process-parent-group-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.parent.group_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.parent.group_leader.entry_meta.source.domain: - dashed_name: process-parent-group-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' 
- example: foo.example.com - flat_name: process.parent.group_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.parent.group_leader.entry_meta.source.geo.city_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.parent.group_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.parent.group_leader.entry_meta.source.geo.continent_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.parent.group_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.parent.group_leader.entry_meta.source.geo.continent_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.parent.group_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.parent.group_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.parent.group_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. 
- type: keyword -process.parent.group_leader.entry_meta.source.geo.country_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.parent.group_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.parent.group_leader.entry_meta.source.geo.location: - dashed_name: process-parent-group-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.parent.group_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.parent.group_leader.entry_meta.source.geo.name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.parent.group_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.parent.group_leader.entry_meta.source.geo.postal_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 - flat_name: process.parent.group_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.parent.group_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.parent.group_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.parent.group_leader.entry_meta.source.geo.region_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.parent.group_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.parent.group_leader.entry_meta.source.geo.timezone: - dashed_name: process-parent-group-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.parent.group_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.parent.group_leader.entry_meta.source.ip: - dashed_name: process-parent-group-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.parent.group_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip -process.parent.group_leader.entry_meta.source.mac: - dashed_name: process-parent-group-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.parent.group_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.parent.group_leader.entry_meta.source.nat.ip: - dashed_name: process-parent-group-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.parent.group_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.parent.group_leader.entry_meta.source.nat.port: - dashed_name: process-parent-group-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.parent.group_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.parent.group_leader.entry_meta.source.packets: - dashed_name: process-parent-group-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. 
- example: 12 - flat_name: process.parent.group_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.parent.group_leader.entry_meta.source.port: - dashed_name: process-parent-group-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.parent.group_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.parent.group_leader.entry_meta.source.registered_domain: - dashed_name: process-parent-group-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.parent.group_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.parent.group_leader.entry_meta.source.subdomain: - dashed_name: process-parent-group-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.parent.group_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.parent.group_leader.entry_meta.source.top_level_domain: - dashed_name: process-parent-group-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.parent.group_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.parent.group_leader.entry_meta.type: - dashed_name: process-parent-group-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.parent.group_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.parent.group_leader.env_vars: - dashed_name: process-parent-group-leader-env-vars - description: 'Array of environment variable bindings. 
Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.parent.group_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.executable: - dashed_name: process-parent-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.parent.group_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.parent.group_leader.exit_code: - dashed_name: process-parent-group-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.parent.group_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.parent.group_leader.group.domain: - dashed_name: process-parent-group-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.parent.group_leader.group.id: - dashed_name: process-parent-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.group.name: - dashed_name: process-parent-group-leader-group-name - description: Name of the group. - flat_name: process.parent.group_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.group_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.parent.group_leader.hash.md5: - dashed_name: process-parent-group-leader-hash-md5 - description: MD5 hash. - flat_name: process.parent.group_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.parent.group_leader.hash.sha1: - dashed_name: process-parent-group-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.parent.group_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.parent.group_leader.hash.sha256: - dashed_name: process-parent-group-leader-hash-sha256 - description: SHA256 hash. 
- flat_name: process.parent.group_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.parent.group_leader.hash.sha384: - dashed_name: process-parent-group-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.parent.group_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.parent.group_leader.hash.sha512: - dashed_name: process-parent-group-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.parent.group_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.parent.group_leader.hash.ssdeep: - dashed_name: process-parent-group-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.parent.group_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.parent.group_leader.hash.tlsh: - dashed_name: process-parent-group-leader-hash-tlsh - description: TLSH hash. - flat_name: process.parent.group_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.parent.group_leader.interactive: - dashed_name: process-parent-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.parent.group_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.parent.group_leader.io: - dashed_name: process-parent-group-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.parent.group_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.parent.group_leader.io.bytes_skipped: - dashed_name: process-parent-group-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.parent.group_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.parent.group_leader.io.bytes_skipped.length: - dashed_name: process-parent-group-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.parent.group_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. 
- type: long -process.parent.group_leader.io.bytes_skipped.offset: - dashed_name: process-parent-group-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.parent.group_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.parent.group_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-parent-group-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.parent.group_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.parent.group_leader.io.text: - dashed_name: process-parent-group-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.parent.group_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. 
- type: wildcard -process.parent.group_leader.io.total_bytes_captured: - dashed_name: process-parent-group-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.parent.group_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.parent.group_leader.io.total_bytes_skipped: - dashed_name: process-parent-group-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.parent.group_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.parent.group_leader.io.type: - dashed_name: process-parent-group-leader-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.parent.group_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.parent.group_leader.macho.go_import_hash: - dashed_name: process-parent-group-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.parent.group_leader.macho.go_imports: - dashed_name: process-parent-group-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.parent.group_leader.macho.go_imports_names_entropy: - dashed_name: process-parent-group-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.group_leader.macho.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.parent.group_leader.macho.go_stripped: - dashed_name: process-parent-group-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.group_leader.macho.import_hash: - dashed_name: process-parent-group-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.parent.group_leader.macho.imports: - dashed_name: process-parent-group-leader-macho-imports - description: List of imported element names and types. - flat_name: process.parent.group_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.parent.group_leader.macho.imports_names_entropy: - dashed_name: process-parent-group-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.parent.group_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.group_leader.macho.imports_names_var_entropy: - dashed_name: process-parent-group-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.group_leader.macho.sections: - dashed_name: process-parent-group-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.parent.group_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.parent.group_leader.macho.sections.entropy: - dashed_name: process-parent-group-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.parent.group_leader.macho.sections.name: - dashed_name: process-parent-group-leader-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.parent.group_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.parent.group_leader.macho.sections.physical_size: - dashed_name: process-parent-group-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.parent.group_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.parent.group_leader.macho.sections.var_entropy: - dashed_name: process-parent-group-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.group_leader.macho.sections.virtual_size: - dashed_name: process-parent-group-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.group_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.parent.group_leader.macho.symhash: - dashed_name: process-parent-group-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.group_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.parent.group_leader.name: - dashed_name: process-parent-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.parent.group_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.parent.group_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.parent.group_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.parent.group_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.parent.group_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword -process.parent.group_leader.pe.architecture: - dashed_name: process-parent-group-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.parent.group_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.parent.group_leader.pe.company: - dashed_name: process-parent-group-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.parent.group_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.parent.group_leader.pe.description: - dashed_name: process-parent-group-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.parent.group_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.parent.group_leader.pe.file_version: - dashed_name: process-parent-group-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.parent.group_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.parent.group_leader.pe.go_import_hash: - dashed_name: process-parent-group-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.parent.group_leader.pe.go_imports: - dashed_name: process-parent-group-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.parent.group_leader.pe.go_imports_names_entropy: - dashed_name: process-parent-group-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.group_leader.pe.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.parent.group_leader.pe.go_stripped: - dashed_name: process-parent-group-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.group_leader.pe.imphash: - dashed_name: process-parent-group-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.group_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.parent.group_leader.pe.import_hash: - dashed_name: process-parent-group-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.parent.group_leader.pe.imports: - dashed_name: process-parent-group-leader-pe-imports - description: List of imported element names and types. 
- flat_name: process.parent.group_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.parent.group_leader.pe.imports_names_entropy: - dashed_name: process-parent-group-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.group_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.group_leader.pe.imports_names_var_entropy: - dashed_name: process-parent-group-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.group_leader.pe.original_file_name: - dashed_name: process-parent-group-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.parent.group_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.parent.group_leader.pe.pehash: - dashed_name: process-parent-group-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. 
- - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.group_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.parent.group_leader.pe.product: - dashed_name: process-parent-group-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.parent.group_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.parent.group_leader.pe.sections: - dashed_name: process-parent-group-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.parent.group_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.parent.group_leader.pe.sections.entropy: - dashed_name: process-parent-group-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.parent.group_leader.pe.sections.name: - dashed_name: process-parent-group-leader-pe-sections-name - description: PE Section List name. 
- flat_name: process.parent.group_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.parent.group_leader.pe.sections.physical_size: - dashed_name: process-parent-group-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.parent.group_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.parent.group_leader.pe.sections.var_entropy: - dashed_name: process-parent-group-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.group_leader.pe.sections.virtual_size: - dashed_name: process-parent-group-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.group_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.parent.group_leader.pid: - dashed_name: process-parent-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.parent.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.parent.group_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.parent.group_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.parent.group_leader.real_group.domain: - dashed_name: process-parent-group-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.real_group.id: - dashed_name: process-parent-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.real_group.name: - dashed_name: process-parent-group-leader-real-group-name - description: Name of the group. - flat_name: process.parent.group_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.real_user.domain: - dashed_name: process-parent-group-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.group_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.group_leader.real_user.email: - dashed_name: process-parent-group-leader-real-user-email - description: User email address. - flat_name: process.parent.group_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.group_leader.real_user.full_name: - dashed_name: process-parent-group-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.group_leader.real_user.group.domain: - dashed_name: process-parent-group-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.real_user.group.id: - dashed_name: process-parent-group-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.parent.group_leader.real_user.group.name: - dashed_name: process-parent-group-leader-real-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.real_user.hash: - dashed_name: process-parent-group-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.group_leader.real_user.id: - dashed_name: process-parent-group-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.group_leader.real_user.name: - dashed_name: process-parent-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.parent.group_leader.real_user.risk.calculated_level: - dashed_name: process-parent-group-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.group_leader.real_user.risk.calculated_score: - dashed_name: process-parent-group-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.group_leader.real_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.group_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.parent.group_leader.real_user.risk.static_level: - dashed_name: process-parent-group-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.group_leader.real_user.risk.static_score: - dashed_name: process-parent-group-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.group_leader.real_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.group_leader.real_user.roles: - dashed_name: process-parent-group-leader-real-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.same_as_process: - dashed_name: process-parent-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.parent.group_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.parent.group_leader.saved_group.domain: - dashed_name: process-parent-group-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.group_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.saved_group.id: - dashed_name: process-parent-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.saved_group.name: - dashed_name: process-parent-group-leader-saved-group-name - description: Name of the group. - flat_name: process.parent.group_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.saved_user.domain: - dashed_name: process-parent-group-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.group_leader.saved_user.email: - dashed_name: process-parent-group-leader-saved-user-email - description: User email address. - flat_name: process.parent.group_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.group_leader.saved_user.full_name: - dashed_name: process-parent-group-leader-saved-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.parent.group_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.group_leader.saved_user.group.domain: - dashed_name: process-parent-group-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.saved_user.group.id: - dashed_name: process-parent-group-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.saved_user.group.name: - dashed_name: process-parent-group-leader-saved-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.saved_user.hash: - dashed_name: process-parent-group-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.parent.group_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.group_leader.saved_user.id: - dashed_name: process-parent-group-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.group_leader.saved_user.name: - dashed_name: process-parent-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.group_leader.saved_user.risk.calculated_level: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.parent.group_leader.saved_user.risk.calculated_score: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.group_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.group_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.group_leader.saved_user.risk.static_level: - dashed_name: process-parent-group-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.parent.group_leader.saved_user.risk.static_score: - dashed_name: process-parent-group-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.group_leader.saved_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.group_leader.saved_user.roles: - dashed_name: process-parent-group-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.start: - dashed_name: process-parent-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. 
- type: date -process.parent.group_leader.supplemental_groups.domain: - dashed_name: process-parent-group-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.supplemental_groups.id: - dashed_name: process-parent-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.supplemental_groups.name: - dashed_name: process-parent-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.parent.group_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.thread.capabilities.effective: - dashed_name: process-parent-group-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.group_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. 
- synthetic_source_keep: none - type: keyword -process.parent.group_leader.thread.capabilities.permitted: - dashed_name: process-parent-group-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.group_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.thread.id: - dashed_name: process-parent-group-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.parent.group_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.parent.group_leader.thread.name: - dashed_name: process-parent-group-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.parent.group_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.parent.group_leader.title: - dashed_name: process-parent-group-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.parent.group_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. 
- type: keyword -process.parent.group_leader.tty: - dashed_name: process-parent-group-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.parent.group_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.parent.group_leader.tty.char_device.major: - dashed_name: process-parent-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.parent.group_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.parent.group_leader.tty.char_device.minor: - dashed_name: process-parent-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.parent.group_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.parent.group_leader.tty.columns: - dashed_name: process-parent-group-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. 
where event.action = ''text_output''' - example: 80 - flat_name: process.parent.group_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.parent.group_leader.tty.rows: - dashed_name: process-parent-group-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.parent.group_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.parent.group_leader.uptime: - dashed_name: process-parent-group-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.parent.group_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.parent.group_leader.user.domain: - dashed_name: process-parent-group-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.group_leader.user.email: - dashed_name: process-parent-group-leader-user-email - description: User email address. - flat_name: process.parent.group_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword -process.parent.group_leader.user.full_name: - dashed_name: process-parent-group-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.group_leader.user.group.domain: - dashed_name: process-parent-group-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.user.group.id: - dashed_name: process-parent-group-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.user.group.name: - dashed_name: process-parent-group-leader-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.user.hash: - dashed_name: process-parent-group-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.parent.group_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.group_leader.user.id: - dashed_name: process-parent-group-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.group_leader.user.name: - dashed_name: process-parent-group-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.group_leader.user.risk.calculated_level: - dashed_name: process-parent-group-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.group_leader.user.risk.calculated_score: - dashed_name: process-parent-group-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.parent.group_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.group_leader.user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.group_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.group_leader.user.risk.static_level: - dashed_name: process-parent-group-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.group_leader.user.risk.static_score: - dashed_name: process-parent-group-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.parent.group_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.group_leader.user.risk.static_score_norm: - dashed_name: process-parent-group-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.group_leader.user.roles: - dashed_name: process-parent-group-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.vpid: - dashed_name: process-parent-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.parent.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.parent.group_leader.working_directory: - dashed_name: process-parent-group-leader-working-directory - description: The working directory of the process. 
- example: /home/alice - flat_name: process.parent.group_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.parent.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-parent-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.parent.hash.md5: - dashed_name: process-parent-hash-md5 - description: MD5 hash. - flat_name: process.parent.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.parent.hash.sha1: - dashed_name: process-parent-hash-sha1 - description: SHA1 hash. - flat_name: process.parent.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.parent.hash.sha256: - dashed_name: process-parent-hash-sha256 - description: SHA256 hash. - flat_name: process.parent.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.parent.hash.sha384: - dashed_name: process-parent-hash-sha384 - description: SHA384 hash. - flat_name: process.parent.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. 
- type: keyword -process.parent.hash.sha512: - dashed_name: process-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.parent.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.parent.hash.ssdeep: - dashed_name: process-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.parent.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh - description: TLSH hash. - flat_name: process.parent.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.parent.interactive: - dashed_name: process-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.parent.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.parent.io: - dashed_name: process-parent-io - description: 'A chunk of input or output (IO) from a single process. 
- - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.parent.io.bytes_skipped: - dashed_name: process-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.parent.io.bytes_skipped.length: - dashed_name: process-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.parent.io.bytes_skipped.offset: - dashed_name: process-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- flat_name: process.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.parent.io.text: - dashed_name: process-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.parent.io.total_bytes_captured: - dashed_name: process-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.parent.io.total_bytes_skipped: - dashed_name: process-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. 
- type: long -process.parent.io.type: - dashed_name: process-parent-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.parent.macho.go_import_hash: - dashed_name: process-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.parent.macho.go_imports: - dashed_name: process-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.parent.macho.go_imports_names_entropy: - dashed_name: process-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.parent.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.macho.go_imports_names_var_entropy: - dashed_name: process-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.parent.macho.go_stripped: - dashed_name: process-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.macho.import_hash: - dashed_name: process-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.parent.macho.imports: - dashed_name: process-parent-macho-imports - description: List of imported element names and types. 
- flat_name: process.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.parent.macho.imports_names_entropy: - dashed_name: process-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.macho.imports_names_var_entropy: - dashed_name: process-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.macho.sections: - dashed_name: process-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.parent.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.parent.macho.sections.entropy: - dashed_name: process-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. 
- type: long -process.parent.macho.sections.name: - dashed_name: process-parent-macho-sections-name - description: Mach-O Section List name. - flat_name: process.parent.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.parent.macho.sections.physical_size: - dashed_name: process-parent-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.parent.macho.sections.var_entropy: - dashed_name: process-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.macho.sections.virtual_size: - dashed_name: process-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.parent.macho.symhash: - dashed_name: process-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.parent.name: - dashed_name: process-parent-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.parent.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.parent.pe.architecture: - dashed_name: process-parent-pe-architecture - description: CPU architecture target for the file. 
- example: x64 - flat_name: process.parent.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.parent.pe.company: - dashed_name: process-parent-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.parent.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.parent.pe.description: - dashed_name: process-parent-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.parent.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.parent.pe.file_version: - dashed_name: process-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.parent.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.parent.pe.go_import_hash: - dashed_name: process-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.parent.pe.go_imports: - dashed_name: process-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.parent.pe.go_imports_names_entropy: - dashed_name: process-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.pe.go_imports_names_var_entropy: - dashed_name: process-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.parent.pe.go_stripped: - dashed_name: process-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.parent.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.pe.imphash: - dashed_name: process-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.parent.pe.import_hash: - dashed_name: process-parent-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.parent.pe.imports: - dashed_name: process-parent-pe-imports - description: List of imported element names and types. - flat_name: process.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.parent.pe.imports_names_entropy: - dashed_name: process-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.parent.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.pe.imports_names_var_entropy: - dashed_name: process-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.pe.original_file_name: - dashed_name: process-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.parent.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.parent.pe.pehash: - dashed_name: process-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.parent.pe.product: - dashed_name: process-parent-pe-product - description: Internal product name of the file, provided at compile-time. 
- example: Microsoft® Windows® Operating System - flat_name: process.parent.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.parent.pe.sections: - dashed_name: process-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.parent.pe.sections.entropy: - dashed_name: process-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.parent.pe.sections.name: - dashed_name: process-parent-pe-sections-name - description: PE Section List name. - flat_name: process.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.parent.pe.sections.physical_size: - dashed_name: process-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.parent.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.parent.pe.sections.var_entropy: - dashed_name: process-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. 
- flat_name: process.parent.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.pe.sections.virtual_size: - dashed_name: process-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.parent.pid: - dashed_name: process-parent-pid - description: Process id. - example: 4242 - flat_name: process.parent.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.parent.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.parent.real_group.domain: - dashed_name: process-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.parent.real_group.id: - dashed_name: process-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.real_group.name: - dashed_name: process-parent-real-group-name - description: Name of the group. - flat_name: process.parent.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.real_user.domain: - dashed_name: process-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.real_user.email: - dashed_name: process-parent-real-user-email - description: User email address. - flat_name: process.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.real_user.full_name: - dashed_name: process-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword -process.parent.real_user.group.domain: - dashed_name: process-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.real_user.group.id: - dashed_name: process-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.real_user.group.name: - dashed_name: process-parent-real-user-group-name - description: Name of the group. - flat_name: process.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.real_user.hash: - dashed_name: process-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.real_user.id: - dashed_name: process-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword -process.parent.real_user.name: - dashed_name: process-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.real_user.risk.calculated_level: - dashed_name: process-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.real_user.risk.calculated_score: - dashed_name: process-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.real_user.risk.calculated_score_norm: - dashed_name: process-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.real_user.risk.static_level: - dashed_name: process-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.real_user.risk.static_score: - dashed_name: process-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.real_user.risk.static_score_norm: - dashed_name: process-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float -process.parent.real_user.roles: - dashed_name: process-parent-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.same_as_process: - dashed_name: process-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.parent.saved_group.domain: - dashed_name: process-parent-saved-group-domain - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.saved_group.id: - dashed_name: process-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.saved_group.name: - dashed_name: process-parent-saved-group-name - description: Name of the group. - flat_name: process.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.saved_user.domain: - dashed_name: process-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.saved_user.email: - dashed_name: process-parent-saved-user-email - description: User email address. - flat_name: process.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.saved_user.full_name: - dashed_name: process-parent-saved-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.saved_user.group.domain: - dashed_name: process-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.saved_user.group.id: - dashed_name: process-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.saved_user.group.name: - dashed_name: process-parent-saved-user-group-name - description: Name of the group. - flat_name: process.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.saved_user.hash: - dashed_name: process-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. 
- type: keyword -process.parent.saved_user.id: - dashed_name: process-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.saved_user.name: - dashed_name: process-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.saved_user.risk.calculated_level: - dashed_name: process-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.saved_user.risk.calculated_score: - dashed_name: process-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.saved_user.risk.static_level: - dashed_name: process-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.saved_user.risk.static_score: - dashed_name: process-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.saved_user.risk.static_score_norm: - dashed_name: process-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.saved_user.roles: - dashed_name: process-parent-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.start: - dashed_name: process-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.parent.supplemental_groups.domain: - dashed_name: process-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.supplemental_groups.id: - dashed_name: process-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.supplemental_groups.name: - dashed_name: process-parent-supplemental-groups-name - description: Name of the group. 
- flat_name: process.parent.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.thread.capabilities.effective: - dashed_name: process-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.parent.thread.capabilities.permitted: - dashed_name: process-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.parent.thread.id: - dashed_name: process-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.parent.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.parent.thread.name: - dashed_name: process-parent-thread-name - description: Thread name. - example: thread-0 - flat_name: process.parent.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. 
- type: keyword -process.parent.title: - dashed_name: process-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.parent.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.parent.tty: - dashed_name: process-parent-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.parent.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.parent.tty.char_device.major: - dashed_name: process-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.parent.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.parent.tty.char_device.minor: - dashed_name: process-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. 
- example: 1 - flat_name: process.parent.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.parent.tty.columns: - dashed_name: process-parent-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.parent.tty.rows: - dashed_name: process-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.parent.uptime: - dashed_name: process-parent-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.parent.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.parent.user.domain: - dashed_name: process-parent-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword -process.parent.user.email: - dashed_name: process-parent-user-email - description: User email address. - flat_name: process.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.user.full_name: - dashed_name: process-parent-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.user.group.domain: - dashed_name: process-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.user.group.id: - dashed_name: process-parent-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.user.group.name: - dashed_name: process-parent-user-group-name - description: Name of the group. - flat_name: process.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.user.hash: - dashed_name: process-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.user.id: - dashed_name: process-parent-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.user.name: - dashed_name: process-parent-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.user.risk.calculated_level: - dashed_name: process-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.user.risk.calculated_score: - dashed_name: process-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.user.risk.calculated_score_norm: - dashed_name: process-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.user.risk.static_level: - dashed_name: process-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.user.risk.static_score: - dashed_name: process-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.parent.user.risk.static_score_norm: - dashed_name: process-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.user.roles: - dashed_name: process-parent-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.vpid: - dashed_name: process-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.parent.working_directory: - dashed_name: process-parent-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.parent.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. 
- type: keyword -process.pe.architecture: - dashed_name: process-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.pe.company: - dashed_name: process-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.pe.description: - dashed_name: process-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.pe.file_version: - dashed_name: process-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.pe.go_import_hash: - dashed_name: process-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.pe.go_imports: - dashed_name: process-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.pe.go_imports_names_entropy: - dashed_name: process-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.pe.go_imports_names_var_entropy: - dashed_name: process-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.pe.go_stripped: - dashed_name: process-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. 
- type: boolean -process.pe.imphash: - dashed_name: process-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.pe.import_hash: - dashed_name: process-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.pe.imports: - dashed_name: process-pe-imports - description: List of imported element names and types. - flat_name: process.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.pe.imports_names_entropy: - dashed_name: process-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. 
- type: long -process.pe.imports_names_var_entropy: - dashed_name: process-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.pe.original_file_name: - dashed_name: process-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.pe.pehash: - dashed_name: process-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.pe.product: - dashed_name: process-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. 
- type: keyword -process.pe.sections: - dashed_name: process-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.pe.sections.entropy: - dashed_name: process-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.pe.sections.name: - dashed_name: process-pe-sections-name - description: PE Section List name. - flat_name: process.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.pe.sections.physical_size: - dashed_name: process-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.pe.sections.var_entropy: - dashed_name: process-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.pe.sections.virtual_size: - dashed_name: process-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. 
- flat_name: process.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.pid: - dashed_name: process-pid - description: Process id. - example: 4242 - flat_name: process.pid - format: string - level: core - name: pid - normalize: [] - otel: - - relation: match - stability: development - short: Process id. - type: long -process.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.platform_binary - level: extended - name: platform_binary - normalize: [] - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.previous.args: - dashed_name: process-previous-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.previous.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.previous.args_count: - dashed_name: process-previous-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.previous.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. 
- type: long -process.previous.attested_groups.domain: - dashed_name: process-previous-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.attested_groups.id: - dashed_name: process-previous-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.attested_groups.name: - dashed_name: process-previous-attested-groups-name - description: Name of the group. - flat_name: process.previous.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.attested_user.domain: - dashed_name: process-previous-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.previous.attested_user.email: - dashed_name: process-previous-attested-user-email - description: User email address. - flat_name: process.previous.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword -process.previous.attested_user.full_name: - dashed_name: process-previous-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.previous.attested_user.group.domain: - dashed_name: process-previous-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.attested_user.group.id: - dashed_name: process-previous-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.attested_user.group.name: - dashed_name: process-previous-attested-user-group-name - description: Name of the group. - flat_name: process.previous.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.attested_user.hash: - dashed_name: process-previous-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.previous.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.previous.attested_user.id: - dashed_name: process-previous-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.previous.attested_user.name: - dashed_name: process-previous-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.previous.attested_user.risk.calculated_level: - dashed_name: process-previous-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.previous.attested_user.risk.calculated_score: - dashed_name: process-previous-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.previous.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.previous.attested_user.risk.calculated_score_norm: - dashed_name: process-previous-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.previous.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.previous.attested_user.risk.static_level: - dashed_name: process-previous-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.previous.attested_user.risk.static_score: - dashed_name: process-previous-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.previous.attested_user.risk.static_score_norm: - dashed_name: process-previous-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.previous.attested_user.roles: - dashed_name: process-previous-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.previous.code_signature.digest_algorithm: - dashed_name: process-previous-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.previous.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.previous.code_signature.exists: - dashed_name: process-previous-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.previous.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. 
- type: boolean -process.previous.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-previous-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.previous.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.previous.code_signature.signing_id: - dashed_name: process-previous-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.previous.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.previous.code_signature.status: - dashed_name: process-previous-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.previous.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword -process.previous.code_signature.subject_name: - dashed_name: process-previous-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.previous.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.previous.code_signature.team_id: - dashed_name: process-previous-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.previous.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.previous.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-previous-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.previous.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.previous.code_signature.timestamp: - dashed_name: process-previous-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.previous.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. 
- type: date -process.previous.code_signature.trusted: - dashed_name: process-previous-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.previous.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.previous.code_signature.valid: - dashed_name: process-previous-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.previous.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.previous.command_line: - dashed_name: process-previous-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.previous.command_line - level: extended - multi_fields: - - flat_name: process.previous.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.previous.elf.architecture: - dashed_name: process-previous-elf-architecture - description: Machine architecture of the ELF file. 
- example: x86-64 - flat_name: process.previous.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.previous.elf.byte_order: - dashed_name: process-previous-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.previous.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.previous.elf.cpu_type: - dashed_name: process-previous-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.previous.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.previous.elf.creation_date: - dashed_name: process-previous-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.previous.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.previous.elf.exports: - dashed_name: process-previous-elf-exports - description: List of exported element names and types. - flat_name: process.previous.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.previous.elf.go_import_hash: - dashed_name: process-previous-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.previous.elf.go_imports: - dashed_name: process-previous-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.previous.elf.go_imports_names_entropy: - dashed_name: process-previous-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.previous.elf.go_imports_names_var_entropy: - dashed_name: process-previous-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.previous.elf.go_stripped: - dashed_name: process-previous-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.previous.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.previous.elf.header.abi_version: - dashed_name: process-previous-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.previous.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.previous.elf.header.class: - dashed_name: process-previous-elf-header-class - description: Header class of the ELF file. - flat_name: process.previous.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.previous.elf.header.data: - dashed_name: process-previous-elf-header-data - description: Data table of the ELF header. - flat_name: process.previous.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.previous.elf.header.entrypoint: - dashed_name: process-previous-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.previous.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. 
- type: long -process.previous.elf.header.object_version: - dashed_name: process-previous-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.previous.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.previous.elf.header.os_abi: - dashed_name: process-previous-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.previous.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.previous.elf.header.type: - dashed_name: process-previous-elf-header-type - description: Header type of the ELF file. - flat_name: process.previous.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.previous.elf.header.version: - dashed_name: process-previous-elf-header-version - description: Version of the ELF header. - flat_name: process.previous.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.previous.elf.import_hash: - dashed_name: process-previous-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.previous.elf.imports: - dashed_name: process-previous-elf-imports - description: List of imported element names and types. - flat_name: process.previous.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.previous.elf.imports_names_entropy: - dashed_name: process-previous-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.previous.elf.imports_names_var_entropy: - dashed_name: process-previous-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.previous.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.previous.elf.sections: - dashed_name: process-previous-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.previous.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. 
- type: nested -process.previous.elf.sections.chi2: - dashed_name: process-previous-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.previous.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.previous.elf.sections.entropy: - dashed_name: process-previous-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.previous.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.previous.elf.sections.flags: - dashed_name: process-previous-elf-sections-flags - description: ELF Section List flags. - flat_name: process.previous.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.previous.elf.sections.name: - dashed_name: process-previous-elf-sections-name - description: ELF Section List name. - flat_name: process.previous.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.previous.elf.sections.physical_offset: - dashed_name: process-previous-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.previous.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.previous.elf.sections.physical_size: - dashed_name: process-previous-elf-sections-physical-size - description: ELF Section List physical size. 
- flat_name: process.previous.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.previous.elf.sections.type: - dashed_name: process-previous-elf-sections-type - description: ELF Section List type. - flat_name: process.previous.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.previous.elf.sections.var_entropy: - dashed_name: process-previous-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.previous.elf.sections.virtual_address: - dashed_name: process-previous-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.previous.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.previous.elf.sections.virtual_size: - dashed_name: process-previous-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.previous.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.previous.elf.segments: - dashed_name: process-previous-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' 
- flat_name: process.previous.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.previous.elf.segments.sections: - dashed_name: process-previous-elf-segments-sections - description: ELF object segment sections. - flat_name: process.previous.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.previous.elf.segments.type: - dashed_name: process-previous-elf-segments-type - description: ELF object segment type. - flat_name: process.previous.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.previous.elf.shared_libraries: - dashed_name: process-previous-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.previous.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.previous.elf.telfhash: - dashed_name: process-previous-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.previous.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.previous.end: - dashed_name: process-previous-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.previous.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.previous.endpoint_security_client: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.previous.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.previous.entity_id: - dashed_name: process-previous-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.previous.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.previous.entry_meta.source.address: - dashed_name: process-previous-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.previous.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.previous.entry_meta.source.as.number: - dashed_name: process-previous-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. 
The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.previous.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.previous.entry_meta.source.as.organization.name: - dashed_name: process-previous-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.previous.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.previous.entry_meta.source.bytes: - dashed_name: process-previous-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.previous.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.previous.entry_meta.source.domain: - dashed_name: process-previous-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.previous.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.previous.entry_meta.source.geo.city_name: - dashed_name: process-previous-entry-meta-source-geo-city-name - description: City name. 
- example: Montreal - flat_name: process.previous.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.previous.entry_meta.source.geo.continent_code: - dashed_name: process-previous-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.previous.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.previous.entry_meta.source.geo.continent_name: - dashed_name: process-previous-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.previous.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.previous.entry_meta.source.geo.country_iso_code: - dashed_name: process-previous-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.previous.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.previous.entry_meta.source.geo.country_name: - dashed_name: process-previous-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.previous.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.previous.entry_meta.source.geo.location: - dashed_name: process-previous-entry-meta-source-geo-location - description: Longitude and latitude. 
- example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.previous.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.previous.entry_meta.source.geo.name: - dashed_name: process-previous-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.previous.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.previous.entry_meta.source.geo.postal_code: - dashed_name: process-previous-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.previous.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.previous.entry_meta.source.geo.region_iso_code: - dashed_name: process-previous-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.previous.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.previous.entry_meta.source.geo.region_name: - dashed_name: process-previous-entry-meta-source-geo-region-name - description: Region name. 
- example: Quebec - flat_name: process.previous.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.previous.entry_meta.source.geo.timezone: - dashed_name: process-previous-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.previous.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.previous.entry_meta.source.ip: - dashed_name: process-previous-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.previous.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.previous.entry_meta.source.mac: - dashed_name: process-previous-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.previous.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.previous.entry_meta.source.nat.ip: - dashed_name: process-previous-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.previous.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.previous.entry_meta.source.nat.port: - dashed_name: process-previous-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.previous.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.previous.entry_meta.source.packets: - dashed_name: process-previous-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.previous.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.previous.entry_meta.source.port: - dashed_name: process-previous-entry-meta-source-port - description: Port of the source. - flat_name: process.previous.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.previous.entry_meta.source.registered_domain: - dashed_name: process-previous-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.previous.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.previous.entry_meta.source.subdomain: - dashed_name: process-previous-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.previous.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.previous.entry_meta.source.top_level_domain: - dashed_name: process-previous-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.previous.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). 
- type: keyword -process.previous.entry_meta.type: - dashed_name: process-previous-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.previous.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.previous.env_vars: - dashed_name: process-previous-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.previous.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.previous.executable: - dashed_name: process-previous-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.previous.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.previous.exit_code: - dashed_name: process-previous-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.previous.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. 
- type: long -process.previous.group.domain: - dashed_name: process-previous-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.group.id: - dashed_name: process-previous-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.group.name: - dashed_name: process-previous-group-name - description: Name of the group. - flat_name: process.previous.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-previous-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.previous.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.previous.hash.md5: - dashed_name: process-previous-hash-md5 - description: MD5 hash. - flat_name: process.previous.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.previous.hash.sha1: - dashed_name: process-previous-hash-sha1 - description: SHA1 hash. 
- flat_name: process.previous.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.previous.hash.sha256: - dashed_name: process-previous-hash-sha256 - description: SHA256 hash. - flat_name: process.previous.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.previous.hash.sha384: - dashed_name: process-previous-hash-sha384 - description: SHA384 hash. - flat_name: process.previous.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.previous.hash.sha512: - dashed_name: process-previous-hash-sha512 - description: SHA512 hash. - flat_name: process.previous.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.previous.hash.ssdeep: - dashed_name: process-previous-hash-ssdeep - description: SSDEEP hash. - flat_name: process.previous.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.previous.hash.tlsh: - dashed_name: process-previous-hash-tlsh - description: TLSH hash. - flat_name: process.previous.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.previous.interactive: - dashed_name: process-previous-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.previous.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.previous.io: - dashed_name: process-previous-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.previous.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.previous.io.bytes_skipped: - dashed_name: process-previous-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.previous.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.previous.io.bytes_skipped.length: - dashed_name: process-previous-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.previous.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.previous.io.bytes_skipped.offset: - dashed_name: process-previous-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.previous.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.previous.io.max_bytes_per_process_exceeded: - dashed_name: process-previous-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.previous.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.previous.io.text: - dashed_name: process-previous-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.previous.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.previous.io.total_bytes_captured: - dashed_name: process-previous-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.previous.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. 
- type: long -process.previous.io.total_bytes_skipped: - dashed_name: process-previous-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.previous.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.previous.io.type: - dashed_name: process-previous-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.previous.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.previous.macho.go_import_hash: - dashed_name: process-previous-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. 
- type: keyword -process.previous.macho.go_imports: - dashed_name: process-previous-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.previous.macho.go_imports_names_entropy: - dashed_name: process-previous-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.previous.macho.go_imports_names_var_entropy: - dashed_name: process-previous-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.previous.macho.go_stripped: - dashed_name: process-previous-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.previous.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.previous.macho.import_hash: - dashed_name: process-previous-macho-import-hash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.previous.macho.imports: - dashed_name: process-previous-macho-imports - description: List of imported element names and types. - flat_name: process.previous.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.previous.macho.imports_names_entropy: - dashed_name: process-previous-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.previous.macho.imports_names_var_entropy: - dashed_name: process-previous-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.previous.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.previous.macho.sections: - dashed_name: process-previous-macho-sections - description: 'An array containing an object for each section of the Mach-O file. 
- - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.previous.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.previous.macho.sections.entropy: - dashed_name: process-previous-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.previous.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.previous.macho.sections.name: - dashed_name: process-previous-macho-sections-name - description: Mach-O Section List name. - flat_name: process.previous.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.previous.macho.sections.physical_size: - dashed_name: process-previous-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.previous.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.previous.macho.sections.var_entropy: - dashed_name: process-previous-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.previous.macho.sections.virtual_size: - dashed_name: process-previous-macho-sections-virtual-size - description: Mach-O Section List virtual size. 
This is always the same as `physical_size`. - flat_name: process.previous.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.previous.macho.symhash: - dashed_name: process-previous-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.previous.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.previous.name: - dashed_name: process-previous-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.previous.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.previous.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-previous-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.previous.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.previous.origin_url: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.previous.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.previous.pe.architecture: - dashed_name: process-previous-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.previous.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.previous.pe.company: - dashed_name: process-previous-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.previous.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.previous.pe.description: - dashed_name: process-previous-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.previous.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.previous.pe.file_version: - dashed_name: process-previous-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.previous.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. 
- type: keyword -process.previous.pe.go_import_hash: - dashed_name: process-previous-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.previous.pe.go_imports: - dashed_name: process-previous-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.previous.pe.go_imports_names_entropy: - dashed_name: process-previous-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.previous.pe.go_imports_names_var_entropy: - dashed_name: process-previous-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.previous.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.previous.pe.go_stripped: - dashed_name: process-previous-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.previous.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.previous.pe.imphash: - dashed_name: process-previous-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.previous.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.previous.pe.import_hash: - dashed_name: process-previous-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. 
- type: keyword -process.previous.pe.imports: - dashed_name: process-previous-pe-imports - description: List of imported element names and types. - flat_name: process.previous.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.previous.pe.imports_names_entropy: - dashed_name: process-previous-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.previous.pe.imports_names_var_entropy: - dashed_name: process-previous-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.previous.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.previous.pe.original_file_name: - dashed_name: process-previous-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.previous.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.previous.pe.pehash: - dashed_name: process-previous-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. 
- - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.previous.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.previous.pe.product: - dashed_name: process-previous-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.previous.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.previous.pe.sections: - dashed_name: process-previous-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.previous.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.previous.pe.sections.entropy: - dashed_name: process-previous-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.previous.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.previous.pe.sections.name: - dashed_name: process-previous-pe-sections-name - description: PE Section List name. - flat_name: process.previous.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword -process.previous.pe.sections.physical_size: - dashed_name: process-previous-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.previous.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.previous.pe.sections.var_entropy: - dashed_name: process-previous-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.previous.pe.sections.virtual_size: - dashed_name: process-previous-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.previous.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.previous.pid: - dashed_name: process-previous-pid - description: Process id. - example: 4242 - flat_name: process.previous.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.previous.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-previous-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. 
- flat_name: process.previous.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.previous.real_group.domain: - dashed_name: process-previous-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.real_group.id: - dashed_name: process-previous-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.real_group.name: - dashed_name: process-previous-real-group-name - description: Name of the group. - flat_name: process.previous.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.real_user.domain: - dashed_name: process-previous-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.previous.real_user.email: - dashed_name: process-previous-real-user-email - description: User email address. 
- flat_name: process.previous.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.previous.real_user.full_name: - dashed_name: process-previous-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.previous.real_user.group.domain: - dashed_name: process-previous-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.real_user.group.id: - dashed_name: process-previous-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.real_user.group.name: - dashed_name: process-previous-real-user-group-name - description: Name of the group. - flat_name: process.previous.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.real_user.hash: - dashed_name: process-previous-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.previous.real_user.id: - dashed_name: process-previous-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.previous.real_user.name: - dashed_name: process-previous-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.previous.real_user.risk.calculated_level: - dashed_name: process-previous-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.previous.real_user.risk.calculated_score: - dashed_name: process-previous-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.previous.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.previous.real_user.risk.calculated_score_norm: - dashed_name: process-previous-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.previous.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.previous.real_user.risk.static_level: - dashed_name: process-previous-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.previous.real_user.risk.static_score: - dashed_name: process-previous-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.previous.real_user.risk.static_score_norm: - dashed_name: process-previous-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.previous.real_user.roles: - dashed_name: process-previous-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.previous.same_as_process: - dashed_name: process-previous-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. 
e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.previous.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.previous.saved_group.domain: - dashed_name: process-previous-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.saved_group.id: - dashed_name: process-previous-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.saved_group.name: - dashed_name: process-previous-saved-group-name - description: Name of the group. - flat_name: process.previous.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.previous.saved_user.domain: - dashed_name: process-previous-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.previous.saved_user.email: - dashed_name: process-previous-saved-user-email - description: User email address. - flat_name: process.previous.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.previous.saved_user.full_name: - dashed_name: process-previous-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.previous.saved_user.group.domain: - dashed_name: process-previous-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.saved_user.group.id: - dashed_name: process-previous-saved-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.previous.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.saved_user.group.name: - dashed_name: process-previous-saved-user-group-name - description: Name of the group. - flat_name: process.previous.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.saved_user.hash: - dashed_name: process-previous-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.previous.saved_user.id: - dashed_name: process-previous-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.previous.saved_user.name: - dashed_name: process-previous-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.previous.saved_user.risk.calculated_level: - dashed_name: process-previous-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.previous.saved_user.risk.calculated_score: - dashed_name: process-previous-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.previous.saved_user.risk.calculated_score_norm: - dashed_name: process-previous-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.previous.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.previous.saved_user.risk.static_level: - dashed_name: process-previous-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.previous.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.previous.saved_user.risk.static_score: - dashed_name: process-previous-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.previous.saved_user.risk.static_score_norm: - dashed_name: process-previous-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.previous.saved_user.roles: - dashed_name: process-previous-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.previous.start: - dashed_name: process-previous-start - description: The time the process started. 
- example: '2016-05-23T08:05:34.853Z' - flat_name: process.previous.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.previous.supplemental_groups.domain: - dashed_name: process-previous-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.supplemental_groups.id: - dashed_name: process-previous-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.supplemental_groups.name: - dashed_name: process-previous-supplemental-groups-name - description: Name of the group. - flat_name: process.previous.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.thread.capabilities.effective: - dashed_name: process-previous-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.previous.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. 
- synthetic_source_keep: none - type: keyword -process.previous.thread.capabilities.permitted: - dashed_name: process-previous-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.previous.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.previous.thread.id: - dashed_name: process-previous-thread-id - description: Thread ID. - example: 4242 - flat_name: process.previous.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.previous.thread.name: - dashed_name: process-previous-thread-name - description: Thread name. - example: thread-0 - flat_name: process.previous.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.previous.title: - dashed_name: process-previous-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.previous.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.previous.tty: - dashed_name: process-previous-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. 
- flat_name: process.previous.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.previous.tty.char_device.major: - dashed_name: process-previous-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.previous.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.previous.tty.char_device.minor: - dashed_name: process-previous-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.previous.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.previous.tty.columns: - dashed_name: process-previous-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.previous.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. 
e.g terminal width - type: long -process.previous.tty.rows: - dashed_name: process-previous-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.previous.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.previous.uptime: - dashed_name: process-previous-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.previous.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.previous.user.domain: - dashed_name: process-previous-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.previous.user.email: - dashed_name: process-previous-user-email - description: User email address. - flat_name: process.previous.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.previous.user.full_name: - dashed_name: process-previous-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword -process.previous.user.group.domain: - dashed_name: process-previous-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.user.group.id: - dashed_name: process-previous-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.user.group.name: - dashed_name: process-previous-user-group-name - description: Name of the group. - flat_name: process.previous.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.user.hash: - dashed_name: process-previous-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.previous.user.id: - dashed_name: process-previous-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword -process.previous.user.name: - dashed_name: process-previous-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.previous.user.risk.calculated_level: - dashed_name: process-previous-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.previous.user.risk.calculated_score: - dashed_name: process-previous-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.previous.user.risk.calculated_score_norm: - dashed_name: process-previous-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.previous.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.previous.user.risk.static_level: - dashed_name: process-previous-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.previous.user.risk.static_score: - dashed_name: process-previous-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.previous.user.risk.static_score_norm: - dashed_name: process-previous-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.previous.user.roles: - dashed_name: process-previous-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.previous.vpid: - dashed_name: process-previous-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.previous.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.previous.working_directory: - dashed_name: process-previous-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.previous.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.real_group.domain: - dashed_name: process-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.real_group.id: - dashed_name: process-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.real_group.name: - dashed_name: process-real-group-name - description: Name of the group. - flat_name: process.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.real_user.domain: - dashed_name: process-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.real_user.email: - dashed_name: process-real-user-email - description: User email address. - flat_name: process.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.real_user.full_name: - dashed_name: process-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.real_user.group.domain: - dashed_name: process-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.real_user.group.id: - dashed_name: process-real-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.real_user.group.name: - dashed_name: process-real-user-group-name - description: Name of the group. - flat_name: process.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.real_user.hash: - dashed_name: process-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.real_user.id: - dashed_name: process-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Unique identifier of the user. - type: keyword -process.real_user.name: - dashed_name: process-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Short name or login of the user. 
- type: keyword -process.real_user.risk.calculated_level: - dashed_name: process-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.real_user.risk.calculated_score: - dashed_name: process-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.real_user.risk.calculated_score_norm: - dashed_name: process-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.real_user.risk.static_level: - dashed_name: process-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.real_user.risk.static_score: - dashed_name: process-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.real_user.risk.static_score_norm: - dashed_name: process-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.real_user.roles: - dashed_name: process-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.responsible.args: - dashed_name: process-responsible-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.responsible.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.responsible.args_count: - dashed_name: process-responsible-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.responsible.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.responsible.attested_groups.domain: - dashed_name: process-responsible-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.attested_groups.id: - dashed_name: process-responsible-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.attested_groups.name: - dashed_name: process-responsible-attested-groups-name - description: Name of the group. - flat_name: process.responsible.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.responsible.attested_user.domain: - dashed_name: process-responsible-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.responsible.attested_user.email: - dashed_name: process-responsible-attested-user-email - description: User email address. - flat_name: process.responsible.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.responsible.attested_user.full_name: - dashed_name: process-responsible-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.responsible.attested_user.group.domain: - dashed_name: process-responsible-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.attested_user.group.id: - dashed_name: process-responsible-attested-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.responsible.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.attested_user.group.name: - dashed_name: process-responsible-attested-user-group-name - description: Name of the group. - flat_name: process.responsible.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.attested_user.hash: - dashed_name: process-responsible-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.responsible.attested_user.id: - dashed_name: process-responsible-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.responsible.attested_user.name: - dashed_name: process-responsible-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.responsible.attested_user.risk.calculated_level: - dashed_name: process-responsible-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.responsible.attested_user.risk.calculated_score: - dashed_name: process-responsible-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.responsible.attested_user.risk.calculated_score_norm: - dashed_name: process-responsible-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.responsible.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.responsible.attested_user.risk.static_level: - dashed_name: process-responsible-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.responsible.attested_user.risk.static_score: - dashed_name: process-responsible-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.responsible.attested_user.risk.static_score_norm: - dashed_name: process-responsible-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.responsible.attested_user.roles: - dashed_name: process-responsible-attested-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.responsible.code_signature.digest_algorithm: - dashed_name: process-responsible-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.responsible.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.responsible.code_signature.exists: - dashed_name: process-responsible-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.responsible.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.responsible.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-responsible-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.responsible.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.responsible.code_signature.signing_id: - dashed_name: process-responsible-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. 
The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.responsible.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.responsible.code_signature.status: - dashed_name: process-responsible-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.responsible.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.responsible.code_signature.subject_name: - dashed_name: process-responsible-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.responsible.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.responsible.code_signature.team_id: - dashed_name: process-responsible-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.responsible.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.responsible.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.responsible.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.responsible.code_signature.timestamp: - dashed_name: process-responsible-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.responsible.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.responsible.code_signature.trusted: - dashed_name: process-responsible-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.responsible.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.responsible.code_signature.valid: - dashed_name: process-responsible-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.responsible.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. 
- type: boolean -process.responsible.command_line: - dashed_name: process-responsible-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.responsible.command_line - level: extended - multi_fields: - - flat_name: process.responsible.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.responsible.elf.architecture: - dashed_name: process-responsible-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.responsible.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.responsible.elf.byte_order: - dashed_name: process-responsible-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.responsible.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.responsible.elf.cpu_type: - dashed_name: process-responsible-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.responsible.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.responsible.elf.creation_date: - dashed_name: process-responsible-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. 
- flat_name: process.responsible.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.responsible.elf.exports: - dashed_name: process-responsible-elf-exports - description: List of exported element names and types. - flat_name: process.responsible.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.responsible.elf.go_import_hash: - dashed_name: process-responsible-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.responsible.elf.go_imports: - dashed_name: process-responsible-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.responsible.elf.go_imports_names_entropy: - dashed_name: process-responsible-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.responsible.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.responsible.elf.go_imports_names_var_entropy: - dashed_name: process-responsible-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.responsible.elf.go_stripped: - dashed_name: process-responsible-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.responsible.elf.header.abi_version: - dashed_name: process-responsible-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.responsible.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.responsible.elf.header.class: - dashed_name: process-responsible-elf-header-class - description: Header class of the ELF file. - flat_name: process.responsible.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. 
- type: keyword -process.responsible.elf.header.data: - dashed_name: process-responsible-elf-header-data - description: Data table of the ELF header. - flat_name: process.responsible.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.responsible.elf.header.entrypoint: - dashed_name: process-responsible-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.responsible.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.responsible.elf.header.object_version: - dashed_name: process-responsible-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.responsible.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.responsible.elf.header.os_abi: - dashed_name: process-responsible-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.responsible.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.responsible.elf.header.type: - dashed_name: process-responsible-elf-header-type - description: Header type of the ELF file. - flat_name: process.responsible.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.responsible.elf.header.version: - dashed_name: process-responsible-elf-header-version - description: Version of the ELF header. 
- flat_name: process.responsible.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.responsible.elf.import_hash: - dashed_name: process-responsible-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.responsible.elf.imports: - dashed_name: process-responsible-elf-imports - description: List of imported element names and types. - flat_name: process.responsible.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.responsible.elf.imports_names_entropy: - dashed_name: process-responsible-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.responsible.elf.imports_names_var_entropy: - dashed_name: process-responsible-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.responsible.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.responsible.elf.sections: - dashed_name: process-responsible-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.responsible.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.responsible.elf.sections.chi2: - dashed_name: process-responsible-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.responsible.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.responsible.elf.sections.entropy: - dashed_name: process-responsible-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.responsible.elf.sections.flags: - dashed_name: process-responsible-elf-sections-flags - description: ELF Section List flags. - flat_name: process.responsible.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.responsible.elf.sections.name: - dashed_name: process-responsible-elf-sections-name - description: ELF Section List name. 
- flat_name: process.responsible.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.responsible.elf.sections.physical_offset: - dashed_name: process-responsible-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.responsible.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.responsible.elf.sections.physical_size: - dashed_name: process-responsible-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.responsible.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.responsible.elf.sections.type: - dashed_name: process-responsible-elf-sections-type - description: ELF Section List type. - flat_name: process.responsible.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.responsible.elf.sections.var_entropy: - dashed_name: process-responsible-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.responsible.elf.sections.virtual_address: - dashed_name: process-responsible-elf-sections-virtual-address - description: ELF Section List virtual address. 
- flat_name: process.responsible.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.responsible.elf.sections.virtual_size: - dashed_name: process-responsible-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.responsible.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.responsible.elf.segments: - dashed_name: process-responsible-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.responsible.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.responsible.elf.segments.sections: - dashed_name: process-responsible-elf-segments-sections - description: ELF object segment sections. - flat_name: process.responsible.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.responsible.elf.segments.type: - dashed_name: process-responsible-elf-segments-type - description: ELF object segment type. - flat_name: process.responsible.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.responsible.elf.shared_libraries: - dashed_name: process-responsible-elf-shared-libraries - description: List of shared libraries used by this ELF object. 
- flat_name: process.responsible.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.responsible.elf.telfhash: - dashed_name: process-responsible-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.responsible.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.responsible.end: - dashed_name: process-responsible-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.responsible.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.responsible.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-responsible-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.responsible.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.responsible.entity_id: - dashed_name: process-responsible-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' 
- example: c2c455d9f99375d - flat_name: process.responsible.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.responsible.entry_meta.source.address: - dashed_name: process-responsible-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.responsible.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.responsible.entry_meta.source.as.number: - dashed_name: process-responsible-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.responsible.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.responsible.entry_meta.source.as.organization.name: - dashed_name: process-responsible-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.responsible.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. 
- type: keyword -process.responsible.entry_meta.source.bytes: - dashed_name: process-responsible-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.responsible.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.responsible.entry_meta.source.domain: - dashed_name: process-responsible-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.responsible.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.responsible.entry_meta.source.geo.city_name: - dashed_name: process-responsible-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.responsible.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.responsible.entry_meta.source.geo.continent_code: - dashed_name: process-responsible-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.responsible.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.responsible.entry_meta.source.geo.continent_name: - dashed_name: process-responsible-entry-meta-source-geo-continent-name - description: Name of the continent. 
- example: North America - flat_name: process.responsible.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.responsible.entry_meta.source.geo.country_iso_code: - dashed_name: process-responsible-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.responsible.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.responsible.entry_meta.source.geo.country_name: - dashed_name: process-responsible-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.responsible.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.responsible.entry_meta.source.geo.location: - dashed_name: process-responsible-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.responsible.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.responsible.entry_meta.source.geo.name: - dashed_name: process-responsible-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' 
- example: boston-dc - flat_name: process.responsible.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.responsible.entry_meta.source.geo.postal_code: - dashed_name: process-responsible-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.responsible.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.responsible.entry_meta.source.geo.region_iso_code: - dashed_name: process-responsible-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.responsible.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.responsible.entry_meta.source.geo.region_name: - dashed_name: process-responsible-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.responsible.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.responsible.entry_meta.source.geo.timezone: - dashed_name: process-responsible-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.responsible.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. 
- type: keyword -process.responsible.entry_meta.source.ip: - dashed_name: process-responsible-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.responsible.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.responsible.entry_meta.source.mac: - dashed_name: process-responsible-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.responsible.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.responsible.entry_meta.source.nat.ip: - dashed_name: process-responsible-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.responsible.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.responsible.entry_meta.source.nat.port: - dashed_name: process-responsible-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- flat_name: process.responsible.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.responsible.entry_meta.source.packets: - dashed_name: process-responsible-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.responsible.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.responsible.entry_meta.source.port: - dashed_name: process-responsible-entry-meta-source-port - description: Port of the source. - flat_name: process.responsible.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.responsible.entry_meta.source.registered_domain: - dashed_name: process-responsible-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.responsible.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.responsible.entry_meta.source.subdomain: - dashed_name: process-responsible-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.responsible.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.responsible.entry_meta.source.top_level_domain: - dashed_name: process-responsible-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.responsible.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.responsible.entry_meta.type: - dashed_name: process-responsible-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.responsible.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. 
- type: keyword -process.responsible.env_vars: - dashed_name: process-responsible-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.responsible.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.responsible.executable: - dashed_name: process-responsible-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.responsible.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.responsible.exit_code: - dashed_name: process-responsible-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.responsible.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.responsible.group.domain: - dashed_name: process-responsible-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.responsible.group.id: - dashed_name: process-responsible-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.group.name: - dashed_name: process-responsible-group-name - description: Name of the group. - flat_name: process.responsible.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-responsible-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.responsible.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.responsible.hash.md5: - dashed_name: process-responsible-hash-md5 - description: MD5 hash. - flat_name: process.responsible.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.responsible.hash.sha1: - dashed_name: process-responsible-hash-sha1 - description: SHA1 hash. - flat_name: process.responsible.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.responsible.hash.sha256: - dashed_name: process-responsible-hash-sha256 - description: SHA256 hash. 
- flat_name: process.responsible.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.responsible.hash.sha384: - dashed_name: process-responsible-hash-sha384 - description: SHA384 hash. - flat_name: process.responsible.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.responsible.hash.sha512: - dashed_name: process-responsible-hash-sha512 - description: SHA512 hash. - flat_name: process.responsible.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.responsible.hash.ssdeep: - dashed_name: process-responsible-hash-ssdeep - description: SSDEEP hash. - flat_name: process.responsible.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.responsible.hash.tlsh: - dashed_name: process-responsible-hash-tlsh - description: TLSH hash. - flat_name: process.responsible.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.responsible.interactive: - dashed_name: process-responsible-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.responsible.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.responsible.io: - dashed_name: process-responsible-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.responsible.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.responsible.io.bytes_skipped: - dashed_name: process-responsible-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.responsible.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.responsible.io.bytes_skipped.length: - dashed_name: process-responsible-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.responsible.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.responsible.io.bytes_skipped.offset: - dashed_name: process-responsible-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.responsible.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.responsible.io.max_bytes_per_process_exceeded: - dashed_name: process-responsible-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.responsible.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.responsible.io.text: - dashed_name: process-responsible-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.responsible.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.responsible.io.total_bytes_captured: - dashed_name: process-responsible-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.responsible.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. 
- type: long -process.responsible.io.total_bytes_skipped: - dashed_name: process-responsible-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.responsible.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.responsible.io.type: - dashed_name: process-responsible-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.responsible.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.responsible.macho.go_import_hash: - dashed_name: process-responsible-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. 
- type: keyword -process.responsible.macho.go_imports: - dashed_name: process-responsible-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.responsible.macho.go_imports_names_entropy: - dashed_name: process-responsible-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.responsible.macho.go_imports_names_var_entropy: - dashed_name: process-responsible-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.responsible.macho.go_stripped: - dashed_name: process-responsible-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.responsible.macho.import_hash: - dashed_name: process-responsible-macho-import-hash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.responsible.macho.imports: - dashed_name: process-responsible-macho-imports - description: List of imported element names and types. - flat_name: process.responsible.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.responsible.macho.imports_names_entropy: - dashed_name: process-responsible-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.responsible.macho.imports_names_var_entropy: - dashed_name: process-responsible-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.responsible.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.responsible.macho.sections: - dashed_name: process-responsible-macho-sections - description: 'An array containing an object for each section of the Mach-O file. 
- - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.responsible.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.responsible.macho.sections.entropy: - dashed_name: process-responsible-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.responsible.macho.sections.name: - dashed_name: process-responsible-macho-sections-name - description: Mach-O Section List name. - flat_name: process.responsible.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.responsible.macho.sections.physical_size: - dashed_name: process-responsible-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.responsible.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.responsible.macho.sections.var_entropy: - dashed_name: process-responsible-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. 
- type: long -process.responsible.macho.sections.virtual_size: - dashed_name: process-responsible-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.responsible.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.responsible.macho.symhash: - dashed_name: process-responsible-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.responsible.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.responsible.name: - dashed_name: process-responsible-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.responsible.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.responsible.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-responsible-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. 
- example: http://example.com/article1.html - flat_name: process.responsible.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.responsible.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-responsible-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.responsible.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.responsible.pe.architecture: - dashed_name: process-responsible-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.responsible.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.responsible.pe.company: - dashed_name: process-responsible-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.responsible.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.responsible.pe.description: - dashed_name: process-responsible-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.responsible.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. 
- type: keyword -process.responsible.pe.file_version: - dashed_name: process-responsible-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.responsible.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.responsible.pe.go_import_hash: - dashed_name: process-responsible-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.responsible.pe.go_imports: - dashed_name: process-responsible-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.responsible.pe.go_imports_names_entropy: - dashed_name: process-responsible-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. 
- type: long -process.responsible.pe.go_imports_names_var_entropy: - dashed_name: process-responsible-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.responsible.pe.go_stripped: - dashed_name: process-responsible-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.responsible.pe.imphash: - dashed_name: process-responsible-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.responsible.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.responsible.pe.import_hash: - dashed_name: process-responsible-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.responsible.pe.imports: - dashed_name: process-responsible-pe-imports - description: List of imported element names and types. - flat_name: process.responsible.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.responsible.pe.imports_names_entropy: - dashed_name: process-responsible-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.responsible.pe.imports_names_var_entropy: - dashed_name: process-responsible-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.responsible.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.responsible.pe.original_file_name: - dashed_name: process-responsible-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.responsible.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. 
- type: keyword -process.responsible.pe.pehash: - dashed_name: process-responsible-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.responsible.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.responsible.pe.product: - dashed_name: process-responsible-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.responsible.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.responsible.pe.sections: - dashed_name: process-responsible-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.responsible.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.responsible.pe.sections.entropy: - dashed_name: process-responsible-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. 
- type: long -process.responsible.pe.sections.name: - dashed_name: process-responsible-pe-sections-name - description: PE Section List name. - flat_name: process.responsible.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.responsible.pe.sections.physical_size: - dashed_name: process-responsible-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.responsible.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.responsible.pe.sections.var_entropy: - dashed_name: process-responsible-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.responsible.pe.sections.virtual_size: - dashed_name: process-responsible-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.responsible.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.responsible.pid: - dashed_name: process-responsible-pid - description: Process id. - example: 4242 - flat_name: process.responsible.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.responsible.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.responsible.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.responsible.real_group.domain: - dashed_name: process-responsible-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.real_group.id: - dashed_name: process-responsible-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.real_group.name: - dashed_name: process-responsible-real-group-name - description: Name of the group. - flat_name: process.responsible.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.real_user.domain: - dashed_name: process-responsible-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword -process.responsible.real_user.email: - dashed_name: process-responsible-real-user-email - description: User email address. - flat_name: process.responsible.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.responsible.real_user.full_name: - dashed_name: process-responsible-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.responsible.real_user.group.domain: - dashed_name: process-responsible-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.real_user.group.id: - dashed_name: process-responsible-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.real_user.group.name: - dashed_name: process-responsible-real-user-group-name - description: Name of the group. - flat_name: process.responsible.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.responsible.real_user.hash: - dashed_name: process-responsible-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.responsible.real_user.id: - dashed_name: process-responsible-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.responsible.real_user.name: - dashed_name: process-responsible-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.responsible.real_user.risk.calculated_level: - dashed_name: process-responsible-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.responsible.real_user.risk.calculated_score: - dashed_name: process-responsible-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.responsible.real_user.risk.calculated_score_norm: - dashed_name: process-responsible-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.responsible.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.responsible.real_user.risk.static_level: - dashed_name: process-responsible-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.responsible.real_user.risk.static_score: - dashed_name: process-responsible-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.responsible.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.responsible.real_user.risk.static_score_norm: - dashed_name: process-responsible-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.responsible.real_user.roles: - dashed_name: process-responsible-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.responsible.same_as_process: - dashed_name: process-responsible-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. 
e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.responsible.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.responsible.saved_group.domain: - dashed_name: process-responsible-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.saved_group.id: - dashed_name: process-responsible-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.saved_group.name: - dashed_name: process-responsible-saved-group-name - description: Name of the group. - flat_name: process.responsible.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.responsible.saved_user.domain: - dashed_name: process-responsible-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.responsible.saved_user.email: - dashed_name: process-responsible-saved-user-email - description: User email address. - flat_name: process.responsible.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.responsible.saved_user.full_name: - dashed_name: process-responsible-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.responsible.saved_user.group.domain: - dashed_name: process-responsible-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.saved_user.group.id: - dashed_name: process-responsible-saved-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.responsible.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.saved_user.group.name: - dashed_name: process-responsible-saved-user-group-name - description: Name of the group. - flat_name: process.responsible.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.saved_user.hash: - dashed_name: process-responsible-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.responsible.saved_user.id: - dashed_name: process-responsible-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.responsible.saved_user.name: - dashed_name: process-responsible-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.responsible.saved_user.risk.calculated_level: - dashed_name: process-responsible-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.responsible.saved_user.risk.calculated_score: - dashed_name: process-responsible-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.responsible.saved_user.risk.calculated_score_norm: - dashed_name: process-responsible-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.responsible.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.responsible.saved_user.risk.static_level: - dashed_name: process-responsible-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.responsible.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.responsible.saved_user.risk.static_score: - dashed_name: process-responsible-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.responsible.saved_user.risk.static_score_norm: - dashed_name: process-responsible-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.responsible.saved_user.roles: - dashed_name: process-responsible-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.responsible.start: - dashed_name: process-responsible-start - description: The time the process started. 
- example: '2016-05-23T08:05:34.853Z' - flat_name: process.responsible.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.responsible.supplemental_groups.domain: - dashed_name: process-responsible-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.supplemental_groups.id: - dashed_name: process-responsible-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.supplemental_groups.name: - dashed_name: process-responsible-supplemental-groups-name - description: Name of the group. - flat_name: process.responsible.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.thread.capabilities.effective: - dashed_name: process-responsible-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.responsible.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. 
- synthetic_source_keep: none - type: keyword -process.responsible.thread.capabilities.permitted: - dashed_name: process-responsible-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.responsible.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.responsible.thread.id: - dashed_name: process-responsible-thread-id - description: Thread ID. - example: 4242 - flat_name: process.responsible.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.responsible.thread.name: - dashed_name: process-responsible-thread-name - description: Thread name. - example: thread-0 - flat_name: process.responsible.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.responsible.title: - dashed_name: process-responsible-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.responsible.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.responsible.tty: - dashed_name: process-responsible-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. 
- flat_name: process.responsible.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.responsible.tty.char_device.major: - dashed_name: process-responsible-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.responsible.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.responsible.tty.char_device.minor: - dashed_name: process-responsible-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.responsible.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.responsible.tty.columns: - dashed_name: process-responsible-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.responsible.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. 
e.g terminal width - type: long -process.responsible.tty.rows: - dashed_name: process-responsible-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.responsible.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.responsible.uptime: - dashed_name: process-responsible-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.responsible.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.responsible.user.domain: - dashed_name: process-responsible-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.responsible.user.email: - dashed_name: process-responsible-user-email - description: User email address. - flat_name: process.responsible.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.responsible.user.full_name: - dashed_name: process-responsible-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.responsible.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.responsible.user.group.domain: - dashed_name: process-responsible-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.user.group.id: - dashed_name: process-responsible-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.user.group.name: - dashed_name: process-responsible-user-group-name - description: Name of the group. - flat_name: process.responsible.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.user.hash: - dashed_name: process-responsible-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. 
- type: keyword -process.responsible.user.id: - dashed_name: process-responsible-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.responsible.user.name: - dashed_name: process-responsible-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.responsible.user.risk.calculated_level: - dashed_name: process-responsible-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.responsible.user.risk.calculated_score: - dashed_name: process-responsible-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.responsible.user.risk.calculated_score_norm: - dashed_name: process-responsible-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.responsible.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.responsible.user.risk.static_level: - dashed_name: process-responsible-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.responsible.user.risk.static_score: - dashed_name: process-responsible-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.responsible.user.risk.static_score_norm: - dashed_name: process-responsible-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.responsible.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.responsible.user.roles: - dashed_name: process-responsible-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.responsible.vpid: - dashed_name: process-responsible-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.responsible.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.responsible.working_directory: - dashed_name: process-responsible-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.responsible.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.same_as_process: - dashed_name: process-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. 
Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.same_as_process - level: extended - name: same_as_process - normalize: [] - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.saved_group.domain: - dashed_name: process-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.saved_group.id: - dashed_name: process-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.saved_group.name: - dashed_name: process-saved-group-name - description: Name of the group. 
- flat_name: process.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.saved_user.domain: - dashed_name: process-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.saved_user.email: - dashed_name: process-saved-user-email - description: User email address. - flat_name: process.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.saved_user.full_name: - dashed_name: process-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.saved_user.group.domain: - dashed_name: process-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.saved_user.group.id: - dashed_name: process-saved-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.saved_user.group.name: - dashed_name: process-saved-user-group-name - description: Name of the group. - flat_name: process.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.saved_user.hash: - dashed_name: process-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.saved_user.id: - dashed_name: process-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Unique identifier of the user. - type: keyword -process.saved_user.name: - dashed_name: process-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Short name or login of the user. 
- type: keyword -process.saved_user.risk.calculated_level: - dashed_name: process-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.saved_user.risk.calculated_score: - dashed_name: process-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.saved_user.risk.calculated_score_norm: - dashed_name: process-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.saved_user.risk.static_level: - dashed_name: process-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.saved_user.risk.static_score: - dashed_name: process-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.saved_user.risk.static_score_norm: - dashed_name: process-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.saved_user.roles: - dashed_name: process-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.args: - dashed_name: process-session-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.session_leader.args_count: - dashed_name: process-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.session_leader.attested_groups.domain: - dashed_name: process-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.attested_groups.id: - dashed_name: process-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.attested_groups.name: - dashed_name: process-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.session_leader.attested_user.domain: - dashed_name: process-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.attested_user.email: - dashed_name: process-session-leader-attested-user-email - description: User email address. - flat_name: process.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.attested_user.full_name: - dashed_name: process-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.attested_user.group.domain: - dashed_name: process-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.attested_user.group.id: - dashed_name: process-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.attested_user.group.name: - dashed_name: process-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.attested_user.hash: - dashed_name: process-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.attested_user.id: - dashed_name: process-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.attested_user.name: - dashed_name: process-session-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.session_leader.attested_user.risk.calculated_level: - dashed_name: process-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.attested_user.risk.calculated_score: - dashed_name: process-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.session_leader.attested_user.risk.static_level: - dashed_name: process-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.attested_user.risk.static_score: - dashed_name: process-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.attested_user.roles: - dashed_name: process-session-leader-attested-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.code_signature.digest_algorithm: - dashed_name: process-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.session_leader.code_signature.exists: - dashed_name: process-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.session_leader.code_signature.signing_id: - dashed_name: process-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. 
- - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.session_leader.code_signature.status: - dashed_name: process-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.session_leader.code_signature.subject_name: - dashed_name: process-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.session_leader.code_signature.team_id: - dashed_name: process-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. 
- type: keyword -process.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.session_leader.code_signature.timestamp: - dashed_name: process-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.session_leader.code_signature.trusted: - dashed_name: process-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.session_leader.code_signature.valid: - dashed_name: process-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - flat_name: process.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.session_leader.command_line: - dashed_name: process-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.session_leader.elf.architecture: - dashed_name: process-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.session_leader.elf.byte_order: - dashed_name: process-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.session_leader.elf.cpu_type: - dashed_name: process-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. 
- type: keyword -process.session_leader.elf.creation_date: - dashed_name: process-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.session_leader.elf.exports: - dashed_name: process-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.session_leader.elf.go_import_hash: - dashed_name: process-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.session_leader.elf.go_imports: - dashed_name: process-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. 
- type: flattened -process.session_leader.elf.go_imports_names_entropy: - dashed_name: process-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.elf.go_stripped: - dashed_name: process-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.elf.header.abi_version: - dashed_name: process-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.session_leader.elf.header.class: - dashed_name: process-session-leader-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.session_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.session_leader.elf.header.data: - dashed_name: process-session-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.session_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.session_leader.elf.header.entrypoint: - dashed_name: process-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.session_leader.elf.header.object_version: - dashed_name: process-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.session_leader.elf.header.os_abi: - dashed_name: process-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.session_leader.elf.header.type: - dashed_name: process-session-leader-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.session_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.session_leader.elf.header.version: - dashed_name: process-session-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.session_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.session_leader.elf.import_hash: - dashed_name: process-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.session_leader.elf.imports: - dashed_name: process-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.session_leader.elf.imports_names_entropy: - dashed_name: process-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.elf.imports_names_var_entropy: - dashed_name: process-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.elf.sections: - dashed_name: process-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.session_leader.elf.sections.chi2: - dashed_name: process-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.session_leader.elf.sections.entropy: - dashed_name: process-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.session_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.session_leader.elf.sections.flags: - dashed_name: process-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.session_leader.elf.sections.name: - dashed_name: process-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.session_leader.elf.sections.physical_offset: - dashed_name: process-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.session_leader.elf.sections.physical_size: - dashed_name: process-session-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.session_leader.elf.sections.type: - dashed_name: process-session-leader-elf-sections-type - description: ELF Section List type. 
- flat_name: process.session_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.session_leader.elf.sections.var_entropy: - dashed_name: process-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.elf.sections.virtual_address: - dashed_name: process-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.session_leader.elf.sections.virtual_size: - dashed_name: process-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.session_leader.elf.segments: - dashed_name: process-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. 
- type: nested -process.session_leader.elf.segments.sections: - dashed_name: process-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.session_leader.elf.segments.type: - dashed_name: process-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.session_leader.elf.shared_libraries: - dashed_name: process-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.session_leader.elf.telfhash: - dashed_name: process-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.session_leader.end: - dashed_name: process-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.session_leader.entity_id: - dashed_name: process-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.session_leader.entry_meta.source.address: - dashed_name: process-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.session_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. 
- type: keyword -process.session_leader.entry_meta.source.as.number: - dashed_name: process-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.session_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.session_leader.entry_meta.source.bytes: - dashed_name: process-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.session_leader.entry_meta.source.domain: - dashed_name: process-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' 
- example: foo.example.com - flat_name: process.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.session_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.session_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. 
- type: keyword -process.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.session_leader.entry_meta.source.geo.location: - dashed_name: process-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.session_leader.entry_meta.source.geo.name: - dashed_name: process-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. 
- type: keyword -process.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.session_leader.entry_meta.source.ip: - dashed_name: process-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.session_leader.entry_meta.source.mac: - dashed_name: process-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' 
- example: 00-00-5E-00-53-23 - flat_name: process.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.session_leader.entry_meta.source.nat.ip: - dashed_name: process-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.session_leader.entry_meta.source.nat.port: - dashed_name: process-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.session_leader.entry_meta.source.packets: - dashed_name: process-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.session_leader.entry_meta.source.port: - dashed_name: process-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. 
- type: long -process.session_leader.entry_meta.source.registered_domain: - dashed_name: process-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.session_leader.entry_meta.source.subdomain: - dashed_name: process-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. 
- type: keyword -process.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.session_leader.entry_meta.type: - dashed_name: process-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.session_leader.env_vars: - dashed_name: process-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. 
- synthetic_source_keep: none - type: keyword -process.session_leader.executable: - dashed_name: process-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.session_leader.exit_code: - dashed_name: process-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.session_leader.group.domain: - dashed_name: process-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.group.id: - dashed_name: process-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.group.name: - dashed_name: process-session-leader-group-name - description: Name of the group. 
- flat_name: process.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.session_leader.hash.md5: - dashed_name: process-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.session_leader.hash.sha1: - dashed_name: process-session-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.session_leader.hash.sha256: - dashed_name: process-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.session_leader.hash.sha384: - dashed_name: process-session-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.session_leader.hash.sha512: - dashed_name: process-session-leader-hash-sha512 - description: SHA512 hash. 
- flat_name: process.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.session_leader.hash.ssdeep: - dashed_name: process-session-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.session_leader.hash.tlsh: - dashed_name: process-session-leader-hash-tlsh - description: TLSH hash. - flat_name: process.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.session_leader.interactive: - dashed_name: process-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.session_leader.io: - dashed_name: process-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' 
- flat_name: process.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.session_leader.io.bytes_skipped: - dashed_name: process-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.session_leader.io.bytes_skipped.length: - dashed_name: process-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.session_leader.io.bytes_skipped.offset: - dashed_name: process-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- flat_name: process.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.session_leader.io.text: - dashed_name: process-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.session_leader.io.total_bytes_captured: - dashed_name: process-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.session_leader.io.total_bytes_skipped: - dashed_name: process-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. 
- type: long -process.session_leader.io.type: - dashed_name: process-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.session_leader.macho.go_import_hash: - dashed_name: process-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.session_leader.macho.go_imports: - dashed_name: process-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.session_leader.macho.go_imports_names_entropy: - dashed_name: process-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.macho.go_stripped: - dashed_name: process-session-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.macho.import_hash: - dashed_name: process-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. 
- type: keyword -process.session_leader.macho.imports: - dashed_name: process-session-leader-macho-imports - description: List of imported element names and types. - flat_name: process.session_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.session_leader.macho.imports_names_entropy: - dashed_name: process-session-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.macho.imports_names_var_entropy: - dashed_name: process-session-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.macho.sections: - dashed_name: process-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.session_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. 
- type: nested -process.session_leader.macho.sections.entropy: - dashed_name: process-session-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.session_leader.macho.sections.name: - dashed_name: process-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.session_leader.macho.sections.physical_size: - dashed_name: process-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.session_leader.macho.sections.var_entropy: - dashed_name: process-session-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.macho.sections.virtual_size: - dashed_name: process-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. 
- flat_name: process.session_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.session_leader.macho.symhash: - dashed_name: process-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.session_leader.name: - dashed_name: process-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.session_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.session_leader.origin_url: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.session_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.session_leader.parent.args: - dashed_name: process-session-leader-parent-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.parent.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.session_leader.parent.args_count: - dashed_name: process-session-leader-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.session_leader.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.session_leader.parent.attested_groups.domain: - dashed_name: process-session-leader-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.session_leader.parent.attested_groups.id: - dashed_name: process-session-leader-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.attested_groups.name: - dashed_name: process-session-leader-parent-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.attested_user.domain: - dashed_name: process-session-leader-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.attested_user.email: - dashed_name: process-session-leader-parent-attested-user-email - description: User email address. - flat_name: process.session_leader.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.attested_user.full_name: - dashed_name: process-session-leader-parent-attested-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.session_leader.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.attested_user.group.domain: - dashed_name: process-session-leader-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.attested_user.group.id: - dashed_name: process-session-leader-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.attested_user.group.name: - dashed_name: process-session-leader-parent-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.attested_user.hash: - dashed_name: process-session-leader-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.session_leader.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.attested_user.id: - dashed_name: process-session-leader-parent-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.parent.attested_user.name: - dashed_name: process-session-leader-parent-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.attested_user.risk.calculated_level: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.session_leader.parent.attested_user.risk.calculated_score: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.attested_user.risk.static_level: - dashed_name: process-session-leader-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.session_leader.parent.attested_user.risk.static_score: - dashed_name: process-session-leader-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.parent.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.attested_user.roles: - dashed_name: process-session-leader-parent-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.code_signature.digest_algorithm: - dashed_name: process-session-leader-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. 
- - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.session_leader.parent.code_signature.exists: - dashed_name: process-session-leader-parent-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.session_leader.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.session_leader.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.session_leader.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.session_leader.parent.code_signature.signing_id: - dashed_name: process-session-leader-parent-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. 
- type: keyword -process.session_leader.parent.code_signature.status: - dashed_name: process-session-leader-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.session_leader.parent.code_signature.subject_name: - dashed_name: process-session-leader-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.session_leader.parent.code_signature.team_id: - dashed_name: process-session-leader-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.session_leader.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.parent.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.session_leader.parent.code_signature.timestamp: - dashed_name: process-session-leader-parent-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.parent.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.session_leader.parent.code_signature.trusted: - dashed_name: process-session-leader-parent-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.parent.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.session_leader.parent.code_signature.valid: - dashed_name: process-session-leader-parent-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.session_leader.parent.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. 
- type: boolean -process.session_leader.parent.command_line: - dashed_name: process-session-leader-parent-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.parent.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.parent.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.session_leader.parent.elf.architecture: - dashed_name: process-session-leader-parent-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.parent.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.session_leader.parent.elf.byte_order: - dashed_name: process-session-leader-parent-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.parent.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.session_leader.parent.elf.cpu_type: - dashed_name: process-session-leader-parent-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.parent.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. 
- type: keyword -process.session_leader.parent.elf.creation_date: - dashed_name: process-session-leader-parent-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.parent.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.session_leader.parent.elf.exports: - dashed_name: process-session-leader-parent-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.parent.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.session_leader.parent.elf.go_import_hash: - dashed_name: process-session-leader-parent-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.session_leader.parent.elf.go_imports: - dashed_name: process-session-leader-parent-elf-go-imports - description: List of imported Go language element names and types. 
- flat_name: process.session_leader.parent.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.session_leader.parent.elf.go_imports_names_entropy: - dashed_name: process-session-leader-parent-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.elf.go_stripped: - dashed_name: process-session-leader-parent-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.parent.elf.header.abi_version: - dashed_name: process-session-leader-parent-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). 
- flat_name: process.session_leader.parent.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.session_leader.parent.elf.header.class: - dashed_name: process-session-leader-parent-elf-header-class - description: Header class of the ELF file. - flat_name: process.session_leader.parent.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.session_leader.parent.elf.header.data: - dashed_name: process-session-leader-parent-elf-header-data - description: Data table of the ELF header. - flat_name: process.session_leader.parent.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.session_leader.parent.elf.header.entrypoint: - dashed_name: process-session-leader-parent-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.parent.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.session_leader.parent.elf.header.object_version: - dashed_name: process-session-leader-parent-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.parent.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.session_leader.parent.elf.header.os_abi: - dashed_name: process-session-leader-parent-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. 
- flat_name: process.session_leader.parent.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.session_leader.parent.elf.header.type: - dashed_name: process-session-leader-parent-elf-header-type - description: Header type of the ELF file. - flat_name: process.session_leader.parent.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.session_leader.parent.elf.header.version: - dashed_name: process-session-leader-parent-elf-header-version - description: Version of the ELF header. - flat_name: process.session_leader.parent.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.session_leader.parent.elf.import_hash: - dashed_name: process-session-leader-parent-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.session_leader.parent.elf.imports: - dashed_name: process-session-leader-parent-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. 
- type: flattened -process.session_leader.parent.elf.imports_names_entropy: - dashed_name: process-session-leader-parent-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.parent.elf.imports_names_var_entropy: - dashed_name: process-session-leader-parent-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.parent.elf.sections: - dashed_name: process-session-leader-parent-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.session_leader.parent.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.session_leader.parent.elf.sections.chi2: - dashed_name: process-session-leader-parent-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.parent.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. 
- type: long -process.session_leader.parent.elf.sections.entropy: - dashed_name: process-session-leader-parent-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.session_leader.parent.elf.sections.flags: - dashed_name: process-session-leader-parent-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.parent.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.session_leader.parent.elf.sections.name: - dashed_name: process-session-leader-parent-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.parent.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.session_leader.parent.elf.sections.physical_offset: - dashed_name: process-session-leader-parent-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.parent.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.session_leader.parent.elf.sections.physical_size: - dashed_name: process-session-leader-parent-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.session_leader.parent.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. 
- type: long -process.session_leader.parent.elf.sections.type: - dashed_name: process-session-leader-parent-elf-sections-type - description: ELF Section List type. - flat_name: process.session_leader.parent.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.session_leader.parent.elf.sections.var_entropy: - dashed_name: process-session-leader-parent-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.elf.sections.virtual_address: - dashed_name: process-session-leader-parent-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.parent.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.session_leader.parent.elf.sections.virtual_size: - dashed_name: process-session-leader-parent-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.parent.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.session_leader.parent.elf.segments: - dashed_name: process-session-leader-parent-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' 
- flat_name: process.session_leader.parent.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.session_leader.parent.elf.segments.sections: - dashed_name: process-session-leader-parent-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.parent.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.session_leader.parent.elf.segments.type: - dashed_name: process-session-leader-parent-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.parent.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.session_leader.parent.elf.shared_libraries: - dashed_name: process-session-leader-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.parent.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.session_leader.parent.elf.telfhash: - dashed_name: process-session-leader-parent-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.parent.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.session_leader.parent.end: - dashed_name: process-session-leader-parent-end - description: The time the process ended. 
- example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.session_leader.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.session_leader.parent.entity_id: - dashed_name: process-session-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.session_leader.parent.entry_meta.source.address: - dashed_name: process-session-leader-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. 
- - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.session_leader.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.session_leader.parent.entry_meta.source.as.number: - dashed_name: process-session-leader-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.session_leader.parent.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.session_leader.parent.entry_meta.source.bytes: - dashed_name: process-session-leader-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. 
- type: long -process.session_leader.parent.entry_meta.source.domain: - dashed_name: process-session-leader-parent-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.session_leader.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.session_leader.parent.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.session_leader.parent.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.session_leader.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.session_leader.parent.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. 
- type: keyword -process.session_leader.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.session_leader.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.session_leader.parent.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.session_leader.parent.entry_meta.source.geo.location: - dashed_name: process-session-leader-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.session_leader.parent.entry_meta.source.geo.name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.session_leader.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. 
- type: keyword -process.session_leader.parent.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.session_leader.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.session_leader.parent.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.session_leader.parent.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. 
- type: keyword -process.session_leader.parent.entry_meta.source.ip: - dashed_name: process-session-leader-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.session_leader.parent.entry_meta.source.mac: - dashed_name: process-session-leader-parent-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.session_leader.parent.entry_meta.source.nat.ip: - dashed_name: process-session-leader-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.session_leader.parent.entry_meta.source.nat.port: - dashed_name: process-session-leader-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- flat_name: process.session_leader.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.session_leader.parent.entry_meta.source.packets: - dashed_name: process-session-leader-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.session_leader.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.session_leader.parent.entry_meta.source.port: - dashed_name: process-session-leader-parent-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.session_leader.parent.entry_meta.source.registered_domain: - dashed_name: process-session-leader-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.session_leader.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. 
- type: keyword -process.session_leader.parent.entry_meta.source.subdomain: - dashed_name: process-session-leader-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.session_leader.parent.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.session_leader.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.session_leader.parent.entry_meta.type: - dashed_name: process-session-leader-parent-entry-meta-type - description: 'The entry type for the entry session leader. 
Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.session_leader.parent.env_vars: - dashed_name: process-session-leader-parent-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.executable: - dashed_name: process-session-leader-parent-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.parent.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.session_leader.parent.exit_code: - dashed_name: process-session-leader-parent-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.parent.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. 
- type: long -process.session_leader.parent.group.domain: - dashed_name: process-session-leader-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.group.id: - dashed_name: process-session-leader-parent-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.group.name: - dashed_name: process-session-leader-parent-group-name - description: Name of the group. - flat_name: process.session_leader.parent.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.parent.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.session_leader.parent.hash.md5: - dashed_name: process-session-leader-parent-hash-md5 - description: MD5 hash. 
- flat_name: process.session_leader.parent.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.session_leader.parent.hash.sha1: - dashed_name: process-session-leader-parent-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.parent.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.session_leader.parent.hash.sha256: - dashed_name: process-session-leader-parent-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.parent.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.session_leader.parent.hash.sha384: - dashed_name: process-session-leader-parent-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.parent.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.session_leader.parent.hash.sha512: - dashed_name: process-session-leader-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.session_leader.parent.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.session_leader.parent.hash.ssdeep: - dashed_name: process-session-leader-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.session_leader.parent.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.session_leader.parent.hash.tlsh: - dashed_name: process-session-leader-parent-hash-tlsh - description: TLSH hash. 
- flat_name: process.session_leader.parent.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.session_leader.parent.interactive: - dashed_name: process-session-leader-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.session_leader.parent.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.session_leader.parent.io: - dashed_name: process-session-leader-parent-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.session_leader.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.session_leader.parent.io.bytes_skipped: - dashed_name: process-session-leader-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. 
- flat_name: process.session_leader.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.session_leader.parent.io.bytes_skipped.length: - dashed_name: process-session-leader-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.session_leader.parent.io.bytes_skipped.offset: - dashed_name: process-session-leader-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.session_leader.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.session_leader.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.session_leader.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.session_leader.parent.io.text: - dashed_name: process-session-leader-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. 
Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.session_leader.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.session_leader.parent.io.total_bytes_captured: - dashed_name: process-session-leader-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.session_leader.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.session_leader.parent.io.total_bytes_skipped: - dashed_name: process-session-leader-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.session_leader.parent.io.type: - dashed_name: process-session-leader-parent-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' 
- flat_name: process.session_leader.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.session_leader.parent.macho.go_import_hash: - dashed_name: process-session-leader-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.session_leader.parent.macho.go_imports: - dashed_name: process-session-leader-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.session_leader.parent.macho.go_imports_names_entropy: - dashed_name: process-session-leader-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. 
- type: long -process.session_leader.parent.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.macho.go_stripped: - dashed_name: process-session-leader-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.parent.macho.import_hash: - dashed_name: process-session-leader-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.session_leader.parent.macho.imports: - dashed_name: process-session-leader-parent-macho-imports - description: List of imported element names and types. 
- flat_name: process.session_leader.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.session_leader.parent.macho.imports_names_entropy: - dashed_name: process-session-leader-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.parent.macho.imports_names_var_entropy: - dashed_name: process-session-leader-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.parent.macho.sections: - dashed_name: process-session-leader-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.session_leader.parent.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.session_leader.parent.macho.sections.entropy: - dashed_name: process-session-leader-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.session_leader.parent.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.session_leader.parent.macho.sections.name: - dashed_name: process-session-leader-parent-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.parent.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.session_leader.parent.macho.sections.physical_size: - dashed_name: process-session-leader-parent-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.session_leader.parent.macho.sections.var_entropy: - dashed_name: process-session-leader-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.macho.sections.virtual_size: - dashed_name: process-session-leader-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
- type: long -process.session_leader.parent.macho.symhash: - dashed_name: process-session-leader-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.parent.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.session_leader.parent.name: - dashed_name: process-session-leader-parent-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.parent.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.session_leader.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.session_leader.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.session_leader.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-origin-url - description: The URL where the process's executable file is hosted. 
- example: http://example.com/files/example.exe - flat_name: process.session_leader.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.session_leader.parent.pe.architecture: - dashed_name: process-session-leader-parent-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.session_leader.parent.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.session_leader.parent.pe.company: - dashed_name: process-session-leader-parent-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.session_leader.parent.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.pe.description: - dashed_name: process-session-leader-parent-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.session_leader.parent.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.session_leader.parent.pe.file_version: - dashed_name: process-session-leader-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.session_leader.parent.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. 
- type: keyword -process.session_leader.parent.pe.go_import_hash: - dashed_name: process-session-leader-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.session_leader.parent.pe.go_imports: - dashed_name: process-session-leader-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.session_leader.parent.pe.go_imports_names_entropy: - dashed_name: process-session-leader-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.parent.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.pe.go_stripped: - dashed_name: process-session-leader-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.parent.pe.imphash: - dashed_name: process-session-leader-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.session_leader.parent.pe.import_hash: - dashed_name: process-session-leader-parent-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.session_leader.parent.pe.imports: - dashed_name: process-session-leader-parent-pe-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.session_leader.parent.pe.imports_names_entropy: - dashed_name: process-session-leader-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.parent.pe.imports_names_var_entropy: - dashed_name: process-session-leader-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.parent.pe.original_file_name: - dashed_name: process-session-leader-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - flat_name: process.session_leader.parent.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.pe.pehash: - dashed_name: process-session-leader-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.parent.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.session_leader.parent.pe.product: - dashed_name: process-session-leader-parent-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.session_leader.parent.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.pe.sections: - dashed_name: process-session-leader-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.session_leader.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. 
- type: nested -process.session_leader.parent.pe.sections.entropy: - dashed_name: process-session-leader-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.session_leader.parent.pe.sections.name: - dashed_name: process-session-leader-parent-pe-sections-name - description: PE Section List name. - flat_name: process.session_leader.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.session_leader.parent.pe.sections.physical_size: - dashed_name: process-session-leader-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.session_leader.parent.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.session_leader.parent.pe.sections.var_entropy: - dashed_name: process-session-leader-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.pe.sections.virtual_size: - dashed_name: process-session-leader-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. 
- flat_name: process.session_leader.parent.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.session_leader.parent.pid: - dashed_name: process-session-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.session_leader.parent.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.session_leader.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.session_leader.parent.real_group.domain: - dashed_name: process-session-leader-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.real_group.id: - dashed_name: process-session-leader-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.session_leader.parent.real_group.name: - dashed_name: process-session-leader-parent-real-group-name - description: Name of the group. - flat_name: process.session_leader.parent.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.real_user.domain: - dashed_name: process-session-leader-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.real_user.email: - dashed_name: process-session-leader-parent-real-user-email - description: User email address. - flat_name: process.session_leader.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.real_user.full_name: - dashed_name: process-session-leader-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.real_user.group.domain: - dashed_name: process-session-leader-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.real_user.group.id: - dashed_name: process-session-leader-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.real_user.group.name: - dashed_name: process-session-leader-parent-real-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.real_user.hash: - dashed_name: process-session-leader-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.real_user.id: - dashed_name: process-session-leader-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword -process.session_leader.parent.real_user.name: - dashed_name: process-session-leader-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.real_user.risk.calculated_level: - dashed_name: process-session-leader-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.real_user.risk.calculated_score: - dashed_name: process-session-leader-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.session_leader.parent.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.real_user.risk.static_level: - dashed_name: process-session-leader-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.real_user.risk.static_score: - dashed_name: process-session-leader-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.session_leader.parent.real_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.real_user.roles: - dashed_name: process-session-leader-parent-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.same_as_process: - dashed_name: process-session-leader-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. 
e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.session_leader.parent.saved_group.domain: - dashed_name: process-session-leader-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.saved_group.id: - dashed_name: process-session-leader-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.saved_group.name: - dashed_name: process-session-leader-parent-saved-group-name - description: Name of the group. - flat_name: process.session_leader.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.session_leader.parent.saved_user.domain: - dashed_name: process-session-leader-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.saved_user.email: - dashed_name: process-session-leader-parent-saved-user-email - description: User email address. - flat_name: process.session_leader.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.saved_user.full_name: - dashed_name: process-session-leader-parent-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.saved_user.group.domain: - dashed_name: process-session-leader-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.session_leader.parent.saved_user.group.id: - dashed_name: process-session-leader-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.saved_user.group.name: - dashed_name: process-session-leader-parent-saved-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.saved_user.hash: - dashed_name: process-session-leader-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.saved_user.id: - dashed_name: process-session-leader-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.parent.saved_user.name: - dashed_name: process-session-leader-parent-saved-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.session_leader.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.saved_user.risk.calculated_level: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.saved_user.risk.calculated_score: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.session_leader.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.saved_user.risk.static_level: - dashed_name: process-session-leader-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.saved_user.risk.static_score: - dashed_name: process-session-leader-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.parent.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.session_leader.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.saved_user.roles: - dashed_name: process-session-leader-parent-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.args: - dashed_name: process-session-leader-parent-session-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.parent.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.session_leader.parent.session_leader.args_count: - dashed_name: process-session-leader-parent-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.session_leader.parent.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. 
- type: long -process.session_leader.parent.session_leader.attested_groups.domain: - dashed_name: process-session-leader-parent-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.attested_groups.id: - dashed_name: process-session-leader-parent-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.attested_groups.name: - dashed_name: process-session-leader-parent-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.attested_user.domain: - dashed_name: process-session-leader-parent-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword -process.session_leader.parent.session_leader.attested_user.email: - dashed_name: process-session-leader-parent-session-leader-attested-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.session_leader.attested_user.full_name: - dashed_name: process-session-leader-parent-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.session_leader.attested_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.attested_user.group.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.session_leader.parent.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.attested_user.group.name: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.attested_user.hash: - dashed_name: process-session-leader-parent-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.session_leader.attested_user.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword -process.session_leader.parent.session_leader.attested_user.name: - dashed_name: process-session-leader-parent-session-leader-attested-user-name +process.entry_leader.real_user.name: + dashed_name: process-entry-leader-real-user-name description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.session_leader.attested_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.session_leader.attested_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.session_leader.attested_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.session_leader.attested_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.session_leader.parent.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.session_leader.attested_user.roles: - dashed_name: process-session-leader-parent-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.code_signature.digest_algorithm: - dashed_name: process-session-leader-parent-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.parent.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. 
- type: keyword -process.session_leader.parent.session_leader.code_signature.exists: - dashed_name: process-session-leader-parent-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.session_leader.parent.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.session_leader.parent.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.session_leader.parent.session_leader.code_signature.signing_id: - dashed_name: process-session-leader-parent-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.parent.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.session_leader.parent.session_leader.code_signature.status: - dashed_name: process-session-leader-parent-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.parent.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.session_leader.parent.session_leader.code_signature.subject_name: - dashed_name: process-session-leader-parent-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.parent.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.session_leader.parent.session_leader.code_signature.team_id: - dashed_name: process-session-leader-parent-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.parent.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.session_leader.parent.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.parent.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.session_leader.parent.session_leader.code_signature.timestamp: - dashed_name: process-session-leader-parent-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.parent.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.session_leader.parent.session_leader.code_signature.trusted: - dashed_name: process-session-leader-parent-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.session_leader.parent.session_leader.code_signature.valid: - dashed_name: process-session-leader-parent-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.session_leader.parent.session_leader.command_line: - dashed_name: process-session-leader-parent-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.parent.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.session_leader.parent.session_leader.elf.architecture: - dashed_name: process-session-leader-parent-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.parent.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.session_leader.parent.session_leader.elf.byte_order: - dashed_name: process-session-leader-parent-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.parent.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. 
- type: keyword -process.session_leader.parent.session_leader.elf.cpu_type: - dashed_name: process-session-leader-parent-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.parent.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.session_leader.parent.session_leader.elf.creation_date: - dashed_name: process-session-leader-parent-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.parent.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.session_leader.parent.session_leader.elf.exports: - dashed_name: process-session-leader-parent-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.parent.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.session_leader.parent.session_leader.elf.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.elf.go_import_hash + example: a.einstein + flat_name: process.entry_leader.real_user.name ignore_above: 1024 - level: extended - name: go_import_hash + level: core + multi_fields: + - flat_name: process.entry_leader.real_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. + original_fieldset: user + short: Short name or login of the user. type: keyword -process.session_leader.parent.session_leader.elf.go_imports: - dashed_name: process-session-leader-parent-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.session_leader.parent.session_leader.elf.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.session_leader.elf.go_stripped: - dashed_name: process-session-leader-parent-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.elf.go_stripped +process.entry_leader.same_as_process: + dashed_name: process-entry-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' 
+ example: true + flat_name: process.entry_leader.same_as_process level: extended - name: go_stripped + name: same_as_process normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. type: boolean -process.session_leader.parent.session_leader.elf.header.abi_version: - dashed_name: process-session-leader-parent-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.parent.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.session_leader.parent.session_leader.elf.header.class: - dashed_name: process-session-leader-parent-session-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.session_leader.parent.session_leader.elf.header.class +process.entry_leader.saved_group.id: + dashed_name: process-entry-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.saved_group.id ignore_above: 1024 level: extended - name: header.class + name: id normalize: [] - original_fieldset: elf - short: Header class of the ELF file. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.parent.session_leader.elf.header.data: - dashed_name: process-session-leader-parent-session-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.session_leader.parent.session_leader.elf.header.data +process.entry_leader.saved_group.name: + dashed_name: process-entry-leader-saved-group-name + description: Name of the group. 
+ flat_name: process.entry_leader.saved_group.name ignore_above: 1024 level: extended - name: header.data + name: name normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + original_fieldset: group + short: Name of the group. type: keyword -process.session_leader.parent.session_leader.elf.header.entrypoint: - dashed_name: process-session-leader-parent-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.parent.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.session_leader.parent.session_leader.elf.header.object_version: - dashed_name: process-session-leader-parent-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.parent.session_leader.elf.header.object_version +process.entry_leader.saved_user.id: + dashed_name: process-entry-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.saved_user.id ignore_above: 1024 - level: extended - name: header.object_version + level: core + name: id normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.session_leader.parent.session_leader.elf.header.os_abi: - dashed_name: process-session-leader-parent-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.parent.session_leader.elf.header.os_abi +process.entry_leader.saved_user.name: + dashed_name: process-entry-leader-saved-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.entry_leader.saved_user.name ignore_above: 1024 - level: extended - name: header.os_abi + level: core + multi_fields: + - flat_name: process.entry_leader.saved_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. + original_fieldset: user + short: Short name or login of the user. type: keyword -process.session_leader.parent.session_leader.elf.header.type: - dashed_name: process-session-leader-parent-session-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.session_leader.parent.session_leader.elf.header.type - ignore_above: 1024 +process.entry_leader.start: + dashed_name: process-entry-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.start level: extended - name: header.type + name: start normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.session_leader.parent.session_leader.elf.header.version: - dashed_name: process-session-leader-parent-session-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.session_leader.parent.session_leader.elf.header.version + original_fieldset: process + short: The time the process started. + type: date +process.entry_leader.supplemental_groups.id: + dashed_name: process-entry-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.supplemental_groups.id ignore_above: 1024 level: extended - name: header.version + name: id normalize: [] - original_fieldset: elf - short: Version of the ELF header. + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
type: keyword -process.session_leader.parent.session_leader.elf.import_hash: - dashed_name: process-session-leader-parent-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.elf.import_hash +process.entry_leader.supplemental_groups.name: + dashed_name: process-entry-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.supplemental_groups.name ignore_above: 1024 level: extended - name: import_hash + name: name normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. + original_fieldset: group + short: Name of the group. type: keyword -process.session_leader.parent.session_leader.elf.imports: - dashed_name: process-session-leader-parent-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.session_leader.parent.session_leader.elf.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. 
- type: long -process.session_leader.parent.session_leader.elf.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.session_leader.elf.imports_names_var_entropy - format: number +process.entry_leader.tty: + dashed_name: process-entry-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.entry_leader.tty level: extended - name: imports_names_var_entropy + name: tty normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.parent.session_leader.elf.sections: - dashed_name: process-session-leader-parent-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.session_leader.parent.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.session_leader.parent.session_leader.elf.sections.chi2: - dashed_name: process-session-leader-parent-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.parent.session_leader.elf.sections.chi2 - format: number + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.entry_leader.tty.char_device.major: + dashed_name: process-entry-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. 
+ The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.tty.char_device.major level: extended - name: sections.chi2 + name: tty.char_device.major normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. + original_fieldset: process + short: The TTY character device's major number. type: long -process.session_leader.parent.session_leader.elf.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.elf.sections.entropy - format: number +process.entry_leader.tty.char_device.minor: + dashed_name: process-entry-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.tty.char_device.minor level: extended - name: sections.entropy + name: tty.char_device.minor normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. + original_fieldset: process + short: The TTY character device's minor number. type: long -process.session_leader.parent.session_leader.elf.sections.flags: - dashed_name: process-session-leader-parent-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.parent.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. 
- type: keyword -process.session_leader.parent.session_leader.elf.sections.name: - dashed_name: process-session-leader-parent-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.parent.session_leader.elf.sections.name +process.entry_leader.user.id: + dashed_name: process-entry-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.user.id ignore_above: 1024 - level: extended - name: sections.name + level: core + name: id normalize: [] - original_fieldset: elf - short: ELF Section List name. + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.session_leader.parent.session_leader.elf.sections.physical_offset: - dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.parent.session_leader.elf.sections.physical_offset +process.entry_leader.user.name: + dashed_name: process-entry-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.user.name ignore_above: 1024 - level: extended - name: sections.physical_offset + level: core + multi_fields: + - flat_name: process.entry_leader.user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: ELF Section List offset. + original_fieldset: user + short: Short name or login of the user. type: keyword -process.session_leader.parent.session_leader.elf.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-size - description: ELF Section List physical size. 
- flat_name: process.session_leader.parent.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size +process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.vpid + format: string + level: core + name: vpid normalize: [] - original_fieldset: elf - short: ELF Section List physical size. + original_fieldset: process + short: Virtual process id. type: long -process.session_leader.parent.session_leader.elf.sections.type: - dashed_name: process-session-leader-parent-session-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.session_leader.parent.session_leader.elf.sections.type +process.entry_leader.working_directory: + dashed_name: process-entry-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.entry_leader.working_directory ignore_above: 1024 level: extended - name: sections.type + multi_fields: + - flat_name: process.entry_leader.working_directory.text + name: text + type: match_only_text + name: working_directory normalize: [] - original_fieldset: elf - short: ELF Section List type. + original_fieldset: process + short: The working directory of the process. type: keyword -process.session_leader.parent.session_leader.elf.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.elf.sections.var_entropy - format: number +process.env_vars: + dashed_name: process-env-vars + description: 'Array of environment variable bindings. 
Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.env_vars + ignore_above: 1024 level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.session_leader.elf.sections.virtual_address: - dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_address - format: string + name: env_vars + normalize: + - array + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.executable: + dashed_name: process-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.executable + ignore_above: 1024 level: extended - name: sections.virtual_address + multi_fields: + - flat_name: process.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.session_leader.parent.session_leader.elf.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_size - format: string + otel: + - attribute: process.executable.path + relation: equivalent + stability: development + short: Absolute path to the process executable. + type: keyword +process.exit_code: + dashed_name: process-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' 
+ example: 137 + flat_name: process.exit_code level: extended - name: sections.virtual_size + name: exit_code normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. + short: The exit code of the process. type: long -process.session_leader.parent.session_leader.elf.segments: - dashed_name: process-session-leader-parent-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.session_leader.parent.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.session_leader.parent.session_leader.elf.segments.sections: - dashed_name: process-session-leader-parent-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.parent.session_leader.elf.segments.sections +process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group.id ignore_above: 1024 level: extended - name: segments.sections + name: id normalize: [] - original_fieldset: elf - short: ELF object segment sections. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.parent.session_leader.elf.segments.type: - dashed_name: process-session-leader-parent-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.parent.session_leader.elf.segments.type +process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name ignore_above: 1024 level: extended - name: segments.type + name: name normalize: [] - original_fieldset: elf - short: ELF object segment type. 
+ original_fieldset: group + short: Name of the group. type: keyword -process.session_leader.parent.session_leader.elf.shared_libraries: - dashed_name: process-session-leader-parent-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.parent.session_leader.elf.shared_libraries +process.group_leader.args: + dashed_name: process-group-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.group_leader.args ignore_above: 1024 level: extended - name: shared_libraries + name: args normalize: - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.session_leader.parent.session_leader.elf.telfhash: - dashed_name: process-session-leader-parent-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.parent.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. + original_fieldset: process + short: Array of process arguments. type: keyword -process.session_leader.parent.session_leader.end: - dashed_name: process-session-leader-parent-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.end +process.group_leader.args_count: + dashed_name: process-group-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' 
+ example: 4 + flat_name: process.group_leader.args_count level: extended - name: end + name: args_count normalize: [] original_fieldset: process - short: The time the process ended. - type: date -process.session_leader.parent.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.parent.session_leader.endpoint_security_client + short: Length of the process.args array. + type: long +process.group_leader.command_line: + dashed_name: process-group-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.group_leader.command_line level: extended - name: endpoint_security_client + multi_fields: + - flat_name: process.group_leader.command_line.text + name: text + type: match_only_text + name: command_line normalize: [] original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.session_leader.parent.session_leader.entity_id: - dashed_name: process-session-leader-parent-session-leader-entity-id + short: Full command line that started the process. + type: wildcard +process.group_leader.entity_id: + dashed_name: process-group-leader-entity-id description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples 
@@ -42214,459 +10460,375 @@ process.session_leader.parent.session_leader.entity_id: reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d - flat_name: process.session_leader.parent.session_leader.entity_id + flat_name: process.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.group_leader.executable: + dashed_name: process-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.group_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.group_leader.group.id: + dashed_name: process-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.group.id ignore_above: 1024 level: extended - name: entity_id + name: id normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.parent.session_leader.entry_meta.source.address: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' 
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.address +process.group_leader.group.name: + dashed_name: process-group-leader-group-name + description: Name of the group. + flat_name: process.group_leader.group.name ignore_above: 1024 level: extended - name: address + name: name normalize: [] - original_fieldset: source - short: Source network address. + original_fieldset: group + short: Name of the group. type: keyword -process.session_leader.parent.session_leader.entry_meta.source.as.number: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.number +process.group_leader.interactive: + dashed_name: process-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.group_leader.interactive level: extended - name: number + name: interactive normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. 
- type: long -process.session_leader.parent.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.group_leader.name: + dashed_name: process-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.group_leader.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text + - flat_name: process.group_leader.name.text name: text type: match_only_text - name: organization.name + name: name normalize: [] - original_fieldset: as - short: Organization name. + original_fieldset: process + short: Process name. type: keyword -process.session_leader.parent.session_leader.entry_meta.source.bytes: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.bytes - format: bytes +process.group_leader.pid: + dashed_name: process-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.group_leader.pid + format: string level: core - name: bytes + name: pid normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. + original_fieldset: process + otel: + - relation: match + stability: development + short: Process id. 
type: long -process.session_leader.parent.session_leader.entry_meta.source.domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.session_leader.parent.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code +process.group_leader.real_group.id: + dashed_name: process-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.real_group.id ignore_above: 1024 - level: core - name: continent_code + level: extended + name: id normalize: [] - original_fieldset: geo - short: Continent code. + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name +process.group_leader.real_group.name: + dashed_name: process-group-leader-real-group-name + description: Name of the group. + flat_name: process.group_leader.real_group.name ignore_above: 1024 - level: core - name: continent_name + level: extended + name: name normalize: [] - original_fieldset: geo - short: Name of the continent. + original_fieldset: group + short: Name of the group. type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code +process.group_leader.real_user.id: + dashed_name: process-group-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.real_user.id ignore_above: 1024 level: core - name: country_iso_code + name: id normalize: [] - original_fieldset: geo - short: Country ISO code. + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_name +process.group_leader.real_user.name: + dashed_name: process-group-leader-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.group_leader.real_user.name ignore_above: 1024 level: core - name: country_name + multi_fields: + - flat_name: process.group_leader.real_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: geo - short: Country name. + original_fieldset: user + short: Short name or login of the user. type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.location: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.session_leader.parent.session_leader.entry_meta.source.geo.name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. +process.group_leader.same_as_process: + dashed_name: process-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. - Not typically used in automated geolocation.' 
- example: boston-dc - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.group_leader.same_as_process + level: extended + name: same_as_process normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. 
- example: CA-QC - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.group_leader.saved_group.id: + dashed_name: process-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.saved_group.id ignore_above: 1024 - level: core - name: region_iso_code + level: extended + name: id normalize: [] - original_fieldset: geo - short: Region ISO code. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_name +process.group_leader.saved_group.name: + dashed_name: process-group-leader-saved-group-name + description: Name of the group. + flat_name: process.group_leader.saved_group.name ignore_above: 1024 - level: core - name: region_name + level: extended + name: name normalize: [] - original_fieldset: geo - short: Region name. + original_fieldset: group + short: Name of the group. type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.timezone +process.group_leader.saved_user.id: + dashed_name: process-group-leader-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.saved_user.id ignore_above: 1024 level: core - name: timezone + name: id normalize: [] - original_fieldset: geo - short: Time zone. + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.session_leader.parent.session_leader.entry_meta.source.ip: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.parent.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.session_leader.parent.session_leader.entry_meta.source.mac: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.mac +process.group_leader.saved_user.name: + dashed_name: process-group-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.saved_user.name ignore_above: 1024 level: core - name: mac + multi_fields: + - flat_name: process.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. + original_fieldset: user + short: Short name or login of the user. 
type: keyword -process.session_leader.parent.session_leader.entry_meta.source.nat.ip: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.session_leader.parent.session_leader.entry_meta.source.nat.port: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.port - format: string +process.group_leader.start: + dashed_name: process-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.start level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.session_leader.parent.session_leader.entry_meta.source.packets: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.session_leader.parent.session_leader.entry_meta.source.port: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-port - description: Port of the source. 
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.port - format: string - level: core - name: port + name: start normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.session_leader.parent.session_leader.entry_meta.source.registered_domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.session_leader.parent.session_leader.entry_meta.source.registered_domain + original_fieldset: process + short: The time the process started. + type: date +process.group_leader.supplemental_groups.id: + dashed_name: process-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.supplemental_groups.id ignore_above: 1024 level: extended - name: registered_domain + name: id normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.parent.session_leader.entry_meta.source.subdomain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. 
- - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.parent.session_leader.entry_meta.source.subdomain +process.group_leader.supplemental_groups.name: + dashed_name: process-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.group_leader.supplemental_groups.name ignore_above: 1024 level: extended - name: subdomain + name: name normalize: [] - original_fieldset: source - short: The subdomain of the domain. + original_fieldset: group + short: Name of the group. type: keyword -process.session_leader.parent.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.session_leader.parent.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 +process.group_leader.tty: + dashed_name: process-group-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.group_leader.tty level: extended - name: top_level_domain + name: tty normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). 
- type: keyword -process.session_leader.parent.session_leader.entry_meta.type: - dashed_name: process-session-leader-parent-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.parent.session_leader.entry_meta.type - ignore_above: 1024 + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.group_leader.tty.char_device.major: + dashed_name: process-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.group_leader.tty.char_device.major level: extended - name: entry_meta.type + name: tty.char_device.major normalize: [] original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.session_leader.parent.session_leader.env_vars: - dashed_name: process-session-leader-parent-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.parent.session_leader.env_vars - ignore_above: 1024 + short: The TTY character device's major number. 
+ type: long +process.group_leader.tty.char_device.minor: + dashed_name: process-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.group_leader.tty.char_device.minor level: extended - name: env_vars - normalize: - - array + name: tty.char_device.minor + normalize: [] original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none + short: The TTY character device's minor number. + type: long +process.group_leader.user.id: + dashed_name: process-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.session_leader.parent.session_leader.executable: - dashed_name: process-session-leader-parent-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.parent.session_leader.executable +process.group_leader.user.name: + dashed_name: process-group-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.user.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.session_leader.parent.session_leader.executable.text + - flat_name: process.group_leader.user.name.text name: text type: match_only_text - name: executable + name: name normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
+ original_fieldset: user + short: Short name or login of the user. type: keyword -process.session_leader.parent.session_leader.exit_code: - dashed_name: process-session-leader-parent-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. +process.group_leader.vpid: + dashed_name: process-group-leader-vpid + description: 'Virtual process id. - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.parent.session_leader.exit_code - level: extended - name: exit_code + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.group_leader.vpid + format: string + level: core + name: vpid normalize: [] original_fieldset: process - short: The exit code of the process. + short: Virtual process id. type: long -process.session_leader.parent.session_leader.group.domain: - dashed_name: process-session-leader-parent-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.group.id: - dashed_name: process-session-leader-parent-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.session_leader.parent.session_leader.group.name: - dashed_name: process-session-leader-parent-session-leader-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.group.name +process.group_leader.working_directory: + dashed_name: process-group-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.group_leader.working_directory ignore_above: 1024 level: extended - name: name + multi_fields: + - flat_name: process.group_leader.working_directory.text + name: text + type: match_only_text + name: working_directory normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: process + short: The working directory of the process. type: keyword -process.session_leader.parent.session_leader.hash.cdhash: +process.hash.cdhash: beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-hash-cdhash + dashed_name: process-hash-cdhash description: Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code. example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.parent.session_leader.hash.cdhash + flat_name: process.hash.cdhash ignore_above: 1024 level: extended name: cdhash @@ -42674,10 +10836,10 @@ process.session_leader.parent.session_leader.hash.cdhash: original_fieldset: hash short: The Code Directory (CD) hash of an executable. type: keyword -process.session_leader.parent.session_leader.hash.md5: - dashed_name: process-session-leader-parent-session-leader-hash-md5 +process.hash.md5: + dashed_name: process-hash-md5 description: MD5 hash. - flat_name: process.session_leader.parent.session_leader.hash.md5 + flat_name: process.hash.md5 ignore_above: 1024 level: extended name: md5 
@@ -42685,10 +10847,10 @@ process.session_leader.parent.session_leader.hash.md5: original_fieldset: hash short: MD5 hash. type: keyword -process.session_leader.parent.session_leader.hash.sha1: - dashed_name: process-session-leader-parent-session-leader-hash-sha1 +process.hash.sha1: + dashed_name: process-hash-sha1 description: SHA1 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha1 + flat_name: process.hash.sha1 ignore_above: 1024 level: extended name: sha1 @@ -42696,10 +10858,10 @@ process.session_leader.parent.session_leader.hash.sha1: original_fieldset: hash short: SHA1 hash. type: keyword -process.session_leader.parent.session_leader.hash.sha256: - dashed_name: process-session-leader-parent-session-leader-hash-sha256 +process.hash.sha256: + dashed_name: process-hash-sha256 description: SHA256 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha256 + flat_name: process.hash.sha256 ignore_above: 1024 level: extended name: sha256 @@ -42707,10 +10869,10 @@ process.session_leader.parent.session_leader.hash.sha256: original_fieldset: hash short: SHA256 hash. type: keyword -process.session_leader.parent.session_leader.hash.sha384: - dashed_name: process-session-leader-parent-session-leader-hash-sha384 +process.hash.sha384: + dashed_name: process-hash-sha384 description: SHA384 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha384 + flat_name: process.hash.sha384 ignore_above: 1024 level: extended name: sha384 
@@ -42718,10 +10880,10 @@ process.session_leader.parent.session_leader.hash.sha384: original_fieldset: hash short: SHA384 hash. type: keyword -process.session_leader.parent.session_leader.hash.sha512: - dashed_name: process-session-leader-parent-session-leader-hash-sha512 +process.hash.sha512: + dashed_name: process-hash-sha512 description: SHA512 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha512 + flat_name: process.hash.sha512 ignore_above: 1024 level: extended name: sha512 @@ -42729,10 +10891,10 @@ process.session_leader.parent.session_leader.hash.sha512: original_fieldset: hash short: SHA512 hash. type: keyword -process.session_leader.parent.session_leader.hash.ssdeep: - dashed_name: process-session-leader-parent-session-leader-hash-ssdeep +process.hash.ssdeep: + dashed_name: process-hash-ssdeep description: SSDEEP hash. - flat_name: process.session_leader.parent.session_leader.hash.ssdeep + flat_name: process.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep @@ -42740,10 +10902,10 @@ process.session_leader.parent.session_leader.hash.ssdeep: original_fieldset: hash short: SSDEEP hash. type: keyword -process.session_leader.parent.session_leader.hash.tlsh: - dashed_name: process-session-leader-parent-session-leader-hash-tlsh +process.hash.tlsh: + dashed_name: process-hash-tlsh description: TLSH hash. - flat_name: process.session_leader.parent.session_leader.hash.tlsh + flat_name: process.hash.tlsh ignore_above: 1024 level: extended name: tlsh @@ -42751,8 +10913,8 @@ process.session_leader.parent.session_leader.hash.tlsh: original_fieldset: hash short: TLSH hash. type: keyword -process.session_leader.parent.session_leader.interactive: - dashed_name: process-session-leader-parent-session-leader-interactive +process.interactive: + dashed_name: process-interactive description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the 
@@ -42765,127 +10927,593 @@ process.session_leader.parent.session_leader.interactive: is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true - flat_name: process.session_leader.parent.session_leader.interactive + flat_name: process.interactive level: extended name: interactive normalize: [] - original_fieldset: process + otel: + - relation: match + stability: development short: Whether the process is connected to an interactive shell. type: boolean -process.session_leader.parent.session_leader.io: - dashed_name: process-session-leader-parent-session-leader-io +process.io: + dashed_name: process-io description: 'A chunk of input or output (IO) from a single process. This field only appears on the top level process object, which is the process that wrote the output or read the input.' - flat_name: process.session_leader.parent.session_leader.io + flat_name: process.io level: extended name: io normalize: [] - original_fieldset: process short: A chunk of input or output (IO) from a single process. type: object -process.session_leader.parent.session_leader.io.bytes_skipped: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped +process.io.bytes_skipped: + dashed_name: process-io-bytes-skipped description: An array of byte offsets and lengths denoting where IO data has been skipped. - flat_name: process.session_leader.parent.session_leader.io.bytes_skipped + flat_name: process.io.bytes_skipped level: extended name: io.bytes_skipped normalize: - array - original_fieldset: process short: An array of byte offsets and lengths denoting where IO data has been skipped. type: object -process.session_leader.parent.session_leader.io.bytes_skipped.length: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-length +process.io.bytes_skipped.length: + dashed_name: process-io-bytes-skipped-length description: The length of bytes skipped. 
- flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.length + flat_name: process.io.bytes_skipped.length level: extended name: io.bytes_skipped.length normalize: [] - original_fieldset: process short: The length of bytes skipped. type: long -process.session_leader.parent.session_leader.io.bytes_skipped.offset: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-offset +process.io.bytes_skipped.offset: + dashed_name: process-io-bytes-skipped-offset description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. - flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.offset + flat_name: process.io.bytes_skipped.offset level: extended name: io.bytes_skipped.offset normalize: [] - original_fieldset: process short: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. type: long -process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-parent-session-leader-io-max-bytes-per-process-exceeded +process.io.max_bytes_per_process_exceeded: + dashed_name: process-io-max-bytes-per-process-exceeded description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. - flat_name: process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded + flat_name: process.io.max_bytes_per_process_exceeded level: extended name: io.max_bytes_per_process_exceeded normalize: [] - original_fieldset: process short: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. type: boolean -process.session_leader.parent.session_leader.io.text: - dashed_name: process-session-leader-parent-session-leader-io-text +process.io.text: + dashed_name: process-io-text description: 'A chunk of output or input sanitized to UTF-8. 
Best efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.session_leader.parent.session_leader.io.text + flat_name: process.io.text level: extended name: io.text normalize: [] - original_fieldset: process short: A chunk of output or input sanitized to UTF-8. type: wildcard -process.session_leader.parent.session_leader.io.total_bytes_captured: - dashed_name: process-session-leader-parent-session-leader-io-total-bytes-captured +process.io.total_bytes_captured: + dashed_name: process-io-total-bytes-captured description: The total number of bytes captured in this event. - flat_name: process.session_leader.parent.session_leader.io.total_bytes_captured + flat_name: process.io.total_bytes_captured level: extended name: io.total_bytes_captured normalize: [] - original_fieldset: process short: The total number of bytes captured in this event. type: long -process.session_leader.parent.session_leader.io.total_bytes_skipped: - dashed_name: process-session-leader-parent-session-leader-io-total-bytes-skipped +process.io.total_bytes_skipped: + dashed_name: process-io-total-bytes-skipped description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero - flat_name: process.session_leader.parent.session_leader.io.total_bytes_skipped + flat_name: process.io.total_bytes_skipped level: extended name: io.total_bytes_skipped normalize: [] - original_fieldset: process short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. 
type: long -process.session_leader.parent.session_leader.io.type: - dashed_name: process-session-leader-parent-session-leader-io-type +process.io.type: + dashed_name: process-io-type description: 'The type of object on which the IO action (read or write) was taken. Currently only ''tty'' is supported. Other types may be added in the future for ''file'' and ''socket'' support.' - flat_name: process.session_leader.parent.session_leader.io.type + flat_name: process.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.macho.go_import_hash: + dashed_name: process-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.macho.go_imports: + dashed_name: process-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.macho.go_imports_names_entropy: + dashed_name: process-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.macho.go_imports_names_var_entropy: + dashed_name: process-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.macho.go_stripped: + dashed_name: process-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.macho.import_hash: + dashed_name: process-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.macho.imports: + dashed_name: process-macho-imports + description: List of imported element names and types. + flat_name: process.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. 
+ type: flattened +process.macho.imports_names_entropy: + dashed_name: process-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.macho.imports_names_var_entropy: + dashed_name: process-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.macho.sections: + dashed_name: process-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.macho.sections.entropy: + dashed_name: process-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.macho.sections.name: + dashed_name: process-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.macho.sections.physical_size: + dashed_name: process-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.macho.sections.var_entropy: + dashed_name: process-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.macho.sections.virtual_size: + dashed_name: process-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.macho.symhash: + dashed_name: process-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. 
+ type: keyword +process.name: + dashed_name: process-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: Process name. + type: keyword +process.parent.args: + dashed_name: process-parent-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.parent.args_count: + dashed_name: process-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.parent.code_signature.digest_algorithm: + dashed_name: process-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. 
+ type: keyword +process.parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.parent.code_signature.status: + dashed_name: process-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword +process.parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.parent.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.parent.code_signature.timestamp: + dashed_name: process-parent-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.parent.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. 
+ type: date +process.parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.parent.command_line: + dashed_name: process-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.parent.command_line + level: extended + multi_fields: + - flat_name: process.parent.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.parent.elf.architecture: + dashed_name: process-parent-elf-architecture + description: Machine architecture of the ELF file. 
+ example: x86-64 + flat_name: process.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.parent.elf.byte_order: + dashed_name: process-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.parent.elf.cpu_type: + dashed_name: process-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.elf.cpu_type ignore_above: 1024 level: extended - name: io.type + name: cpu_type normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. + original_fieldset: elf + short: CPU type of the ELF file. type: keyword -process.session_leader.parent.session_leader.macho.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard +process.parent.elf.creation_date: + dashed_name: process-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.parent.elf.exports: + dashed_name: process-parent-elf-exports + description: List of exported element names and types. + flat_name: process.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. 
+ type: flattened +process.parent.elf.go_import_hash: + dashed_name: process-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
@@ -42893,289 +11521,637 @@ process.session_leader.parent.session_leader.macho.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.macho.go_import_hash + flat_name: process.parent.elf.go_import_hash ignore_above: 1024 level: extended name: go_import_hash normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. type: keyword -process.session_leader.parent.session_leader.macho.go_imports: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports +process.parent.elf.go_imports: + dashed_name: process-parent-elf-go-imports description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.macho.go_imports + flat_name: process.parent.elf.go_imports level: extended name: go_imports normalize: [] - original_fieldset: macho + original_fieldset: elf short: List of imported Go language element names and types. type: flattened -process.session_leader.parent.session_leader.macho.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-entropy +process.parent.elf.go_imports_names_entropy: + dashed_name: process-parent-elf-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_entropy + flat_name: process.parent.elf.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy normalize: [] - original_fieldset: macho + original_fieldset: elf short: Shannon entropy calculation from the list of Go imports. 
type: long -process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-var-entropy +process.parent.elf.go_imports_names_var_entropy: + dashed_name: process-parent-elf-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy + flat_name: process.parent.elf.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy normalize: [] - original_fieldset: macho + original_fieldset: elf short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.session_leader.parent.session_leader.macho.go_stripped: - dashed_name: process-session-leader-parent-session-leader-macho-go-stripped +process.parent.elf.go_stripped: + dashed_name: process-parent-elf-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.macho.go_stripped + flat_name: process.parent.elf.go_stripped level: extended name: go_stripped normalize: [] - original_fieldset: macho + original_fieldset: elf short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.session_leader.parent.session_leader.macho.import_hash: - dashed_name: process-session-leader-parent-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations +process.parent.elf.header.abi_version: + dashed_name: process-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). 
+ flat_name: process.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.parent.elf.header.class: + dashed_name: process-parent-elf-header-class + description: Header class of the ELF file. + flat_name: process.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.parent.elf.header.data: + dashed_name: process-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.parent.elf.header.entrypoint: + dashed_name: process-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.parent.elf.header.object_version: + dashed_name: process-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.parent.elf.header.os_abi: + dashed_name: process-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. 
+ type: keyword +process.parent.elf.header.type: + dashed_name: process-parent-elf-header-type + description: Header type of the ELF file. + flat_name: process.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.parent.elf.header.version: + dashed_name: process-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.parent.elf.import_hash: + dashed_name: process-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - This is a synonym for symhash.' + This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.macho.import_hash + flat_name: process.parent.elf.import_hash ignore_above: 1024 level: extended name: import_hash normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. + original_fieldset: elf + short: A hash of the imports in an ELF file. type: keyword -process.session_leader.parent.session_leader.macho.imports: - dashed_name: process-session-leader-parent-session-leader-macho-imports +process.parent.elf.imports: + dashed_name: process-parent-elf-imports description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.macho.imports + flat_name: process.parent.elf.imports level: extended name: imports normalize: - array - original_fieldset: macho + original_fieldset: elf short: List of imported element names and types. 
type: flattened -process.session_leader.parent.session_leader.macho.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-imports-names-entropy +process.parent.elf.imports_names_entropy: + dashed_name: process-parent-elf-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.parent.session_leader.macho.imports_names_entropy + flat_name: process.parent.elf.imports_names_entropy format: number level: extended name: imports_names_entropy normalize: [] - original_fieldset: macho + original_fieldset: elf short: Shannon entropy calculation from the list of imported element names and types. type: long -process.session_leader.parent.session_leader.macho.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-imports-names-var-entropy +process.parent.elf.imports_names_var_entropy: + dashed_name: process-parent-elf-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.parent.session_leader.macho.imports_names_var_entropy + flat_name: process.parent.elf.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy normalize: [] - original_fieldset: macho + original_fieldset: elf short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.session_leader.parent.session_leader.macho.sections: - dashed_name: process-session-leader-parent-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. +process.parent.elf.sections: + dashed_name: process-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' 
- flat_name: process.session_leader.parent.session_leader.macho.sections + `elf.sections.*`.' + flat_name: process.parent.elf.sections level: extended name: sections normalize: - array - original_fieldset: macho - short: Section information of the Mach-O file. + original_fieldset: elf + short: Section information of the ELF file. type: nested -process.session_leader.parent.session_leader.macho.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-macho-sections-entropy +process.parent.elf.sections.chi2: + dashed_name: process-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.parent.elf.sections.entropy: + dashed_name: process-parent-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.macho.sections.entropy + flat_name: process.parent.elf.sections.entropy format: number level: extended name: sections.entropy normalize: [] - original_fieldset: macho + original_fieldset: elf short: Shannon entropy calculation from the section. type: long -process.session_leader.parent.session_leader.macho.sections.name: - dashed_name: process-session-leader-parent-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.parent.session_leader.macho.sections.name +process.parent.elf.sections.flags: + dashed_name: process-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. 
+ type: keyword +process.parent.elf.sections.name: + dashed_name: process-parent-elf-sections-name + description: ELF Section List name. + flat_name: process.parent.elf.sections.name ignore_above: 1024 level: extended name: sections.name normalize: [] - original_fieldset: macho - short: Mach-O Section List name. + original_fieldset: elf + short: ELF Section List name. type: keyword -process.session_leader.parent.session_leader.macho.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.parent.session_leader.macho.sections.physical_size +process.parent.elf.sections.physical_offset: + dashed_name: process-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.parent.elf.sections.physical_size: + dashed_name: process-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.parent.elf.sections.physical_size format: bytes level: extended name: sections.physical_size normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. + original_fieldset: elf + short: ELF Section List physical size. type: long -process.session_leader.parent.session_leader.macho.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-sections-var-entropy +process.parent.elf.sections.type: + dashed_name: process-parent-elf-sections-type + description: ELF Section List type. + flat_name: process.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. 
+ type: keyword +process.parent.elf.sections.var_entropy: + dashed_name: process-parent-elf-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.macho.sections.var_entropy + flat_name: process.parent.elf.sections.var_entropy format: number level: extended name: sections.var_entropy normalize: [] - original_fieldset: macho + original_fieldset: elf short: Variance for Shannon entropy calculation from the section. type: long -process.session_leader.parent.session_leader.macho.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.session_leader.macho.sections.virtual_size +process.parent.elf.sections.virtual_address: + dashed_name: process-parent-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.parent.elf.sections.virtual_size: + dashed_name: process-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.elf.sections.virtual_size format: string level: extended name: sections.virtual_size normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. + original_fieldset: elf + short: ELF Section List virtual size. type: long -process.session_leader.parent.session_leader.macho.symhash: - dashed_name: process-session-leader-parent-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. +process.parent.elf.segments: + dashed_name: process-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.parent.session_leader.macho.symhash + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.parent.elf.segments.sections: + dashed_name: process-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.elf.segments.sections ignore_above: 1024 level: extended - name: symhash + name: segments.sections normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. + original_fieldset: elf + short: ELF object segment sections. type: keyword -process.session_leader.parent.session_leader.name: - dashed_name: process-session-leader-parent-session-leader-name - description: 'Process name. +process.parent.elf.segments.type: + dashed_name: process-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.parent.elf.shared_libraries: + dashed_name: process-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: process.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.parent.elf.telfhash: + dashed_name: process-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.parent.end: + dashed_name: process-parent-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.parent.entity_id: + dashed_name: process-parent-entity-id + description: 'Unique identifier for the process. - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.parent.session_leader.name + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.parent.executable: + dashed_name: process-parent-executable + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + flat_name: process.parent.executable ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.parent.session_leader.name.text + - flat_name: process.parent.executable.text name: text type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.parent.exit_code: + dashed_name: process-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.parent.group.id: + dashed_name: process-parent-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group.name: + dashed_name: process-parent-group-name + description: Name of the group. + flat_name: process.parent.group.name + ignore_above: 1024 + level: extended name: name normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.entity_id: + dashed_name: process-parent-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' 
+ example: c2c455d9f99375d + flat_name: process.parent.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] original_fieldset: process - short: Process name. + short: Unique identifier for the process. type: keyword -process.session_leader.parent.session_leader.origin_referrer_url: +process.parent.group_leader.pid: + dashed_name: process-parent-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.parent.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.parent.group_leader.start: + dashed_name: process-parent-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.parent.hash.cdhash: beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. 
- example: http://example.com/article1.html - flat_name: process.session_leader.parent.session_leader.origin_referrer_url - ignore_above: 8192 + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.parent.hash.md5: + dashed_name: process-parent-hash-md5 + description: MD5 hash. + flat_name: process.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.parent.hash.sha1: + dashed_name: process-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.parent.hash.sha1 + ignore_above: 1024 level: extended - name: origin_referrer_url + name: sha1 normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. + original_fieldset: hash + short: SHA1 hash. type: keyword -process.session_leader.parent.session_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.session_leader.parent.session_leader.origin_url - ignore_above: 8192 +process.parent.hash.sha256: + dashed_name: process-parent-hash-sha256 + description: SHA256 hash. + flat_name: process.parent.hash.sha256 + ignore_above: 1024 level: extended - name: origin_url + name: sha256 normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. + original_fieldset: hash + short: SHA256 hash. 
type: keyword -process.session_leader.parent.session_leader.pe.architecture: - dashed_name: process-session-leader-parent-session-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.session_leader.parent.session_leader.pe.architecture +process.parent.hash.sha384: + dashed_name: process-parent-hash-sha384 + description: SHA384 hash. + flat_name: process.parent.hash.sha384 ignore_above: 1024 level: extended - name: architecture + name: sha384 normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + original_fieldset: hash + short: SHA384 hash. type: keyword -process.session_leader.parent.session_leader.pe.company: - dashed_name: process-session-leader-parent-session-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.session_leader.parent.session_leader.pe.company +process.parent.hash.sha512: + dashed_name: process-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.parent.hash.sha512 ignore_above: 1024 level: extended - name: company + name: sha512 normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + original_fieldset: hash + short: SHA512 hash. type: keyword -process.session_leader.parent.session_leader.pe.description: - dashed_name: process-session-leader-parent-session-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.session_leader.parent.session_leader.pe.description +process.parent.hash.ssdeep: + dashed_name: process-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.hash.ssdeep ignore_above: 1024 level: extended - name: description + name: ssdeep normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + original_fieldset: hash + short: SSDEEP hash. 
type: keyword -process.session_leader.parent.session_leader.pe.file_version: - dashed_name: process-session-leader-parent-session-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.session_leader.parent.session_leader.pe.file_version +process.parent.hash.tlsh: + dashed_name: process-parent-hash-tlsh + description: TLSH hash. + flat_name: process.parent.hash.tlsh ignore_above: 1024 level: extended - name: file_version + name: tlsh normalize: [] - original_fieldset: pe - short: Process name. + original_fieldset: hash + short: TLSH hash. type: keyword -process.session_leader.parent.session_leader.pe.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard +process.parent.interactive: + dashed_name: process-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.parent.macho.go_import_hash: + dashed_name: process-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard library imports. 
An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
@@ -43183,1038 +12159,514 @@ process.session_leader.parent.session_leader.pe.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.pe.go_import_hash + flat_name: process.parent.macho.go_import_hash ignore_above: 1024 level: extended name: go_import_hash normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. type: keyword -process.session_leader.parent.session_leader.pe.go_imports: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports +process.parent.macho.go_imports: + dashed_name: process-parent-macho-go-imports description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.pe.go_imports + flat_name: process.parent.macho.go_imports level: extended name: go_imports normalize: [] - original_fieldset: pe + original_fieldset: macho short: List of imported Go language element names and types. type: flattened -process.session_leader.parent.session_leader.pe.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-entropy +process.parent.macho.go_imports_names_entropy: + dashed_name: process-parent-macho-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_entropy + flat_name: process.parent.macho.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy normalize: [] - original_fieldset: pe + original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. 
type: long -process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-var-entropy +process.parent.macho.go_imports_names_var_entropy: + dashed_name: process-parent-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy + flat_name: process.parent.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy normalize: [] - original_fieldset: pe + original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.session_leader.parent.session_leader.pe.go_stripped: - dashed_name: process-session-leader-parent-session-leader-pe-go-stripped +process.parent.macho.go_stripped: + dashed_name: process-parent-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.pe.go_stripped + flat_name: process.parent.macho.go_stripped level: extended name: go_stripped normalize: [] - original_fieldset: pe + original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.session_leader.parent.session_leader.pe.imphash: - dashed_name: process-session-leader-parent-session-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
- example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.parent.session_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.session_leader.parent.session_leader.pe.import_hash: - dashed_name: process-session-leader-parent-session-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations +process.parent.macho.import_hash: + dashed_name: process-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - This is a synonym for imphash.' + This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.pe.import_hash + flat_name: process.parent.macho.import_hash ignore_above: 1024 level: extended name: import_hash normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: macho + short: A hash of the imports in a Mach-O file. type: keyword -process.session_leader.parent.session_leader.pe.imports: - dashed_name: process-session-leader-parent-session-leader-pe-imports +process.parent.macho.imports: + dashed_name: process-parent-macho-imports description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.pe.imports + flat_name: process.parent.macho.imports level: extended name: imports normalize: - array - original_fieldset: pe + original_fieldset: macho short: List of imported element names and types. 
type: flattened -process.session_leader.parent.session_leader.pe.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-imports-names-entropy +process.parent.macho.imports_names_entropy: + dashed_name: process-parent-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.parent.session_leader.pe.imports_names_entropy + flat_name: process.parent.macho.imports_names_entropy format: number level: extended name: imports_names_entropy normalize: [] - original_fieldset: pe + original_fieldset: macho short: Shannon entropy calculation from the list of imported element names and types. type: long -process.session_leader.parent.session_leader.pe.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-imports-names-var-entropy +process.parent.macho.imports_names_var_entropy: + dashed_name: process-parent-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.parent.session_leader.pe.imports_names_var_entropy + flat_name: process.parent.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy normalize: [] - original_fieldset: pe + original_fieldset: macho short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.session_leader.parent.session_leader.pe.original_file_name: - dashed_name: process-session-leader-parent-session-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.session_leader.parent.session_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. 
- type: keyword -process.session_leader.parent.session_leader.pe.pehash: - dashed_name: process-session-leader-parent-session-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.parent.session_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.session_leader.parent.session_leader.pe.product: - dashed_name: process-session-leader-parent-session-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.session_leader.parent.session_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.session_leader.pe.sections: - dashed_name: process-session-leader-parent-session-leader-pe-sections - description: 'An array containing an object for each section of the PE file. +process.parent.macho.sections: + dashed_name: process-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.session_leader.parent.session_leader.pe.sections + `macho.sections.*`.' + flat_name: process.parent.macho.sections level: extended name: sections normalize: - array - original_fieldset: pe - short: Section information of the PE file. 
+ original_fieldset: macho + short: Section information of the Mach-O file. type: nested -process.session_leader.parent.session_leader.pe.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-pe-sections-entropy +process.parent.macho.sections.entropy: + dashed_name: process-parent-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.session_leader.parent.session_leader.pe.sections.name: - dashed_name: process-session-leader-parent-session-leader-pe-sections-name - description: PE Section List name. - flat_name: process.session_leader.parent.session_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.session_leader.parent.session_leader.pe.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.session_leader.parent.session_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.session_leader.parent.session_leader.pe.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. 
- flat_name: process.session_leader.parent.session_leader.pe.sections.var_entropy + flat_name: process.parent.macho.sections.entropy format: number level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.session_leader.pe.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.session_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.session_leader.parent.session_leader.pid: - dashed_name: process-session-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.session_leader.parent.session_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.session_leader.parent.session_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. 
- type: boolean -process.session_leader.parent.session_leader.real_group.domain: - dashed_name: process-session-leader-parent-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.real_group.id: - dashed_name: process-session-leader-parent-session-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.real_group.name: - dashed_name: process-session-leader-parent-session-leader-real-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.real_user.domain: - dashed_name: process-session-leader-parent-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword -process.session_leader.parent.session_leader.real_user.email: - dashed_name: process-session-leader-parent-session-leader-real-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.session_leader.real_user.full_name: - dashed_name: process-session-leader-parent-session-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.session_leader.real_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.real_user.group.id: - dashed_name: process-session-leader-parent-session-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.session_leader.parent.session_leader.real_user.group.name: - dashed_name: process-session-leader-parent-session-leader-real-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.real_user.hash: - dashed_name: process-session-leader-parent-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.session_leader.real_user.id: - dashed_name: process-session-leader-parent-session-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.parent.session_leader.real_user.name: - dashed_name: process-session-leader-parent-session-leader-real-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.session_leader.parent.session_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.session_leader.real_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.session_leader.real_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.session_leader.real_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.session_leader.real_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.session_leader.parent.session_leader.real_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.session_leader.real_user.roles: - dashed_name: process-session-leader-parent-session-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.same_as_process: - dashed_name: process-session-leader-parent-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. 
e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.parent.session_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.session_leader.parent.session_leader.saved_group.domain: - dashed_name: process-session-leader-parent-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.saved_group.id: - dashed_name: process-session-leader-parent-session-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.saved_group.name: - dashed_name: process-session-leader-parent-session-leader-saved-group-name - description: Name of the group. 
- flat_name: process.session_leader.parent.session_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.saved_user.domain: - dashed_name: process-session-leader-parent-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.session_leader.saved_user.email: - dashed_name: process-session-leader-parent-session-leader-saved-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email + name: sections.entropy normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.session_leader.saved_user.full_name: - dashed_name: process-session-leader-parent-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.saved_user.full_name + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.parent.macho.sections.name: + dashed_name: process-parent-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.parent.macho.sections.name ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name + name: sections.name normalize: [] - original_fieldset: user - short: User's full name, if available. + original_fieldset: macho + short: Mach-O Section List name. type: keyword -process.session_leader.parent.session_leader.saved_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.saved_user.group.domain - ignore_above: 1024 +process.parent.macho.sections.physical_size: + dashed_name: process-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.parent.macho.sections.physical_size + format: bytes level: extended - name: domain + name: sections.physical_size normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.saved_user.group.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.saved_user.group.id - ignore_above: 1024 + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.parent.macho.sections.var_entropy: + dashed_name: process-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: process.parent.macho.sections.var_entropy + format: number level: extended - name: id + name: sections.var_entropy normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.saved_user.group.name: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.saved_user.group.name - ignore_above: 1024 + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.macho.sections.virtual_size: + dashed_name: process-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.macho.sections.virtual_size + format: string level: extended - name: name + name: sections.virtual_size normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.saved_user.hash: - dashed_name: process-session-leader-parent-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.macho.symhash: + dashed_name: process-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.session_leader.parent.session_leader.saved_user.hash + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.macho.symhash ignore_above: 1024 level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.session_leader.saved_user.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.saved_user.id - ignore_above: 1024 - level: core - name: id + name: symhash normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: macho + short: A hash of the imports in a Mach-O file. type: keyword -process.session_leader.parent.session_leader.saved_user.name: - dashed_name: process-session-leader-parent-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.saved_user.name +process.parent.name: + dashed_name: process-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.parent.name ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.name.text + - flat_name: process.parent.name.text name: text type: match_only_text name: name normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: process + short: Process name. 
type: keyword -process.session_leader.parent.session_leader.saved_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_level +process.parent.pe.architecture: + dashed_name: process-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.parent.pe.architecture ignore_above: 1024 level: extended - name: calculated_level + name: architecture normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. + original_fieldset: pe + short: CPU architecture target for the file. type: keyword -process.session_leader.parent.session_leader.saved_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score +process.parent.pe.company: + dashed_name: process-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.parent.pe.company + ignore_above: 1024 level: extended - name: calculated_score + name: company normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.parent.pe.description: + dashed_name: process-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.parent.pe.description + ignore_above: 1024 level: extended - name: calculated_score_norm + name: description normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.session_leader.saved_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_level + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.parent.pe.file_version: + dashed_name: process-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.parent.pe.file_version ignore_above: 1024 level: extended - name: static_level + name: file_version normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
+ original_fieldset: pe + short: Process name. type: keyword -process.session_leader.parent.session_leader.saved_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score +process.parent.pe.go_import_hash: + dashed_name: process-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.pe.go_import_hash + ignore_above: 1024 level: extended - name: static_score + name: go_import_hash normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.parent.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score_norm + original_fieldset: pe + short: A hash of the Go language imports in a PE file. 
+ type: keyword +process.parent.pe.go_imports: + dashed_name: process-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.pe.go_imports level: extended - name: static_score_norm + name: go_imports normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.session_leader.saved_user.roles: - dashed_name: process-session-leader-parent-session-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.saved_user.roles - ignore_above: 1024 + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.parent.pe.go_imports_names_entropy: + dashed_name: process-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.pe.go_imports_names_entropy + format: number level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.start: - dashed_name: process-session-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.start + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.pe.go_imports_names_var_entropy: + dashed_name: process-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.pe.go_imports_names_var_entropy + format: number level: extended - name: start + name: go_imports_names_var_entropy normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.session_leader.parent.session_leader.supplemental_groups.domain: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.supplemental_groups.domain - ignore_above: 1024 + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.pe.go_stripped: + dashed_name: process-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.pe.go_stripped level: extended - name: domain + name: go_stripped normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.supplemental_groups.id: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.supplemental_groups.id + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.pe.imphash: + dashed_name: process-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.pe.imphash ignore_above: 1024 level: extended - name: id + name: imphash normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword -process.session_leader.parent.session_leader.supplemental_groups.name: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.supplemental_groups.name +process.parent.pe.import_hash: + dashed_name: process-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.pe.import_hash ignore_above: 1024 level: extended - name: name + name: import_hash normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword -process.session_leader.parent.session_leader.thread.capabilities.effective: - dashed_name: process-session-leader-parent-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.session_leader.thread.capabilities.effective - ignore_above: 1024 +process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of imported element names and types. 
+ flat_name: process.parent.pe.imports level: extended - name: thread.capabilities.effective + name: imports normalize: - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.thread.capabilities.permitted: - dashed_name: process-session-leader-parent-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.session_leader.thread.capabilities.permitted - ignore_above: 1024 + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.parent.pe.imports_names_entropy: + dashed_name: process-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.pe.imports_names_entropy + format: number level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.thread.id: - dashed_name: process-session-leader-parent-session-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.session_leader.parent.session_leader.thread.id - format: string + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.pe.imports_names_var_entropy: + dashed_name: process-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.parent.pe.imports_names_var_entropy + format: number level: extended - name: thread.id + name: imports_names_var_entropy normalize: [] - original_fieldset: process - short: Thread ID. + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. type: long -process.session_leader.parent.session_leader.thread.name: - dashed_name: process-session-leader-parent-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.session_leader.parent.session_leader.thread.name +process.parent.pe.original_file_name: + dashed_name: process-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.parent.pe.original_file_name ignore_above: 1024 level: extended - name: thread.name + name: original_file_name normalize: [] - original_fieldset: process - short: Thread name. + original_fieldset: pe + short: Internal name of the file, provided at compile-time. type: keyword -process.session_leader.parent.session_leader.title: - dashed_name: process-session-leader-parent-session-leader-title - description: 'Process title. +process.parent.pe.pehash: + dashed_name: process-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.parent.session_leader.title + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.parent.pe.pehash ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.title.text - name: text - type: match_only_text - name: title + name: pehash normalize: [] - original_fieldset: process - short: Process title. + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. type: keyword -process.session_leader.parent.session_leader.tty: - dashed_name: process-session-leader-parent-session-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.session_leader.parent.session_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.session_leader.parent.session_leader.tty.char_device.major: - dashed_name: process-session-leader-parent-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.session_leader.parent.session_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.session_leader.parent.session_leader.tty.char_device.minor: - dashed_name: process-session-leader-parent-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. 
It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.session_leader.parent.session_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.session_leader.parent.session_leader.tty.columns: - dashed_name: process-session-leader-parent-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.parent.session_leader.tty.columns +process.parent.pe.product: + dashed_name: process-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.parent.pe.product + ignore_above: 1024 level: extended - name: tty.columns + name: product normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.session_leader.parent.session_leader.tty.rows: - dashed_name: process-session-leader-parent-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: 'An array containing an object for each section of the PE file. - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. 
where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.parent.session_leader.tty.rows + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.parent.pe.sections level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.session_leader.parent.session_leader.uptime: - dashed_name: process-session-leader-parent-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.session_leader.parent.session_leader.uptime + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.pe.sections.entropy + format: number level: extended - name: uptime + name: sections.entropy normalize: [] - original_fieldset: process - short: Seconds the process has been up. + original_fieldset: pe + short: Shannon entropy calculation from the section. type: long -process.session_leader.parent.session_leader.user.domain: - dashed_name: process-session-leader-parent-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.user.domain +process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: PE Section List name. + flat_name: process.parent.pe.sections.name ignore_above: 1024 level: extended - name: domain + name: sections.name normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. + original_fieldset: pe + short: PE Section List name. 
type: keyword -process.session_leader.parent.session_leader.user.email: - dashed_name: process-session-leader-parent-session-leader-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.user.email - ignore_above: 1024 +process.parent.pe.sections.physical_size: + dashed_name: process-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.pe.sections.physical_size + format: bytes level: extended - name: email + name: sections.physical_size normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.session_leader.user.full_name: - dashed_name: process-session-leader-parent-session-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.user.full_name - ignore_above: 1024 + original_fieldset: pe + short: PE Section List physical size. + type: long +process.parent.pe.sections.var_entropy: + dashed_name: process-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.pe.sections.var_entropy + format: number level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.full_name.text - name: text - type: match_only_text - name: full_name + name: sections.var_entropy normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.session_leader.user.group.domain: - dashed_name: process-session-leader-parent-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.user.group.domain - ignore_above: 1024 + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.parent.pe.sections.virtual_size: + dashed_name: process-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.pe.sections.virtual_size + format: string level: extended - name: domain + name: sections.virtual_size normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.user.group.id: - dashed_name: process-session-leader-parent-session-leader-user-group-id + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.pid: + dashed_name: process-parent-pid + description: Process id. + example: 4242 + flat_name: process.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.parent.real_group.id: + dashed_name: process-parent-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.user.group.id + flat_name: process.parent.real_group.id ignore_above: 1024 level: extended name: id @@ -44222,10 +12674,10 @@ process.session_leader.parent.session_leader.user.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.parent.session_leader.user.group.name: - dashed_name: process-session-leader-parent-session-leader-user-group-name +process.parent.real_group.name: + dashed_name: process-parent-real-group-name description: Name of the group. - flat_name: process.session_leader.parent.session_leader.user.group.name + flat_name: process.parent.real_group.name ignore_above: 1024 level: extended name: name 
@@ -44233,26 +12685,11 @@ process.session_leader.parent.session_leader.user.group.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.parent.session_leader.user.hash: - dashed_name: process-session-leader-parent-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.session_leader.user.id: - dashed_name: process-session-leader-parent-session-leader-user-id +process.parent.real_user.id: + dashed_name: process-parent-real-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.user.id + flat_name: process.parent.real_user.id ignore_above: 1024 level: core name: id @@ -44260,15 +12697,15 @@ process.session_leader.parent.session_leader.user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.session_leader.parent.session_leader.user.name: - dashed_name: process-session-leader-parent-session-leader-user-name +process.parent.real_user.name: + dashed_name: process-parent-real-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.parent.session_leader.user.name + flat_name: process.parent.real_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.name.text + - flat_name: process.parent.real_user.name.text name: text type: match_only_text name: name 
@@ -44276,160 +12713,71 @@ process.session_leader.parent.session_leader.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.session_leader.parent.session_leader.user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_level +process.parent.saved_group.id: + dashed_name: process-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.saved_group.id ignore_above: 1024 level: extended - name: calculated_level + name: id normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.parent.session_leader.user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.session_leader.parent.session_leader.user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.session_leader.user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.user.risk.static_level +process.parent.saved_group.name: + dashed_name: process-parent-saved-group-name + description: Name of the group. + flat_name: process.parent.saved_group.name ignore_above: 1024 level: extended - name: static_level + name: name normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. + original_fieldset: group + short: Name of the group. type: keyword -process.session_leader.parent.session_leader.user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.session_leader.parent.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.parent.session_leader.user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.session_leader.user.roles: - dashed_name: process-session-leader-parent-session-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.user.roles +process.parent.saved_user.id: + dashed_name: process-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.saved_user.id ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.vpid: - dashed_name: process-session-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. 
This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.session_leader.parent.session_leader.vpid - format: string level: core - name: vpid + name: id normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.session_leader.parent.session_leader.working_directory: - dashed_name: process-session-leader-parent-session-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.session_leader.parent.session_leader.working_directory + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.saved_user.name: + dashed_name: process-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.saved_user.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.session_leader.parent.session_leader.working_directory.text + - flat_name: process.parent.saved_user.name.text name: text type: match_only_text - name: working_directory + name: name normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: user + short: Short name or login of the user. type: keyword -process.session_leader.parent.start: - dashed_name: process-session-leader-parent-start +process.parent.start: + dashed_name: process-parent-start description: The time the process started. example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.start + flat_name: process.parent.start level: extended name: start normalize: [] original_fieldset: process short: The time the process started. type: date -process.session_leader.parent.supplemental_groups.domain: - dashed_name: process-session-leader-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.supplemental_groups.id: - dashed_name: process-session-leader-parent-supplemental-groups-id +process.parent.supplemental_groups.id: + dashed_name: process-parent-supplemental-groups-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.supplemental_groups.id + flat_name: process.parent.supplemental_groups.id ignore_above: 1024 level: extended name: id @@ -44437,10 +12785,10 @@ process.session_leader.parent.supplemental_groups.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.parent.supplemental_groups.name: - dashed_name: process-session-leader-parent-supplemental-groups-name +process.parent.supplemental_groups.name: + dashed_name: process-parent-supplemental-groups-name description: Name of the group. - flat_name: process.session_leader.parent.supplemental_groups.name + flat_name: process.parent.supplemental_groups.name ignore_above: 1024 level: extended name: name 
@@ -44448,12 +12796,12 @@ process.session_leader.parent.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.parent.thread.capabilities.effective: - dashed_name: process-session-leader-parent-thread-capabilities-effective +process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective description: This is the set of capabilities used by the kernel to perform permission checks for the thread. example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.thread.capabilities.effective + flat_name: process.parent.thread.capabilities.effective ignore_above: 1024 level: extended name: thread.capabilities.effective @@ -44464,12 +12812,12 @@ process.session_leader.parent.thread.capabilities.effective: short: Array of capabilities used for permission checks. synthetic_source_keep: none type: keyword -process.session_leader.parent.thread.capabilities.permitted: - dashed_name: process-session-leader-parent-thread-capabilities-permitted +process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted description: This is a limiting superset for the effective capabilities that the thread may assume. example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.thread.capabilities.permitted + flat_name: process.parent.thread.capabilities.permitted ignore_above: 1024 level: extended name: thread.capabilities.permitted 
@@ -44480,11 +12828,11 @@ process.session_leader.parent.thread.capabilities.permitted: short: Array of capabilities a thread could assume. synthetic_source_keep: none type: keyword -process.session_leader.parent.thread.id: - dashed_name: process-session-leader-parent-thread-id +process.parent.thread.id: + dashed_name: process-parent-thread-id description: Thread ID. example: 4242 - flat_name: process.session_leader.parent.thread.id + flat_name: process.parent.thread.id format: string level: extended name: thread.id @@ -44492,11 +12840,11 @@ process.session_leader.parent.thread.id: original_fieldset: process short: Thread ID. type: long -process.session_leader.parent.thread.name: - dashed_name: process-session-leader-parent-thread-name +process.parent.thread.name: + dashed_name: process-parent-thread-name description: Thread name. example: thread-0 - flat_name: process.session_leader.parent.thread.name + flat_name: process.parent.thread.name ignore_above: 1024 level: extended name: thread.name @@ -44504,17 +12852,17 @@ process.session_leader.parent.thread.name: original_fieldset: process short: Thread name. type: keyword -process.session_leader.parent.title: - dashed_name: process-session-leader-parent-title +process.parent.title: + dashed_name: process-parent-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.parent.title + flat_name: process.parent.title ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.parent.title.text + - flat_name: process.parent.title.text name: text type: match_only_text name: title 
@@ -44522,179 +12870,61 @@ process.session_leader.parent.title: original_fieldset: process short: Process title. type: keyword -process.session_leader.parent.tty: - dashed_name: process-session-leader-parent-tty +process.parent.tty: + dashed_name: process-parent-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. - flat_name: process.session_leader.parent.tty + flat_name: process.parent.tty level: extended name: tty normalize: [] original_fieldset: process short: Information about the controlling TTY device. type: object -process.session_leader.parent.tty.char_device.major: - dashed_name: process-session-leader-parent-tty-char-device-major +process.parent.tty.char_device.major: + dashed_name: process-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 - flat_name: process.session_leader.parent.tty.char_device.major + flat_name: process.parent.tty.char_device.major level: extended name: tty.char_device.major normalize: [] original_fieldset: process short: The TTY character device's major number. type: long -process.session_leader.parent.tty.char_device.minor: - dashed_name: process-session-leader-parent-tty-char-device-minor +process.parent.tty.char_device.minor: + dashed_name: process-parent-tty-char-device-minor description: The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. 
example: 1 - flat_name: process.session_leader.parent.tty.char_device.minor + flat_name: process.parent.tty.char_device.minor level: extended name: tty.char_device.minor normalize: [] original_fieldset: process short: The TTY character device's minor number. type: long -process.session_leader.parent.tty.columns: - dashed_name: process-session-leader-parent-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.session_leader.parent.tty.rows: - dashed_name: process-session-leader-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.session_leader.parent.uptime: - dashed_name: process-session-leader-parent-uptime +process.parent.uptime: + dashed_name: process-parent-uptime description: Seconds the process has been up. example: 1325 - flat_name: process.session_leader.parent.uptime + flat_name: process.parent.uptime level: extended name: uptime normalize: [] original_fieldset: process short: Seconds the process has been up. type: long -process.session_leader.parent.user.domain: - dashed_name: process-session-leader-parent-user-domain - description: 'Name of the directory the user is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.user.email: - dashed_name: process-session-leader-parent-user-email - description: User email address. - flat_name: process.session_leader.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.user.full_name: - dashed_name: process-session-leader-parent-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.user.group.domain: - dashed_name: process-session-leader-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.user.group.id: - dashed_name: process-session-leader-parent-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.session_leader.parent.user.group.name: - dashed_name: process-session-leader-parent-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.user.hash: - dashed_name: process-session-leader-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.user.id: - dashed_name: process-session-leader-parent-user-id +process.parent.user.id: + dashed_name: process-parent-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.user.id + flat_name: process.parent.user.id ignore_above: 1024 level: core name: id @@ -44702,15 +12932,15 @@ process.session_leader.parent.user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.session_leader.parent.user.name: - dashed_name: process-session-leader-parent-user-name +process.parent.user.name: + dashed_name: process-parent-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.parent.user.name + flat_name: process.parent.user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.parent.user.name.text + - flat_name: process.parent.user.name.text name: text type: match_only_text name: name 
@@ -44718,109 +12948,15 @@ process.session_leader.parent.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.session_leader.parent.user.risk.calculated_level: - dashed_name: process-session-leader-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.user.risk.calculated_score: - dashed_name: process-session-leader-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.parent.user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.session_leader.parent.user.risk.static_level: - dashed_name: process-session-leader-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.user.risk.static_score: - dashed_name: process-session-leader-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.parent.user.risk.static_score_norm: - dashed_name: process-session-leader-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.user.roles: - dashed_name: process-session-leader-parent-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.vpid: - dashed_name: process-session-leader-parent-vpid +process.parent.vpid: + dashed_name: process-parent-vpid description: 'Virtual process id. The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.' example: 4242 - flat_name: process.session_leader.parent.vpid + flat_name: process.parent.vpid format: string level: core name: vpid @@ -44828,15 +12964,15 @@ process.session_leader.parent.vpid: original_fieldset: process short: Virtual process id. type: long -process.session_leader.parent.working_directory: - dashed_name: process-session-leader-parent-working-directory +process.parent.working_directory: + dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice - flat_name: process.session_leader.parent.working_directory + flat_name: process.parent.working_directory ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.parent.working_directory.text + - flat_name: process.parent.working_directory.text name: text type: match_only_text name: working_directory 
@@ -44844,11 +12980,11 @@ process.session_leader.parent.working_directory: original_fieldset: process short: The working directory of the process. type: keyword -process.session_leader.pe.architecture: - dashed_name: process-session-leader-pe-architecture +process.pe.architecture: + dashed_name: process-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: process.session_leader.pe.architecture + flat_name: process.pe.architecture ignore_above: 1024 level: extended name: architecture @@ -44856,11 +12992,11 @@ process.session_leader.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword -process.session_leader.pe.company: - dashed_name: process-session-leader-pe-company +process.pe.company: + dashed_name: process-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: process.session_leader.pe.company + flat_name: process.pe.company ignore_above: 1024 level: extended name: company @@ -44868,11 +13004,11 @@ process.session_leader.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword -process.session_leader.pe.description: - dashed_name: process-session-leader-pe-description +process.pe.description: + dashed_name: process-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: process.session_leader.pe.description + flat_name: process.pe.description ignore_above: 1024 level: extended name: description 
@@ -44880,11 +13016,11 @@ process.session_leader.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword -process.session_leader.pe.file_version: - dashed_name: process-session-leader-pe-file-version +process.pe.file_version: + dashed_name: process-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: process.session_leader.pe.file_version + flat_name: process.pe.file_version ignore_above: 1024 level: extended name: file_version @@ -44892,8 +13028,8 @@ process.session_leader.pe.file_version: original_fieldset: pe short: Process name. type: keyword -process.session_leader.pe.go_import_hash: - dashed_name: process-session-leader-pe-go-import-hash +process.pe.go_import_hash: + dashed_name: process-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change @@ -44902,7 +13038,7 @@ process.session_leader.pe.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.pe.go_import_hash + flat_name: process.pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -44910,20 +13046,20 @@ process.session_leader.pe.go_import_hash: original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword -process.session_leader.pe.go_imports: - dashed_name: process-session-leader-pe-go-imports +process.pe.go_imports: + dashed_name: process-pe-go-imports description: List of imported Go language element names and types. - flat_name: process.session_leader.pe.go_imports + flat_name: process.pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened -process.session_leader.pe.go_imports_names_entropy: - dashed_name: process-session-leader-pe-go-imports-names-entropy +process.pe.go_imports_names_entropy: + dashed_name: process-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.pe.go_imports_names_entropy + flat_name: process.pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -44931,10 +13067,10 @@ process.session_leader.pe.go_imports_names_entropy: original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long -process.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-pe-go-imports-names-var-entropy +process.pe.go_imports_names_var_entropy: + dashed_name: process-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.pe.go_imports_names_var_entropy + flat_name: process.pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -44942,26 +13078,26 @@ process.session_leader.pe.go_imports_names_var_entropy: original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.session_leader.pe.go_stripped: - dashed_name: process-session-leader-pe-go-stripped +process.pe.go_stripped: + dashed_name: process-pe-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.pe.go_stripped + flat_name: process.pe.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: pe short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.session_leader.pe.imphash: - dashed_name: process-session-leader-pe-imphash +process.pe.imphash: + dashed_name: process-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.pe.imphash + flat_name: process.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -44969,15 +13105,15 @@ process.session_leader.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -process.session_leader.pe.import_hash: - dashed_name: process-session-leader-pe-import-hash +process.pe.import_hash: + dashed_name: process-pe-import-hash description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.pe.import_hash + flat_name: process.pe.import_hash ignore_above: 1024 level: extended name: import_hash @@ -44985,10 +13121,10 @@ process.session_leader.pe.import_hash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -process.session_leader.pe.imports: - dashed_name: process-session-leader-pe-imports +process.pe.imports: + dashed_name: process-pe-imports description: List of imported element names and types. - flat_name: process.session_leader.pe.imports + flat_name: process.pe.imports level: extended name: imports normalize: @@ -44996,11 +13132,11 @@ process.session_leader.pe.imports: original_fieldset: pe short: List of imported element names and types. type: flattened -process.session_leader.pe.imports_names_entropy: - dashed_name: process-session-leader-pe-imports-names-entropy +process.pe.imports_names_entropy: + dashed_name: process-pe-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.pe.imports_names_entropy + flat_name: process.pe.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -45008,11 +13144,11 @@ process.session_leader.pe.imports_names_entropy: original_fieldset: pe short: Shannon entropy calculation from the list of imported element names and types. type: long -process.session_leader.pe.imports_names_var_entropy: - dashed_name: process-session-leader-pe-imports-names-var-entropy +process.pe.imports_names_var_entropy: + dashed_name: process-pe-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.pe.imports_names_var_entropy + flat_name: process.pe.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -45021,11 +13157,11 @@ process.session_leader.pe.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.session_leader.pe.original_file_name: - dashed_name: process-session-leader-pe-original-file-name +process.pe.original_file_name: + dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: process.session_leader.pe.original_file_name + flat_name: process.pe.original_file_name ignore_above: 1024 level: extended name: original_file_name 
@@ -45033,15 +13169,15 @@ process.session_leader.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword -process.session_leader.pe.pehash: - dashed_name: process-session-leader-pe-pehash +process.pe.pehash: + dashed_name: process-pe-pehash description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.pe.pehash + flat_name: process.pe.pehash ignore_above: 1024 level: extended name: pehash @@ -45049,11 +13185,11 @@ process.session_leader.pe.pehash: original_fieldset: pe short: A hash of the PE header and data from one or more PE sections. type: keyword -process.session_leader.pe.product: - dashed_name: process-session-leader-pe-product +process.pe.product: + dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System - flat_name: process.session_leader.pe.product + flat_name: process.pe.product ignore_above: 1024 level: extended name: product @@ -45061,13 +13197,13 @@ process.session_leader.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword -process.session_leader.pe.sections: - dashed_name: process-session-leader-pe-sections +process.pe.sections: + dashed_name: process-pe-sections description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' - flat_name: process.session_leader.pe.sections + flat_name: process.pe.sections level: extended name: sections normalize: 
@@ -45075,10 +13211,10 @@ process.session_leader.pe.sections: original_fieldset: pe short: Section information of the PE file. type: nested -process.session_leader.pe.sections.entropy: - dashed_name: process-session-leader-pe-sections-entropy +process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.session_leader.pe.sections.entropy + flat_name: process.pe.sections.entropy format: number level: extended name: sections.entropy @@ -45086,10 +13222,10 @@ process.session_leader.pe.sections.entropy: original_fieldset: pe short: Shannon entropy calculation from the section. type: long -process.session_leader.pe.sections.name: - dashed_name: process-session-leader-pe-sections-name +process.pe.sections.name: + dashed_name: process-pe-sections-name description: PE Section List name. - flat_name: process.session_leader.pe.sections.name + flat_name: process.pe.sections.name ignore_above: 1024 level: extended name: sections.name @@ -45097,10 +13233,10 @@ process.session_leader.pe.sections.name: original_fieldset: pe short: PE Section List name. type: keyword -process.session_leader.pe.sections.physical_size: - dashed_name: process-session-leader-pe-sections-physical-size +process.pe.sections.physical_size: + dashed_name: process-pe-sections-physical-size description: PE Section List physical size. - flat_name: process.session_leader.pe.sections.physical_size + flat_name: process.pe.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -45108,10 +13244,10 @@ process.session_leader.pe.sections.physical_size: original_fieldset: pe short: PE Section List physical size. type: long -process.session_leader.pe.sections.var_entropy: - dashed_name: process-session-leader-pe-sections-var-entropy +process.pe.sections.var_entropy: + dashed_name: process-pe-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.pe.sections.var_entropy + flat_name: process.pe.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -45119,10 +13255,10 @@ process.session_leader.pe.sections.var_entropy: original_fieldset: pe short: Variance for Shannon entropy calculation from the section. type: long -process.session_leader.pe.sections.virtual_size: - dashed_name: process-session-leader-pe-sections-virtual-size +process.pe.sections.virtual_size: + dashed_name: process-pe-sections-virtual-size description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.pe.sections.virtual_size + flat_name: process.pe.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -45130,51 +13266,71 @@ process.session_leader.pe.sections.virtual_size: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long -process.session_leader.pid: - dashed_name: process-session-leader-pid +process.pid: + dashed_name: process-pid description: Process id. example: 4242 - flat_name: process.session_leader.pid + flat_name: process.pid format: string level: core name: pid normalize: [] - original_fieldset: process otel: - relation: match stability: development short: Process id. type: long -process.session_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.session_leader.platform_binary +process.previous.args: + dashed_name: process-previous-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.previous.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.previous.args_count: + dashed_name: process-previous-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.previous.args_count level: extended - name: platform_binary + name: args_count normalize: [] original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. 
- type: boolean -process.session_leader.real_group.domain: - dashed_name: process-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_group.domain + short: Length of the process.args array. + type: long +process.previous.executable: + dashed_name: process-previous-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.previous.executable ignore_above: 1024 level: extended - name: domain + multi_fields: + - flat_name: process.previous.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + original_fieldset: process + short: Absolute path to the process executable. type: keyword -process.session_leader.real_group.id: - dashed_name: process-session-leader-real-group-id +process.real_group.id: + dashed_name: process-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_group.id + flat_name: process.real_group.id ignore_above: 1024 level: extended name: id @@ -45182,10 +13338,10 @@ process.session_leader.real_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.real_group.name: - dashed_name: process-session-leader-real-group-name +process.real_group.name: + dashed_name: process-real-group-name description: Name of the group. - flat_name: process.session_leader.real_group.name + flat_name: process.real_group.name ignore_above: 1024 level: extended name: name 
@@ -45193,63 +13349,44 @@ process.session_leader.real_group.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.real_user.domain: - dashed_name: process-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.real_user.email: - dashed_name: process-session-leader-real-user-email - description: User email address. - flat_name: process.session_leader.real_user.email +process.real_user.id: + dashed_name: process-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.real_user.id ignore_above: 1024 - level: extended - name: email + level: core + name: id normalize: [] original_fieldset: user - short: User email address. + otel: + - relation: match + stability: development + short: Unique identifier of the user. type: keyword -process.session_leader.real_user.full_name: - dashed_name: process-session-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.real_user.full_name +process.real_user.name: + dashed_name: process-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.real_user.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.session_leader.real_user.full_name.text + - flat_name: process.real_user.name.text name: text type: match_only_text - name: full_name + name: name normalize: [] original_fieldset: user - short: User's full name, if available. 
- type: keyword -process.session_leader.real_user.group.domain: - dashed_name: process-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + otel: + - relation: match + stability: development + short: Short name or login of the user. type: keyword -process.session_leader.real_user.group.id: - dashed_name: process-session-leader-real-user-group-id +process.saved_group.id: + dashed_name: process-saved-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_user.group.id + flat_name: process.saved_group.id ignore_above: 1024 level: extended name: id @@ -45257,10 +13394,10 @@ process.session_leader.real_user.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.real_user.group.name: - dashed_name: process-session-leader-real-user-group-name +process.saved_group.name: + dashed_name: process-saved-group-name description: Name of the group. - flat_name: process.session_leader.real_user.group.name + flat_name: process.saved_group.name ignore_above: 1024 level: extended name: name 
@@ -45268,190 +13405,323 @@ process.session_leader.real_user.group.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.real_user.hash: - dashed_name: process-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.real_user.id: - dashed_name: process-session-leader-real-user-id +process.saved_user.id: + dashed_name: process-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.real_user.id + flat_name: process.saved_user.id ignore_above: 1024 level: core name: id normalize: [] original_fieldset: user + otel: + - relation: match + stability: development short: Unique identifier of the user. type: keyword -process.session_leader.real_user.name: - dashed_name: process-session-leader-real-user-name +process.saved_user.name: + dashed_name: process-saved-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.real_user.name + flat_name: process.saved_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.real_user.name.text + - flat_name: process.saved_user.name.text name: text type: match_only_text name: name normalize: [] original_fieldset: user + otel: + - relation: match + stability: development short: Short name or login of the user. 
type: keyword -process.session_leader.real_user.risk.calculated_level: - dashed_name: process-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.real_user.risk.calculated_level +process.session_leader.args: + dashed_name: process-session-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.args ignore_above: 1024 level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. type: keyword -process.session_leader.real_user.risk.calculated_score: - dashed_name: process-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.real_user.risk.calculated_score +process.session_leader.args_count: + dashed_name: process-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.session_leader.args_count level: extended - name: calculated_score + name: args_count normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.real_user.risk.calculated_score_norm + original_fieldset: process + short: Length of the process.args array. + type: long +process.session_leader.command_line: + dashed_name: process-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.command_line level: extended - name: calculated_score_norm + multi_fields: + - flat_name: process.session_leader.command_line.text + name: text + type: match_only_text + name: command_line normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.real_user.risk.static_level: - dashed_name: process-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.real_user.risk.static_level + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.session_leader.entity_id: + dashed_name: process-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.entity_id ignore_above: 1024 level: extended - name: static_level + name: entity_id normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. + original_fieldset: process + short: Unique identifier for the process. type: keyword -process.session_leader.real_user.risk.static_score: - dashed_name: process-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.real_user.risk.static_score +process.session_leader.executable: + dashed_name: process-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.executable + ignore_above: 1024 level: extended - name: static_score + multi_fields: + - flat_name: process.session_leader.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.real_user.risk.static_score_norm: - dashed_name: process-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.real_user.risk.static_score_norm + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword +process.session_leader.group.id: + dashed_name: process-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.group.id + ignore_above: 1024 level: extended - name: static_score_norm + name: id normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.real_user.roles: - dashed_name: process-session-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.real_user.roles + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.group.name: + dashed_name: process-session-leader-group-name + description: Name of the group. + flat_name: process.session_leader.group.name ignore_above: 1024 level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none + name: name + normalize: [] + original_fieldset: group + short: Name of the group. type: keyword -process.session_leader.same_as_process: - dashed_name: process-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. 
e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) +process.session_leader.interactive: + dashed_name: process-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' example: true - flat_name: process.session_leader.same_as_process + flat_name: process.session_leader.interactive level: extended - name: same_as_process + name: interactive normalize: [] original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. + short: Whether the process is connected to an interactive shell. type: boolean -process.session_leader.saved_group.domain: - dashed_name: process-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. +process.session_leader.name: + dashed_name: process-session-leader-name + description: 'Process name. - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.saved_group.domain + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.name ignore_above: 1024 level: extended - name: domain + multi_fields: + - flat_name: process.session_leader.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + original_fieldset: process + short: Process name. type: keyword -process.session_leader.saved_group.id: - dashed_name: process-session-leader-saved-group-id +process.session_leader.parent.entity_id: + dashed_name: process-session-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.session_leader.parent.pid: + dashed_name: process-session-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.session_leader.parent.session_leader.entity_id: + dashed_name: process-session-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.session_leader.parent.session_leader.pid: + dashed_name: process-session-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.session_leader.parent.session_leader.start: + dashed_name: process-session-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.session_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. 
+ type: long +process.session_leader.parent.start: + dashed_name: process-session-leader-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.session_leader.parent.vpid: + dashed_name: process-session-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.session_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.session_leader.pid: + dashed_name: process-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + otel: + - relation: match + stability: development + short: Process id. + type: long +process.session_leader.real_group.id: + dashed_name: process-session-leader-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.saved_group.id + flat_name: process.session_leader.real_group.id ignore_above: 1024 level: extended name: id 
@@ -45459,10 +13729,10 @@ process.session_leader.saved_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.saved_group.name: - dashed_name: process-session-leader-saved-group-name +process.session_leader.real_group.name: + dashed_name: process-session-leader-real-group-name description: Name of the group. - flat_name: process.session_leader.saved_group.name + flat_name: process.session_leader.real_group.name ignore_above: 1024 level: extended name: name 
@@ -45470,63 +13740,68 @@ process.session_leader.saved_group.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.saved_user.domain: - dashed_name: process-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.saved_user.email: - dashed_name: process-session-leader-saved-user-email - description: User email address. - flat_name: process.session_leader.saved_user.email +process.session_leader.real_user.id: + dashed_name: process-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.real_user.id ignore_above: 1024 - level: extended - name: email + level: core + name: id normalize: [] original_fieldset: user - short: User email address. + short: Unique identifier of the user. type: keyword -process.session_leader.saved_user.full_name: - dashed_name: process-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.saved_user.full_name +process.session_leader.real_user.name: + dashed_name: process-session-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.real_user.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.session_leader.saved_user.full_name.text + - flat_name: process.session_leader.real_user.name.text name: text type: match_only_text - name: full_name + name: name normalize: [] original_fieldset: user - short: User's full name, if available. 
+ short: Short name or login of the user. type: keyword -process.session_leader.saved_user.group.domain: - dashed_name: process-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. +process.session_leader.same_as_process: + dashed_name: process-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_user.group.domain - ignore_above: 1024 + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.same_as_process level: extended - name: domain + name: same_as_process normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.saved_user.group.id: - dashed_name: process-session-leader-saved-user-group-id + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. 
+ type: boolean +process.session_leader.saved_group.id: + dashed_name: process-session-leader-saved-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.saved_user.group.id + flat_name: process.session_leader.saved_group.id ignore_above: 1024 level: extended name: id @@ -45534,10 +13809,10 @@ process.session_leader.saved_user.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.saved_user.group.name: - dashed_name: process-session-leader-saved-user-group-name +process.session_leader.saved_group.name: + dashed_name: process-session-leader-saved-group-name description: Name of the group. - flat_name: process.session_leader.saved_user.group.name + flat_name: process.session_leader.saved_group.name ignore_above: 1024 level: extended name: name @@ -45545,21 +13820,6 @@ process.session_leader.saved_user.group.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.saved_user.hash: - dashed_name: process-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword process.session_leader.saved_user.id: dashed_name: process-session-leader-saved-user-id description: Unique identifier of the user. 
@@ -45588,100 +13848,6 @@ process.session_leader.saved_user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.session_leader.saved_user.risk.calculated_level: - dashed_name: process-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.saved_user.risk.calculated_score: - dashed_name: process-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.session_leader.saved_user.risk.static_level: - dashed_name: process-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.saved_user.risk.static_score: - dashed_name: process-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.saved_user.roles: - dashed_name: process-session-leader-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.session_leader.start: dashed_name: process-session-leader-start description: The time the process started. @@ -45693,19 +13859,6 @@ process.session_leader.start: original_fieldset: process short: The time the process started. type: date -process.session_leader.supplemental_groups.domain: - dashed_name: process-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword process.session_leader.supplemental_groups.id: dashed_name: process-session-leader-supplemental-groups-id description: Unique identifier for the group on the system/platform. 
@@ -45728,80 +13881,6 @@ process.session_leader.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.thread.capabilities.effective: - dashed_name: process-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.session_leader.thread.capabilities.permitted: - dashed_name: process-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.session_leader.thread.id: - dashed_name: process-session-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.session_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.session_leader.thread.name: - dashed_name: process-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. 
- type: keyword -process.session_leader.title: - dashed_name: process-session-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword process.session_leader.tty: dashed_name: process-session-leader-tty description: Information about the controlling TTY device. If set, the process belongs 
@@ -45841,135 +13920,6 @@ process.session_leader.tty.char_device.minor:
original_fieldset: process
short: The TTY character device's minor number.
type: long
-process.session_leader.tty.columns:
- dashed_name: process-session-leader-tty-columns
- description: 'The number of character columns per line. e.g terminal width
-
- Terminal sizes can change, so this value reflects the maximum value for a given
- IO event. i.e. where event.action = ''text_output'''
- example: 80
- flat_name: process.session_leader.tty.columns
- level: extended
- name: tty.columns
- normalize: []
- original_fieldset: process
- short: The number of character columns per line. e.g terminal width
- type: long
-process.session_leader.tty.rows:
- dashed_name: process-session-leader-tty-rows
- description: 'The number of character rows in the terminal. e.g terminal height
-
- Terminal sizes can change, so this value reflects the maximum value for a given
- IO event. i.e. where event.action = ''text_output'''
- example: 24
- flat_name: process.session_leader.tty.rows
- level: extended
- name: tty.rows
- normalize: []
- original_fieldset: process
- short: The number of character rows in the terminal. e.g terminal height
- type: long
-process.session_leader.uptime:
- dashed_name: process-session-leader-uptime
- description: Seconds the process has been up.
- example: 1325
- flat_name: process.session_leader.uptime
- level: extended
- name: uptime
- normalize: []
- original_fieldset: process
- short: Seconds the process has been up.
- type: long
-process.session_leader.user.domain:
- dashed_name: process-session-leader-user-domain
- description: 'Name of the directory the user is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: process.session_leader.user.domain
- ignore_above: 1024
- level: extended
- name: domain
- normalize: []
- original_fieldset: user
- short: Name of the directory the user is a member of.
- type: keyword
-process.session_leader.user.email:
- dashed_name: process-session-leader-user-email
- description: User email address.
- flat_name: process.session_leader.user.email
- ignore_above: 1024
- level: extended
- name: email
- normalize: []
- original_fieldset: user
- short: User email address.
- type: keyword
-process.session_leader.user.full_name:
- dashed_name: process-session-leader-user-full-name
- description: User's full name, if available.
- example: Albert Einstein
- flat_name: process.session_leader.user.full_name
- ignore_above: 1024
- level: extended
- multi_fields:
- - flat_name: process.session_leader.user.full_name.text
- name: text
- type: match_only_text
- name: full_name
- normalize: []
- original_fieldset: user
- short: User's full name, if available.
- type: keyword
-process.session_leader.user.group.domain:
- dashed_name: process-session-leader-user-group-domain
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: process.session_leader.user.group.domain
- ignore_above: 1024
- level: extended
- name: domain
- normalize: []
- original_fieldset: group
- short: Name of the directory the group is a member of.
- type: keyword
-process.session_leader.user.group.id:
- dashed_name: process-session-leader-user-group-id
- description: Unique identifier for the group on the system/platform.
- flat_name: process.session_leader.user.group.id
- ignore_above: 1024
- level: extended
- name: id
- normalize: []
- original_fieldset: group
- short: Unique identifier for the group on the system/platform.
- type: keyword
-process.session_leader.user.group.name:
- dashed_name: process-session-leader-user-group-name
- description: Name of the group.
- flat_name: process.session_leader.user.group.name
- ignore_above: 1024
- level: extended
- name: name
- normalize: []
- original_fieldset: group
- short: Name of the group.
- type: keyword
-process.session_leader.user.hash:
- dashed_name: process-session-leader-user-hash
- description: 'Unique user hash to correlate information for a user in anonymized
- form.
-
- Useful if `user.id` or `user.name` contain confidential information and cannot
- be used.'
- flat_name: process.session_leader.user.hash
- ignore_above: 1024
- level: extended
- name: hash
- normalize: []
- original_fieldset: user
- short: Unique user hash to correlate information for a user in anonymized form.
- type: keyword
process.session_leader.user.id:
dashed_name: process-session-leader-user-id
description: Unique identifier of the user.
@@ -45998,100 +13948,6 @@ process.session_leader.user.name:
original_fieldset: user
short: Short name or login of the user.
type: keyword
-process.session_leader.user.risk.calculated_level:
- dashed_name: process-session-leader-user-risk-calculated-level
- description: A risk classification level calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: High
- flat_name: process.session_leader.user.risk.calculated_level
- ignore_above: 1024
- level: extended
- name: calculated_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: keyword
-process.session_leader.user.risk.calculated_score:
- dashed_name: process-session-leader-user-risk-calculated-score
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: 880.73
- flat_name: process.session_leader.user.risk.calculated_score
- level: extended
- name: calculated_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: float
-process.session_leader.user.risk.calculated_score_norm:
- dashed_name: process-session-leader-user-risk-calculated-score-norm
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring, and normalized to a range of 0 to
- 100.
- example: 88.73
- flat_name: process.session_leader.user.risk.calculated_score_norm
- level: extended
- name: calculated_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an internal system.
- type: float
-process.session_leader.user.risk.static_level:
- dashed_name: process-session-leader-user-risk-static-level
- description: A risk classification level obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: High
- flat_name: process.session_leader.user.risk.static_level
- ignore_above: 1024
- level: extended
- name: static_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: keyword
-process.session_leader.user.risk.static_score:
- dashed_name: process-session-leader-user-risk-static-score
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: 830.0
- flat_name: process.session_leader.user.risk.static_score
- level: extended
- name: static_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: float
-process.session_leader.user.risk.static_score_norm:
- dashed_name: process-session-leader-user-risk-static-score-norm
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform, and normalized to a range
- of 0 to 100.
- example: 83.0
- flat_name: process.session_leader.user.risk.static_score_norm
- level: extended
- name: static_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an external system.
- type: float
-process.session_leader.user.roles:
- dashed_name: process-session-leader-user-roles
- description: Array of user roles at the time of the event.
- example: '["kibana_admin", "reporting_user"]'
- flat_name: process.session_leader.user.roles
- ignore_above: 1024
- level: extended
- name: roles
- normalize:
- - array
- original_fieldset: user
- short: Array of user roles at the time of the event.
- synthetic_source_keep: none
- type: keyword
process.session_leader.vpid:
dashed_name: process-session-leader-vpid
description: 'Virtual process id.
@@ -46134,19 +13990,6 @@ process.start:
normalize: []
short: The time the process started.
type: date
-process.supplemental_groups.domain:
- dashed_name: process-supplemental-groups-domain
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: process.supplemental_groups.domain
- ignore_above: 1024
- level: extended
- name: domain
- normalize: []
- original_fieldset: group
- short: Name of the directory the group is a member of.
- type: keyword
process.supplemental_groups.id:
dashed_name: process-supplemental-groups-id
description: Unique identifier for the group on the system/platform.
@@ -46317,96 +14160,6 @@ process.uptime:
stability: development
short: Seconds the process has been up.
type: long
-process.user.domain:
- dashed_name: process-user-domain
- description: 'Name of the directory the user is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: process.user.domain
- ignore_above: 1024
- level: extended
- name: domain
- normalize: []
- original_fieldset: user
- short: Name of the directory the user is a member of.
- type: keyword
-process.user.email:
- dashed_name: process-user-email
- description: User email address.
- flat_name: process.user.email
- ignore_above: 1024
- level: extended
- name: email
- normalize: []
- original_fieldset: user
- short: User email address.
- type: keyword
-process.user.full_name:
- dashed_name: process-user-full-name
- description: User's full name, if available.
- example: Albert Einstein
- flat_name: process.user.full_name
- ignore_above: 1024
- level: extended
- multi_fields:
- - flat_name: process.user.full_name.text
- name: text
- type: match_only_text
- name: full_name
- normalize: []
- original_fieldset: user
- short: User's full name, if available.
- type: keyword
-process.user.group.domain:
- dashed_name: process-user-group-domain
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: process.user.group.domain
- ignore_above: 1024
- level: extended
- name: domain
- normalize: []
- original_fieldset: group
- short: Name of the directory the group is a member of.
- type: keyword
-process.user.group.id:
- dashed_name: process-user-group-id
- description: Unique identifier for the group on the system/platform.
- flat_name: process.user.group.id
- ignore_above: 1024
- level: extended
- name: id
- normalize: []
- original_fieldset: group
- short: Unique identifier for the group on the system/platform.
- type: keyword
-process.user.group.name:
- dashed_name: process-user-group-name
- description: Name of the group.
- flat_name: process.user.group.name
- ignore_above: 1024
- level: extended
- name: name
- normalize: []
- original_fieldset: group
- short: Name of the group.
- type: keyword
-process.user.hash:
- dashed_name: process-user-hash
- description: 'Unique user hash to correlate information for a user in anonymized
- form.
-
- Useful if `user.id` or `user.name` contain confidential information and cannot
- be used.'
- flat_name: process.user.hash
- ignore_above: 1024
- level: extended
- name: hash
- normalize: []
- original_fieldset: user
- short: Unique user hash to correlate information for a user in anonymized form.
- type: keyword
process.user.id:
dashed_name: process-user-id
description: Unique identifier of the user.
@@ -46441,100 +14194,6 @@ process.user.name:
stability: development
short: Short name or login of the user.
type: keyword
-process.user.risk.calculated_level:
- dashed_name: process-user-risk-calculated-level
- description: A risk classification level calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: High
- flat_name: process.user.risk.calculated_level
- ignore_above: 1024
- level: extended
- name: calculated_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: keyword
-process.user.risk.calculated_score:
- dashed_name: process-user-risk-calculated-score
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: 880.73
- flat_name: process.user.risk.calculated_score
- level: extended
- name: calculated_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: float
-process.user.risk.calculated_score_norm:
- dashed_name: process-user-risk-calculated-score-norm
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring, and normalized to a range of 0 to
- 100.
- example: 88.73
- flat_name: process.user.risk.calculated_score_norm
- level: extended
- name: calculated_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an internal system.
- type: float
-process.user.risk.static_level:
- dashed_name: process-user-risk-static-level
- description: A risk classification level obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: High
- flat_name: process.user.risk.static_level
- ignore_above: 1024
- level: extended
- name: static_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: keyword
-process.user.risk.static_score:
- dashed_name: process-user-risk-static-score
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: 830.0
- flat_name: process.user.risk.static_score
- level: extended
- name: static_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: float
-process.user.risk.static_score_norm:
- dashed_name: process-user-risk-static-score-norm
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform, and normalized to a range
- of 0 to 100.
- example: 83.0
- flat_name: process.user.risk.static_score_norm
- level: extended
- name: static_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an external system.
- type: float
-process.user.roles:
- dashed_name: process-user-roles
- description: Array of user roles at the time of the event.
- example: '["kibana_admin", "reporting_user"]'
- flat_name: process.user.roles
- ignore_above: 1024
- level: extended
- name: roles
- normalize:
- - array
- original_fieldset: user
- short: Array of user roles at the time of the event.
- synthetic_source_keep: none
- type: keyword
process.vpid:
dashed_name: process-vpid
description: 'Virtual process id.
@@ -47294,86 +14953,6 @@ server.user.name:
original_fieldset: user
short: Short name or login of the user.
type: keyword
-server.user.risk.calculated_level:
- dashed_name: server-user-risk-calculated-level
- description: A risk classification level calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: High
- flat_name: server.user.risk.calculated_level
- ignore_above: 1024
- level: extended
- name: calculated_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: keyword
-server.user.risk.calculated_score:
- dashed_name: server-user-risk-calculated-score
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: 880.73
- flat_name: server.user.risk.calculated_score
- level: extended
- name: calculated_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: float
-server.user.risk.calculated_score_norm:
- dashed_name: server-user-risk-calculated-score-norm
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring, and normalized to a range of 0 to
- 100.
- example: 88.73
- flat_name: server.user.risk.calculated_score_norm
- level: extended
- name: calculated_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an internal system.
- type: float
-server.user.risk.static_level:
- dashed_name: server-user-risk-static-level
- description: A risk classification level obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: High
- flat_name: server.user.risk.static_level
- ignore_above: 1024
- level: extended
- name: static_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: keyword
-server.user.risk.static_score:
- dashed_name: server-user-risk-static-score
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: 830.0
- flat_name: server.user.risk.static_score
- level: extended
- name: static_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: float
-server.user.risk.static_score_norm:
- dashed_name: server-user-risk-static-score-norm
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform, and normalized to a range
- of 0 to 100.
- example: 83.0
- flat_name: server.user.risk.static_score_norm
- level: extended
- name: static_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an external system.
- type: float
server.user.roles:
dashed_name: server-user-roles
description: Array of user roles at the time of the event.
@@ -48695,86 +16274,6 @@ source.user.name:
original_fieldset: user
short: Short name or login of the user.
type: keyword
-source.user.risk.calculated_level:
- dashed_name: source-user-risk-calculated-level
- description: A risk classification level calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: High
- flat_name: source.user.risk.calculated_level
- ignore_above: 1024
- level: extended
- name: calculated_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: keyword
-source.user.risk.calculated_score:
- dashed_name: source-user-risk-calculated-score
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: 880.73
- flat_name: source.user.risk.calculated_score
- level: extended
- name: calculated_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: float
-source.user.risk.calculated_score_norm:
- dashed_name: source-user-risk-calculated-score-norm
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring, and normalized to a range of 0 to
- 100.
- example: 88.73
- flat_name: source.user.risk.calculated_score_norm
- level: extended
- name: calculated_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an internal system.
- type: float
-source.user.risk.static_level:
- dashed_name: source-user-risk-static-level
- description: A risk classification level obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: High
- flat_name: source.user.risk.static_level
- ignore_above: 1024
- level: extended
- name: static_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: keyword
-source.user.risk.static_score:
- dashed_name: source-user-risk-static-score
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: 830.0
- flat_name: source.user.risk.static_score
- level: extended
- name: static_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: float
-source.user.risk.static_score_norm:
- dashed_name: source-user-risk-static-score-norm
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform, and normalized to a range
- of 0 to 100.
- example: 83.0
- flat_name: source.user.risk.static_score_norm
- level: extended
- name: static_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an external system.
- type: float
source.user.roles:
dashed_name: source-user-roles
description: Array of user roles at the time of the event.
@@ -55901,86 +23400,6 @@ user.changes.name:
original_fieldset: user
short: Short name or login of the user.
type: keyword
-user.changes.risk.calculated_level:
- dashed_name: user-changes-risk-calculated-level
- description: A risk classification level calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: High
- flat_name: user.changes.risk.calculated_level
- ignore_above: 1024
- level: extended
- name: calculated_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: keyword
-user.changes.risk.calculated_score:
- dashed_name: user-changes-risk-calculated-score
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: 880.73
- flat_name: user.changes.risk.calculated_score
- level: extended
- name: calculated_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: float
-user.changes.risk.calculated_score_norm:
- dashed_name: user-changes-risk-calculated-score-norm
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring, and normalized to a range of 0 to
- 100.
- example: 88.73
- flat_name: user.changes.risk.calculated_score_norm
- level: extended
- name: calculated_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an internal system.
- type: float
-user.changes.risk.static_level:
- dashed_name: user-changes-risk-static-level
- description: A risk classification level obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: High
- flat_name: user.changes.risk.static_level
- ignore_above: 1024
- level: extended
- name: static_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: keyword
-user.changes.risk.static_score:
- dashed_name: user-changes-risk-static-score
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: 830.0
- flat_name: user.changes.risk.static_score
- level: extended
- name: static_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: float
-user.changes.risk.static_score_norm:
- dashed_name: user-changes-risk-static-score-norm
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform, and normalized to a range
- of 0 to 100.
- example: 83.0
- flat_name: user.changes.risk.static_score_norm
- level: extended
- name: static_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an external system.
- type: float
user.changes.roles:
dashed_name: user-changes-roles
description: Array of user roles at the time of the event.
@@ -56125,86 +23544,6 @@ user.effective.name:
original_fieldset: user
short: Short name or login of the user.
type: keyword
-user.effective.risk.calculated_level:
- dashed_name: user-effective-risk-calculated-level
- description: A risk classification level calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: High
- flat_name: user.effective.risk.calculated_level
- ignore_above: 1024
- level: extended
- name: calculated_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: keyword
-user.effective.risk.calculated_score:
- dashed_name: user-effective-risk-calculated-score
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: 880.73
- flat_name: user.effective.risk.calculated_score
- level: extended
- name: calculated_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: float
-user.effective.risk.calculated_score_norm:
- dashed_name: user-effective-risk-calculated-score-norm
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring, and normalized to a range of 0 to
- 100.
- example: 88.73
- flat_name: user.effective.risk.calculated_score_norm
- level: extended
- name: calculated_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an internal system.
- type: float
-user.effective.risk.static_level:
- dashed_name: user-effective-risk-static-level
- description: A risk classification level obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: High
- flat_name: user.effective.risk.static_level
- ignore_above: 1024
- level: extended
- name: static_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: keyword
-user.effective.risk.static_score:
- dashed_name: user-effective-risk-static-score
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: 830.0
- flat_name: user.effective.risk.static_score
- level: extended
- name: static_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: float
-user.effective.risk.static_score_norm:
- dashed_name: user-effective-risk-static-score-norm
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform, and normalized to a range
- of 0 to 100.
- example: 83.0
- flat_name: user.effective.risk.static_score_norm
- level: extended
- name: static_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an external system.
- type: float
user.effective.roles:
dashed_name: user-effective-roles
description: Array of user roles at the time of the event.
@@ -56798,86 +24137,6 @@ user.target.name:
original_fieldset: user
short: Short name or login of the user.
type: keyword
-user.target.risk.calculated_level:
- dashed_name: user-target-risk-calculated-level
- description: A risk classification level calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: High
- flat_name: user.target.risk.calculated_level
- ignore_above: 1024
- level: extended
- name: calculated_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: keyword
-user.target.risk.calculated_score:
- dashed_name: user-target-risk-calculated-score
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: 880.73
- flat_name: user.target.risk.calculated_score
- level: extended
- name: calculated_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: float
-user.target.risk.calculated_score_norm:
- dashed_name: user-target-risk-calculated-score-norm
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring, and normalized to a range of 0 to
- 100.
- example: 88.73
- flat_name: user.target.risk.calculated_score_norm
- level: extended
- name: calculated_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an internal system.
- type: float
-user.target.risk.static_level:
- dashed_name: user-target-risk-static-level
- description: A risk classification level obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: High
- flat_name: user.target.risk.static_level
- ignore_above: 1024
- level: extended
- name: static_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: keyword
-user.target.risk.static_score:
- dashed_name: user-target-risk-static-score
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: 830.0
- flat_name: user.target.risk.static_score
- level: extended
- name: static_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: float
-user.target.risk.static_score_norm:
- dashed_name: user-target-risk-static-score-norm
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform, and normalized to a range
- of 0 to 100.
- example: 83.0
- flat_name: user.target.risk.static_score_norm
- level: extended
- name: static_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an external system.
- type: float
user.target.roles:
dashed_name: user-target-roles
description: Array of user roles at the time of the event.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index d17bf5383a..749922c0a1 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -735,86 +735,6 @@ client: original_fieldset: user short: Short name or login of the user. type: keyword - client.user.risk.calculated_level: - dashed_name: client-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: client.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - client.user.risk.calculated_score: - dashed_name: client-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: client.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - client.user.risk.calculated_score_norm: - dashed_name: client-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: client.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - client.user.risk.static_level: - dashed_name: client-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: client.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - client.user.risk.static_score: - dashed_name: client-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: client.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - client.user.risk.static_score_norm: - dashed_name: client-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: client.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -2497,86 +2417,6 @@ destination: original_fieldset: user short: Short name or login of the user. type: keyword - destination.user.risk.calculated_level: - dashed_name: destination-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: destination.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - destination.user.risk.calculated_score: - dashed_name: destination-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: destination.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - destination.user.risk.calculated_score_norm: - dashed_name: destination-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: destination.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - destination.user.risk.static_level: - dashed_name: destination-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: destination.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - destination.user.risk.static_score: - dashed_name: destination-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: destination.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - destination.user.risk.static_score_norm: - dashed_name: destination-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: destination.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -11552,253 +11392,6 @@ process: stability: development short: Length of the process.args array. type: long - process.attested_groups.domain: - dashed_name: process-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.attested_groups.id: - dashed_name: process-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.attested_groups.name: - dashed_name: process-attested-groups-name - description: Name of the group. - flat_name: process.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.attested_user.domain: - dashed_name: process-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.attested_user.email: - dashed_name: process-attested-user-email - description: User email address. - flat_name: process.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword - process.attested_user.full_name: - dashed_name: process-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.attested_user.group.domain: - dashed_name: process-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.attested_user.group.id: - dashed_name: process-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.attested_user.group.name: - dashed_name: process-attested-user-group-name - description: Name of the group. - flat_name: process.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.attested_user.hash: - dashed_name: process-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.attested_user.id: - dashed_name: process-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.attested_user.name: - dashed_name: process-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.attested_user.risk.calculated_level: - dashed_name: process-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.attested_user.risk.calculated_score: - dashed_name: process-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.attested_user.risk.calculated_score_norm: - dashed_name: process-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.attested_user.risk.static_level: - dashed_name: process-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.attested_user.risk.static_score: - dashed_name: process-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.attested_user.risk.static_score_norm: - dashed_name: process-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.attested_user.roles: - dashed_name: process-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.code_signature.digest_algorithm: dashed_name: process-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. @@ -12423,17 +12016,6 @@ process: normalize: [] short: The time the process ended. type: date - process.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. 
@@ -12484,30 +12066,6 @@ process: original_fieldset: process short: Length of the process.args array. type: long - process.entry_leader.attested_groups.domain: - dashed_name: process-entry-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.attested_groups.id: - dashed_name: process-entry-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword process.entry_leader.attested_groups.name: dashed_name: process-entry-leader-attested-groups-name description: Name of the group. 
@@ -12519,96 +12077,6 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.entry_leader.attested_user.domain: - dashed_name: process-entry-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.attested_user.email: - dashed_name: process-entry-leader-attested-user-email - description: User email address. - flat_name: process.entry_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.attested_user.full_name: - dashed_name: process-entry-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.attested_user.group.domain: - dashed_name: process-entry-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.entry_leader.attested_user.group.id: - dashed_name: process-entry-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.attested_user.group.name: - dashed_name: process-entry-leader-attested-user-group-name - description: Name of the group. - flat_name: process.entry_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.attested_user.hash: - dashed_name: process-entry-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword process.entry_leader.attested_user.id: dashed_name: process-entry-leader-attested-user-id description: Unique identifier of the user. 
@@ -12637,31978 +12105,658 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.entry_leader.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.attested_user.risk.calculated_score_norm + process.entry_leader.command_line: + dashed_name: process-entry-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.command_line level: extended - name: calculated_score_norm + multi_fields: + - flat_name: process.entry_leader.command_line.text + name: text + type: match_only_text + name: command_line normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.attested_user.risk.static_level: - dashed_name: process-entry-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.attested_user.risk.static_level + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.entry_leader.entity_id: + dashed_name: process-entry-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.entity_id ignore_above: 1024 level: extended - name: static_level + name: entity_id normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. + original_fieldset: process + short: Unique identifier for the process. 
type: keyword - process.entry_leader.attested_user.risk.static_score: - dashed_name: process-entry-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.attested_user.risk.static_score - level: extended - name: static_score + process.entry_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.entry_meta.source.ip + level: core + name: ip normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.attested_user.risk.static_score_norm + original_fieldset: source + short: IP address of the source. + type: ip + process.entry_leader.entry_meta.type: + dashed_name: process-entry-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.entry_meta.type + ignore_above: 1024 level: extended - name: static_score_norm + name: entry_meta.type normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float - process.entry_leader.attested_user.roles: - dashed_name: process-entry-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.attested_user.roles + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.entry_leader.executable: + dashed_name: process-entry-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.executable ignore_above: 1024 level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none + multi_fields: + - flat_name: process.entry_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. type: keyword - process.entry_leader.code_signature.digest_algorithm: - dashed_name: process-entry-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.code_signature.digest_algorithm + process.entry_leader.group.id: + dashed_name: process-entry-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.group.id ignore_above: 1024 level: extended - name: digest_algorithm + name: id normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
type: keyword - process.entry_leader.code_signature.exists: - dashed_name: process-entry-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.entry_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.entry_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.entry_leader.code_signature.flags + process.entry_leader.group.name: + dashed_name: process-entry-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.group.name ignore_above: 1024 level: extended - name: flags + name: name normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process + original_fieldset: group + short: Name of the group. type: keyword - process.entry_leader.code_signature.signing_id: - dashed_name: process-entry-leader-code-signature-signing-id - description: 'The identifier used to sign the process. + process.entry_leader.interactive: + dashed_name: process-entry-leader-interactive + description: 'Whether the process is connected to an interactive shell. - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.code_signature.signing_id + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.entry_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.entry_leader.name: + dashed_name: process-entry-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.entry_leader.name ignore_above: 1024 level: extended - name: signing_id + multi_fields: + - flat_name: process.entry_leader.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + original_fieldset: process + short: Process name. type: keyword - process.entry_leader.code_signature.status: - dashed_name: process-entry-leader-code-signature-status - description: 'Additional information about the certificate status. + process.entry_leader.parent.entity_id: + dashed_name: process-entry-leader-parent-entity-id + description: 'Unique identifier for the process. - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.code_signature.status + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.entity_id ignore_above: 1024 level: extended - name: status + name: entity_id normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. + original_fieldset: process + short: Unique identifier for the process. type: keyword - process.entry_leader.code_signature.subject_name: - dashed_name: process-entry-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.code_signature.subject_name - ignore_above: 1024 + process.entry_leader.parent.pid: + dashed_name: process-entry-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.pid + format: string level: core - name: subject_name + name: pid normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.entry_leader.code_signature.team_id: - dashed_name: process-entry-leader-code-signature-team-id - description: 'The team identifier used to sign the process. + original_fieldset: process + short: Process id. + type: long + process.entry_leader.parent.session_leader.entity_id: + dashed_name: process-entry-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.entry_leader.code_signature.team_id + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.session_leader.entity_id ignore_above: 1024 level: extended - name: team_id + name: entity_id normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. + original_fieldset: process + short: Unique identifier for the process. type: keyword - process.entry_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 + process.entry_leader.parent.session_leader.pid: + dashed_name: process-entry-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.pid + format: string + level: core + name: pid normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.entry_leader.code_signature.timestamp: - dashed_name: process-entry-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.code_signature.timestamp + original_fieldset: process + short: Process id. + type: long + process.entry_leader.parent.session_leader.start: + dashed_name: process-entry-leader-parent-session-leader-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.start level: extended - name: timestamp + name: start normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. + original_fieldset: process + short: The time the process started. type: date - process.entry_leader.code_signature.trusted: - dashed_name: process-entry-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. + process.entry_leader.parent.session_leader.vpid: + dashed_name: process-entry-leader-parent-session-leader-vpid + description: 'Virtual process id. - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.entry_leader.code_signature.trusted - level: extended - name: trusted + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.session_leader.vpid + format: string + level: core + name: vpid normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.entry_leader.code_signature.valid: - dashed_name: process-entry-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.entry_leader.code_signature.valid + original_fieldset: process + short: Virtual process id. + type: long + process.entry_leader.parent.start: + dashed_name: process-entry-leader-parent-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.start level: extended - name: valid + name: start normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.entry_leader.command_line: - dashed_name: process-entry-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. + original_fieldset: process + short: The time the process started. + type: date + process.entry_leader.parent.vpid: + dashed_name: process-entry-leader-parent-vpid + description: 'Virtual process id. - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.command_line - level: extended - multi_fields: - - flat_name: process.entry_leader.command_line.text - name: text - type: match_only_text - name: command_line + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.vpid + format: string + level: core + name: vpid normalize: [] original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.entry_leader.elf.architecture: - dashed_name: process-entry-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.entry_leader.elf.architecture + short: Virtual process id. + type: long + process.entry_leader.pid: + dashed_name: process-entry-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. 
+ type: long + process.entry_leader.real_group.id: + dashed_name: process-entry-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.real_group.id ignore_above: 1024 level: extended - name: architecture + name: id normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.elf.byte_order: - dashed_name: process-entry-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.entry_leader.elf.byte_order + process.entry_leader.real_group.name: + dashed_name: process-entry-leader-real-group-name + description: Name of the group. + flat_name: process.entry_leader.real_group.name ignore_above: 1024 level: extended - name: byte_order + name: name normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + original_fieldset: group + short: Name of the group. type: keyword - process.entry_leader.elf.cpu_type: - dashed_name: process-entry-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.entry_leader.elf.cpu_type + process.entry_leader.real_user.id: + dashed_name: process-entry-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.real_user.id ignore_above: 1024 - level: extended - name: cpu_type + level: core + name: id normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.entry_leader.elf.creation_date: - dashed_name: process-entry-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. 
- flat_name: process.entry_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.entry_leader.elf.exports: - dashed_name: process-entry-leader-elf-exports - description: List of exported element names and types. - flat_name: process.entry_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.entry_leader.elf.go_import_hash: - dashed_name: process-entry-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.entry_leader.elf.go_imports: - dashed_name: process-entry-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.elf.go_stripped: - dashed_name: process-entry-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.elf.header.abi_version: - dashed_name: process-entry-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.entry_leader.elf.header.class: - dashed_name: process-entry-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.entry_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. 
- type: keyword - process.entry_leader.elf.header.data: - dashed_name: process-entry-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.entry_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.entry_leader.elf.header.entrypoint: - dashed_name: process-entry-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.entry_leader.elf.header.object_version: - dashed_name: process-entry-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.entry_leader.elf.header.os_abi: - dashed_name: process-entry-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.entry_leader.elf.header.type: - dashed_name: process-entry-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.entry_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.entry_leader.elf.header.version: - dashed_name: process-entry-leader-elf-header-version - description: Version of the ELF header. 
- flat_name: process.entry_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.entry_leader.elf.import_hash: - dashed_name: process-entry-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.entry_leader.elf.imports: - dashed_name: process-entry-leader-elf-imports - description: List of imported element names and types. - flat_name: process.entry_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.entry_leader.elf.imports_names_entropy: - dashed_name: process-entry-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.entry_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.elf.sections: - dashed_name: process-entry-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.entry_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.entry_leader.elf.sections.chi2: - dashed_name: process-entry-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.entry_leader.elf.sections.entropy: - dashed_name: process-entry-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.entry_leader.elf.sections.flags: - dashed_name: process-entry-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.entry_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. 
- type: keyword - process.entry_leader.elf.sections.name: - dashed_name: process-entry-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.entry_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.entry_leader.elf.sections.physical_offset: - dashed_name: process-entry-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.entry_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.entry_leader.elf.sections.physical_size: - dashed_name: process-entry-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.entry_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.entry_leader.elf.sections.type: - dashed_name: process-entry-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.entry_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.entry_leader.elf.sections.var_entropy: - dashed_name: process-entry-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. 
- type: long - process.entry_leader.elf.sections.virtual_address: - dashed_name: process-entry-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.entry_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.entry_leader.elf.sections.virtual_size: - dashed_name: process-entry-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.entry_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.entry_leader.elf.segments: - dashed_name: process-entry-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.entry_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.entry_leader.elf.segments.sections: - dashed_name: process-entry-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.entry_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.entry_leader.elf.segments.type: - dashed_name: process-entry-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.entry_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. 
- type: keyword - process.entry_leader.elf.shared_libraries: - dashed_name: process-entry-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.entry_leader.elf.telfhash: - dashed_name: process-entry-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.entry_leader.end: - dashed_name: process-entry-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.entry_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.entry_leader.entity_id: - dashed_name: process-entry-leader-entity-id - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.entry_leader.entry_meta.source.address: - dashed_name: process-entry-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.entry_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.entry_leader.entry_meta.source.as.number: - dashed_name: process-entry-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.entry_leader.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.entry_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.entry_leader.entry_meta.source.bytes: - dashed_name: process-entry-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.entry_leader.entry_meta.source.domain: - dashed_name: process-entry-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.entry_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.entry_leader.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.entry_leader.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. 
- example: NA - flat_name: process.entry_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.entry_leader.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.entry_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.entry_leader.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.entry_leader.entry_meta.source.geo.location: - dashed_name: process-entry-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. 
- type: geo_point - process.entry_leader.entry_meta.source.geo.name: - dashed_name: process-entry-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.entry_leader.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.entry_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.entry_leader.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. 
- type: keyword - process.entry_leader.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.entry_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.entry_leader.entry_meta.source.mac: - dashed_name: process-entry-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.entry_leader.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.entry_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.entry_leader.entry_meta.source.nat.port: - dashed_name: process-entry-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.entry_leader.entry_meta.source.packets: - dashed_name: process-entry-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.entry_leader.entry_meta.source.port: - dashed_name: process-entry-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.entry_leader.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.entry_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.entry_leader.entry_meta.source.subdomain: - dashed_name: process-entry-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.entry_leader.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.entry_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.entry_leader.entry_meta.type: - dashed_name: process-entry-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.entry_leader.env_vars: - dashed_name: process-entry-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.entry_leader.executable: - dashed_name: process-entry-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword - process.entry_leader.exit_code: - dashed_name: process-entry-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.entry_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.entry_leader.group.domain: - dashed_name: process-entry-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.group.id: - dashed_name: process-entry-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.group.name: - dashed_name: process-entry-leader-group-name - description: Name of the group. - flat_name: process.entry_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. 
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.entry_leader.hash.md5: - dashed_name: process-entry-leader-hash-md5 - description: MD5 hash. - flat_name: process.entry_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.entry_leader.hash.sha1: - dashed_name: process-entry-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.entry_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.entry_leader.hash.sha256: - dashed_name: process-entry-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.entry_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.entry_leader.hash.sha384: - dashed_name: process-entry-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.entry_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.entry_leader.hash.sha512: - dashed_name: process-entry-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.entry_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.entry_leader.hash.ssdeep: - dashed_name: process-entry-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.entry_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. 
- type: keyword - process.entry_leader.hash.tlsh: - dashed_name: process-entry-leader-hash-tlsh - description: TLSH hash. - flat_name: process.entry_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.entry_leader.interactive: - dashed_name: process-entry-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.entry_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.entry_leader.io: - dashed_name: process-entry-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.entry_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.entry_leader.io.bytes_skipped: - dashed_name: process-entry-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. 
- flat_name: process.entry_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.entry_leader.io.bytes_skipped.length: - dashed_name: process-entry-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.entry_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.entry_leader.io.bytes_skipped.offset: - dashed_name: process-entry-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.entry_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.entry_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.entry_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.entry_leader.io.text: - dashed_name: process-entry-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. 
TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.entry_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.entry_leader.io.total_bytes_captured: - dashed_name: process-entry-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.entry_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.entry_leader.io.total_bytes_skipped: - dashed_name: process-entry-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.entry_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.entry_leader.io.type: - dashed_name: process-entry-leader-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.entry_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. 
- type: keyword - process.entry_leader.macho.go_import_hash: - dashed_name: process-entry-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.entry_leader.macho.go_imports: - dashed_name: process-entry-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.macho.go_stripped: - dashed_name: process-entry-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.macho.import_hash: - dashed_name: process-entry-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.entry_leader.macho.imports: - dashed_name: process-entry-leader-macho-imports - description: List of imported element names and types. - flat_name: process.entry_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.entry_leader.macho.imports_names_entropy: - dashed_name: process-entry-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.entry_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.macho.sections: - dashed_name: process-entry-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.entry_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.entry_leader.macho.sections.entropy: - dashed_name: process-entry-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.entry_leader.macho.sections.name: - dashed_name: process-entry-leader-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.entry_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.entry_leader.macho.sections.physical_size: - dashed_name: process-entry-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.entry_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.entry_leader.macho.sections.var_entropy: - dashed_name: process-entry-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.macho.sections.virtual_size: - dashed_name: process-entry-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.entry_leader.macho.symhash: - dashed_name: process-entry-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.entry_leader.name: - dashed_name: process-entry-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.entry_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.entry_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.entry_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.entry_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.entry_leader.parent.args: - dashed_name: process-entry-leader-parent-args - description: 'Array of process arguments, starting with the absolute path to - the executable. 
- - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.entry_leader.parent.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.entry_leader.parent.args_count: - dashed_name: process-entry-leader-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.entry_leader.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.entry_leader.parent.attested_groups.domain: - dashed_name: process-entry-leader-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.attested_groups.id: - dashed_name: process-entry-leader-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.attested_groups.name: - dashed_name: process-entry-leader-parent-attested-groups-name - description: Name of the group. 
- flat_name: process.entry_leader.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.attested_user.domain: - dashed_name: process-entry-leader-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.attested_user.email: - dashed_name: process-entry-leader-parent-attested-user-email - description: User email address. - flat_name: process.entry_leader.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.attested_user.full_name: - dashed_name: process-entry-leader-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.attested_user.group.domain: - dashed_name: process-entry-leader-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.attested_user.group.id: - dashed_name: process-entry-leader-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.attested_user.group.name: - dashed_name: process-entry-leader-parent-attested-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.attested_user.hash: - dashed_name: process-entry-leader-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.attested_user.id: - dashed_name: process-entry-leader-parent-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.entry_leader.parent.attested_user.name: - dashed_name: process-entry-leader-parent-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.entry_leader.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.attested_user.risk.static_level: - dashed_name: process-entry-leader-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.attested_user.risk.static_score: - dashed_name: process-entry-leader-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.entry_leader.parent.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.attested_user.roles: - dashed_name: process-entry-leader-parent-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.code_signature.digest_algorithm: - dashed_name: process-entry-leader-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.entry_leader.parent.code_signature.exists: - dashed_name: process-entry-leader-parent-code-signature-exists - description: Boolean to capture if a signature is present. 
- example: 'true' - flat_name: process.entry_leader.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.entry_leader.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.entry_leader.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.entry_leader.parent.code_signature.signing_id: - dashed_name: process-entry-leader-parent-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.entry_leader.parent.code_signature.status: - dashed_name: process-entry-leader-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword - process.entry_leader.parent.code_signature.subject_name: - dashed_name: process-entry-leader-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.entry_leader.parent.code_signature.team_id: - dashed_name: process-entry-leader-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.entry_leader.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.entry_leader.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.parent.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.entry_leader.parent.code_signature.timestamp: - dashed_name: process-entry-leader-parent-code-signature-timestamp - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.parent.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.entry_leader.parent.code_signature.trusted: - dashed_name: process-entry-leader-parent-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.entry_leader.parent.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.entry_leader.parent.code_signature.valid: - dashed_name: process-entry-leader-parent-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.entry_leader.parent.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.entry_leader.parent.command_line: - dashed_name: process-entry-leader-parent-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.parent.command_line - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.entry_leader.parent.elf.architecture: - dashed_name: process-entry-leader-parent-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.entry_leader.parent.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.entry_leader.parent.elf.byte_order: - dashed_name: process-entry-leader-parent-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.entry_leader.parent.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.entry_leader.parent.elf.cpu_type: - dashed_name: process-entry-leader-parent-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.entry_leader.parent.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.entry_leader.parent.elf.creation_date: - dashed_name: process-entry-leader-parent-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.parent.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. 
- type: date - process.entry_leader.parent.elf.exports: - dashed_name: process-entry-leader-parent-elf-exports - description: List of exported element names and types. - flat_name: process.entry_leader.parent.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.entry_leader.parent.elf.go_import_hash: - dashed_name: process-entry-leader-parent-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.entry_leader.parent.elf.go_imports: - dashed_name: process-entry-leader-parent-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.parent.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.parent.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.elf.go_stripped: - dashed_name: process-entry-leader-parent-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.parent.elf.header.abi_version: - dashed_name: process-entry-leader-parent-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.parent.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.entry_leader.parent.elf.header.class: - dashed_name: process-entry-leader-parent-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.entry_leader.parent.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.entry_leader.parent.elf.header.data: - dashed_name: process-entry-leader-parent-elf-header-data - description: Data table of the ELF header. - flat_name: process.entry_leader.parent.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.entry_leader.parent.elf.header.entrypoint: - dashed_name: process-entry-leader-parent-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.parent.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.entry_leader.parent.elf.header.object_version: - dashed_name: process-entry-leader-parent-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.parent.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.entry_leader.parent.elf.header.os_abi: - dashed_name: process-entry-leader-parent-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.parent.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.entry_leader.parent.elf.header.type: - dashed_name: process-entry-leader-parent-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.entry_leader.parent.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.entry_leader.parent.elf.header.version: - dashed_name: process-entry-leader-parent-elf-header-version - description: Version of the ELF header. - flat_name: process.entry_leader.parent.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.entry_leader.parent.elf.import_hash: - dashed_name: process-entry-leader-parent-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.entry_leader.parent.elf.imports: - dashed_name: process-entry-leader-parent-elf-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.entry_leader.parent.elf.imports_names_entropy: - dashed_name: process-entry-leader-parent-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.entry_leader.parent.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.parent.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.parent.elf.sections: - dashed_name: process-entry-leader-parent-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.entry_leader.parent.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.entry_leader.parent.elf.sections.chi2: - dashed_name: process-entry-leader-parent-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.parent.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.entry_leader.parent.elf.sections.entropy: - dashed_name: process-entry-leader-parent-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.entry_leader.parent.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.elf.sections.flags: - dashed_name: process-entry-leader-parent-elf-sections-flags - description: ELF Section List flags. - flat_name: process.entry_leader.parent.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.entry_leader.parent.elf.sections.name: - dashed_name: process-entry-leader-parent-elf-sections-name - description: ELF Section List name. - flat_name: process.entry_leader.parent.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.entry_leader.parent.elf.sections.physical_offset: - dashed_name: process-entry-leader-parent-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.entry_leader.parent.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.entry_leader.parent.elf.sections.physical_size: - dashed_name: process-entry-leader-parent-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.entry_leader.parent.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.entry_leader.parent.elf.sections.type: - dashed_name: process-entry-leader-parent-elf-sections-type - description: ELF Section List type. 
- flat_name: process.entry_leader.parent.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.entry_leader.parent.elf.sections.var_entropy: - dashed_name: process-entry-leader-parent-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.elf.sections.virtual_address: - dashed_name: process-entry-leader-parent-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.entry_leader.parent.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.entry_leader.parent.elf.sections.virtual_size: - dashed_name: process-entry-leader-parent-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.entry_leader.parent.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.entry_leader.parent.elf.segments: - dashed_name: process-entry-leader-parent-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.entry_leader.parent.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. 
- type: nested - process.entry_leader.parent.elf.segments.sections: - dashed_name: process-entry-leader-parent-elf-segments-sections - description: ELF object segment sections. - flat_name: process.entry_leader.parent.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.entry_leader.parent.elf.segments.type: - dashed_name: process-entry-leader-parent-elf-segments-type - description: ELF object segment type. - flat_name: process.entry_leader.parent.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.entry_leader.parent.elf.shared_libraries: - dashed_name: process-entry-leader-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.parent.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.entry_leader.parent.elf.telfhash: - dashed_name: process-entry-leader-parent-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.parent.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.entry_leader.parent.end: - dashed_name: process-entry-leader-parent-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.entry_leader.parent.endpoint_security_client: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.entry_leader.parent.entity_id: - dashed_name: process-entry-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.entry_leader.parent.entry_meta.source.address: - dashed_name: process-entry-leader-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.entry_leader.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. 
- type: keyword - process.entry_leader.parent.entry_meta.source.as.number: - dashed_name: process-entry-leader-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.entry_leader.parent.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.entry_leader.parent.entry_meta.source.bytes: - dashed_name: process-entry-leader-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.entry_leader.parent.entry_meta.source.domain: - dashed_name: process-entry-leader-parent-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' 
- example: foo.example.com - flat_name: process.entry_leader.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. 
- type: keyword - process.entry_leader.parent.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.location: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.entry_leader.parent.entry_meta.source.geo.name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 - flat_name: process.entry_leader.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_leader.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.entry_leader.parent.entry_meta.source.ip: - dashed_name: process-entry-leader-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip - process.entry_leader.parent.entry_meta.source.mac: - dashed_name: process-entry-leader-parent-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.entry_leader.parent.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.entry_leader.parent.entry_meta.source.nat.port: - dashed_name: process-entry-leader-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.entry_leader.parent.entry_meta.source.packets: - dashed_name: process-entry-leader-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. 
- example: 12 - flat_name: process.entry_leader.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.entry_leader.parent.entry_meta.source.port: - dashed_name: process-entry-leader-parent-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.entry_leader.parent.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_leader.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.entry_leader.parent.entry_meta.source.subdomain: - dashed_name: process-entry-leader-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.entry_leader.parent.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_leader.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.entry_leader.parent.entry_meta.type: - dashed_name: process-entry-leader-parent-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.entry_leader.parent.env_vars: - dashed_name: process-entry-leader-parent-env-vars - description: 'Array of environment variable bindings. 
Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.executable: - dashed_name: process-entry-leader-parent-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.parent.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.entry_leader.parent.exit_code: - dashed_name: process-entry-leader-parent-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.entry_leader.parent.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.entry_leader.parent.group.domain: - dashed_name: process-entry-leader-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.entry_leader.parent.group.id: - dashed_name: process-entry-leader-parent-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.group.name: - dashed_name: process-entry-leader-parent-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.parent.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.entry_leader.parent.hash.md5: - dashed_name: process-entry-leader-parent-hash-md5 - description: MD5 hash. - flat_name: process.entry_leader.parent.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.entry_leader.parent.hash.sha1: - dashed_name: process-entry-leader-parent-hash-sha1 - description: SHA1 hash. - flat_name: process.entry_leader.parent.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.entry_leader.parent.hash.sha256: - dashed_name: process-entry-leader-parent-hash-sha256 - description: SHA256 hash. 
- flat_name: process.entry_leader.parent.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.entry_leader.parent.hash.sha384: - dashed_name: process-entry-leader-parent-hash-sha384 - description: SHA384 hash. - flat_name: process.entry_leader.parent.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.entry_leader.parent.hash.sha512: - dashed_name: process-entry-leader-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.entry_leader.parent.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.entry_leader.parent.hash.ssdeep: - dashed_name: process-entry-leader-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.entry_leader.parent.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.entry_leader.parent.hash.tlsh: - dashed_name: process-entry-leader-parent-hash-tlsh - description: TLSH hash. - flat_name: process.entry_leader.parent.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.entry_leader.parent.interactive: - dashed_name: process-entry-leader-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.entry_leader.parent.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.entry_leader.parent.io: - dashed_name: process-entry-leader-parent-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.entry_leader.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.entry_leader.parent.io.bytes_skipped: - dashed_name: process-entry-leader-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.entry_leader.parent.io.bytes_skipped.length: - dashed_name: process-entry-leader-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. 
- type: long - process.entry_leader.parent.io.bytes_skipped.offset: - dashed_name: process-entry-leader-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.entry_leader.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.entry_leader.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.entry_leader.parent.io.text: - dashed_name: process-entry-leader-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.entry_leader.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. 
- type: wildcard - process.entry_leader.parent.io.total_bytes_captured: - dashed_name: process-entry-leader-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.entry_leader.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.entry_leader.parent.io.total_bytes_skipped: - dashed_name: process-entry-leader-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.entry_leader.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.entry_leader.parent.io.type: - dashed_name: process-entry-leader-parent-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.entry_leader.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.entry_leader.parent.macho.go_import_hash: - dashed_name: process-entry-leader-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.entry_leader.parent.macho.go_imports: - dashed_name: process-entry-leader-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.parent.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.entry_leader.parent.macho.go_stripped: - dashed_name: process-entry-leader-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.parent.macho.import_hash: - dashed_name: process-entry-leader-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.entry_leader.parent.macho.imports: - dashed_name: process-entry-leader-parent-macho-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.entry_leader.parent.macho.imports_names_entropy: - dashed_name: process-entry-leader-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.entry_leader.parent.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.parent.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.parent.macho.sections: - dashed_name: process-entry-leader-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.entry_leader.parent.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.entry_leader.parent.macho.sections.entropy: - dashed_name: process-entry-leader-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.macho.sections.name: - dashed_name: process-entry-leader-parent-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.entry_leader.parent.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.entry_leader.parent.macho.sections.physical_size: - dashed_name: process-entry-leader-parent-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.entry_leader.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.entry_leader.parent.macho.sections.var_entropy: - dashed_name: process-entry-leader-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.macho.sections.virtual_size: - dashed_name: process-entry-leader-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.entry_leader.parent.macho.symhash: - dashed_name: process-entry-leader-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.parent.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.entry_leader.parent.name: - dashed_name: process-entry-leader-parent-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.entry_leader.parent.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.entry_leader.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.entry_leader.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.entry_leader.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword - process.entry_leader.parent.pe.architecture: - dashed_name: process-entry-leader-parent-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.entry_leader.parent.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.entry_leader.parent.pe.company: - dashed_name: process-entry-leader-parent-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.entry_leader.parent.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.entry_leader.parent.pe.description: - dashed_name: process-entry-leader-parent-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.entry_leader.parent.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.entry_leader.parent.pe.file_version: - dashed_name: process-entry-leader-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.entry_leader.parent.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.entry_leader.parent.pe.go_import_hash: - dashed_name: process-entry-leader-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.entry_leader.parent.pe.go_imports: - dashed_name: process-entry-leader-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.parent.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.entry_leader.parent.pe.go_stripped: - dashed_name: process-entry-leader-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.parent.pe.imphash: - dashed_name: process-entry-leader-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.entry_leader.parent.pe.import_hash: - dashed_name: process-entry-leader-parent-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.entry_leader.parent.pe.imports: - dashed_name: process-entry-leader-parent-pe-imports - description: List of imported element names and types. 
- flat_name: process.entry_leader.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.entry_leader.parent.pe.imports_names_entropy: - dashed_name: process-entry-leader-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.parent.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.parent.pe.original_file_name: - dashed_name: process-entry-leader-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.entry_leader.parent.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.entry_leader.parent.pe.pehash: - dashed_name: process-entry-leader-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. 
- - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.parent.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.entry_leader.parent.pe.product: - dashed_name: process-entry-leader-parent-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.parent.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.entry_leader.parent.pe.sections: - dashed_name: process-entry-leader-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.entry_leader.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.entry_leader.parent.pe.sections.entropy: - dashed_name: process-entry-leader-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.pe.sections.name: - dashed_name: process-entry-leader-parent-pe-sections-name - description: PE Section List name. 
- flat_name: process.entry_leader.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.entry_leader.parent.pe.sections.physical_size: - dashed_name: process-entry-leader-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.entry_leader.parent.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.entry_leader.parent.pe.sections.var_entropy: - dashed_name: process-entry-leader-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.pe.sections.virtual_size: - dashed_name: process-entry-leader-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.entry_leader.parent.pid: - dashed_name: process-entry-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.entry_leader.parent.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.entry_leader.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.entry_leader.parent.real_group.domain: - dashed_name: process-entry-leader-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.real_group.id: - dashed_name: process-entry-leader-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.real_group.name: - dashed_name: process-entry-leader-parent-real-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.real_user.domain: - dashed_name: process-entry-leader-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.real_user.email: - dashed_name: process-entry-leader-parent-real-user-email - description: User email address. - flat_name: process.entry_leader.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.real_user.full_name: - dashed_name: process-entry-leader-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.real_user.group.domain: - dashed_name: process-entry-leader-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.real_user.group.id: - dashed_name: process-entry-leader-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.entry_leader.parent.real_user.group.name: - dashed_name: process-entry-leader-parent-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.real_user.hash: - dashed_name: process-entry-leader-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.real_user.id: - dashed_name: process-entry-leader-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.real_user.name: - dashed_name: process-entry-leader-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.entry_leader.parent.real_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.real_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.entry_leader.parent.real_user.risk.static_level: - dashed_name: process-entry-leader-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.real_user.risk.static_score: - dashed_name: process-entry-leader-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.real_user.roles: - dashed_name: process-entry-leader-parent-real-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.same_as_process: - dashed_name: process-entry-leader-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.entry_leader.parent.saved_group.domain: - dashed_name: process-entry-leader-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.saved_group.id: - dashed_name: process-entry-leader-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.saved_group.name: - dashed_name: process-entry-leader-parent-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.saved_user.domain: - dashed_name: process-entry-leader-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.saved_user.email: - dashed_name: process-entry-leader-parent-saved-user-email - description: User email address. - flat_name: process.entry_leader.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.saved_user.full_name: - dashed_name: process-entry-leader-parent-saved-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.entry_leader.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.saved_user.group.domain: - dashed_name: process-entry-leader-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.saved_user.group.id: - dashed_name: process-entry-leader-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.saved_user.group.name: - dashed_name: process-entry-leader-parent-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.saved_user.hash: - dashed_name: process-entry-leader-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.entry_leader.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.saved_user.id: - dashed_name: process-entry-leader-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.saved_user.name: - dashed_name: process-entry-leader-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.entry_leader.parent.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.saved_user.risk.static_level: - dashed_name: process-entry-leader-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: keyword - process.entry_leader.parent.saved_user.risk.static_score: - dashed_name: process-entry-leader-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.saved_user.roles: - dashed_name: process-entry-leader-parent-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.args: - dashed_name: process-entry-leader-parent-session-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.entry_leader.parent.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.entry_leader.parent.session_leader.args_count: - dashed_name: process-entry-leader-parent-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.entry_leader.parent.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.entry_leader.parent.session_leader.attested_groups.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.attested_groups.id: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.entry_leader.parent.session_leader.attested_groups.name: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.attested_user.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.session_leader.attested_user.email: - dashed_name: process-entry-leader-parent-session-leader-attested-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.session_leader.attested_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword - process.entry_leader.parent.session_leader.attested_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.attested_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.attested_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.attested_user.hash: - dashed_name: process-entry-leader-parent-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.entry_leader.parent.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.session_leader.attested_user.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.session_leader.attested_user.name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.session_leader.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.entry_leader.parent.session_leader.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.session_leader.attested_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: keyword - process.entry_leader.parent.session_leader.attested_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.session_leader.attested_user.roles: - dashed_name: process-entry-leader-parent-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.code_signature.digest_algorithm: - dashed_name: process-entry-leader-parent-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.parent.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.entry_leader.parent.session_leader.code_signature.exists: - dashed_name: process-entry-leader-parent-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.entry_leader.parent.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.entry_leader.parent.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.entry_leader.parent.session_leader.code_signature.signing_id: - dashed_name: process-entry-leader-parent-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. 
- The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.parent.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.entry_leader.parent.session_leader.code_signature.status: - dashed_name: process-entry-leader-parent-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.parent.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.entry_leader.parent.session_leader.code_signature.subject_name: - dashed_name: process-entry-leader-parent-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.parent.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.entry_leader.parent.session_leader.code_signature.team_id: - dashed_name: process-entry-leader-parent-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' 
- example: EQHXZ8M8AV - flat_name: process.entry_leader.parent.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.entry_leader.parent.session_leader.code_signature.timestamp: - dashed_name: process-entry-leader-parent-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.parent.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.entry_leader.parent.session_leader.code_signature.trusted: - dashed_name: process-entry-leader-parent-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' 
- example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.entry_leader.parent.session_leader.code_signature.valid: - dashed_name: process-entry-leader-parent-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.entry_leader.parent.session_leader.command_line: - dashed_name: process-entry-leader-parent-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.parent.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.entry_leader.parent.session_leader.elf.architecture: - dashed_name: process-entry-leader-parent-session-leader-elf-architecture - description: Machine architecture of the ELF file. 
- example: x86-64 - flat_name: process.entry_leader.parent.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.byte_order: - dashed_name: process-entry-leader-parent-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.entry_leader.parent.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.cpu_type: - dashed_name: process-entry-leader-parent-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.entry_leader.parent.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.creation_date: - dashed_name: process-entry-leader-parent-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.parent.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.entry_leader.parent.session_leader.elf.exports: - dashed_name: process-entry-leader-parent-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. 
- type: flattened - process.entry_leader.parent.session_leader.elf.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.go_imports: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.parent.session_leader.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. 
- type: long - process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.session_leader.elf.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.parent.session_leader.elf.header.abi_version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.parent.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.entry_leader.parent.session_leader.elf.header.class: - dashed_name: process-entry-leader-parent-session-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. 
- type: keyword - process.entry_leader.parent.session_leader.elf.header.data: - dashed_name: process-entry-leader-parent-session-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.entry_leader.parent.session_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.entry_leader.parent.session_leader.elf.header.entrypoint: - dashed_name: process-entry-leader-parent-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.entry_leader.parent.session_leader.elf.header.object_version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.parent.session_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.entry_leader.parent.session_leader.elf.header.os_abi: - dashed_name: process-entry-leader-parent-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.parent.session_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.entry_leader.parent.session_leader.elf.header.type: - dashed_name: process-entry-leader-parent-session-leader-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.entry_leader.parent.session_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.header.version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.entry_leader.parent.session_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.entry_leader.parent.session_leader.elf.import_hash: - dashed_name: process-entry-leader-parent-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.imports: - dashed_name: process-entry-leader-parent-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. 
- type: flattened - process.entry_leader.parent.session_leader.elf.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.parent.session_leader.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.parent.session_leader.elf.sections: - dashed_name: process-entry-leader-parent-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.entry_leader.parent.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.entry_leader.parent.session_leader.elf.sections.chi2: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. 
- flat_name: process.entry_leader.parent.session_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.entry_leader.parent.session_leader.elf.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.session_leader.elf.sections.flags: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.entry_leader.parent.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.entry_leader.parent.session_leader.elf.sections.name: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.entry_leader.parent.session_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.entry_leader.parent.session_leader.elf.sections.physical_offset: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. 
- type: keyword - process.entry_leader.parent.session_leader.elf.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.entry_leader.parent.session_leader.elf.sections.type: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.entry_leader.parent.session_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.entry_leader.parent.session_leader.elf.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.session_leader.elf.sections.virtual_address: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. 
- type: long - process.entry_leader.parent.session_leader.elf.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.entry_leader.parent.session_leader.elf.segments: - dashed_name: process-entry-leader-parent-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.entry_leader.parent.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.entry_leader.parent.session_leader.elf.segments.sections: - dashed_name: process-entry-leader-parent-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.entry_leader.parent.session_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.entry_leader.parent.session_leader.elf.segments.type: - dashed_name: process-entry-leader-parent-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.entry_leader.parent.session_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. 
- type: keyword - process.entry_leader.parent.session_leader.elf.shared_libraries: - dashed_name: process-entry-leader-parent-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.parent.session_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.entry_leader.parent.session_leader.elf.telfhash: - dashed_name: process-entry-leader-parent-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.entry_leader.parent.session_leader.end: - dashed_name: process-entry-leader-parent-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.entry_leader.parent.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.parent.session_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. 
- type: boolean - process.entry_leader.parent.session_leader.entity_id: - dashed_name: process-entry-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.session_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.address: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.as.number: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. 
- example: 15169 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.bytes: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.entry_leader.parent.session_leader.entry_meta.source.domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. 
- type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. 
- type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.location: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.entry_leader.parent.session_leader.entry_meta.source.geo.name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). 
- flat_name: process.entry_leader.parent.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.entry_leader.parent.session_leader.entry_meta.source.mac: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.entry_leader.parent.session_leader.entry_meta.source.nat.port: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.entry_leader.parent.session_leader.entry_meta.source.packets: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.entry_leader.parent.session_leader.entry_meta.source.port: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.entry_leader.parent.session_leader.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. 
- type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.subdomain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). 
- type: keyword - process.entry_leader.parent.session_leader.entry_meta.type: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.entry_leader.parent.session_leader.env_vars: - dashed_name: process-entry-leader-parent-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.parent.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.executable: - dashed_name: process-entry-leader-parent-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.parent.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword - process.entry_leader.parent.session_leader.exit_code: - dashed_name: process-entry-leader-parent-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.entry_leader.parent.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.entry_leader.parent.session_leader.group.domain: - dashed_name: process-entry-leader-parent-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.group.id: - dashed_name: process-entry-leader-parent-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.group.name: - dashed_name: process-entry-leader-parent-session-leader-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.hash.cdhash: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.parent.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.entry_leader.parent.session_leader.hash.md5: - dashed_name: process-entry-leader-parent-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.entry_leader.parent.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.entry_leader.parent.session_leader.hash.sha1: - dashed_name: process-entry-leader-parent-session-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.entry_leader.parent.session_leader.hash.sha256: - dashed_name: process-entry-leader-parent-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.entry_leader.parent.session_leader.hash.sha384: - dashed_name: process-entry-leader-parent-session-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. 
- type: keyword - process.entry_leader.parent.session_leader.hash.sha512: - dashed_name: process-entry-leader-parent-session-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.entry_leader.parent.session_leader.hash.ssdeep: - dashed_name: process-entry-leader-parent-session-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.entry_leader.parent.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.entry_leader.parent.session_leader.hash.tlsh: - dashed_name: process-entry-leader-parent-session-leader-hash-tlsh - description: TLSH hash. - flat_name: process.entry_leader.parent.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.entry_leader.parent.session_leader.interactive: - dashed_name: process-entry-leader-parent-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' 
- example: true - flat_name: process.entry_leader.parent.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.entry_leader.parent.session_leader.io: - dashed_name: process-entry-leader-parent-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.entry_leader.parent.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.entry_leader.parent.session_leader.io.bytes_skipped: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.entry_leader.parent.session_leader.io.bytes_skipped.length: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.entry_leader.parent.session_leader.io.bytes_skipped.offset: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-parent-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.entry_leader.parent.session_leader.io.text: - dashed_name: process-entry-leader-parent-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.entry_leader.parent.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.entry_leader.parent.session_leader.io.total_bytes_captured: - dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. 
- flat_name: process.entry_leader.parent.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.entry_leader.parent.session_leader.io.total_bytes_skipped: - dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.entry_leader.parent.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.entry_leader.parent.session_leader.io.type: - dashed_name: process-entry-leader-parent-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.entry_leader.parent.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.entry_leader.parent.session_leader.macho.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.entry_leader.parent.session_leader.macho.go_imports: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.parent.session_leader.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.entry_leader.parent.session_leader.macho.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.parent.session_leader.macho.import_hash: - dashed_name: process-entry-leader-parent-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.entry_leader.parent.session_leader.macho.imports: - dashed_name: process-entry-leader-parent-session-leader-macho-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.entry_leader.parent.session_leader.macho.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.entry_leader.parent.session_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.parent.session_leader.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.parent.session_leader.macho.sections: - dashed_name: process-entry-leader-parent-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.entry_leader.parent.session_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.entry_leader.parent.session_leader.macho.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. 
- type: long - process.entry_leader.parent.session_leader.macho.sections.name: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.entry_leader.parent.session_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.entry_leader.parent.session_leader.macho.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.entry_leader.parent.session_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.entry_leader.parent.session_leader.macho.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.session_leader.macho.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.session_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
- type: long - process.entry_leader.parent.session_leader.macho.symhash: - dashed_name: process-entry-leader-parent-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.parent.session_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.entry_leader.parent.session_leader.name: - dashed_name: process-entry-leader-parent-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.entry_leader.parent.session_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.entry_leader.parent.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.entry_leader.parent.session_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.entry_leader.parent.session_leader.origin_url: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.parent.session_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.entry_leader.parent.session_leader.pe.architecture: - dashed_name: process-entry-leader-parent-session-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.entry_leader.parent.session_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.entry_leader.parent.session_leader.pe.company: - dashed_name: process-entry-leader-parent-session-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.entry_leader.parent.session_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.entry_leader.parent.session_leader.pe.description: - dashed_name: process-entry-leader-parent-session-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.entry_leader.parent.session_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. 
- type: keyword - process.entry_leader.parent.session_leader.pe.file_version: - dashed_name: process-entry-leader-parent-session-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.entry_leader.parent.session_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.entry_leader.parent.session_leader.pe.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.entry_leader.parent.session_leader.pe.go_imports: - dashed_name: process-entry-leader-parent-session-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.parent.session_leader.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.session_leader.pe.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.parent.session_leader.pe.imphash: - dashed_name: process-entry-leader-parent-session-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
- example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.parent.session_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.entry_leader.parent.session_leader.pe.import_hash: - dashed_name: process-entry-leader-parent-session-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.entry_leader.parent.session_leader.pe.imports: - dashed_name: process-entry-leader-parent-session-leader-pe-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.session_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.entry_leader.parent.session_leader.pe.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.session_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. 
- type: long - process.entry_leader.parent.session_leader.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.parent.session_leader.pe.original_file_name: - dashed_name: process-entry-leader-parent-session-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.entry_leader.parent.session_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.entry_leader.parent.session_leader.pe.pehash: - dashed_name: process-entry-leader-parent-session-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.parent.session_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. 
- type: keyword - process.entry_leader.parent.session_leader.pe.product: - dashed_name: process-entry-leader-parent-session-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.parent.session_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.entry_leader.parent.session_leader.pe.sections: - dashed_name: process-entry-leader-parent-session-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.entry_leader.parent.session_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.entry_leader.parent.session_leader.pe.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.session_leader.pe.sections.name: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-name - description: PE Section List name. - flat_name: process.entry_leader.parent.session_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword - process.entry_leader.parent.session_leader.pe.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.entry_leader.parent.session_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.entry_leader.parent.session_leader.pe.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.session_leader.pe.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.session_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.entry_leader.parent.session_leader.pid: - dashed_name: process-entry-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.entry_leader.parent.session_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.entry_leader.parent.session_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.entry_leader.parent.session_leader.real_group.domain: - dashed_name: process-entry-leader-parent-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.real_group.id: - dashed_name: process-entry-leader-parent-session-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.real_group.name: - dashed_name: process-entry-leader-parent-session-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.entry_leader.parent.session_leader.real_user.domain: - dashed_name: process-entry-leader-parent-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.session_leader.real_user.email: - dashed_name: process-entry-leader-parent-session-leader-real-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.session_leader.real_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.session_leader.real_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.entry_leader.parent.session_leader.real_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.real_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.real_user.hash: - dashed_name: process-entry-leader-parent-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.session_leader.real_user.id: - dashed_name: process-entry-leader-parent-session-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.entry_leader.parent.session_leader.real_user.name: - dashed_name: process-entry-leader-parent-session-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.session_leader.real_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.session_leader.real_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.session_leader.real_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.session_leader.real_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.entry_leader.parent.session_leader.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.session_leader.real_user.roles: - dashed_name: process-entry-leader-parent-session-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.same_as_process: - dashed_name: process-entry-leader-parent-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.parent.session_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.entry_leader.parent.session_leader.saved_group.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.saved_group.id: - dashed_name: process-entry-leader-parent-session-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.saved_group.name: - dashed_name: process-entry-leader-parent-session-leader-saved-group-name - description: Name of the group. 
- flat_name: process.entry_leader.parent.session_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.saved_user.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.session_leader.saved_user.email: - dashed_name: process-entry-leader-parent-session-leader-saved-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.session_leader.saved_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.session_leader.saved_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.session_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.saved_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.saved_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.saved_user.hash: - dashed_name: process-entry-leader-parent-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.session_leader.saved_user.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.session_leader.saved_user.name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.session_leader.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.session_leader.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.session_leader.saved_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.session_leader.saved_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.session_leader.saved_user.roles: - dashed_name: process-entry-leader-parent-session-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.start: - dashed_name: process-entry-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. 
- type: date - process.entry_leader.parent.session_leader.supplemental_groups.domain: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.supplemental_groups.id: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.supplemental_groups.name: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.thread.capabilities.effective: - dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.session_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.thread.capabilities.permitted: - dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.session_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.thread.id: - dashed_name: process-entry-leader-parent-session-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.parent.session_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.entry_leader.parent.session_leader.thread.name: - dashed_name: process-entry-leader-parent-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.entry_leader.parent.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.entry_leader.parent.session_leader.title: - dashed_name: process-entry-leader-parent-session-leader-title - description: 'Process title. 
- - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.entry_leader.parent.session_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.entry_leader.parent.session_leader.tty: - dashed_name: process-entry-leader-parent-session-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.entry_leader.parent.session_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.entry_leader.parent.session_leader.tty.char_device.major: - dashed_name: process-entry-leader-parent-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.parent.session_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.entry_leader.parent.session_leader.tty.char_device.minor: - dashed_name: process-entry-leader-parent-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. 
It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.parent.session_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.entry_leader.parent.session_leader.tty.columns: - dashed_name: process-entry-leader-parent-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.parent.session_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.entry_leader.parent.session_leader.tty.rows: - dashed_name: process-entry-leader-parent-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.parent.session_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.entry_leader.parent.session_leader.uptime: - dashed_name: process-entry-leader-parent-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.entry_leader.parent.session_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. 
- type: long - process.entry_leader.parent.session_leader.user.domain: - dashed_name: process-entry-leader-parent-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.session_leader.user.email: - dashed_name: process-entry-leader-parent-session-leader-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.session_leader.user.full_name: - dashed_name: process-entry-leader-parent-session-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.session_leader.user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.entry_leader.parent.session_leader.user.group.id: - dashed_name: process-entry-leader-parent-session-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.user.group.name: - dashed_name: process-entry-leader-parent-session-leader-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.user.hash: - dashed_name: process-entry-leader-parent-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.session_leader.user.id: - dashed_name: process-entry-leader-parent-session-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.entry_leader.parent.session_leader.user.name: - dashed_name: process-entry-leader-parent-session-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.session_leader.user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.session_leader.user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.entry_leader.parent.session_leader.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.session_leader.user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.session_leader.user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.entry_leader.parent.session_leader.user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.session_leader.user.roles: - dashed_name: process-entry-leader-parent-session-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.vpid: - dashed_name: process-entry-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.parent.session_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.parent.session_leader.working_directory: - dashed_name: process-entry-leader-parent-session-leader-working-directory - description: The working directory of the process. 
- example: /home/alice - flat_name: process.entry_leader.parent.session_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.entry_leader.parent.start: - dashed_name: process-entry-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.entry_leader.parent.supplemental_groups.domain: - dashed_name: process-entry-leader-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.supplemental_groups.id: - dashed_name: process-entry-leader-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.supplemental_groups.name: - dashed_name: process-entry-leader-parent-supplemental-groups-name - description: Name of the group. 
- flat_name: process.entry_leader.parent.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.thread.capabilities.effective: - dashed_name: process-entry-leader-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.thread.capabilities.permitted: - dashed_name: process-entry-leader-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.thread.id: - dashed_name: process-entry-leader-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.parent.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.entry_leader.parent.thread.name: - dashed_name: process-entry-leader-parent-thread-name - description: Thread name. 
- example: thread-0 - flat_name: process.entry_leader.parent.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.entry_leader.parent.title: - dashed_name: process-entry-leader-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.entry_leader.parent.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.entry_leader.parent.tty: - dashed_name: process-entry-leader-parent-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.entry_leader.parent.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.entry_leader.parent.tty.char_device.major: - dashed_name: process-entry-leader-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.parent.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. 
- type: long - process.entry_leader.parent.tty.char_device.minor: - dashed_name: process-entry-leader-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.parent.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.entry_leader.parent.tty.columns: - dashed_name: process-entry-leader-parent-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.entry_leader.parent.tty.rows: - dashed_name: process-entry-leader-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.entry_leader.parent.uptime: - dashed_name: process-entry-leader-parent-uptime - description: Seconds the process has been up. 
- example: 1325 - flat_name: process.entry_leader.parent.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.entry_leader.parent.user.domain: - dashed_name: process-entry-leader-parent-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.user.email: - dashed_name: process-entry-leader-parent-user-email - description: User email address. - flat_name: process.entry_leader.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.user.full_name: - dashed_name: process-entry-leader-parent-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.user.group.domain: - dashed_name: process-entry-leader-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.entry_leader.parent.user.group.id: - dashed_name: process-entry-leader-parent-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.user.group.name: - dashed_name: process-entry-leader-parent-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.user.hash: - dashed_name: process-entry-leader-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.user.id: - dashed_name: process-entry-leader-parent-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.user.name: - dashed_name: process-entry-leader-parent-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.entry_leader.parent.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.user.risk.calculated_level: - dashed_name: process-entry-leader-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.user.risk.calculated_score: - dashed_name: process-entry-leader-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - flat_name: process.entry_leader.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.user.risk.static_level: - dashed_name: process-entry-leader-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.user.risk.static_score: - dashed_name: process-entry-leader-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float - process.entry_leader.parent.user.roles: - dashed_name: process-entry-leader-parent-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.vpid: - dashed_name: process-entry-leader-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.parent.working_directory: - dashed_name: process-entry-leader-parent-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.parent.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.entry_leader.pe.architecture: - dashed_name: process-entry-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.entry_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. 
- type: keyword - process.entry_leader.pe.company: - dashed_name: process-entry-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.entry_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.entry_leader.pe.description: - dashed_name: process-entry-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.entry_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.entry_leader.pe.file_version: - dashed_name: process-entry-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.entry_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.entry_leader.pe.go_import_hash: - dashed_name: process-entry-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.entry_leader.pe.go_imports: - dashed_name: process-entry-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.pe.go_stripped: - dashed_name: process-entry-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.entry_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.pe.imphash: - dashed_name: process-entry-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.entry_leader.pe.import_hash: - dashed_name: process-entry-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.entry_leader.pe.imports: - dashed_name: process-entry-leader-pe-imports - description: List of imported element names and types. - flat_name: process.entry_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. 
- type: flattened - process.entry_leader.pe.imports_names_entropy: - dashed_name: process-entry-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.pe.original_file_name: - dashed_name: process-entry-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.entry_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.entry_leader.pe.pehash: - dashed_name: process-entry-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
- example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.entry_leader.pe.product: - dashed_name: process-entry-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.entry_leader.pe.sections: - dashed_name: process-entry-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.entry_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.entry_leader.pe.sections.entropy: - dashed_name: process-entry-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.entry_leader.pe.sections.name: - dashed_name: process-entry-leader-pe-sections-name - description: PE Section List name. - flat_name: process.entry_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword - process.entry_leader.pe.sections.physical_size: - dashed_name: process-entry-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.entry_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.entry_leader.pe.sections.var_entropy: - dashed_name: process-entry-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.pe.sections.virtual_size: - dashed_name: process-entry-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.entry_leader.pid: - dashed_name: process-entry-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.entry_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. 
- flat_name: process.entry_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.entry_leader.real_group.domain: - dashed_name: process-entry-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.real_group.id: - dashed_name: process-entry-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.real_group.name: - dashed_name: process-entry-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.real_user.domain: - dashed_name: process-entry-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.real_user.email: - dashed_name: process-entry-leader-real-user-email - description: User email address. 
- flat_name: process.entry_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.real_user.full_name: - dashed_name: process-entry-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.real_user.group.domain: - dashed_name: process-entry-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.real_user.group.id: - dashed_name: process-entry-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.real_user.group.name: - dashed_name: process-entry-leader-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.entry_leader.real_user.hash: - dashed_name: process-entry-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.real_user.id: - dashed_name: process-entry-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.real_user.name: - dashed_name: process-entry-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.real_user.risk.calculated_level: - dashed_name: process-entry-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.entry_leader.real_user.risk.calculated_score: - dashed_name: process-entry-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.real_user.risk.static_level: - dashed_name: process-entry-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.real_user.risk.static_score: - dashed_name: process-entry-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.entry_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.real_user.roles: - dashed_name: process-entry-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.same_as_process: - dashed_name: process-entry-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.entry_leader.saved_group.domain: - dashed_name: process-entry-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.saved_group.id: - dashed_name: process-entry-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.saved_group.name: - dashed_name: process-entry-leader-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.entry_leader.saved_user.domain: - dashed_name: process-entry-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.saved_user.email: - dashed_name: process-entry-leader-saved-user-email - description: User email address. - flat_name: process.entry_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.saved_user.full_name: - dashed_name: process-entry-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.saved_user.group.domain: - dashed_name: process-entry-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.saved_user.group.id: - dashed_name: process-entry-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.entry_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.saved_user.group.name: - dashed_name: process-entry-leader-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.saved_user.hash: - dashed_name: process-entry-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.saved_user.id: - dashed_name: process-entry-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.saved_user.name: - dashed_name: process-entry-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.entry_leader.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.saved_user.risk.static_level: - dashed_name: process-entry-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.entry_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.saved_user.risk.static_score: - dashed_name: process-entry-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.saved_user.roles: - dashed_name: process-entry-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.entry_leader.start: - dashed_name: process-entry-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.entry_leader.supplemental_groups.domain: - dashed_name: process-entry-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.supplemental_groups.id: - dashed_name: process-entry-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.supplemental_groups.name: - dashed_name: process-entry-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.thread.capabilities.effective: - dashed_name: process-entry-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.entry_leader.thread.capabilities.permitted: - dashed_name: process-entry-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.entry_leader.thread.id: - dashed_name: process-entry-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.entry_leader.thread.name: - dashed_name: process-entry-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.entry_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.entry_leader.title: - dashed_name: process-entry-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' 
- flat_name: process.entry_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.entry_leader.tty: - dashed_name: process-entry-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.entry_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.entry_leader.tty.char_device.major: - dashed_name: process-entry-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.entry_leader.tty.char_device.minor: - dashed_name: process-entry-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. 
- type: long - process.entry_leader.tty.columns: - dashed_name: process-entry-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.entry_leader.tty.rows: - dashed_name: process-entry-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.entry_leader.uptime: - dashed_name: process-entry-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.entry_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.entry_leader.user.domain: - dashed_name: process-entry-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.user.email: - dashed_name: process-entry-leader-user-email - description: User email address. 
- flat_name: process.entry_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.user.full_name: - dashed_name: process-entry-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.user.group.domain: - dashed_name: process-entry-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.user.group.id: - dashed_name: process-entry-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.user.group.name: - dashed_name: process-entry-leader-user-group-name - description: Name of the group. - flat_name: process.entry_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.user.hash: - dashed_name: process-entry-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.user.id: - dashed_name: process-entry-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.user.name: - dashed_name: process-entry-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.user.risk.calculated_level: - dashed_name: process-entry-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.user.risk.calculated_score: - dashed_name: process-entry-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.entry_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.user.risk.static_level: - dashed_name: process-entry-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.user.risk.static_score: - dashed_name: process-entry-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.entry_leader.user.risk.static_score_norm: - dashed_name: process-entry-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.user.roles: - dashed_name: process-entry-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.vpid: - dashed_name: process-entry-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.working_directory: - dashed_name: process-entry-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. 
- type: keyword - process.entry_meta.source.address: - dashed_name: process-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.entry_meta.source.as.number: - dashed_name: process-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.entry_meta.source.as.organization.name: - dashed_name: process-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.entry_meta.source.bytes: - dashed_name: process-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. 
- type: long - process.entry_meta.source.domain: - dashed_name: process-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.entry_meta.source.geo.city_name: - dashed_name: process-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.entry_meta.source.geo.continent_code: - dashed_name: process-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.entry_meta.source.geo.continent_name: - dashed_name: process-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. 
- type: keyword - process.entry_meta.source.geo.country_name: - dashed_name: process-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.entry_meta.source.geo.location: - dashed_name: process-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.entry_meta.source.geo.name: - dashed_name: process-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.entry_meta.source.geo.postal_code: - dashed_name: process-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-meta-source-geo-region-iso-code - description: Region ISO code. 
- example: CA-QC - flat_name: process.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.entry_meta.source.geo.region_name: - dashed_name: process-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.entry_meta.source.geo.timezone: - dashed_name: process-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.entry_meta.source.ip: - dashed_name: process-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.entry_meta.source.mac: - dashed_name: process-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. 
- type: keyword - process.entry_meta.source.nat.ip: - dashed_name: process-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.entry_meta.source.nat.port: - dashed_name: process-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.entry_meta.source.packets: - dashed_name: process-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.entry_meta.source.port: - dashed_name: process-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.entry_meta.source.registered_domain: - dashed_name: process-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.entry_meta.source.subdomain: - dashed_name: process-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.entry_meta.source.top_level_domain: - dashed_name: process-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). 
- type: keyword - process.entry_meta.type: - dashed_name: process-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - short: The entry type for the entry session leader. - type: keyword - process.env_vars: - dashed_name: process-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.executable: - dashed_name: process-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - otel: - - attribute: process.executable.path - relation: equivalent - stability: development - short: Absolute path to the process executable. - type: keyword - process.exit_code: - dashed_name: process-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.exit_code - level: extended - name: exit_code - normalize: [] - short: The exit code of the process. - type: long - process.group.domain: - dashed_name: process-group-domain - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group.id: - dashed_name: process-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group.name: - dashed_name: process-group-name - description: Name of the group. - flat_name: process.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.args: - dashed_name: process-group-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.group_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.group_leader.args_count: - dashed_name: process-group-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.group_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. 
- type: long - process.group_leader.attested_groups.domain: - dashed_name: process-group-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.attested_groups.id: - dashed_name: process-group-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.attested_groups.name: - dashed_name: process-group-leader-attested-groups-name - description: Name of the group. - flat_name: process.group_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.attested_user.domain: - dashed_name: process-group-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.group_leader.attested_user.email: - dashed_name: process-group-leader-attested-user-email - description: User email address. - flat_name: process.group_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword - process.group_leader.attested_user.full_name: - dashed_name: process-group-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.group_leader.attested_user.group.domain: - dashed_name: process-group-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.attested_user.group.id: - dashed_name: process-group-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.attested_user.group.name: - dashed_name: process-group-leader-attested-user-group-name - description: Name of the group. - flat_name: process.group_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.attested_user.hash: - dashed_name: process-group-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.group_leader.attested_user.id: - dashed_name: process-group-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.group_leader.attested_user.name: - dashed_name: process-group-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.group_leader.attested_user.risk.calculated_level: - dashed_name: process-group-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.group_leader.attested_user.risk.calculated_score: - dashed_name: process-group-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.group_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-group-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.group_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.group_leader.attested_user.risk.static_level: - dashed_name: process-group-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: keyword - process.group_leader.attested_user.risk.static_score: - dashed_name: process-group-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.group_leader.attested_user.risk.static_score_norm: - dashed_name: process-group-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.group_leader.attested_user.roles: - dashed_name: process-group-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.group_leader.code_signature.digest_algorithm: - dashed_name: process-group-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' 
- example: sha256 - flat_name: process.group_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.group_leader.code_signature.exists: - dashed_name: process-group-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.group_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.group_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.group_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.group_leader.code_signature.signing_id: - dashed_name: process-group-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.group_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.group_leader.code_signature.status: - dashed_name: process-group-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.group_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.group_leader.code_signature.subject_name: - dashed_name: process-group-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.group_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.group_leader.code_signature.team_id: - dashed_name: process-group-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.group_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.group_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.group_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. 
- type: keyword - process.group_leader.code_signature.timestamp: - dashed_name: process-group-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.group_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.group_leader.code_signature.trusted: - dashed_name: process-group-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.group_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.group_leader.code_signature.valid: - dashed_name: process-group-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.group_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.group_leader.command_line: - dashed_name: process-group-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.group_leader.command_line - level: extended - multi_fields: - - flat_name: process.group_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.group_leader.elf.architecture: - dashed_name: process-group-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.group_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.group_leader.elf.byte_order: - dashed_name: process-group-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.group_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.group_leader.elf.cpu_type: - dashed_name: process-group-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.group_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.group_leader.elf.creation_date: - dashed_name: process-group-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.group_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.group_leader.elf.exports: - dashed_name: process-group-leader-elf-exports - description: List of exported element names and types. 
- flat_name: process.group_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.group_leader.elf.go_import_hash: - dashed_name: process-group-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.group_leader.elf.go_imports: - dashed_name: process-group-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.group_leader.elf.go_imports_names_entropy: - dashed_name: process-group-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. 
- type: long - process.group_leader.elf.go_imports_names_var_entropy: - dashed_name: process-group-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.elf.go_stripped: - dashed_name: process-group-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.group_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.group_leader.elf.header.abi_version: - dashed_name: process-group-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.group_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.group_leader.elf.header.class: - dashed_name: process-group-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.group_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.group_leader.elf.header.data: - dashed_name: process-group-leader-elf-header-data - description: Data table of the ELF header. 
- flat_name: process.group_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.group_leader.elf.header.entrypoint: - dashed_name: process-group-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.group_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.group_leader.elf.header.object_version: - dashed_name: process-group-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.group_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.group_leader.elf.header.os_abi: - dashed_name: process-group-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.group_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.group_leader.elf.header.type: - dashed_name: process-group-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.group_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.group_leader.elf.header.version: - dashed_name: process-group-leader-elf-header-version - description: Version of the ELF header. 
- flat_name: process.group_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.group_leader.elf.import_hash: - dashed_name: process-group-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.group_leader.elf.imports: - dashed_name: process-group-leader-elf-imports - description: List of imported element names and types. - flat_name: process.group_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.group_leader.elf.imports_names_entropy: - dashed_name: process-group-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.group_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.group_leader.elf.imports_names_var_entropy: - dashed_name: process-group-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.group_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.group_leader.elf.sections: - dashed_name: process-group-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.group_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.group_leader.elf.sections.chi2: - dashed_name: process-group-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.group_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.group_leader.elf.sections.entropy: - dashed_name: process-group-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.group_leader.elf.sections.flags: - dashed_name: process-group-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.group_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. 
- type: keyword - process.group_leader.elf.sections.name: - dashed_name: process-group-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.group_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.group_leader.elf.sections.physical_offset: - dashed_name: process-group-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.group_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.group_leader.elf.sections.physical_size: - dashed_name: process-group-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.group_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.group_leader.elf.sections.type: - dashed_name: process-group-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.group_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.group_leader.elf.sections.var_entropy: - dashed_name: process-group-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. 
- type: long - process.group_leader.elf.sections.virtual_address: - dashed_name: process-group-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.group_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.group_leader.elf.sections.virtual_size: - dashed_name: process-group-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.group_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.group_leader.elf.segments: - dashed_name: process-group-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.group_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.group_leader.elf.segments.sections: - dashed_name: process-group-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.group_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.group_leader.elf.segments.type: - dashed_name: process-group-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.group_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. 
- type: keyword - process.group_leader.elf.shared_libraries: - dashed_name: process-group-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.group_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.group_leader.elf.telfhash: - dashed_name: process-group-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.group_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.group_leader.end: - dashed_name: process-group-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.group_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.group_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.group_leader.entity_id: - dashed_name: process-group-leader-entity-id - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.group_leader.entry_meta.source.address: - dashed_name: process-group-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.group_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.group_leader.entry_meta.source.as.number: - dashed_name: process-group-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.group_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.group_leader.entry_meta.source.as.organization.name: - dashed_name: process-group-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.group_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.group_leader.entry_meta.source.bytes: - dashed_name: process-group-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.group_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.group_leader.entry_meta.source.domain: - dashed_name: process-group-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.group_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.group_leader.entry_meta.source.geo.city_name: - dashed_name: process-group-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.group_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.group_leader.entry_meta.source.geo.continent_code: - dashed_name: process-group-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. 
- example: NA - flat_name: process.group_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.group_leader.entry_meta.source.geo.continent_name: - dashed_name: process-group-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.group_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.group_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-group-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.group_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.group_leader.entry_meta.source.geo.country_name: - dashed_name: process-group-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.group_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.group_leader.entry_meta.source.geo.location: - dashed_name: process-group-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.group_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. 
- type: geo_point - process.group_leader.entry_meta.source.geo.name: - dashed_name: process-group-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.group_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.group_leader.entry_meta.source.geo.postal_code: - dashed_name: process-group-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.group_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.group_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-group-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.group_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.group_leader.entry_meta.source.geo.region_name: - dashed_name: process-group-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.group_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. 
- type: keyword - process.group_leader.entry_meta.source.geo.timezone: - dashed_name: process-group-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.group_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.group_leader.entry_meta.source.ip: - dashed_name: process-group-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.group_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.group_leader.entry_meta.source.mac: - dashed_name: process-group-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.group_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.group_leader.entry_meta.source.nat.ip: - dashed_name: process-group-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.group_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.group_leader.entry_meta.source.nat.port: - dashed_name: process-group-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.group_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.group_leader.entry_meta.source.packets: - dashed_name: process-group-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.group_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.group_leader.entry_meta.source.port: - dashed_name: process-group-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.group_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.group_leader.entry_meta.source.registered_domain: - dashed_name: process-group-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.group_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.group_leader.entry_meta.source.subdomain: - dashed_name: process-group-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.group_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.group_leader.entry_meta.source.top_level_domain: - dashed_name: process-group-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.group_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.group_leader.entry_meta.type: - dashed_name: process-group-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.group_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.group_leader.env_vars: - dashed_name: process-group-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.group_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.group_leader.executable: - dashed_name: process-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.group_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword - process.group_leader.exit_code: - dashed_name: process-group-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.group_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.group_leader.group.domain: - dashed_name: process-group-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.group.id: - dashed_name: process-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.group.name: - dashed_name: process-group-leader-group-name - description: Name of the group. - flat_name: process.group_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. 
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.group_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.group_leader.hash.md5: - dashed_name: process-group-leader-hash-md5 - description: MD5 hash. - flat_name: process.group_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.group_leader.hash.sha1: - dashed_name: process-group-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.group_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.group_leader.hash.sha256: - dashed_name: process-group-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.group_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.group_leader.hash.sha384: - dashed_name: process-group-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.group_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.group_leader.hash.sha512: - dashed_name: process-group-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.group_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.group_leader.hash.ssdeep: - dashed_name: process-group-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.group_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. 
- type: keyword - process.group_leader.hash.tlsh: - dashed_name: process-group-leader-hash-tlsh - description: TLSH hash. - flat_name: process.group_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.group_leader.interactive: - dashed_name: process-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.group_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.group_leader.io: - dashed_name: process-group-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.group_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.group_leader.io.bytes_skipped: - dashed_name: process-group-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. 
- flat_name: process.group_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.group_leader.io.bytes_skipped.length: - dashed_name: process-group-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.group_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.group_leader.io.bytes_skipped.offset: - dashed_name: process-group-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.group_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.group_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-group-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.group_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.group_leader.io.text: - dashed_name: process-group-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. 
TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.group_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.group_leader.io.total_bytes_captured: - dashed_name: process-group-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.group_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.group_leader.io.total_bytes_skipped: - dashed_name: process-group-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.group_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.group_leader.io.type: - dashed_name: process-group-leader-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.group_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. 
- type: keyword - process.group_leader.macho.go_import_hash: - dashed_name: process-group-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.group_leader.macho.go_imports: - dashed_name: process-group-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.group_leader.macho.go_imports_names_entropy: - dashed_name: process-group-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.macho.go_imports_names_var_entropy: - dashed_name: process-group-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.group_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.macho.go_stripped: - dashed_name: process-group-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.group_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.group_leader.macho.import_hash: - dashed_name: process-group-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.group_leader.macho.imports: - dashed_name: process-group-leader-macho-imports - description: List of imported element names and types. - flat_name: process.group_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.group_leader.macho.imports_names_entropy: - dashed_name: process-group-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.group_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.group_leader.macho.imports_names_var_entropy: - dashed_name: process-group-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.group_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.group_leader.macho.sections: - dashed_name: process-group-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.group_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.group_leader.macho.sections.entropy: - dashed_name: process-group-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.group_leader.macho.sections.name: - dashed_name: process-group-leader-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.group_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.group_leader.macho.sections.physical_size: - dashed_name: process-group-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.group_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.group_leader.macho.sections.var_entropy: - dashed_name: process-group-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.group_leader.macho.sections.virtual_size: - dashed_name: process-group-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.group_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.group_leader.macho.symhash: - dashed_name: process-group-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.group_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.group_leader.name: - dashed_name: process-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.group_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.group_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.group_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.group_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.group_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.group_leader.pe.architecture: - dashed_name: process-group-leader-pe-architecture - description: CPU architecture target for the file. 
- example: x64 - flat_name: process.group_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.group_leader.pe.company: - dashed_name: process-group-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.group_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.group_leader.pe.description: - dashed_name: process-group-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.group_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.group_leader.pe.file_version: - dashed_name: process-group-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.group_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.group_leader.pe.go_import_hash: - dashed_name: process-group-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.group_leader.pe.go_imports: - dashed_name: process-group-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.group_leader.pe.go_imports_names_entropy: - dashed_name: process-group-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.pe.go_imports_names_var_entropy: - dashed_name: process-group-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.pe.go_stripped: - dashed_name: process-group-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.group_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.group_leader.pe.imphash: - dashed_name: process-group-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.group_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.group_leader.pe.import_hash: - dashed_name: process-group-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.group_leader.pe.imports: - dashed_name: process-group-leader-pe-imports - description: List of imported element names and types. - flat_name: process.group_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. 
- type: flattened - process.group_leader.pe.imports_names_entropy: - dashed_name: process-group-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.group_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.group_leader.pe.imports_names_var_entropy: - dashed_name: process-group-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.group_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.group_leader.pe.original_file_name: - dashed_name: process-group-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.group_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.group_leader.pe.pehash: - dashed_name: process-group-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
- example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.group_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.group_leader.pe.product: - dashed_name: process-group-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.group_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.group_leader.pe.sections: - dashed_name: process-group-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.group_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.group_leader.pe.sections.entropy: - dashed_name: process-group-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.group_leader.pe.sections.name: - dashed_name: process-group-leader-pe-sections-name - description: PE Section List name. - flat_name: process.group_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword - process.group_leader.pe.sections.physical_size: - dashed_name: process-group-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.group_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.group_leader.pe.sections.var_entropy: - dashed_name: process-group-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.group_leader.pe.sections.virtual_size: - dashed_name: process-group-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.group_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.group_leader.pid: - dashed_name: process-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. - type: long - process.group_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. 
- flat_name: process.group_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.group_leader.real_group.domain: - dashed_name: process-group-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.real_group.id: - dashed_name: process-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.real_group.name: - dashed_name: process-group-leader-real-group-name - description: Name of the group. - flat_name: process.group_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.real_user.domain: - dashed_name: process-group-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.group_leader.real_user.email: - dashed_name: process-group-leader-real-user-email - description: User email address. 
- flat_name: process.group_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.group_leader.real_user.full_name: - dashed_name: process-group-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.group_leader.real_user.group.domain: - dashed_name: process-group-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.real_user.group.id: - dashed_name: process-group-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.real_user.group.name: - dashed_name: process-group-leader-real-user-group-name - description: Name of the group. - flat_name: process.group_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.group_leader.real_user.hash: - dashed_name: process-group-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.group_leader.real_user.id: - dashed_name: process-group-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.group_leader.real_user.name: - dashed_name: process-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.group_leader.real_user.risk.calculated_level: - dashed_name: process-group-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.group_leader.real_user.risk.calculated_score: - dashed_name: process-group-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.group_leader.real_user.risk.calculated_score_norm: - dashed_name: process-group-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.group_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.group_leader.real_user.risk.static_level: - dashed_name: process-group-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.group_leader.real_user.risk.static_score: - dashed_name: process-group-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.group_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.group_leader.real_user.risk.static_score_norm: - dashed_name: process-group-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.group_leader.real_user.roles: - dashed_name: process-group-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.group_leader.same_as_process: - dashed_name: process-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.group_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.group_leader.saved_group.domain: - dashed_name: process-group-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.saved_group.id: - dashed_name: process-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.saved_group.name: - dashed_name: process-group-leader-saved-group-name - description: Name of the group. - flat_name: process.group_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.group_leader.saved_user.domain: - dashed_name: process-group-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.group_leader.saved_user.email: - dashed_name: process-group-leader-saved-user-email - description: User email address. - flat_name: process.group_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.group_leader.saved_user.full_name: - dashed_name: process-group-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.group_leader.saved_user.group.domain: - dashed_name: process-group-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.saved_user.group.id: - dashed_name: process-group-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.group_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.saved_user.group.name: - dashed_name: process-group-leader-saved-user-group-name - description: Name of the group. - flat_name: process.group_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.saved_user.hash: - dashed_name: process-group-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.group_leader.saved_user.id: - dashed_name: process-group-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.group_leader.saved_user.name: - dashed_name: process-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.group_leader.saved_user.risk.calculated_level: - dashed_name: process-group-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.group_leader.saved_user.risk.calculated_score: - dashed_name: process-group-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.group_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-group-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.group_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.group_leader.saved_user.risk.static_level: - dashed_name: process-group-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.group_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.group_leader.saved_user.risk.static_score: - dashed_name: process-group-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.group_leader.saved_user.risk.static_score_norm: - dashed_name: process-group-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.group_leader.saved_user.roles: - dashed_name: process-group-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.group_leader.start: - dashed_name: process-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.group_leader.supplemental_groups.domain: - dashed_name: process-group-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.supplemental_groups.id: - dashed_name: process-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.supplemental_groups.name: - dashed_name: process-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.group_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.thread.capabilities.effective: - dashed_name: process-group-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.group_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.group_leader.thread.capabilities.permitted: - dashed_name: process-group-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.group_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.group_leader.thread.id: - dashed_name: process-group-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.group_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.group_leader.thread.name: - dashed_name: process-group-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.group_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.group_leader.title: - dashed_name: process-group-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' 
- flat_name: process.group_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.group_leader.tty: - dashed_name: process-group-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.group_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.group_leader.tty.char_device.major: - dashed_name: process-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.group_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.group_leader.tty.char_device.minor: - dashed_name: process-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.group_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. 
- type: long - process.group_leader.tty.columns: - dashed_name: process-group-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.group_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.group_leader.tty.rows: - dashed_name: process-group-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.group_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.group_leader.uptime: - dashed_name: process-group-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.group_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.group_leader.user.domain: - dashed_name: process-group-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.group_leader.user.email: - dashed_name: process-group-leader-user-email - description: User email address. 
- flat_name: process.group_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.group_leader.user.full_name: - dashed_name: process-group-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.group_leader.user.group.domain: - dashed_name: process-group-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.user.group.id: - dashed_name: process-group-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.user.group.name: - dashed_name: process-group-leader-user-group-name - description: Name of the group. - flat_name: process.group_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.user.hash: - dashed_name: process-group-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.group_leader.user.id: - dashed_name: process-group-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.group_leader.user.name: - dashed_name: process-group-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.group_leader.user.risk.calculated_level: - dashed_name: process-group-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.group_leader.user.risk.calculated_score: - dashed_name: process-group-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.group_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.group_leader.user.risk.calculated_score_norm: - dashed_name: process-group-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.group_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.group_leader.user.risk.static_level: - dashed_name: process-group-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.group_leader.user.risk.static_score: - dashed_name: process-group-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.group_leader.user.risk.static_score_norm: - dashed_name: process-group-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.group_leader.user.roles: - dashed_name: process-group-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.group_leader.vpid: - dashed_name: process-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.group_leader.working_directory: - dashed_name: process-group-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.group_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. 
- type: keyword - process.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.hash.md5: - dashed_name: process-hash-md5 - description: MD5 hash. - flat_name: process.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.hash.sha1: - dashed_name: process-hash-sha1 - description: SHA1 hash. - flat_name: process.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.hash.sha256: - dashed_name: process-hash-sha256 - description: SHA256 hash. - flat_name: process.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.hash.sha384: - dashed_name: process-hash-sha384 - description: SHA384 hash. - flat_name: process.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.hash.sha512: - dashed_name: process-hash-sha512 - description: SHA512 hash. - flat_name: process.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.hash.ssdeep: - dashed_name: process-hash-ssdeep - description: SSDEEP hash. - flat_name: process.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. 
- type: keyword - process.hash.tlsh: - dashed_name: process-hash-tlsh - description: TLSH hash. - flat_name: process.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.interactive: - dashed_name: process-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.interactive - level: extended - name: interactive - normalize: [] - otel: - - relation: match - stability: development - short: Whether the process is connected to an interactive shell. - type: boolean - process.io: - dashed_name: process-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.io - level: extended - name: io - normalize: [] - short: A chunk of input or output (IO) from a single process. - type: object - process.io.bytes_skipped: - dashed_name: process-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - short: An array of byte offsets and lengths denoting where IO data has been - skipped. 
- type: object - process.io.bytes_skipped.length: - dashed_name: process-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - short: The length of bytes skipped. - type: long - process.io.bytes_skipped.offset: - dashed_name: process-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.io.max_bytes_per_process_exceeded: - dashed_name: process-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.io.text: - dashed_name: process-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.io.text - level: extended - name: io.text - normalize: [] - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.io.total_bytes_captured: - dashed_name: process-io-total-bytes-captured - description: The total number of bytes captured in this event. 
- flat_name: process.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - short: The total number of bytes captured in this event. - type: long - process.io.total_bytes_skipped: - dashed_name: process-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.io.type: - dashed_name: process-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.macho.go_import_hash: - dashed_name: process-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. 
- type: keyword - process.macho.go_imports: - dashed_name: process-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.macho.go_imports_names_entropy: - dashed_name: process-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.macho.go_imports_names_var_entropy: - dashed_name: process-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.macho.go_stripped: - dashed_name: process-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.macho.import_hash: - dashed_name: process-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.macho.imports: - dashed_name: process-macho-imports - description: List of imported element names and types. - flat_name: process.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.macho.imports_names_entropy: - dashed_name: process-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.macho.imports_names_var_entropy: - dashed_name: process-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.macho.sections: - dashed_name: process-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. 
- type: nested - process.macho.sections.entropy: - dashed_name: process-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.macho.sections.name: - dashed_name: process-macho-sections-name - description: Mach-O Section List name. - flat_name: process.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.macho.sections.physical_size: - dashed_name: process-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.macho.sections.var_entropy: - dashed_name: process-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.macho.sections.virtual_size: - dashed_name: process-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.macho.symhash: - dashed_name: process-macho-symhash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.name: - dashed_name: process-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.name.text - name: text - type: match_only_text - name: name - normalize: [] - short: Process name. - type: keyword - process.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - short: The URL where the process's executable file is hosted. - type: keyword - process.parent.args: - dashed_name: process-parent-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.parent.args_count: - dashed_name: process-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.parent.attested_groups.domain: - dashed_name: process-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.attested_groups.id: - dashed_name: process-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.attested_groups.name: - dashed_name: process-parent-attested-groups-name - description: Name of the group. - flat_name: process.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.parent.attested_user.domain: - dashed_name: process-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.attested_user.email: - dashed_name: process-parent-attested-user-email - description: User email address. - flat_name: process.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.attested_user.full_name: - dashed_name: process-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.attested_user.group.domain: - dashed_name: process-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.attested_user.group.id: - dashed_name: process-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.attested_user.group.name: - dashed_name: process-parent-attested-user-group-name - description: Name of the group. - flat_name: process.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.attested_user.hash: - dashed_name: process-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.attested_user.id: - dashed_name: process-parent-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.attested_user.name: - dashed_name: process-parent-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.parent.attested_user.risk.calculated_level: - dashed_name: process-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.attested_user.risk.calculated_score: - dashed_name: process-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.attested_user.risk.static_level: - dashed_name: process-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.attested_user.risk.static_score: - dashed_name: process-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.attested_user.risk.static_score_norm: - dashed_name: process-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.attested_user.roles: - dashed_name: process-parent-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.parent.code_signature.digest_algorithm: - dashed_name: process-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.parent.code_signature.exists: - dashed_name: process-parent-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.parent.code_signature.signing_id: - dashed_name: process-parent-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. 
- type: keyword - process.parent.code_signature.status: - dashed_name: process-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.parent.code_signature.subject_name: - dashed_name: process-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.parent.code_signature.team_id: - dashed_name: process-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.parent.code_signature.timestamp: - dashed_name: process-parent-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.parent.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.parent.code_signature.trusted: - dashed_name: process-parent-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.parent.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.parent.code_signature.valid: - dashed_name: process-parent-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.parent.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. 
- type: boolean - process.parent.command_line: - dashed_name: process-parent-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.command_line - level: extended - multi_fields: - - flat_name: process.parent.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.parent.elf.architecture: - dashed_name: process-parent-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.parent.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.parent.elf.byte_order: - dashed_name: process-parent-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.parent.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.parent.elf.cpu_type: - dashed_name: process-parent-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.parent.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.parent.elf.creation_date: - dashed_name: process-parent-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. 
- flat_name: process.parent.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.parent.elf.exports: - dashed_name: process-parent-elf-exports - description: List of exported element names and types. - flat_name: process.parent.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.parent.elf.go_import_hash: - dashed_name: process-parent-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.parent.elf.go_imports: - dashed_name: process-parent-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.parent.elf.go_imports_names_entropy: - dashed_name: process-parent-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.parent.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.elf.go_imports_names_var_entropy: - dashed_name: process-parent-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.parent.elf.go_stripped: - dashed_name: process-parent-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.elf.header.abi_version: - dashed_name: process-parent-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.parent.elf.header.class: - dashed_name: process-parent-elf-header-class - description: Header class of the ELF file. - flat_name: process.parent.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. 
- type: keyword - process.parent.elf.header.data: - dashed_name: process-parent-elf-header-data - description: Data table of the ELF header. - flat_name: process.parent.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.parent.elf.header.entrypoint: - dashed_name: process-parent-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.parent.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.parent.elf.header.object_version: - dashed_name: process-parent-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.parent.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.parent.elf.header.os_abi: - dashed_name: process-parent-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.parent.elf.header.type: - dashed_name: process-parent-elf-header-type - description: Header type of the ELF file. - flat_name: process.parent.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.parent.elf.header.version: - dashed_name: process-parent-elf-header-version - description: Version of the ELF header. 
- flat_name: process.parent.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.parent.elf.import_hash: - dashed_name: process-parent-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.parent.elf.imports: - dashed_name: process-parent-elf-imports - description: List of imported element names and types. - flat_name: process.parent.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.parent.elf.imports_names_entropy: - dashed_name: process-parent-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.elf.imports_names_var_entropy: - dashed_name: process-parent-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.parent.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.elf.sections: - dashed_name: process-parent-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.parent.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.parent.elf.sections.chi2: - dashed_name: process-parent-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.parent.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.parent.elf.sections.entropy: - dashed_name: process-parent-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.parent.elf.sections.flags: - dashed_name: process-parent-elf-sections-flags - description: ELF Section List flags. - flat_name: process.parent.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.parent.elf.sections.name: - dashed_name: process-parent-elf-sections-name - description: ELF Section List name. 
- flat_name: process.parent.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.parent.elf.sections.physical_offset: - dashed_name: process-parent-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.parent.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.parent.elf.sections.physical_size: - dashed_name: process-parent-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.parent.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.parent.elf.sections.type: - dashed_name: process-parent-elf-sections-type - description: ELF Section List type. - flat_name: process.parent.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.parent.elf.sections.var_entropy: - dashed_name: process-parent-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.elf.sections.virtual_address: - dashed_name: process-parent-elf-sections-virtual-address - description: ELF Section List virtual address. 
- flat_name: process.parent.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.parent.elf.sections.virtual_size: - dashed_name: process-parent-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.parent.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.parent.elf.segments: - dashed_name: process-parent-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.parent.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.parent.elf.segments.sections: - dashed_name: process-parent-elf-segments-sections - description: ELF object segment sections. - flat_name: process.parent.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.parent.elf.segments.type: - dashed_name: process-parent-elf-segments-type - description: ELF object segment type. - flat_name: process.parent.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.parent.elf.shared_libraries: - dashed_name: process-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object. 
- flat_name: process.parent.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.parent.elf.telfhash: - dashed_name: process-parent-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.parent.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.parent.end: - dashed_name: process-parent-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.parent.entity_id: - dashed_name: process-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' 
- example: c2c455d9f99375d - flat_name: process.parent.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.parent.entry_meta.source.address: - dashed_name: process-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.parent.entry_meta.source.as.number: - dashed_name: process-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.parent.entry_meta.source.as.organization.name: - dashed_name: process-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.parent.entry_meta.source.bytes: - dashed_name: process-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. 
- example: 184 - flat_name: process.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.parent.entry_meta.source.domain: - dashed_name: process-parent-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.parent.entry_meta.source.geo.city_name: - dashed_name: process-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.parent.entry_meta.source.geo.continent_code: - dashed_name: process-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.parent.entry_meta.source.geo.continent_name: - dashed_name: process-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. 
- type: keyword - process.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.parent.entry_meta.source.geo.country_name: - dashed_name: process-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.parent.entry_meta.source.geo.location: - dashed_name: process-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.parent.entry_meta.source.geo.name: - dashed_name: process-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.parent.entry_meta.source.geo.postal_code: - dashed_name: process-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. 
- - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.parent.entry_meta.source.geo.region_name: - dashed_name: process-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.parent.entry_meta.source.geo.timezone: - dashed_name: process-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.parent.entry_meta.source.ip: - dashed_name: process-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.parent.entry_meta.source.mac: - dashed_name: process-parent-entry-meta-source-mac - description: 'MAC address of the source. 
- - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.parent.entry_meta.source.nat.ip: - dashed_name: process-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.parent.entry_meta.source.nat.port: - dashed_name: process-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.parent.entry_meta.source.packets: - dashed_name: process-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.parent.entry_meta.source.port: - dashed_name: process-parent-entry-meta-source-port - description: Port of the source. 
- flat_name: process.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.parent.entry_meta.source.registered_domain: - dashed_name: process-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.parent.entry_meta.source.subdomain: - dashed_name: process-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. 
- type: keyword - process.parent.entry_meta.source.top_level_domain: - dashed_name: process-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.parent.entry_meta.type: - dashed_name: process-parent-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.parent.env_vars: - dashed_name: process-parent-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. 
- synthetic_source_keep: none - type: keyword - process.parent.executable: - dashed_name: process-parent-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.parent.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.parent.exit_code: - dashed_name: process-parent-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.parent.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.parent.group.domain: - dashed_name: process-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group.id: - dashed_name: process-parent-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group.name: - dashed_name: process-parent-group-name - description: Name of the group. - flat_name: process.parent.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.parent.group_leader.args: - dashed_name: process-parent-group-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.group_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.parent.group_leader.args_count: - dashed_name: process-parent-group-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.parent.group_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.parent.group_leader.attested_groups.domain: - dashed_name: process-parent-group-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.attested_groups.id: - dashed_name: process-parent-group-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.parent.group_leader.attested_groups.name: - dashed_name: process-parent-group-leader-attested-groups-name - description: Name of the group. - flat_name: process.parent.group_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.attested_user.domain: - dashed_name: process-parent-group-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.group_leader.attested_user.email: - dashed_name: process-parent-group-leader-attested-user-email - description: User email address. - flat_name: process.parent.group_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.group_leader.attested_user.full_name: - dashed_name: process-parent-group-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.group_leader.attested_user.group.domain: - dashed_name: process-parent-group-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.group_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.attested_user.group.id: - dashed_name: process-parent-group-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.attested_user.group.name: - dashed_name: process-parent-group-leader-attested-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.attested_user.hash: - dashed_name: process-parent-group-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.group_leader.attested_user.id: - dashed_name: process-parent-group-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.parent.group_leader.attested_user.name: - dashed_name: process-parent-group-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.group_leader.attested_user.risk.calculated_level: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.group_leader.attested_user.risk.calculated_score: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.parent.group_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.group_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.group_leader.attested_user.risk.static_level: - dashed_name: process-parent-group-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.group_leader.attested_user.risk.static_score: - dashed_name: process-parent-group-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.parent.group_leader.attested_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.group_leader.attested_user.roles: - dashed_name: process-parent-group-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.code_signature.digest_algorithm: - dashed_name: process-parent-group-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.parent.group_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.parent.group_leader.code_signature.exists: - dashed_name: process-parent-group-leader-code-signature-exists - description: Boolean to capture if a signature is present. 
- example: 'true' - flat_name: process.parent.group_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.parent.group_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.parent.group_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.parent.group_leader.code_signature.signing_id: - dashed_name: process-parent-group-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.parent.group_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.parent.group_leader.code_signature.status: - dashed_name: process-parent-group-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.group_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword - process.parent.group_leader.code_signature.subject_name: - dashed_name: process-parent-group-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.parent.group_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.parent.group_leader.code_signature.team_id: - dashed_name: process-parent-group-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.parent.group_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.parent.group_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.group_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.parent.group_leader.code_signature.timestamp: - dashed_name: process-parent-group-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - flat_name: process.parent.group_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.parent.group_leader.code_signature.trusted: - dashed_name: process-parent-group-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.parent.group_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.parent.group_leader.code_signature.valid: - dashed_name: process-parent-group-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.parent.group_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.parent.group_leader.command_line: - dashed_name: process-parent-group-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.group_leader.command_line - level: extended - multi_fields: - - flat_name: process.parent.group_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.parent.group_leader.elf.architecture: - dashed_name: process-parent-group-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.parent.group_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.parent.group_leader.elf.byte_order: - dashed_name: process-parent-group-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.parent.group_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.parent.group_leader.elf.cpu_type: - dashed_name: process-parent-group-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.parent.group_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.parent.group_leader.elf.creation_date: - dashed_name: process-parent-group-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.group_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. 
- type: date - process.parent.group_leader.elf.exports: - dashed_name: process-parent-group-leader-elf-exports - description: List of exported element names and types. - flat_name: process.parent.group_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.parent.group_leader.elf.go_import_hash: - dashed_name: process-parent-group-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.parent.group_leader.elf.go_imports: - dashed_name: process-parent-group-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.parent.group_leader.elf.go_imports_names_entropy: - dashed_name: process-parent-group-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.parent.group_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.group_leader.elf.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.parent.group_leader.elf.go_stripped: - dashed_name: process-parent-group-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.group_leader.elf.header.abi_version: - dashed_name: process-parent-group-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.group_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.parent.group_leader.elf.header.class: - dashed_name: process-parent-group-leader-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.parent.group_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.parent.group_leader.elf.header.data: - dashed_name: process-parent-group-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.parent.group_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.parent.group_leader.elf.header.entrypoint: - dashed_name: process-parent-group-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.parent.group_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.parent.group_leader.elf.header.object_version: - dashed_name: process-parent-group-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.parent.group_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.parent.group_leader.elf.header.os_abi: - dashed_name: process-parent-group-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.group_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.parent.group_leader.elf.header.type: - dashed_name: process-parent-group-leader-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.parent.group_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.parent.group_leader.elf.header.version: - dashed_name: process-parent-group-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.parent.group_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.parent.group_leader.elf.import_hash: - dashed_name: process-parent-group-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.parent.group_leader.elf.imports: - dashed_name: process-parent-group-leader-elf-imports - description: List of imported element names and types. - flat_name: process.parent.group_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.parent.group_leader.elf.imports_names_entropy: - dashed_name: process-parent-group-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.parent.group_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.group_leader.elf.imports_names_var_entropy: - dashed_name: process-parent-group-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.group_leader.elf.sections: - dashed_name: process-parent-group-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.parent.group_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.parent.group_leader.elf.sections.chi2: - dashed_name: process-parent-group-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.parent.group_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.parent.group_leader.elf.sections.entropy: - dashed_name: process-parent-group-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.parent.group_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.parent.group_leader.elf.sections.flags: - dashed_name: process-parent-group-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.parent.group_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.parent.group_leader.elf.sections.name: - dashed_name: process-parent-group-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.parent.group_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.parent.group_leader.elf.sections.physical_offset: - dashed_name: process-parent-group-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.parent.group_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.parent.group_leader.elf.sections.physical_size: - dashed_name: process-parent-group-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.parent.group_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.parent.group_leader.elf.sections.type: - dashed_name: process-parent-group-leader-elf-sections-type - description: ELF Section List type. 
- flat_name: process.parent.group_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.parent.group_leader.elf.sections.var_entropy: - dashed_name: process-parent-group-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.group_leader.elf.sections.virtual_address: - dashed_name: process-parent-group-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.parent.group_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.parent.group_leader.elf.sections.virtual_size: - dashed_name: process-parent-group-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.parent.group_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.parent.group_leader.elf.segments: - dashed_name: process-parent-group-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.parent.group_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. 
- type: nested - process.parent.group_leader.elf.segments.sections: - dashed_name: process-parent-group-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.parent.group_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.parent.group_leader.elf.segments.type: - dashed_name: process-parent-group-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.parent.group_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.parent.group_leader.elf.shared_libraries: - dashed_name: process-parent-group-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.parent.group_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.parent.group_leader.elf.telfhash: - dashed_name: process-parent-group-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.parent.group_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.parent.group_leader.end: - dashed_name: process-parent-group-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.parent.group_leader.endpoint_security_client: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.parent.group_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.parent.group_leader.entity_id: - dashed_name: process-parent-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.parent.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.parent.group_leader.entry_meta.source.address: - dashed_name: process-parent-group-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.parent.group_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. 
- type: keyword - process.parent.group_leader.entry_meta.source.as.number: - dashed_name: process-parent-group-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.parent.group_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.parent.group_leader.entry_meta.source.as.organization.name: - dashed_name: process-parent-group-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.parent.group_leader.entry_meta.source.bytes: - dashed_name: process-parent-group-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.parent.group_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.parent.group_leader.entry_meta.source.domain: - dashed_name: process-parent-group-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' 
- example: foo.example.com - flat_name: process.parent.group_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.parent.group_leader.entry_meta.source.geo.city_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.parent.group_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.parent.group_leader.entry_meta.source.geo.continent_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.parent.group_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.parent.group_leader.entry_meta.source.geo.continent_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.parent.group_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.parent.group_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.parent.group_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. 
- type: keyword - process.parent.group_leader.entry_meta.source.geo.country_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.parent.group_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.parent.group_leader.entry_meta.source.geo.location: - dashed_name: process-parent-group-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.parent.group_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.parent.group_leader.entry_meta.source.geo.name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.parent.group_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.parent.group_leader.entry_meta.source.geo.postal_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 - flat_name: process.parent.group_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.parent.group_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.parent.group_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.parent.group_leader.entry_meta.source.geo.region_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.parent.group_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.parent.group_leader.entry_meta.source.geo.timezone: - dashed_name: process-parent-group-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.parent.group_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.parent.group_leader.entry_meta.source.ip: - dashed_name: process-parent-group-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.parent.group_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip - process.parent.group_leader.entry_meta.source.mac: - dashed_name: process-parent-group-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.parent.group_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.parent.group_leader.entry_meta.source.nat.ip: - dashed_name: process-parent-group-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.parent.group_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.parent.group_leader.entry_meta.source.nat.port: - dashed_name: process-parent-group-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.parent.group_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.parent.group_leader.entry_meta.source.packets: - dashed_name: process-parent-group-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. 
- example: 12 - flat_name: process.parent.group_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.parent.group_leader.entry_meta.source.port: - dashed_name: process-parent-group-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.parent.group_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.parent.group_leader.entry_meta.source.registered_domain: - dashed_name: process-parent-group-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.parent.group_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.parent.group_leader.entry_meta.source.subdomain: - dashed_name: process-parent-group-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.parent.group_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.parent.group_leader.entry_meta.source.top_level_domain: - dashed_name: process-parent-group-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.parent.group_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.parent.group_leader.entry_meta.type: - dashed_name: process-parent-group-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.parent.group_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.parent.group_leader.env_vars: - dashed_name: process-parent-group-leader-env-vars - description: 'Array of environment variable bindings. 
Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.parent.group_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.executable: - dashed_name: process-parent-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.parent.group_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.parent.group_leader.exit_code: - dashed_name: process-parent-group-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.parent.group_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.parent.group_leader.group.domain: - dashed_name: process-parent-group-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.parent.group_leader.group.id: - dashed_name: process-parent-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.group.name: - dashed_name: process-parent-group-leader-group-name - description: Name of the group. - flat_name: process.parent.group_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.group_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.parent.group_leader.hash.md5: - dashed_name: process-parent-group-leader-hash-md5 - description: MD5 hash. - flat_name: process.parent.group_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.parent.group_leader.hash.sha1: - dashed_name: process-parent-group-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.parent.group_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.parent.group_leader.hash.sha256: - dashed_name: process-parent-group-leader-hash-sha256 - description: SHA256 hash. 
- flat_name: process.parent.group_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.parent.group_leader.hash.sha384: - dashed_name: process-parent-group-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.parent.group_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.parent.group_leader.hash.sha512: - dashed_name: process-parent-group-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.parent.group_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.parent.group_leader.hash.ssdeep: - dashed_name: process-parent-group-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.parent.group_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.parent.group_leader.hash.tlsh: - dashed_name: process-parent-group-leader-hash-tlsh - description: TLSH hash. - flat_name: process.parent.group_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.parent.group_leader.interactive: - dashed_name: process-parent-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.parent.group_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.parent.group_leader.io: - dashed_name: process-parent-group-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.parent.group_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.parent.group_leader.io.bytes_skipped: - dashed_name: process-parent-group-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.parent.group_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.parent.group_leader.io.bytes_skipped.length: - dashed_name: process-parent-group-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.parent.group_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. 
- type: long - process.parent.group_leader.io.bytes_skipped.offset: - dashed_name: process-parent-group-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.parent.group_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.parent.group_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-parent-group-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.parent.group_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.parent.group_leader.io.text: - dashed_name: process-parent-group-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.parent.group_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. 
- type: wildcard - process.parent.group_leader.io.total_bytes_captured: - dashed_name: process-parent-group-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.parent.group_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.parent.group_leader.io.total_bytes_skipped: - dashed_name: process-parent-group-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.parent.group_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.parent.group_leader.io.type: - dashed_name: process-parent-group-leader-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.parent.group_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.parent.group_leader.macho.go_import_hash: - dashed_name: process-parent-group-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.parent.group_leader.macho.go_imports: - dashed_name: process-parent-group-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.parent.group_leader.macho.go_imports_names_entropy: - dashed_name: process-parent-group-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.group_leader.macho.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.parent.group_leader.macho.go_stripped: - dashed_name: process-parent-group-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.group_leader.macho.import_hash: - dashed_name: process-parent-group-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.parent.group_leader.macho.imports: - dashed_name: process-parent-group-leader-macho-imports - description: List of imported element names and types. - flat_name: process.parent.group_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.parent.group_leader.macho.imports_names_entropy: - dashed_name: process-parent-group-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.parent.group_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.group_leader.macho.imports_names_var_entropy: - dashed_name: process-parent-group-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.group_leader.macho.sections: - dashed_name: process-parent-group-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.parent.group_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.parent.group_leader.macho.sections.entropy: - dashed_name: process-parent-group-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.parent.group_leader.macho.sections.name: - dashed_name: process-parent-group-leader-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.parent.group_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.parent.group_leader.macho.sections.physical_size: - dashed_name: process-parent-group-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.parent.group_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.parent.group_leader.macho.sections.var_entropy: - dashed_name: process-parent-group-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.group_leader.macho.sections.virtual_size: - dashed_name: process-parent-group-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.group_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.parent.group_leader.macho.symhash: - dashed_name: process-parent-group-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.group_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.parent.group_leader.name: - dashed_name: process-parent-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.parent.group_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.parent.group_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.parent.group_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.parent.group_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.parent.group_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword - process.parent.group_leader.pe.architecture: - dashed_name: process-parent-group-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.parent.group_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.parent.group_leader.pe.company: - dashed_name: process-parent-group-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.parent.group_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.parent.group_leader.pe.description: - dashed_name: process-parent-group-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.parent.group_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.parent.group_leader.pe.file_version: - dashed_name: process-parent-group-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.parent.group_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.parent.group_leader.pe.go_import_hash: - dashed_name: process-parent-group-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.parent.group_leader.pe.go_imports: - dashed_name: process-parent-group-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.parent.group_leader.pe.go_imports_names_entropy: - dashed_name: process-parent-group-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.group_leader.pe.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.parent.group_leader.pe.go_stripped: - dashed_name: process-parent-group-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.group_leader.pe.imphash: - dashed_name: process-parent-group-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.group_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.parent.group_leader.pe.import_hash: - dashed_name: process-parent-group-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.parent.group_leader.pe.imports: - dashed_name: process-parent-group-leader-pe-imports - description: List of imported element names and types. 
- flat_name: process.parent.group_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.parent.group_leader.pe.imports_names_entropy: - dashed_name: process-parent-group-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.group_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.group_leader.pe.imports_names_var_entropy: - dashed_name: process-parent-group-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.group_leader.pe.original_file_name: - dashed_name: process-parent-group-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.parent.group_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.parent.group_leader.pe.pehash: - dashed_name: process-parent-group-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. 
- - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.group_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.parent.group_leader.pe.product: - dashed_name: process-parent-group-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.parent.group_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.parent.group_leader.pe.sections: - dashed_name: process-parent-group-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.parent.group_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.parent.group_leader.pe.sections.entropy: - dashed_name: process-parent-group-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.parent.group_leader.pe.sections.name: - dashed_name: process-parent-group-leader-pe-sections-name - description: PE Section List name. 
- flat_name: process.parent.group_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.parent.group_leader.pe.sections.physical_size: - dashed_name: process-parent-group-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.parent.group_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.parent.group_leader.pe.sections.var_entropy: - dashed_name: process-parent-group-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.group_leader.pe.sections.virtual_size: - dashed_name: process-parent-group-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.group_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.parent.group_leader.pid: - dashed_name: process-parent-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.parent.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.parent.group_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.parent.group_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.parent.group_leader.real_group.domain: - dashed_name: process-parent-group-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.real_group.id: - dashed_name: process-parent-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.real_group.name: - dashed_name: process-parent-group-leader-real-group-name - description: Name of the group. - flat_name: process.parent.group_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.real_user.domain: - dashed_name: process-parent-group-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.group_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.group_leader.real_user.email: - dashed_name: process-parent-group-leader-real-user-email - description: User email address. - flat_name: process.parent.group_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.group_leader.real_user.full_name: - dashed_name: process-parent-group-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.group_leader.real_user.group.domain: - dashed_name: process-parent-group-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.real_user.group.id: - dashed_name: process-parent-group-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.parent.group_leader.real_user.group.name: - dashed_name: process-parent-group-leader-real-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.real_user.hash: - dashed_name: process-parent-group-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.group_leader.real_user.id: - dashed_name: process-parent-group-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.group_leader.real_user.name: - dashed_name: process-parent-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.parent.group_leader.real_user.risk.calculated_level: - dashed_name: process-parent-group-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.group_leader.real_user.risk.calculated_score: - dashed_name: process-parent-group-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.group_leader.real_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.group_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.parent.group_leader.real_user.risk.static_level: - dashed_name: process-parent-group-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.group_leader.real_user.risk.static_score: - dashed_name: process-parent-group-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.group_leader.real_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.group_leader.real_user.roles: - dashed_name: process-parent-group-leader-real-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.same_as_process: - dashed_name: process-parent-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.parent.group_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.parent.group_leader.saved_group.domain: - dashed_name: process-parent-group-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.group_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.saved_group.id: - dashed_name: process-parent-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.saved_group.name: - dashed_name: process-parent-group-leader-saved-group-name - description: Name of the group. - flat_name: process.parent.group_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.saved_user.domain: - dashed_name: process-parent-group-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.group_leader.saved_user.email: - dashed_name: process-parent-group-leader-saved-user-email - description: User email address. - flat_name: process.parent.group_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.group_leader.saved_user.full_name: - dashed_name: process-parent-group-leader-saved-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.parent.group_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.group_leader.saved_user.group.domain: - dashed_name: process-parent-group-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.saved_user.group.id: - dashed_name: process-parent-group-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.saved_user.group.name: - dashed_name: process-parent-group-leader-saved-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.saved_user.hash: - dashed_name: process-parent-group-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.parent.group_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.group_leader.saved_user.id: - dashed_name: process-parent-group-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.group_leader.saved_user.name: - dashed_name: process-parent-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.group_leader.saved_user.risk.calculated_level: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.parent.group_leader.saved_user.risk.calculated_score: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.group_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.group_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.group_leader.saved_user.risk.static_level: - dashed_name: process-parent-group-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: keyword - process.parent.group_leader.saved_user.risk.static_score: - dashed_name: process-parent-group-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.group_leader.saved_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.group_leader.saved_user.roles: - dashed_name: process-parent-group-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.start: - dashed_name: process-parent-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. 
- type: date - process.parent.group_leader.supplemental_groups.domain: - dashed_name: process-parent-group-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.supplemental_groups.id: - dashed_name: process-parent-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.supplemental_groups.name: - dashed_name: process-parent-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.parent.group_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.thread.capabilities.effective: - dashed_name: process-parent-group-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.group_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. 
- synthetic_source_keep: none - type: keyword - process.parent.group_leader.thread.capabilities.permitted: - dashed_name: process-parent-group-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.group_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.thread.id: - dashed_name: process-parent-group-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.parent.group_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.parent.group_leader.thread.name: - dashed_name: process-parent-group-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.parent.group_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.parent.group_leader.title: - dashed_name: process-parent-group-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.parent.group_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. 
- type: keyword - process.parent.group_leader.tty: - dashed_name: process-parent-group-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.parent.group_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.parent.group_leader.tty.char_device.major: - dashed_name: process-parent-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.parent.group_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.parent.group_leader.tty.char_device.minor: - dashed_name: process-parent-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.parent.group_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.parent.group_leader.tty.columns: - dashed_name: process-parent-group-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. 
where event.action = ''text_output''' - example: 80 - flat_name: process.parent.group_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.parent.group_leader.tty.rows: - dashed_name: process-parent-group-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.parent.group_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.parent.group_leader.uptime: - dashed_name: process-parent-group-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.parent.group_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.parent.group_leader.user.domain: - dashed_name: process-parent-group-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.group_leader.user.email: - dashed_name: process-parent-group-leader-user-email - description: User email address. - flat_name: process.parent.group_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword - process.parent.group_leader.user.full_name: - dashed_name: process-parent-group-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.group_leader.user.group.domain: - dashed_name: process-parent-group-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.user.group.id: - dashed_name: process-parent-group-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.user.group.name: - dashed_name: process-parent-group-leader-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.user.hash: - dashed_name: process-parent-group-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.group_leader.user.id: - dashed_name: process-parent-group-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.group_leader.user.name: - dashed_name: process-parent-group-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.group_leader.user.risk.calculated_level: - dashed_name: process-parent-group-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.parent.group_leader.user.risk.calculated_score: - dashed_name: process-parent-group-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.group_leader.user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.group_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.group_leader.user.risk.static_level: - dashed_name: process-parent-group-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.group_leader.user.risk.static_score: - dashed_name: process-parent-group-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.parent.group_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.group_leader.user.risk.static_score_norm: - dashed_name: process-parent-group-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.group_leader.user.roles: - dashed_name: process-parent-group-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.vpid: - dashed_name: process-parent-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.parent.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.parent.group_leader.working_directory: - dashed_name: process-parent-group-leader-working-directory - description: The working directory of the process. 
- example: /home/alice - flat_name: process.parent.group_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.parent.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-parent-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.parent.hash.md5: - dashed_name: process-parent-hash-md5 - description: MD5 hash. - flat_name: process.parent.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.parent.hash.sha1: - dashed_name: process-parent-hash-sha1 - description: SHA1 hash. - flat_name: process.parent.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.parent.hash.sha256: - dashed_name: process-parent-hash-sha256 - description: SHA256 hash. - flat_name: process.parent.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.parent.hash.sha384: - dashed_name: process-parent-hash-sha384 - description: SHA384 hash. - flat_name: process.parent.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. 
- type: keyword - process.parent.hash.sha512: - dashed_name: process-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.parent.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.parent.hash.ssdeep: - dashed_name: process-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.parent.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh - description: TLSH hash. - flat_name: process.parent.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.parent.interactive: - dashed_name: process-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.parent.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.parent.io: - dashed_name: process-parent-io - description: 'A chunk of input or output (IO) from a single process. 
- - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.parent.io.bytes_skipped: - dashed_name: process-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.parent.io.bytes_skipped.length: - dashed_name: process-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.parent.io.bytes_skipped.offset: - dashed_name: process-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- flat_name: process.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.parent.io.text: - dashed_name: process-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.parent.io.total_bytes_captured: - dashed_name: process-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.parent.io.total_bytes_skipped: - dashed_name: process-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. 
- type: long - process.parent.io.type: - dashed_name: process-parent-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.parent.macho.go_import_hash: - dashed_name: process-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.parent.macho.go_imports: - dashed_name: process-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.parent.macho.go_imports_names_entropy: - dashed_name: process-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.parent.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.macho.go_imports_names_var_entropy: - dashed_name: process-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.parent.macho.go_stripped: - dashed_name: process-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.macho.import_hash: - dashed_name: process-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.parent.macho.imports: - dashed_name: process-parent-macho-imports - description: List of imported element names and types. 
- flat_name: process.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.parent.macho.imports_names_entropy: - dashed_name: process-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.macho.imports_names_var_entropy: - dashed_name: process-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.macho.sections: - dashed_name: process-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.parent.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.parent.macho.sections.entropy: - dashed_name: process-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.parent.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.parent.macho.sections.name: - dashed_name: process-parent-macho-sections-name - description: Mach-O Section List name. - flat_name: process.parent.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.parent.macho.sections.physical_size: - dashed_name: process-parent-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.parent.macho.sections.var_entropy: - dashed_name: process-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.macho.sections.virtual_size: - dashed_name: process-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.parent.macho.symhash: - dashed_name: process-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.parent.name: - dashed_name: process-parent-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.parent.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword - process.parent.pe.architecture: - dashed_name: process-parent-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.parent.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.parent.pe.company: - dashed_name: process-parent-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.parent.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.parent.pe.description: - dashed_name: process-parent-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.parent.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.parent.pe.file_version: - dashed_name: process-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.parent.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.parent.pe.go_import_hash: - dashed_name: process-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.parent.pe.go_imports: - dashed_name: process-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.parent.pe.go_imports_names_entropy: - dashed_name: process-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.pe.go_imports_names_var_entropy: - dashed_name: process-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.parent.pe.go_stripped: - dashed_name: process-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.parent.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.pe.imphash: - dashed_name: process-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.parent.pe.import_hash: - dashed_name: process-parent-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.parent.pe.imports: - dashed_name: process-parent-pe-imports - description: List of imported element names and types. - flat_name: process.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.parent.pe.imports_names_entropy: - dashed_name: process-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.parent.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.pe.imports_names_var_entropy: - dashed_name: process-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.pe.original_file_name: - dashed_name: process-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.parent.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.parent.pe.pehash: - dashed_name: process-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.parent.pe.product: - dashed_name: process-parent-pe-product - description: Internal product name of the file, provided at compile-time. 
- example: Microsoft® Windows® Operating System - flat_name: process.parent.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.parent.pe.sections: - dashed_name: process-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.parent.pe.sections.entropy: - dashed_name: process-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.parent.pe.sections.name: - dashed_name: process-parent-pe-sections-name - description: PE Section List name. - flat_name: process.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.parent.pe.sections.physical_size: - dashed_name: process-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.parent.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.parent.pe.sections.var_entropy: - dashed_name: process-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. 
- flat_name: process.parent.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.pe.sections.virtual_size: - dashed_name: process-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.parent.pid: - dashed_name: process-parent-pid - description: Process id. - example: 4242 - flat_name: process.parent.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.parent.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.parent.real_group.domain: - dashed_name: process-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.parent.real_group.id: - dashed_name: process-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.real_group.name: - dashed_name: process-parent-real-group-name - description: Name of the group. - flat_name: process.parent.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.real_user.domain: - dashed_name: process-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.real_user.email: - dashed_name: process-parent-real-user-email - description: User email address. - flat_name: process.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.real_user.full_name: - dashed_name: process-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword - process.parent.real_user.group.domain: - dashed_name: process-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.real_user.group.id: - dashed_name: process-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.real_user.group.name: - dashed_name: process-parent-real-user-group-name - description: Name of the group. - flat_name: process.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.real_user.hash: - dashed_name: process-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.real_user.id: - dashed_name: process-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.parent.real_user.name: - dashed_name: process-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.real_user.risk.calculated_level: - dashed_name: process-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.real_user.risk.calculated_score: - dashed_name: process-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.real_user.risk.calculated_score_norm: - dashed_name: process-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - flat_name: process.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.real_user.risk.static_level: - dashed_name: process-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.real_user.risk.static_score: - dashed_name: process-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.real_user.risk.static_score_norm: - dashed_name: process-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float - process.parent.real_user.roles: - dashed_name: process-parent-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.same_as_process: - dashed_name: process-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.parent.saved_group.domain: - dashed_name: process-parent-saved-group-domain - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.saved_group.id: - dashed_name: process-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.saved_group.name: - dashed_name: process-parent-saved-group-name - description: Name of the group. - flat_name: process.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.saved_user.domain: - dashed_name: process-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.saved_user.email: - dashed_name: process-parent-saved-user-email - description: User email address. - flat_name: process.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.saved_user.full_name: - dashed_name: process-parent-saved-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.saved_user.group.domain: - dashed_name: process-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.saved_user.group.id: - dashed_name: process-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.saved_user.group.name: - dashed_name: process-parent-saved-user-group-name - description: Name of the group. - flat_name: process.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.saved_user.hash: - dashed_name: process-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. 
- type: keyword - process.parent.saved_user.id: - dashed_name: process-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.saved_user.name: - dashed_name: process-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.saved_user.risk.calculated_level: - dashed_name: process-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.saved_user.risk.calculated_score: - dashed_name: process-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.saved_user.risk.static_level: - dashed_name: process-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.saved_user.risk.static_score: - dashed_name: process-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.saved_user.risk.static_score_norm: - dashed_name: process-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.saved_user.roles: - dashed_name: process-parent-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.start: - dashed_name: process-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.parent.supplemental_groups.domain: - dashed_name: process-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.supplemental_groups.id: - dashed_name: process-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.supplemental_groups.name: - dashed_name: process-parent-supplemental-groups-name - description: Name of the group. 
- flat_name: process.parent.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.thread.capabilities.effective: - dashed_name: process-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.parent.thread.capabilities.permitted: - dashed_name: process-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.parent.thread.id: - dashed_name: process-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.parent.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.parent.thread.name: - dashed_name: process-parent-thread-name - description: Thread name. - example: thread-0 - flat_name: process.parent.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. 
- type: keyword - process.parent.title: - dashed_name: process-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.parent.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.parent.tty: - dashed_name: process-parent-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.parent.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.parent.tty.char_device.major: - dashed_name: process-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.parent.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.parent.tty.char_device.minor: - dashed_name: process-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. 
- example: 1 - flat_name: process.parent.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.parent.tty.columns: - dashed_name: process-parent-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.parent.tty.rows: - dashed_name: process-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.parent.uptime: - dashed_name: process-parent-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.parent.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.parent.user.domain: - dashed_name: process-parent-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword - process.parent.user.email: - dashed_name: process-parent-user-email - description: User email address. - flat_name: process.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.user.full_name: - dashed_name: process-parent-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.user.group.domain: - dashed_name: process-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.user.group.id: - dashed_name: process-parent-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.user.group.name: - dashed_name: process-parent-user-group-name - description: Name of the group. - flat_name: process.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.user.hash: - dashed_name: process-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.user.id: - dashed_name: process-parent-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.user.name: - dashed_name: process-parent-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.user.risk.calculated_level: - dashed_name: process-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.user.risk.calculated_score: - dashed_name: process-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.user.risk.calculated_score_norm: - dashed_name: process-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.user.risk.static_level: - dashed_name: process-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.user.risk.static_score: - dashed_name: process-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.parent.user.risk.static_score_norm: - dashed_name: process-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.user.roles: - dashed_name: process-parent-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.vpid: - dashed_name: process-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.parent.working_directory: - dashed_name: process-parent-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.parent.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. 
- type: keyword - process.pe.architecture: - dashed_name: process-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.pe.company: - dashed_name: process-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.pe.description: - dashed_name: process-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.pe.file_version: - dashed_name: process-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.pe.go_import_hash: - dashed_name: process-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.pe.go_imports: - dashed_name: process-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.pe.go_imports_names_entropy: - dashed_name: process-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.pe.go_imports_names_var_entropy: - dashed_name: process-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.pe.go_stripped: - dashed_name: process-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. 
- type: boolean - process.pe.imphash: - dashed_name: process-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.pe.import_hash: - dashed_name: process-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.pe.imports: - dashed_name: process-pe-imports - description: List of imported element names and types. - flat_name: process.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.pe.imports_names_entropy: - dashed_name: process-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. 
- type: long - process.pe.imports_names_var_entropy: - dashed_name: process-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.pe.original_file_name: - dashed_name: process-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.pe.pehash: - dashed_name: process-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.pe.product: - dashed_name: process-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. 
- type: keyword - process.pe.sections: - dashed_name: process-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.pe.sections.entropy: - dashed_name: process-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.pe.sections.name: - dashed_name: process-pe-sections-name - description: PE Section List name. - flat_name: process.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.pe.sections.physical_size: - dashed_name: process-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.pe.sections.var_entropy: - dashed_name: process-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.pe.sections.virtual_size: - dashed_name: process-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. 
- flat_name: process.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.pid: - dashed_name: process-pid - description: Process id. - example: 4242 - flat_name: process.pid - format: string - level: core - name: pid - normalize: [] - otel: - - relation: match - stability: development - short: Process id. - type: long - process.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.platform_binary - level: extended - name: platform_binary - normalize: [] - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.previous.args: - dashed_name: process-previous-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.previous.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.previous.args_count: - dashed_name: process-previous-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.previous.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. 
- type: long - process.previous.attested_groups.domain: - dashed_name: process-previous-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.attested_groups.id: - dashed_name: process-previous-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.attested_groups.name: - dashed_name: process-previous-attested-groups-name - description: Name of the group. - flat_name: process.previous.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.attested_user.domain: - dashed_name: process-previous-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.previous.attested_user.email: - dashed_name: process-previous-attested-user-email - description: User email address. - flat_name: process.previous.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword - process.previous.attested_user.full_name: - dashed_name: process-previous-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.previous.attested_user.group.domain: - dashed_name: process-previous-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.attested_user.group.id: - dashed_name: process-previous-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.attested_user.group.name: - dashed_name: process-previous-attested-user-group-name - description: Name of the group. - flat_name: process.previous.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.attested_user.hash: - dashed_name: process-previous-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.previous.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.previous.attested_user.id: - dashed_name: process-previous-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.previous.attested_user.name: - dashed_name: process-previous-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.previous.attested_user.risk.calculated_level: - dashed_name: process-previous-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.previous.attested_user.risk.calculated_score: - dashed_name: process-previous-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.previous.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.previous.attested_user.risk.calculated_score_norm: - dashed_name: process-previous-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.previous.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.previous.attested_user.risk.static_level: - dashed_name: process-previous-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.previous.attested_user.risk.static_score: - dashed_name: process-previous-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.previous.attested_user.risk.static_score_norm: - dashed_name: process-previous-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.previous.attested_user.roles: - dashed_name: process-previous-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.previous.code_signature.digest_algorithm: - dashed_name: process-previous-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.previous.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.previous.code_signature.exists: - dashed_name: process-previous-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.previous.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. 
- type: boolean - process.previous.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-previous-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.previous.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.previous.code_signature.signing_id: - dashed_name: process-previous-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.previous.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.previous.code_signature.status: - dashed_name: process-previous-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.previous.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword - process.previous.code_signature.subject_name: - dashed_name: process-previous-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.previous.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.previous.code_signature.team_id: - dashed_name: process-previous-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.previous.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.previous.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-previous-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.previous.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.previous.code_signature.timestamp: - dashed_name: process-previous-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.previous.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. 
- type: date - process.previous.code_signature.trusted: - dashed_name: process-previous-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.previous.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.previous.code_signature.valid: - dashed_name: process-previous-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.previous.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.previous.command_line: - dashed_name: process-previous-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.previous.command_line - level: extended - multi_fields: - - flat_name: process.previous.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.previous.elf.architecture: - dashed_name: process-previous-elf-architecture - description: Machine architecture of the ELF file. 
- example: x86-64 - flat_name: process.previous.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.previous.elf.byte_order: - dashed_name: process-previous-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.previous.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.previous.elf.cpu_type: - dashed_name: process-previous-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.previous.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.previous.elf.creation_date: - dashed_name: process-previous-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.previous.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.previous.elf.exports: - dashed_name: process-previous-elf-exports - description: List of exported element names and types. - flat_name: process.previous.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.previous.elf.go_import_hash: - dashed_name: process-previous-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.previous.elf.go_imports: - dashed_name: process-previous-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.previous.elf.go_imports_names_entropy: - dashed_name: process-previous-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.previous.elf.go_imports_names_var_entropy: - dashed_name: process-previous-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.previous.elf.go_stripped: - dashed_name: process-previous-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.previous.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.previous.elf.header.abi_version: - dashed_name: process-previous-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.previous.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.previous.elf.header.class: - dashed_name: process-previous-elf-header-class - description: Header class of the ELF file. - flat_name: process.previous.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.previous.elf.header.data: - dashed_name: process-previous-elf-header-data - description: Data table of the ELF header. - flat_name: process.previous.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.previous.elf.header.entrypoint: - dashed_name: process-previous-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.previous.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. 
- type: long - process.previous.elf.header.object_version: - dashed_name: process-previous-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.previous.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.previous.elf.header.os_abi: - dashed_name: process-previous-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.previous.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.previous.elf.header.type: - dashed_name: process-previous-elf-header-type - description: Header type of the ELF file. - flat_name: process.previous.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.previous.elf.header.version: - dashed_name: process-previous-elf-header-version - description: Version of the ELF header. - flat_name: process.previous.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.previous.elf.import_hash: - dashed_name: process-previous-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.previous.elf.imports: - dashed_name: process-previous-elf-imports - description: List of imported element names and types. - flat_name: process.previous.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.previous.elf.imports_names_entropy: - dashed_name: process-previous-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.previous.elf.imports_names_var_entropy: - dashed_name: process-previous-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.previous.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.previous.elf.sections: - dashed_name: process-previous-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.previous.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. 
- type: nested - process.previous.elf.sections.chi2: - dashed_name: process-previous-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.previous.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.previous.elf.sections.entropy: - dashed_name: process-previous-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.previous.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.previous.elf.sections.flags: - dashed_name: process-previous-elf-sections-flags - description: ELF Section List flags. - flat_name: process.previous.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.previous.elf.sections.name: - dashed_name: process-previous-elf-sections-name - description: ELF Section List name. - flat_name: process.previous.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.previous.elf.sections.physical_offset: - dashed_name: process-previous-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.previous.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.previous.elf.sections.physical_size: - dashed_name: process-previous-elf-sections-physical-size - description: ELF Section List physical size. 
- flat_name: process.previous.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.previous.elf.sections.type: - dashed_name: process-previous-elf-sections-type - description: ELF Section List type. - flat_name: process.previous.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.previous.elf.sections.var_entropy: - dashed_name: process-previous-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.previous.elf.sections.virtual_address: - dashed_name: process-previous-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.previous.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.previous.elf.sections.virtual_size: - dashed_name: process-previous-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.previous.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.previous.elf.segments: - dashed_name: process-previous-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' 
- flat_name: process.previous.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.previous.elf.segments.sections: - dashed_name: process-previous-elf-segments-sections - description: ELF object segment sections. - flat_name: process.previous.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.previous.elf.segments.type: - dashed_name: process-previous-elf-segments-type - description: ELF object segment type. - flat_name: process.previous.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.previous.elf.shared_libraries: - dashed_name: process-previous-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.previous.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.previous.elf.telfhash: - dashed_name: process-previous-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.previous.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.previous.end: - dashed_name: process-previous-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.previous.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.previous.endpoint_security_client: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.previous.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.previous.entity_id: - dashed_name: process-previous-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.previous.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.previous.entry_meta.source.address: - dashed_name: process-previous-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.previous.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. 
- type: keyword - process.previous.entry_meta.source.as.number: - dashed_name: process-previous-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.previous.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.previous.entry_meta.source.as.organization.name: - dashed_name: process-previous-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.previous.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.previous.entry_meta.source.bytes: - dashed_name: process-previous-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.previous.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.previous.entry_meta.source.domain: - dashed_name: process-previous-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.previous.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. 
- type: keyword - process.previous.entry_meta.source.geo.city_name: - dashed_name: process-previous-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.previous.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.previous.entry_meta.source.geo.continent_code: - dashed_name: process-previous-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.previous.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.previous.entry_meta.source.geo.continent_name: - dashed_name: process-previous-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.previous.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.previous.entry_meta.source.geo.country_iso_code: - dashed_name: process-previous-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.previous.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.previous.entry_meta.source.geo.country_name: - dashed_name: process-previous-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.previous.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. 
- type: keyword - process.previous.entry_meta.source.geo.location: - dashed_name: process-previous-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.previous.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.previous.entry_meta.source.geo.name: - dashed_name: process-previous-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.previous.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.previous.entry_meta.source.geo.postal_code: - dashed_name: process-previous-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.previous.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.previous.entry_meta.source.geo.region_iso_code: - dashed_name: process-previous-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.previous.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. 
- type: keyword - process.previous.entry_meta.source.geo.region_name: - dashed_name: process-previous-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.previous.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.previous.entry_meta.source.geo.timezone: - dashed_name: process-previous-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.previous.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.previous.entry_meta.source.ip: - dashed_name: process-previous-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.previous.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.previous.entry_meta.source.mac: - dashed_name: process-previous-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.previous.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.previous.entry_meta.source.nat.ip: - dashed_name: process-previous-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. 
internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.previous.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.previous.entry_meta.source.nat.port: - dashed_name: process-previous-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.previous.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.previous.entry_meta.source.packets: - dashed_name: process-previous-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.previous.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.previous.entry_meta.source.port: - dashed_name: process-previous-entry-meta-source-port - description: Port of the source. - flat_name: process.previous.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.previous.entry_meta.source.registered_domain: - dashed_name: process-previous-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.previous.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.previous.entry_meta.source.subdomain: - dashed_name: process-previous-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.previous.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.previous.entry_meta.source.top_level_domain: - dashed_name: process-previous-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.previous.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). 
- type: keyword - process.previous.entry_meta.type: - dashed_name: process-previous-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.previous.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.previous.env_vars: - dashed_name: process-previous-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.previous.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.previous.executable: - dashed_name: process-previous-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.previous.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.previous.exit_code: - dashed_name: process-previous-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.previous.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. 
- type: long - process.previous.group.domain: - dashed_name: process-previous-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.group.id: - dashed_name: process-previous-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.group.name: - dashed_name: process-previous-group-name - description: Name of the group. - flat_name: process.previous.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-previous-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.previous.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.previous.hash.md5: - dashed_name: process-previous-hash-md5 - description: MD5 hash. - flat_name: process.previous.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.previous.hash.sha1: - dashed_name: process-previous-hash-sha1 - description: SHA1 hash. 
- flat_name: process.previous.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.previous.hash.sha256: - dashed_name: process-previous-hash-sha256 - description: SHA256 hash. - flat_name: process.previous.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.previous.hash.sha384: - dashed_name: process-previous-hash-sha384 - description: SHA384 hash. - flat_name: process.previous.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.previous.hash.sha512: - dashed_name: process-previous-hash-sha512 - description: SHA512 hash. - flat_name: process.previous.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.previous.hash.ssdeep: - dashed_name: process-previous-hash-ssdeep - description: SSDEEP hash. - flat_name: process.previous.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.previous.hash.tlsh: - dashed_name: process-previous-hash-tlsh - description: TLSH hash. - flat_name: process.previous.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.previous.interactive: - dashed_name: process-previous-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.previous.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.previous.io: - dashed_name: process-previous-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.previous.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.previous.io.bytes_skipped: - dashed_name: process-previous-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.previous.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.previous.io.bytes_skipped.length: - dashed_name: process-previous-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.previous.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. 
- type: long - process.previous.io.bytes_skipped.offset: - dashed_name: process-previous-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.previous.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.previous.io.max_bytes_per_process_exceeded: - dashed_name: process-previous-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.previous.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.previous.io.text: - dashed_name: process-previous-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.previous.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.previous.io.total_bytes_captured: - dashed_name: process-previous-io-total-bytes-captured - description: The total number of bytes captured in this event. 
- flat_name: process.previous.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.previous.io.total_bytes_skipped: - dashed_name: process-previous-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.previous.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.previous.io.type: - dashed_name: process-previous-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.previous.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.previous.macho.go_import_hash: - dashed_name: process-previous-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.previous.macho.go_imports: - dashed_name: process-previous-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.previous.macho.go_imports_names_entropy: - dashed_name: process-previous-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.previous.macho.go_imports_names_var_entropy: - dashed_name: process-previous-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.previous.macho.go_stripped: - dashed_name: process-previous-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.previous.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.previous.macho.import_hash: - dashed_name: process-previous-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.previous.macho.imports: - dashed_name: process-previous-macho-imports - description: List of imported element names and types. - flat_name: process.previous.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.previous.macho.imports_names_entropy: - dashed_name: process-previous-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.previous.macho.imports_names_var_entropy: - dashed_name: process-previous-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.previous.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.previous.macho.sections: - dashed_name: process-previous-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.previous.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.previous.macho.sections.entropy: - dashed_name: process-previous-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.previous.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.previous.macho.sections.name: - dashed_name: process-previous-macho-sections-name - description: Mach-O Section List name. - flat_name: process.previous.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.previous.macho.sections.physical_size: - dashed_name: process-previous-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.previous.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. 
- type: long - process.previous.macho.sections.var_entropy: - dashed_name: process-previous-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.previous.macho.sections.virtual_size: - dashed_name: process-previous-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.previous.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.previous.macho.symhash: - dashed_name: process-previous-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.previous.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.previous.name: - dashed_name: process-previous-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.previous.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. 
- type: keyword - process.previous.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-previous-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.previous.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.previous.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-previous-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.previous.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.previous.pe.architecture: - dashed_name: process-previous-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.previous.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.previous.pe.company: - dashed_name: process-previous-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.previous.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.previous.pe.description: - dashed_name: process-previous-pe-description - description: Internal description of the file, provided at compile-time. 
- example: Paint - flat_name: process.previous.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.previous.pe.file_version: - dashed_name: process-previous-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.previous.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.previous.pe.go_import_hash: - dashed_name: process-previous-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.previous.pe.go_imports: - dashed_name: process-previous-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.previous.pe.go_imports_names_entropy: - dashed_name: process-previous-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.previous.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.previous.pe.go_imports_names_var_entropy: - dashed_name: process-previous-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.previous.pe.go_stripped: - dashed_name: process-previous-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.previous.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.previous.pe.imphash: - dashed_name: process-previous-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.previous.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.previous.pe.import_hash: - dashed_name: process-previous-pe-import-hash - description: 'A hash of the imports in a PE file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.previous.pe.imports: - dashed_name: process-previous-pe-imports - description: List of imported element names and types. - flat_name: process.previous.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.previous.pe.imports_names_entropy: - dashed_name: process-previous-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.previous.pe.imports_names_var_entropy: - dashed_name: process-previous-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.previous.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.previous.pe.original_file_name: - dashed_name: process-previous-pe-original-file-name - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - flat_name: process.previous.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.previous.pe.pehash: - dashed_name: process-previous-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.previous.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.previous.pe.product: - dashed_name: process-previous-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.previous.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.previous.pe.sections: - dashed_name: process-previous-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.previous.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.previous.pe.sections.entropy: - dashed_name: process-previous-pe-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.previous.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.previous.pe.sections.name: - dashed_name: process-previous-pe-sections-name - description: PE Section List name. - flat_name: process.previous.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.previous.pe.sections.physical_size: - dashed_name: process-previous-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.previous.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.previous.pe.sections.var_entropy: - dashed_name: process-previous-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.previous.pe.sections.virtual_size: - dashed_name: process-previous-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.previous.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.previous.pid: - dashed_name: process-previous-pid - description: Process id. 
- example: 4242 - flat_name: process.previous.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.previous.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-previous-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.previous.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.previous.real_group.domain: - dashed_name: process-previous-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.real_group.id: - dashed_name: process-previous-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.real_group.name: - dashed_name: process-previous-real-group-name - description: Name of the group. - flat_name: process.previous.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.real_user.domain: - dashed_name: process-previous-real-user-domain - description: 'Name of the directory the user is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.previous.real_user.email: - dashed_name: process-previous-real-user-email - description: User email address. - flat_name: process.previous.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.previous.real_user.full_name: - dashed_name: process-previous-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.previous.real_user.group.domain: - dashed_name: process-previous-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.real_user.group.id: - dashed_name: process-previous-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.previous.real_user.group.name: - dashed_name: process-previous-real-user-group-name - description: Name of the group. - flat_name: process.previous.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.real_user.hash: - dashed_name: process-previous-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.previous.real_user.id: - dashed_name: process-previous-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.previous.real_user.name: - dashed_name: process-previous-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.previous.real_user.risk.calculated_level: - dashed_name: process-previous-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.previous.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.previous.real_user.risk.calculated_score: - dashed_name: process-previous-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.previous.real_user.risk.calculated_score_norm: - dashed_name: process-previous-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.previous.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.previous.real_user.risk.static_level: - dashed_name: process-previous-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: keyword - process.previous.real_user.risk.static_score: - dashed_name: process-previous-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.previous.real_user.risk.static_score_norm: - dashed_name: process-previous-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.previous.real_user.roles: - dashed_name: process-previous-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.previous.same_as_process: - dashed_name: process-previous-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. 
Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.previous.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.previous.saved_group.domain: - dashed_name: process-previous-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.saved_group.id: - dashed_name: process-previous-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.saved_group.name: - dashed_name: process-previous-saved-group-name - description: Name of the group. 
- flat_name: process.previous.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.saved_user.domain: - dashed_name: process-previous-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.previous.saved_user.email: - dashed_name: process-previous-saved-user-email - description: User email address. - flat_name: process.previous.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.previous.saved_user.full_name: - dashed_name: process-previous-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.previous.saved_user.group.domain: - dashed_name: process-previous-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.previous.saved_user.group.id: - dashed_name: process-previous-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.saved_user.group.name: - dashed_name: process-previous-saved-user-group-name - description: Name of the group. - flat_name: process.previous.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.saved_user.hash: - dashed_name: process-previous-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.previous.saved_user.id: - dashed_name: process-previous-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.previous.saved_user.name: - dashed_name: process-previous-saved-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.previous.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.previous.saved_user.risk.calculated_level: - dashed_name: process-previous-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.previous.saved_user.risk.calculated_score: - dashed_name: process-previous-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.previous.saved_user.risk.calculated_score_norm: - dashed_name: process-previous-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.previous.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.previous.saved_user.risk.static_level: - dashed_name: process-previous-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.previous.saved_user.risk.static_score: - dashed_name: process-previous-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.previous.saved_user.risk.static_score_norm: - dashed_name: process-previous-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.previous.saved_user.roles: - dashed_name: process-previous-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.previous.start: - dashed_name: process-previous-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.previous.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.previous.supplemental_groups.domain: - dashed_name: process-previous-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.supplemental_groups.id: - dashed_name: process-previous-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.supplemental_groups.name: - dashed_name: process-previous-supplemental-groups-name - description: Name of the group. - flat_name: process.previous.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.previous.thread.capabilities.effective: - dashed_name: process-previous-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.previous.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.previous.thread.capabilities.permitted: - dashed_name: process-previous-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.previous.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.previous.thread.id: - dashed_name: process-previous-thread-id - description: Thread ID. - example: 4242 - flat_name: process.previous.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.previous.thread.name: - dashed_name: process-previous-thread-name - description: Thread name. - example: thread-0 - flat_name: process.previous.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.previous.title: - dashed_name: process-previous-title - description: 'Process title. - - The proctitle, some times the same as process name. 
Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.previous.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.previous.tty: - dashed_name: process-previous-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.previous.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.previous.tty.char_device.major: - dashed_name: process-previous-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.previous.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.previous.tty.char_device.minor: - dashed_name: process-previous-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.previous.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. 
- type: long - process.previous.tty.columns: - dashed_name: process-previous-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.previous.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.previous.tty.rows: - dashed_name: process-previous-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.previous.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.previous.uptime: - dashed_name: process-previous-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.previous.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.previous.user.domain: - dashed_name: process-previous-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.previous.user.email: - dashed_name: process-previous-user-email - description: User email address. 
- flat_name: process.previous.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.previous.user.full_name: - dashed_name: process-previous-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.previous.user.group.domain: - dashed_name: process-previous-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.user.group.id: - dashed_name: process-previous-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.user.group.name: - dashed_name: process-previous-user-group-name - description: Name of the group. - flat_name: process.previous.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.user.hash: - dashed_name: process-previous-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.previous.user.id: - dashed_name: process-previous-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.previous.user.name: - dashed_name: process-previous-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.previous.user.risk.calculated_level: - dashed_name: process-previous-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.previous.user.risk.calculated_score: - dashed_name: process-previous-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.previous.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.previous.user.risk.calculated_score_norm: - dashed_name: process-previous-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.previous.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.previous.user.risk.static_level: - dashed_name: process-previous-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.previous.user.risk.static_score: - dashed_name: process-previous-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.previous.user.risk.static_score_norm: - dashed_name: process-previous-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.previous.user.roles: - dashed_name: process-previous-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.previous.vpid: - dashed_name: process-previous-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.previous.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.previous.working_directory: - dashed_name: process-previous-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.previous.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. 
- type: keyword - process.real_group.domain: - dashed_name: process-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.real_group.id: - dashed_name: process-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.real_group.name: - dashed_name: process-real-group-name - description: Name of the group. - flat_name: process.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.real_user.domain: - dashed_name: process-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.real_user.email: - dashed_name: process-real-user-email - description: User email address. - flat_name: process.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.real_user.full_name: - dashed_name: process-real-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.real_user.group.domain: - dashed_name: process-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.real_user.group.id: - dashed_name: process-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.real_user.group.name: - dashed_name: process-real-user-group-name - description: Name of the group. - flat_name: process.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.real_user.hash: - dashed_name: process-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.real_user.id: - dashed_name: process-real-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Unique identifier of the user. - type: keyword - process.real_user.name: - dashed_name: process-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Short name or login of the user. - type: keyword - process.real_user.risk.calculated_level: - dashed_name: process-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.real_user.risk.calculated_score: - dashed_name: process-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.real_user.risk.calculated_score_norm: - dashed_name: process-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.real_user.risk.static_level: - dashed_name: process-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.real_user.risk.static_score: - dashed_name: process-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.real_user.risk.static_score_norm: - dashed_name: process-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.real_user.roles: - dashed_name: process-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.responsible.args: - dashed_name: process-responsible-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.responsible.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.responsible.args_count: - dashed_name: process-responsible-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.responsible.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.responsible.attested_groups.domain: - dashed_name: process-responsible-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.responsible.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.attested_groups.id: - dashed_name: process-responsible-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.attested_groups.name: - dashed_name: process-responsible-attested-groups-name - description: Name of the group. - flat_name: process.responsible.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.attested_user.domain: - dashed_name: process-responsible-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.responsible.attested_user.email: - dashed_name: process-responsible-attested-user-email - description: User email address. - flat_name: process.responsible.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.responsible.attested_user.full_name: - dashed_name: process-responsible-attested-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.responsible.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.responsible.attested_user.group.domain: - dashed_name: process-responsible-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.attested_user.group.id: - dashed_name: process-responsible-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.attested_user.group.name: - dashed_name: process-responsible-attested-user-group-name - description: Name of the group. - flat_name: process.responsible.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.attested_user.hash: - dashed_name: process-responsible-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.responsible.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.responsible.attested_user.id: - dashed_name: process-responsible-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.responsible.attested_user.name: - dashed_name: process-responsible-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.responsible.attested_user.risk.calculated_level: - dashed_name: process-responsible-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.responsible.attested_user.risk.calculated_score: - dashed_name: process-responsible-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.responsible.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.responsible.attested_user.risk.calculated_score_norm: - dashed_name: process-responsible-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.responsible.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.responsible.attested_user.risk.static_level: - dashed_name: process-responsible-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.responsible.attested_user.risk.static_score: - dashed_name: process-responsible-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.responsible.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.responsible.attested_user.risk.static_score_norm: - dashed_name: process-responsible-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.responsible.attested_user.roles: - dashed_name: process-responsible-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.responsible.code_signature.digest_algorithm: - dashed_name: process-responsible-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.responsible.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. 
- type: keyword - process.responsible.code_signature.exists: - dashed_name: process-responsible-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.responsible.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.responsible.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-responsible-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.responsible.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.responsible.code_signature.signing_id: - dashed_name: process-responsible-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.responsible.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.responsible.code_signature.status: - dashed_name: process-responsible-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' 
- example: ERROR_UNTRUSTED_ROOT - flat_name: process.responsible.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.responsible.code_signature.subject_name: - dashed_name: process-responsible-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.responsible.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.responsible.code_signature.team_id: - dashed_name: process-responsible-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.responsible.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.responsible.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-responsible-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.responsible.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. 
- type: keyword - process.responsible.code_signature.timestamp: - dashed_name: process-responsible-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.responsible.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.responsible.code_signature.trusted: - dashed_name: process-responsible-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.responsible.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.responsible.code_signature.valid: - dashed_name: process-responsible-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.responsible.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.responsible.command_line: - dashed_name: process-responsible-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.responsible.command_line - level: extended - multi_fields: - - flat_name: process.responsible.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.responsible.elf.architecture: - dashed_name: process-responsible-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.responsible.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.responsible.elf.byte_order: - dashed_name: process-responsible-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.responsible.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.responsible.elf.cpu_type: - dashed_name: process-responsible-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.responsible.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.responsible.elf.creation_date: - dashed_name: process-responsible-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.responsible.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.responsible.elf.exports: - dashed_name: process-responsible-elf-exports - description: List of exported element names and types. 
- flat_name: process.responsible.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.responsible.elf.go_import_hash: - dashed_name: process-responsible-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.responsible.elf.go_imports: - dashed_name: process-responsible-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.responsible.elf.go_imports_names_entropy: - dashed_name: process-responsible-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. 
- type: long - process.responsible.elf.go_imports_names_var_entropy: - dashed_name: process-responsible-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.responsible.elf.go_stripped: - dashed_name: process-responsible-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.responsible.elf.header.abi_version: - dashed_name: process-responsible-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.responsible.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.responsible.elf.header.class: - dashed_name: process-responsible-elf-header-class - description: Header class of the ELF file. - flat_name: process.responsible.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.responsible.elf.header.data: - dashed_name: process-responsible-elf-header-data - description: Data table of the ELF header. 
- flat_name: process.responsible.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.responsible.elf.header.entrypoint: - dashed_name: process-responsible-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.responsible.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.responsible.elf.header.object_version: - dashed_name: process-responsible-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.responsible.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.responsible.elf.header.os_abi: - dashed_name: process-responsible-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.responsible.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.responsible.elf.header.type: - dashed_name: process-responsible-elf-header-type - description: Header type of the ELF file. - flat_name: process.responsible.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.responsible.elf.header.version: - dashed_name: process-responsible-elf-header-version - description: Version of the ELF header. 
- flat_name: process.responsible.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.responsible.elf.import_hash: - dashed_name: process-responsible-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.responsible.elf.imports: - dashed_name: process-responsible-elf-imports - description: List of imported element names and types. - flat_name: process.responsible.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.responsible.elf.imports_names_entropy: - dashed_name: process-responsible-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.responsible.elf.imports_names_var_entropy: - dashed_name: process-responsible-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.responsible.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.responsible.elf.sections: - dashed_name: process-responsible-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.responsible.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.responsible.elf.sections.chi2: - dashed_name: process-responsible-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.responsible.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.responsible.elf.sections.entropy: - dashed_name: process-responsible-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.responsible.elf.sections.flags: - dashed_name: process-responsible-elf-sections-flags - description: ELF Section List flags. - flat_name: process.responsible.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.responsible.elf.sections.name: - dashed_name: process-responsible-elf-sections-name - description: ELF Section List name. 
- flat_name: process.responsible.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.responsible.elf.sections.physical_offset: - dashed_name: process-responsible-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.responsible.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.responsible.elf.sections.physical_size: - dashed_name: process-responsible-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.responsible.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.responsible.elf.sections.type: - dashed_name: process-responsible-elf-sections-type - description: ELF Section List type. - flat_name: process.responsible.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.responsible.elf.sections.var_entropy: - dashed_name: process-responsible-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.responsible.elf.sections.virtual_address: - dashed_name: process-responsible-elf-sections-virtual-address - description: ELF Section List virtual address. 
- flat_name: process.responsible.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.responsible.elf.sections.virtual_size: - dashed_name: process-responsible-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.responsible.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.responsible.elf.segments: - dashed_name: process-responsible-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.responsible.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.responsible.elf.segments.sections: - dashed_name: process-responsible-elf-segments-sections - description: ELF object segment sections. - flat_name: process.responsible.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.responsible.elf.segments.type: - dashed_name: process-responsible-elf-segments-type - description: ELF object segment type. - flat_name: process.responsible.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.responsible.elf.shared_libraries: - dashed_name: process-responsible-elf-shared-libraries - description: List of shared libraries used by this ELF object. 
- flat_name: process.responsible.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.responsible.elf.telfhash: - dashed_name: process-responsible-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.responsible.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.responsible.end: - dashed_name: process-responsible-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.responsible.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.responsible.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-responsible-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.responsible.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.responsible.entity_id: - dashed_name: process-responsible-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' 
- example: c2c455d9f99375d - flat_name: process.responsible.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.responsible.entry_meta.source.address: - dashed_name: process-responsible-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.responsible.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.responsible.entry_meta.source.as.number: - dashed_name: process-responsible-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.responsible.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.responsible.entry_meta.source.as.organization.name: - dashed_name: process-responsible-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.responsible.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. 
- type: keyword - process.responsible.entry_meta.source.bytes: - dashed_name: process-responsible-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.responsible.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.responsible.entry_meta.source.domain: - dashed_name: process-responsible-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.responsible.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.responsible.entry_meta.source.geo.city_name: - dashed_name: process-responsible-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.responsible.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.responsible.entry_meta.source.geo.continent_code: - dashed_name: process-responsible-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.responsible.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.responsible.entry_meta.source.geo.continent_name: - dashed_name: process-responsible-entry-meta-source-geo-continent-name - description: Name of the continent. 
- example: North America - flat_name: process.responsible.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.responsible.entry_meta.source.geo.country_iso_code: - dashed_name: process-responsible-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.responsible.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.responsible.entry_meta.source.geo.country_name: - dashed_name: process-responsible-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.responsible.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.responsible.entry_meta.source.geo.location: - dashed_name: process-responsible-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.responsible.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.responsible.entry_meta.source.geo.name: - dashed_name: process-responsible-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' 
- example: boston-dc - flat_name: process.responsible.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.responsible.entry_meta.source.geo.postal_code: - dashed_name: process-responsible-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.responsible.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.responsible.entry_meta.source.geo.region_iso_code: - dashed_name: process-responsible-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.responsible.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.responsible.entry_meta.source.geo.region_name: - dashed_name: process-responsible-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.responsible.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.responsible.entry_meta.source.geo.timezone: - dashed_name: process-responsible-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.responsible.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. 
- type: keyword - process.responsible.entry_meta.source.ip: - dashed_name: process-responsible-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.responsible.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.responsible.entry_meta.source.mac: - dashed_name: process-responsible-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.responsible.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.responsible.entry_meta.source.nat.ip: - dashed_name: process-responsible-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.responsible.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.responsible.entry_meta.source.nat.port: - dashed_name: process-responsible-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- flat_name: process.responsible.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.responsible.entry_meta.source.packets: - dashed_name: process-responsible-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.responsible.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.responsible.entry_meta.source.port: - dashed_name: process-responsible-entry-meta-source-port - description: Port of the source. - flat_name: process.responsible.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.responsible.entry_meta.source.registered_domain: - dashed_name: process-responsible-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.responsible.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.responsible.entry_meta.source.subdomain: - dashed_name: process-responsible-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.responsible.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.responsible.entry_meta.source.top_level_domain: - dashed_name: process-responsible-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.responsible.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.responsible.entry_meta.type: - dashed_name: process-responsible-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.responsible.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. 
- type: keyword - process.responsible.env_vars: - dashed_name: process-responsible-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.responsible.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.responsible.executable: - dashed_name: process-responsible-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.responsible.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.responsible.exit_code: - dashed_name: process-responsible-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.responsible.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.responsible.group.domain: - dashed_name: process-responsible-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.responsible.group.id: - dashed_name: process-responsible-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.group.name: - dashed_name: process-responsible-group-name - description: Name of the group. - flat_name: process.responsible.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-responsible-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.responsible.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.responsible.hash.md5: - dashed_name: process-responsible-hash-md5 - description: MD5 hash. - flat_name: process.responsible.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.responsible.hash.sha1: - dashed_name: process-responsible-hash-sha1 - description: SHA1 hash. - flat_name: process.responsible.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.responsible.hash.sha256: - dashed_name: process-responsible-hash-sha256 - description: SHA256 hash. 
- flat_name: process.responsible.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.responsible.hash.sha384: - dashed_name: process-responsible-hash-sha384 - description: SHA384 hash. - flat_name: process.responsible.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.responsible.hash.sha512: - dashed_name: process-responsible-hash-sha512 - description: SHA512 hash. - flat_name: process.responsible.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.responsible.hash.ssdeep: - dashed_name: process-responsible-hash-ssdeep - description: SSDEEP hash. - flat_name: process.responsible.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.responsible.hash.tlsh: - dashed_name: process-responsible-hash-tlsh - description: TLSH hash. - flat_name: process.responsible.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.responsible.interactive: - dashed_name: process-responsible-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.responsible.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.responsible.io: - dashed_name: process-responsible-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.responsible.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.responsible.io.bytes_skipped: - dashed_name: process-responsible-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.responsible.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.responsible.io.bytes_skipped.length: - dashed_name: process-responsible-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.responsible.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.responsible.io.bytes_skipped.offset: - dashed_name: process-responsible-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.responsible.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.responsible.io.max_bytes_per_process_exceeded: - dashed_name: process-responsible-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.responsible.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.responsible.io.text: - dashed_name: process-responsible-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.responsible.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.responsible.io.total_bytes_captured: - dashed_name: process-responsible-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.responsible.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. 
- type: long - process.responsible.io.total_bytes_skipped: - dashed_name: process-responsible-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.responsible.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.responsible.io.type: - dashed_name: process-responsible-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.responsible.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.responsible.macho.go_import_hash: - dashed_name: process-responsible-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. 
- type: keyword - process.responsible.macho.go_imports: - dashed_name: process-responsible-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.responsible.macho.go_imports_names_entropy: - dashed_name: process-responsible-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.responsible.macho.go_imports_names_var_entropy: - dashed_name: process-responsible-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.responsible.macho.go_stripped: - dashed_name: process-responsible-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.responsible.macho.import_hash: - dashed_name: process-responsible-macho-import-hash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.responsible.macho.imports: - dashed_name: process-responsible-macho-imports - description: List of imported element names and types. - flat_name: process.responsible.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.responsible.macho.imports_names_entropy: - dashed_name: process-responsible-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.responsible.macho.imports_names_var_entropy: - dashed_name: process-responsible-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.responsible.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.responsible.macho.sections: - dashed_name: process-responsible-macho-sections - description: 'An array containing an object for each section of the Mach-O file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.responsible.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.responsible.macho.sections.entropy: - dashed_name: process-responsible-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.responsible.macho.sections.name: - dashed_name: process-responsible-macho-sections-name - description: Mach-O Section List name. - flat_name: process.responsible.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.responsible.macho.sections.physical_size: - dashed_name: process-responsible-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.responsible.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.responsible.macho.sections.var_entropy: - dashed_name: process-responsible-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. 
- type: long - process.responsible.macho.sections.virtual_size: - dashed_name: process-responsible-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.responsible.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.responsible.macho.symhash: - dashed_name: process-responsible-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.responsible.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.responsible.name: - dashed_name: process-responsible-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.responsible.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.responsible.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-responsible-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. 
- example: http://example.com/article1.html - flat_name: process.responsible.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.responsible.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-responsible-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.responsible.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.responsible.pe.architecture: - dashed_name: process-responsible-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.responsible.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.responsible.pe.company: - dashed_name: process-responsible-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.responsible.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.responsible.pe.description: - dashed_name: process-responsible-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.responsible.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. 
- type: keyword - process.responsible.pe.file_version: - dashed_name: process-responsible-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.responsible.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.responsible.pe.go_import_hash: - dashed_name: process-responsible-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.responsible.pe.go_imports: - dashed_name: process-responsible-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.responsible.pe.go_imports_names_entropy: - dashed_name: process-responsible-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. 
- type: long - process.responsible.pe.go_imports_names_var_entropy: - dashed_name: process-responsible-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.responsible.pe.go_stripped: - dashed_name: process-responsible-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.responsible.pe.imphash: - dashed_name: process-responsible-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.responsible.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.responsible.pe.import_hash: - dashed_name: process-responsible-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.responsible.pe.imports: - dashed_name: process-responsible-pe-imports - description: List of imported element names and types. - flat_name: process.responsible.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.responsible.pe.imports_names_entropy: - dashed_name: process-responsible-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.responsible.pe.imports_names_var_entropy: - dashed_name: process-responsible-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.responsible.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.responsible.pe.original_file_name: - dashed_name: process-responsible-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.responsible.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. 
- type: keyword - process.responsible.pe.pehash: - dashed_name: process-responsible-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.responsible.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.responsible.pe.product: - dashed_name: process-responsible-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.responsible.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.responsible.pe.sections: - dashed_name: process-responsible-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.responsible.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.responsible.pe.sections.entropy: - dashed_name: process-responsible-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. 
- type: long - process.responsible.pe.sections.name: - dashed_name: process-responsible-pe-sections-name - description: PE Section List name. - flat_name: process.responsible.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.responsible.pe.sections.physical_size: - dashed_name: process-responsible-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.responsible.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.responsible.pe.sections.var_entropy: - dashed_name: process-responsible-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.responsible.pe.sections.virtual_size: - dashed_name: process-responsible-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.responsible.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.responsible.pid: - dashed_name: process-responsible-pid - description: Process id. - example: 4242 - flat_name: process.responsible.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.responsible.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.responsible.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.responsible.real_group.domain: - dashed_name: process-responsible-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.real_group.id: - dashed_name: process-responsible-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.real_group.name: - dashed_name: process-responsible-real-group-name - description: Name of the group. - flat_name: process.responsible.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.real_user.domain: - dashed_name: process-responsible-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword - process.responsible.real_user.email: - dashed_name: process-responsible-real-user-email - description: User email address. - flat_name: process.responsible.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.responsible.real_user.full_name: - dashed_name: process-responsible-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.responsible.real_user.group.domain: - dashed_name: process-responsible-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.real_user.group.id: - dashed_name: process-responsible-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.real_user.group.name: - dashed_name: process-responsible-real-user-group-name - description: Name of the group. - flat_name: process.responsible.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.responsible.real_user.hash: - dashed_name: process-responsible-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.responsible.real_user.id: - dashed_name: process-responsible-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.responsible.real_user.name: - dashed_name: process-responsible-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.responsible.real_user.risk.calculated_level: - dashed_name: process-responsible-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.responsible.real_user.risk.calculated_score: - dashed_name: process-responsible-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.responsible.real_user.risk.calculated_score_norm: - dashed_name: process-responsible-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.responsible.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.responsible.real_user.risk.static_level: - dashed_name: process-responsible-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.responsible.real_user.risk.static_score: - dashed_name: process-responsible-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.responsible.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.responsible.real_user.risk.static_score_norm: - dashed_name: process-responsible-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.responsible.real_user.roles: - dashed_name: process-responsible-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.responsible.same_as_process: - dashed_name: process-responsible-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.responsible.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.responsible.saved_group.domain: - dashed_name: process-responsible-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.saved_group.id: - dashed_name: process-responsible-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.saved_group.name: - dashed_name: process-responsible-saved-group-name - description: Name of the group. - flat_name: process.responsible.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.responsible.saved_user.domain: - dashed_name: process-responsible-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.responsible.saved_user.email: - dashed_name: process-responsible-saved-user-email - description: User email address. - flat_name: process.responsible.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.responsible.saved_user.full_name: - dashed_name: process-responsible-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.responsible.saved_user.group.domain: - dashed_name: process-responsible-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.saved_user.group.id: - dashed_name: process-responsible-saved-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.responsible.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.saved_user.group.name: - dashed_name: process-responsible-saved-user-group-name - description: Name of the group. - flat_name: process.responsible.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.saved_user.hash: - dashed_name: process-responsible-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.responsible.saved_user.id: - dashed_name: process-responsible-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.responsible.saved_user.name: - dashed_name: process-responsible-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.responsible.saved_user.risk.calculated_level: - dashed_name: process-responsible-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.responsible.saved_user.risk.calculated_score: - dashed_name: process-responsible-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.responsible.saved_user.risk.calculated_score_norm: - dashed_name: process-responsible-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.responsible.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.responsible.saved_user.risk.static_level: - dashed_name: process-responsible-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.responsible.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.responsible.saved_user.risk.static_score: - dashed_name: process-responsible-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.responsible.saved_user.risk.static_score_norm: - dashed_name: process-responsible-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.responsible.saved_user.roles: - dashed_name: process-responsible-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.responsible.start: - dashed_name: process-responsible-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.responsible.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.responsible.supplemental_groups.domain: - dashed_name: process-responsible-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.supplemental_groups.id: - dashed_name: process-responsible-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.supplemental_groups.name: - dashed_name: process-responsible-supplemental-groups-name - description: Name of the group. - flat_name: process.responsible.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.thread.capabilities.effective: - dashed_name: process-responsible-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.responsible.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.responsible.thread.capabilities.permitted: - dashed_name: process-responsible-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.responsible.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.responsible.thread.id: - dashed_name: process-responsible-thread-id - description: Thread ID. - example: 4242 - flat_name: process.responsible.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.responsible.thread.name: - dashed_name: process-responsible-thread-name - description: Thread name. - example: thread-0 - flat_name: process.responsible.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.responsible.title: - dashed_name: process-responsible-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' 
- flat_name: process.responsible.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.responsible.tty: - dashed_name: process-responsible-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.responsible.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.responsible.tty.char_device.major: - dashed_name: process-responsible-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.responsible.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.responsible.tty.char_device.minor: - dashed_name: process-responsible-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.responsible.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. 
- type: long - process.responsible.tty.columns: - dashed_name: process-responsible-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.responsible.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.responsible.tty.rows: - dashed_name: process-responsible-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.responsible.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.responsible.uptime: - dashed_name: process-responsible-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.responsible.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.responsible.user.domain: - dashed_name: process-responsible-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.responsible.user.email: - dashed_name: process-responsible-user-email - description: User email address. 
- flat_name: process.responsible.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.responsible.user.full_name: - dashed_name: process-responsible-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.responsible.user.group.domain: - dashed_name: process-responsible-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.user.group.id: - dashed_name: process-responsible-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.user.group.name: - dashed_name: process-responsible-user-group-name - description: Name of the group. - flat_name: process.responsible.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.user.hash: - dashed_name: process-responsible-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.responsible.user.id: - dashed_name: process-responsible-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.responsible.user.name: - dashed_name: process-responsible-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.responsible.user.risk.calculated_level: - dashed_name: process-responsible-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.responsible.user.risk.calculated_score: - dashed_name: process-responsible-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.responsible.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.responsible.user.risk.calculated_score_norm: - dashed_name: process-responsible-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.responsible.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.responsible.user.risk.static_level: - dashed_name: process-responsible-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.responsible.user.risk.static_score: - dashed_name: process-responsible-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.responsible.user.risk.static_score_norm: - dashed_name: process-responsible-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.responsible.user.roles: - dashed_name: process-responsible-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.responsible.vpid: - dashed_name: process-responsible-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.responsible.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.responsible.working_directory: - dashed_name: process-responsible-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.responsible.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. 
- type: keyword - process.same_as_process: - dashed_name: process-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.same_as_process - level: extended - name: same_as_process - normalize: [] - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.saved_group.domain: - dashed_name: process-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.saved_group.id: - dashed_name: process-saved-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.saved_group.name: - dashed_name: process-saved-group-name - description: Name of the group. - flat_name: process.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.saved_user.domain: - dashed_name: process-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.saved_user.email: - dashed_name: process-saved-user-email - description: User email address. - flat_name: process.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.saved_user.full_name: - dashed_name: process-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.saved_user.group.domain: - dashed_name: process-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.saved_user.group.id: - dashed_name: process-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.saved_user.group.name: - dashed_name: process-saved-user-group-name - description: Name of the group. - flat_name: process.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.saved_user.hash: - dashed_name: process-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.saved_user.id: - dashed_name: process-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Unique identifier of the user. - type: keyword - process.saved_user.name: - dashed_name: process-saved-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Short name or login of the user. - type: keyword - process.saved_user.risk.calculated_level: - dashed_name: process-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.saved_user.risk.calculated_score: - dashed_name: process-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.saved_user.risk.calculated_score_norm: - dashed_name: process-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.saved_user.risk.static_level: - dashed_name: process-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.saved_user.risk.static_score: - dashed_name: process-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.saved_user.risk.static_score_norm: - dashed_name: process-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.saved_user.roles: - dashed_name: process-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.session_leader.args: - dashed_name: process-session-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.session_leader.args_count: - dashed_name: process-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.session_leader.attested_groups.domain: - dashed_name: process-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.attested_groups.id: - dashed_name: process-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.session_leader.attested_groups.name: - dashed_name: process-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.attested_user.domain: - dashed_name: process-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.attested_user.email: - dashed_name: process-session-leader-attested-user-email - description: User email address. - flat_name: process.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.attested_user.full_name: - dashed_name: process-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.attested_user.group.domain: - dashed_name: process-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.attested_user.group.id: - dashed_name: process-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.attested_user.group.name: - dashed_name: process-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.attested_user.hash: - dashed_name: process-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.attested_user.id: - dashed_name: process-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.session_leader.attested_user.name: - dashed_name: process-session-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.attested_user.risk.calculated_level: - dashed_name: process-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.attested_user.risk.calculated_score: - dashed_name: process-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.attested_user.risk.static_level: - dashed_name: process-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.attested_user.risk.static_score: - dashed_name: process-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.attested_user.roles: - dashed_name: process-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.code_signature.digest_algorithm: - dashed_name: process-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.session_leader.code_signature.exists: - dashed_name: process-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. 
- example: 'true' - flat_name: process.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.session_leader.code_signature.signing_id: - dashed_name: process-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.session_leader.code_signature.status: - dashed_name: process-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword - process.session_leader.code_signature.subject_name: - dashed_name: process-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.session_leader.code_signature.team_id: - dashed_name: process-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.session_leader.code_signature.timestamp: - dashed_name: process-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.session_leader.code_signature.trusted: - dashed_name: process-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.session_leader.code_signature.valid: - dashed_name: process-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.session_leader.command_line: - dashed_name: process-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. 
- type: wildcard - process.session_leader.elf.architecture: - dashed_name: process-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.session_leader.elf.byte_order: - dashed_name: process-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.session_leader.elf.cpu_type: - dashed_name: process-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.session_leader.elf.creation_date: - dashed_name: process-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.session_leader.elf.exports: - dashed_name: process-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. 
- type: flattened - process.session_leader.elf.go_import_hash: - dashed_name: process-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.session_leader.elf.go_imports: - dashed_name: process-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.session_leader.elf.go_imports_names_entropy: - dashed_name: process-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.elf.go_stripped: - dashed_name: process-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.elf.header.abi_version: - dashed_name: process-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.session_leader.elf.header.class: - dashed_name: process-session-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.session_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.session_leader.elf.header.data: - dashed_name: process-session-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.session_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. 
- type: keyword - process.session_leader.elf.header.entrypoint: - dashed_name: process-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.session_leader.elf.header.object_version: - dashed_name: process-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.session_leader.elf.header.os_abi: - dashed_name: process-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.session_leader.elf.header.type: - dashed_name: process-session-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.session_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.session_leader.elf.header.version: - dashed_name: process-session-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.session_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. 
- type: keyword - process.session_leader.elf.import_hash: - dashed_name: process-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.session_leader.elf.imports: - dashed_name: process-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.session_leader.elf.imports_names_entropy: - dashed_name: process-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.elf.imports_names_var_entropy: - dashed_name: process-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.session_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.elf.sections: - dashed_name: process-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.session_leader.elf.sections.chi2: - dashed_name: process-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.session_leader.elf.sections.entropy: - dashed_name: process-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.session_leader.elf.sections.flags: - dashed_name: process-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. 
- type: keyword - process.session_leader.elf.sections.name: - dashed_name: process-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.session_leader.elf.sections.physical_offset: - dashed_name: process-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.session_leader.elf.sections.physical_size: - dashed_name: process-session-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.session_leader.elf.sections.type: - dashed_name: process-session-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.session_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.session_leader.elf.sections.var_entropy: - dashed_name: process-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. 
- type: long - process.session_leader.elf.sections.virtual_address: - dashed_name: process-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.session_leader.elf.sections.virtual_size: - dashed_name: process-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.session_leader.elf.segments: - dashed_name: process-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.session_leader.elf.segments.sections: - dashed_name: process-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.session_leader.elf.segments.type: - dashed_name: process-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. 
- type: keyword - process.session_leader.elf.shared_libraries: - dashed_name: process-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.session_leader.elf.telfhash: - dashed_name: process-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.session_leader.end: - dashed_name: process-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.session_leader.entity_id: - dashed_name: process-session-leader-entity-id - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.session_leader.entry_meta.source.address: - dashed_name: process-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.session_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.session_leader.entry_meta.source.as.number: - dashed_name: process-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.session_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.session_leader.entry_meta.source.bytes: - dashed_name: process-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.session_leader.entry_meta.source.domain: - dashed_name: process-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. 
- example: NA - flat_name: process.session_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.session_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.session_leader.entry_meta.source.geo.location: - dashed_name: process-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. 
- type: geo_point - process.session_leader.entry_meta.source.geo.name: - dashed_name: process-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. 
- type: keyword - process.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.session_leader.entry_meta.source.ip: - dashed_name: process-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.session_leader.entry_meta.source.mac: - dashed_name: process-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.session_leader.entry_meta.source.nat.ip: - dashed_name: process-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.session_leader.entry_meta.source.nat.port: - dashed_name: process-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.session_leader.entry_meta.source.packets: - dashed_name: process-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.session_leader.entry_meta.source.port: - dashed_name: process-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.session_leader.entry_meta.source.registered_domain: - dashed_name: process-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.session_leader.entry_meta.source.subdomain: - dashed_name: process-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.session_leader.entry_meta.type: - dashed_name: process-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.session_leader.env_vars: - dashed_name: process-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.session_leader.executable: - dashed_name: process-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword - process.session_leader.exit_code: - dashed_name: process-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.session_leader.group.domain: - dashed_name: process-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.group.id: - dashed_name: process-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.group.name: - dashed_name: process-session-leader-group-name - description: Name of the group. - flat_name: process.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. 
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.session_leader.hash.md5: - dashed_name: process-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.session_leader.hash.sha1: - dashed_name: process-session-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.session_leader.hash.sha256: - dashed_name: process-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.session_leader.hash.sha384: - dashed_name: process-session-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.session_leader.hash.sha512: - dashed_name: process-session-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.session_leader.hash.ssdeep: - dashed_name: process-session-leader-hash-ssdeep - description: SSDEEP hash. 
- flat_name: process.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.session_leader.hash.tlsh: - dashed_name: process-session-leader-hash-tlsh - description: TLSH hash. - flat_name: process.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.session_leader.interactive: - dashed_name: process-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.session_leader.io: - dashed_name: process-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. 
- type: object - process.session_leader.io.bytes_skipped: - dashed_name: process-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.session_leader.io.bytes_skipped.length: - dashed_name: process-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.session_leader.io.bytes_skipped.offset: - dashed_name: process-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- type: boolean - process.session_leader.io.text: - dashed_name: process-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.session_leader.io.total_bytes_captured: - dashed_name: process-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.session_leader.io.total_bytes_skipped: - dashed_name: process-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.session_leader.io.type: - dashed_name: process-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' 
- flat_name: process.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.session_leader.macho.go_import_hash: - dashed_name: process-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.session_leader.macho.go_imports: - dashed_name: process-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.session_leader.macho.go_imports_names_entropy: - dashed_name: process-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. 
- type: long - process.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.macho.go_stripped: - dashed_name: process-session-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.macho.import_hash: - dashed_name: process-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.macho.imports: - dashed_name: process-session-leader-macho-imports - description: List of imported element names and types. - flat_name: process.session_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. 
- type: flattened - process.session_leader.macho.imports_names_entropy: - dashed_name: process-session-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.macho.imports_names_var_entropy: - dashed_name: process-session-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.macho.sections: - dashed_name: process-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.session_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.session_leader.macho.sections.entropy: - dashed_name: process-session-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. 
- type: long - process.session_leader.macho.sections.name: - dashed_name: process-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.session_leader.macho.sections.physical_size: - dashed_name: process-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.session_leader.macho.sections.var_entropy: - dashed_name: process-session-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.macho.sections.virtual_size: - dashed_name: process-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.session_leader.macho.symhash: - dashed_name: process-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.name: - dashed_name: process-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.session_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.session_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.session_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword - process.session_leader.parent.args: - dashed_name: process-session-leader-parent-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.parent.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.session_leader.parent.args_count: - dashed_name: process-session-leader-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.session_leader.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.session_leader.parent.attested_groups.domain: - dashed_name: process-session-leader-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.attested_groups.id: - dashed_name: process-session-leader-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.session_leader.parent.attested_groups.name: - dashed_name: process-session-leader-parent-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.attested_user.domain: - dashed_name: process-session-leader-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.attested_user.email: - dashed_name: process-session-leader-parent-attested-user-email - description: User email address. - flat_name: process.session_leader.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.attested_user.full_name: - dashed_name: process-session-leader-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.attested_user.group.domain: - dashed_name: process-session-leader-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.attested_user.group.id: - dashed_name: process-session-leader-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.attested_user.group.name: - dashed_name: process-session-leader-parent-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.attested_user.hash: - dashed_name: process-session-leader-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.attested_user.id: - dashed_name: process-session-leader-parent-attested-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.parent.attested_user.name: - dashed_name: process-session-leader-parent-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.parent.attested_user.risk.calculated_level: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.attested_user.risk.calculated_score: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.session_leader.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.attested_user.risk.static_level: - dashed_name: process-session-leader-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.attested_user.risk.static_score: - dashed_name: process-session-leader-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.session_leader.parent.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.attested_user.roles: - dashed_name: process-session-leader-parent-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.code_signature.digest_algorithm: - dashed_name: process-session-leader-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.session_leader.parent.code_signature.exists: - dashed_name: process-session-leader-parent-code-signature-exists - description: Boolean to capture if a signature is present. 
- example: 'true' - flat_name: process.session_leader.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.session_leader.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.session_leader.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.session_leader.parent.code_signature.signing_id: - dashed_name: process-session-leader-parent-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.session_leader.parent.code_signature.status: - dashed_name: process-session-leader-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword - process.session_leader.parent.code_signature.subject_name: - dashed_name: process-session-leader-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.session_leader.parent.code_signature.team_id: - dashed_name: process-session-leader-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.session_leader.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.parent.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.session_leader.parent.code_signature.timestamp: - dashed_name: process-session-leader-parent-code-signature-timestamp - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.parent.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.session_leader.parent.code_signature.trusted: - dashed_name: process-session-leader-parent-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.parent.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.session_leader.parent.code_signature.valid: - dashed_name: process-session-leader-parent-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.session_leader.parent.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.session_leader.parent.command_line: - dashed_name: process-session-leader-parent-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.parent.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.parent.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.session_leader.parent.elf.architecture: - dashed_name: process-session-leader-parent-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.parent.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.session_leader.parent.elf.byte_order: - dashed_name: process-session-leader-parent-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.parent.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.session_leader.parent.elf.cpu_type: - dashed_name: process-session-leader-parent-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.parent.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.session_leader.parent.elf.creation_date: - dashed_name: process-session-leader-parent-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.parent.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. 
- type: date - process.session_leader.parent.elf.exports: - dashed_name: process-session-leader-parent-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.parent.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.session_leader.parent.elf.go_import_hash: - dashed_name: process-session-leader-parent-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.session_leader.parent.elf.go_imports: - dashed_name: process-session-leader-parent-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.session_leader.parent.elf.go_imports_names_entropy: - dashed_name: process-session-leader-parent-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.parent.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.elf.go_stripped: - dashed_name: process-session-leader-parent-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.parent.elf.header.abi_version: - dashed_name: process-session-leader-parent-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.parent.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.session_leader.parent.elf.header.class: - dashed_name: process-session-leader-parent-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.session_leader.parent.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.session_leader.parent.elf.header.data: - dashed_name: process-session-leader-parent-elf-header-data - description: Data table of the ELF header. - flat_name: process.session_leader.parent.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.session_leader.parent.elf.header.entrypoint: - dashed_name: process-session-leader-parent-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.parent.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.session_leader.parent.elf.header.object_version: - dashed_name: process-session-leader-parent-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.parent.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.session_leader.parent.elf.header.os_abi: - dashed_name: process-session-leader-parent-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.parent.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.session_leader.parent.elf.header.type: - dashed_name: process-session-leader-parent-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.session_leader.parent.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.session_leader.parent.elf.header.version: - dashed_name: process-session-leader-parent-elf-header-version - description: Version of the ELF header. - flat_name: process.session_leader.parent.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.session_leader.parent.elf.import_hash: - dashed_name: process-session-leader-parent-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.session_leader.parent.elf.imports: - dashed_name: process-session-leader-parent-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.session_leader.parent.elf.imports_names_entropy: - dashed_name: process-session-leader-parent-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.session_leader.parent.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.parent.elf.imports_names_var_entropy: - dashed_name: process-session-leader-parent-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.elf.sections: - dashed_name: process-session-leader-parent-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.session_leader.parent.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.session_leader.parent.elf.sections.chi2: - dashed_name: process-session-leader-parent-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.parent.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.session_leader.parent.elf.sections.entropy: - dashed_name: process-session-leader-parent-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.session_leader.parent.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.session_leader.parent.elf.sections.flags: - dashed_name: process-session-leader-parent-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.parent.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.session_leader.parent.elf.sections.name: - dashed_name: process-session-leader-parent-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.parent.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.session_leader.parent.elf.sections.physical_offset: - dashed_name: process-session-leader-parent-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.parent.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.session_leader.parent.elf.sections.physical_size: - dashed_name: process-session-leader-parent-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.session_leader.parent.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.session_leader.parent.elf.sections.type: - dashed_name: process-session-leader-parent-elf-sections-type - description: ELF Section List type. 
- flat_name: process.session_leader.parent.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.session_leader.parent.elf.sections.var_entropy: - dashed_name: process-session-leader-parent-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.elf.sections.virtual_address: - dashed_name: process-session-leader-parent-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.parent.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.session_leader.parent.elf.sections.virtual_size: - dashed_name: process-session-leader-parent-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.parent.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.session_leader.parent.elf.segments: - dashed_name: process-session-leader-parent-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.session_leader.parent.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. 
- type: nested - process.session_leader.parent.elf.segments.sections: - dashed_name: process-session-leader-parent-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.parent.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.session_leader.parent.elf.segments.type: - dashed_name: process-session-leader-parent-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.parent.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.session_leader.parent.elf.shared_libraries: - dashed_name: process-session-leader-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.parent.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.session_leader.parent.elf.telfhash: - dashed_name: process-session-leader-parent-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.parent.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.session_leader.parent.end: - dashed_name: process-session-leader-parent-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. 
- type: date - process.session_leader.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.session_leader.parent.entity_id: - dashed_name: process-session-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.session_leader.parent.entry_meta.source.address: - dashed_name: process-session-leader-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' 
- flat_name: process.session_leader.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.session_leader.parent.entry_meta.source.as.number: - dashed_name: process-session-leader-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.session_leader.parent.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.session_leader.parent.entry_meta.source.bytes: - dashed_name: process-session-leader-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.session_leader.parent.entry_meta.source.domain: - dashed_name: process-session-leader-parent-entry-meta-source-domain - description: 'The domain name of the source system. 
- - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.session_leader.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.session_leader.parent.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.session_leader.parent.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.session_leader.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.session_leader.parent.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.session_leader.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. 
- example: CA - flat_name: process.session_leader.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.session_leader.parent.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.session_leader.parent.entry_meta.source.geo.location: - dashed_name: process-session-leader-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.session_leader.parent.entry_meta.source.geo.name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.session_leader.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.session_leader.parent.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. 
- - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.session_leader.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.session_leader.parent.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.session_leader.parent.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.session_leader.parent.entry_meta.source.ip: - dashed_name: process-session-leader-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip - process.session_leader.parent.entry_meta.source.mac: - dashed_name: process-session-leader-parent-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.session_leader.parent.entry_meta.source.nat.ip: - dashed_name: process-session-leader-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.session_leader.parent.entry_meta.source.nat.port: - dashed_name: process-session-leader-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.session_leader.parent.entry_meta.source.packets: - dashed_name: process-session-leader-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. 
- example: 12 - flat_name: process.session_leader.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.session_leader.parent.entry_meta.source.port: - dashed_name: process-session-leader-parent-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.session_leader.parent.entry_meta.source.registered_domain: - dashed_name: process-session-leader-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.session_leader.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.session_leader.parent.entry_meta.source.subdomain: - dashed_name: process-session-leader-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.session_leader.parent.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.session_leader.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.session_leader.parent.entry_meta.type: - dashed_name: process-session-leader-parent-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.session_leader.parent.env_vars: - dashed_name: process-session-leader-parent-env-vars - description: 'Array of environment variable bindings. 
Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.executable: - dashed_name: process-session-leader-parent-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.parent.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.session_leader.parent.exit_code: - dashed_name: process-session-leader-parent-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.parent.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.session_leader.parent.group.domain: - dashed_name: process-session-leader-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.session_leader.parent.group.id: - dashed_name: process-session-leader-parent-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.group.name: - dashed_name: process-session-leader-parent-group-name - description: Name of the group. - flat_name: process.session_leader.parent.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.parent.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.session_leader.parent.hash.md5: - dashed_name: process-session-leader-parent-hash-md5 - description: MD5 hash. - flat_name: process.session_leader.parent.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.session_leader.parent.hash.sha1: - dashed_name: process-session-leader-parent-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.parent.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. 
- type: keyword - process.session_leader.parent.hash.sha256: - dashed_name: process-session-leader-parent-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.parent.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.session_leader.parent.hash.sha384: - dashed_name: process-session-leader-parent-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.parent.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.session_leader.parent.hash.sha512: - dashed_name: process-session-leader-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.session_leader.parent.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.session_leader.parent.hash.ssdeep: - dashed_name: process-session-leader-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.session_leader.parent.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.session_leader.parent.hash.tlsh: - dashed_name: process-session-leader-parent-hash-tlsh - description: TLSH hash. - flat_name: process.session_leader.parent.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.session_leader.parent.interactive: - dashed_name: process-session-leader-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.session_leader.parent.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.session_leader.parent.io: - dashed_name: process-session-leader-parent-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.session_leader.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.session_leader.parent.io.bytes_skipped: - dashed_name: process-session-leader-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.session_leader.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.session_leader.parent.io.bytes_skipped.length: - dashed_name: process-session-leader-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. 
- type: long - process.session_leader.parent.io.bytes_skipped.offset: - dashed_name: process-session-leader-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.session_leader.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.session_leader.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.session_leader.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.session_leader.parent.io.text: - dashed_name: process-session-leader-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.session_leader.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. 
- type: wildcard - process.session_leader.parent.io.total_bytes_captured: - dashed_name: process-session-leader-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.session_leader.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.session_leader.parent.io.total_bytes_skipped: - dashed_name: process-session-leader-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.session_leader.parent.io.type: - dashed_name: process-session-leader-parent-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.session_leader.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.session_leader.parent.macho.go_import_hash: - dashed_name: process-session-leader-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.session_leader.parent.macho.go_imports: - dashed_name: process-session-leader-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.session_leader.parent.macho.go_imports_names_entropy: - dashed_name: process-session-leader-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.parent.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.macho.go_stripped: - dashed_name: process-session-leader-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.parent.macho.import_hash: - dashed_name: process-session-leader-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.parent.macho.imports: - dashed_name: process-session-leader-parent-macho-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. 
- type: flattened - process.session_leader.parent.macho.imports_names_entropy: - dashed_name: process-session-leader-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.parent.macho.imports_names_var_entropy: - dashed_name: process-session-leader-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.macho.sections: - dashed_name: process-session-leader-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.session_leader.parent.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.session_leader.parent.macho.sections.entropy: - dashed_name: process-session-leader-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.session_leader.parent.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.session_leader.parent.macho.sections.name: - dashed_name: process-session-leader-parent-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.parent.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.session_leader.parent.macho.sections.physical_size: - dashed_name: process-session-leader-parent-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.session_leader.parent.macho.sections.var_entropy: - dashed_name: process-session-leader-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.macho.sections.virtual_size: - dashed_name: process-session-leader-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
- type: long - process.session_leader.parent.macho.symhash: - dashed_name: process-session-leader-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.parent.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.parent.name: - dashed_name: process-session-leader-parent-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.parent.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.session_leader.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.session_leader.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.session_leader.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-origin-url - description: The URL where the process's executable file is hosted. 
- example: http://example.com/files/example.exe - flat_name: process.session_leader.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.session_leader.parent.pe.architecture: - dashed_name: process-session-leader-parent-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.session_leader.parent.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.session_leader.parent.pe.company: - dashed_name: process-session-leader-parent-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.session_leader.parent.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.pe.description: - dashed_name: process-session-leader-parent-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.session_leader.parent.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.session_leader.parent.pe.file_version: - dashed_name: process-session-leader-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.session_leader.parent.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. 
- type: keyword - process.session_leader.parent.pe.go_import_hash: - dashed_name: process-session-leader-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.session_leader.parent.pe.go_imports: - dashed_name: process-session-leader-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.session_leader.parent.pe.go_imports_names_entropy: - dashed_name: process-session-leader-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.parent.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.pe.go_stripped: - dashed_name: process-session-leader-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.parent.pe.imphash: - dashed_name: process-session-leader-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.session_leader.parent.pe.import_hash: - dashed_name: process-session-leader-parent-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.session_leader.parent.pe.imports: - dashed_name: process-session-leader-parent-pe-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.session_leader.parent.pe.imports_names_entropy: - dashed_name: process-session-leader-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.parent.pe.imports_names_var_entropy: - dashed_name: process-session-leader-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.pe.original_file_name: - dashed_name: process-session-leader-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - flat_name: process.session_leader.parent.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.pe.pehash: - dashed_name: process-session-leader-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.parent.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.session_leader.parent.pe.product: - dashed_name: process-session-leader-parent-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.session_leader.parent.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.pe.sections: - dashed_name: process-session-leader-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.session_leader.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. 
- type: nested - process.session_leader.parent.pe.sections.entropy: - dashed_name: process-session-leader-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.session_leader.parent.pe.sections.name: - dashed_name: process-session-leader-parent-pe-sections-name - description: PE Section List name. - flat_name: process.session_leader.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.session_leader.parent.pe.sections.physical_size: - dashed_name: process-session-leader-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.session_leader.parent.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.session_leader.parent.pe.sections.var_entropy: - dashed_name: process-session-leader-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.pe.sections.virtual_size: - dashed_name: process-session-leader-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. 
- flat_name: process.session_leader.parent.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.session_leader.parent.pid: - dashed_name: process-session-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.session_leader.parent.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.session_leader.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.session_leader.parent.real_group.domain: - dashed_name: process-session-leader-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.real_group.id: - dashed_name: process-session-leader-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.session_leader.parent.real_group.name: - dashed_name: process-session-leader-parent-real-group-name - description: Name of the group. - flat_name: process.session_leader.parent.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.real_user.domain: - dashed_name: process-session-leader-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.real_user.email: - dashed_name: process-session-leader-parent-real-user-email - description: User email address. - flat_name: process.session_leader.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.real_user.full_name: - dashed_name: process-session-leader-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.real_user.group.domain: - dashed_name: process-session-leader-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.real_user.group.id: - dashed_name: process-session-leader-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.real_user.group.name: - dashed_name: process-session-leader-parent-real-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.real_user.hash: - dashed_name: process-session-leader-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.real_user.id: - dashed_name: process-session-leader-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.session_leader.parent.real_user.name: - dashed_name: process-session-leader-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.parent.real_user.risk.calculated_level: - dashed_name: process-session-leader-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.real_user.risk.calculated_score: - dashed_name: process-session-leader-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.session_leader.parent.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.real_user.risk.static_level: - dashed_name: process-session-leader-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.real_user.risk.static_score: - dashed_name: process-session-leader-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.session_leader.parent.real_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.real_user.roles: - dashed_name: process-session-leader-parent-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.same_as_process: - dashed_name: process-session-leader-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.session_leader.parent.saved_group.domain: - dashed_name: process-session-leader-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.saved_group.id: - dashed_name: process-session-leader-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.saved_group.name: - dashed_name: process-session-leader-parent-saved-group-name - description: Name of the group. - flat_name: process.session_leader.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.session_leader.parent.saved_user.domain: - dashed_name: process-session-leader-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.saved_user.email: - dashed_name: process-session-leader-parent-saved-user-email - description: User email address. - flat_name: process.session_leader.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.saved_user.full_name: - dashed_name: process-session-leader-parent-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.saved_user.group.domain: - dashed_name: process-session-leader-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.session_leader.parent.saved_user.group.id: - dashed_name: process-session-leader-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.saved_user.group.name: - dashed_name: process-session-leader-parent-saved-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.saved_user.hash: - dashed_name: process-session-leader-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.saved_user.id: - dashed_name: process-session-leader-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.parent.saved_user.name: - dashed_name: process-session-leader-parent-saved-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.session_leader.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.parent.saved_user.risk.calculated_level: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.saved_user.risk.calculated_score: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - flat_name: process.session_leader.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.saved_user.risk.static_level: - dashed_name: process-session-leader-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.saved_user.risk.static_score: - dashed_name: process-session-leader-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.parent.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.session_leader.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.saved_user.roles: - dashed_name: process-session-leader-parent-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.args: - dashed_name: process-session-leader-parent-session-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.parent.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.session_leader.parent.session_leader.args_count: - dashed_name: process-session-leader-parent-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.session_leader.parent.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. 
- type: long - process.session_leader.parent.session_leader.attested_groups.domain: - dashed_name: process-session-leader-parent-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.attested_groups.id: - dashed_name: process-session-leader-parent-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.attested_groups.name: - dashed_name: process-session-leader-parent-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.attested_user.domain: - dashed_name: process-session-leader-parent-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword - process.session_leader.parent.session_leader.attested_user.email: - dashed_name: process-session-leader-parent-session-leader-attested-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.session_leader.attested_user.full_name: - dashed_name: process-session-leader-parent-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.session_leader.attested_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.attested_user.group.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.session_leader.parent.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.attested_user.group.name: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.attested_user.hash: - dashed_name: process-session-leader-parent-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.session_leader.attested_user.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.session_leader.parent.session_leader.attested_user.name: - dashed_name: process-session-leader-parent-session-leader-attested-user-name + process.entry_leader.real_user.name: + dashed_name: process-entry-leader-real-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.parent.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.parent.session_leader.attested_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.session_leader.attested_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.session_leader.attested_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.session_leader.attested_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.session_leader.parent.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.session_leader.attested_user.roles: - dashed_name: process-session-leader-parent-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.code_signature.digest_algorithm: - dashed_name: process-session-leader-parent-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.parent.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. 
- type: keyword - process.session_leader.parent.session_leader.code_signature.exists: - dashed_name: process-session-leader-parent-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.session_leader.parent.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.session_leader.parent.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.session_leader.parent.session_leader.code_signature.signing_id: - dashed_name: process-session-leader-parent-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.parent.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.session_leader.parent.session_leader.code_signature.status: - dashed_name: process-session-leader-parent-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.parent.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.session_leader.parent.session_leader.code_signature.subject_name: - dashed_name: process-session-leader-parent-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.parent.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.session_leader.parent.session_leader.code_signature.team_id: - dashed_name: process-session-leader-parent-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.parent.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.session_leader.parent.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.parent.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.session_leader.parent.session_leader.code_signature.timestamp: - dashed_name: process-session-leader-parent-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.parent.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.session_leader.parent.session_leader.code_signature.trusted: - dashed_name: process-session-leader-parent-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.session_leader.parent.session_leader.code_signature.valid: - dashed_name: process-session-leader-parent-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.session_leader.parent.session_leader.command_line: - dashed_name: process-session-leader-parent-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.parent.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.session_leader.parent.session_leader.elf.architecture: - dashed_name: process-session-leader-parent-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.parent.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.session_leader.parent.session_leader.elf.byte_order: - dashed_name: process-session-leader-parent-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.parent.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. 
- type: keyword - process.session_leader.parent.session_leader.elf.cpu_type: - dashed_name: process-session-leader-parent-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.parent.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.session_leader.parent.session_leader.elf.creation_date: - dashed_name: process-session-leader-parent-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.parent.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.session_leader.parent.session_leader.elf.exports: - dashed_name: process-session-leader-parent-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.parent.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.session_leader.parent.session_leader.elf.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.elf.go_import_hash + flat_name: process.entry_leader.real_user.name ignore_above: 1024 - level: extended - name: go_import_hash + level: core + multi_fields: + - flat_name: process.entry_leader.real_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. + original_fieldset: user + short: Short name or login of the user. type: keyword - process.session_leader.parent.session_leader.elf.go_imports: - dashed_name: process-session-leader-parent-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.session_leader.parent.session_leader.elf.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.session_leader.elf.go_stripped: - dashed_name: process-session-leader-parent-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.elf.go_stripped + process.entry_leader.same_as_process: + dashed_name: process-entry-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' 
+ example: true + flat_name: process.entry_leader.same_as_process level: extended - name: go_stripped + name: same_as_process normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. type: boolean - process.session_leader.parent.session_leader.elf.header.abi_version: - dashed_name: process-session-leader-parent-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.parent.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.session_leader.parent.session_leader.elf.header.class: - dashed_name: process-session-leader-parent-session-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.session_leader.parent.session_leader.elf.header.class + process.entry_leader.saved_group.id: + dashed_name: process-entry-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.saved_group.id ignore_above: 1024 level: extended - name: header.class + name: id normalize: [] - original_fieldset: elf - short: Header class of the ELF file. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.parent.session_leader.elf.header.data: - dashed_name: process-session-leader-parent-session-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.session_leader.parent.session_leader.elf.header.data + process.entry_leader.saved_group.name: + dashed_name: process-entry-leader-saved-group-name + description: Name of the group. 
+ flat_name: process.entry_leader.saved_group.name ignore_above: 1024 level: extended - name: header.data + name: name normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + original_fieldset: group + short: Name of the group. type: keyword - process.session_leader.parent.session_leader.elf.header.entrypoint: - dashed_name: process-session-leader-parent-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.parent.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.session_leader.parent.session_leader.elf.header.object_version: - dashed_name: process-session-leader-parent-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.parent.session_leader.elf.header.object_version + process.entry_leader.saved_user.id: + dashed_name: process-entry-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.saved_user.id ignore_above: 1024 - level: extended - name: header.object_version + level: core + name: id normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.session_leader.parent.session_leader.elf.header.os_abi: - dashed_name: process-session-leader-parent-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.parent.session_leader.elf.header.os_abi + process.entry_leader.saved_user.name: + dashed_name: process-entry-leader-saved-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.entry_leader.saved_user.name ignore_above: 1024 - level: extended - name: header.os_abi + level: core + multi_fields: + - flat_name: process.entry_leader.saved_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. + original_fieldset: user + short: Short name or login of the user. type: keyword - process.session_leader.parent.session_leader.elf.header.type: - dashed_name: process-session-leader-parent-session-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.session_leader.parent.session_leader.elf.header.type - ignore_above: 1024 + process.entry_leader.start: + dashed_name: process-entry-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.start level: extended - name: header.type + name: start normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.session_leader.parent.session_leader.elf.header.version: - dashed_name: process-session-leader-parent-session-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.session_leader.parent.session_leader.elf.header.version + original_fieldset: process + short: The time the process started. + type: date + process.entry_leader.supplemental_groups.id: + dashed_name: process-entry-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.supplemental_groups.id ignore_above: 1024 level: extended - name: header.version + name: id normalize: [] - original_fieldset: elf - short: Version of the ELF header. + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
type: keyword - process.session_leader.parent.session_leader.elf.import_hash: - dashed_name: process-session-leader-parent-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.elf.import_hash + process.entry_leader.supplemental_groups.name: + dashed_name: process-entry-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.supplemental_groups.name ignore_above: 1024 level: extended - name: import_hash + name: name normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. + original_fieldset: group + short: Name of the group. type: keyword - process.session_leader.parent.session_leader.elf.imports: - dashed_name: process-session-leader-parent-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.session_leader.parent.session_leader.elf.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. 
- type: long - process.session_leader.parent.session_leader.elf.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.session_leader.elf.imports_names_var_entropy - format: number + process.entry_leader.tty: + dashed_name: process-entry-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.entry_leader.tty level: extended - name: imports_names_var_entropy + name: tty normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.session_leader.elf.sections: - dashed_name: process-session-leader-parent-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.session_leader.parent.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.session_leader.parent.session_leader.elf.sections.chi2: - dashed_name: process-session-leader-parent-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.parent.session_leader.elf.sections.chi2 - format: number + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.entry_leader.tty.char_device.major: + dashed_name: process-entry-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. 
+ The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.tty.char_device.major level: extended - name: sections.chi2 + name: tty.char_device.major normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. + original_fieldset: process + short: The TTY character device's major number. type: long - process.session_leader.parent.session_leader.elf.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.elf.sections.entropy - format: number + process.entry_leader.tty.char_device.minor: + dashed_name: process-entry-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.tty.char_device.minor level: extended - name: sections.entropy + name: tty.char_device.minor normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. + original_fieldset: process + short: The TTY character device's minor number. type: long - process.session_leader.parent.session_leader.elf.sections.flags: - dashed_name: process-session-leader-parent-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.parent.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. 
- type: keyword - process.session_leader.parent.session_leader.elf.sections.name: - dashed_name: process-session-leader-parent-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.parent.session_leader.elf.sections.name + process.entry_leader.user.id: + dashed_name: process-entry-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.user.id ignore_above: 1024 - level: extended - name: sections.name + level: core + name: id normalize: [] - original_fieldset: elf - short: ELF Section List name. + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.session_leader.parent.session_leader.elf.sections.physical_offset: - dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.parent.session_leader.elf.sections.physical_offset + process.entry_leader.user.name: + dashed_name: process-entry-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.user.name ignore_above: 1024 - level: extended - name: sections.physical_offset + level: core + multi_fields: + - flat_name: process.entry_leader.user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: ELF Section List offset. + original_fieldset: user + short: Short name or login of the user. type: keyword - process.session_leader.parent.session_leader.elf.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-size - description: ELF Section List physical size. 
- flat_name: process.session_leader.parent.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size + process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.vpid + format: string + level: core + name: vpid normalize: [] - original_fieldset: elf - short: ELF Section List physical size. + original_fieldset: process + short: Virtual process id. type: long - process.session_leader.parent.session_leader.elf.sections.type: - dashed_name: process-session-leader-parent-session-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.session_leader.parent.session_leader.elf.sections.type + process.entry_leader.working_directory: + dashed_name: process-entry-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.entry_leader.working_directory ignore_above: 1024 level: extended - name: sections.type + multi_fields: + - flat_name: process.entry_leader.working_directory.text + name: text + type: match_only_text + name: working_directory normalize: [] - original_fieldset: elf - short: ELF Section List type. + original_fieldset: process + short: The working directory of the process. type: keyword - process.session_leader.parent.session_leader.elf.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.elf.sections.var_entropy - format: number + process.env_vars: + dashed_name: process-env-vars + description: 'Array of environment variable bindings. 
Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.env_vars + ignore_above: 1024 level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.session_leader.elf.sections.virtual_address: - dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_address - format: string + name: env_vars + normalize: + - array + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.executable: + dashed_name: process-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.executable + ignore_above: 1024 level: extended - name: sections.virtual_address + multi_fields: + - flat_name: process.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.session_leader.parent.session_leader.elf.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_size - format: string + otel: + - attribute: process.executable.path + relation: equivalent + stability: development + short: Absolute path to the process executable. + type: keyword + process.exit_code: + dashed_name: process-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' 
+ example: 137 + flat_name: process.exit_code level: extended - name: sections.virtual_size + name: exit_code normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. + short: The exit code of the process. type: long - process.session_leader.parent.session_leader.elf.segments: - dashed_name: process-session-leader-parent-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.session_leader.parent.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.session_leader.parent.session_leader.elf.segments.sections: - dashed_name: process-session-leader-parent-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.parent.session_leader.elf.segments.sections + process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group.id ignore_above: 1024 level: extended - name: segments.sections + name: id normalize: [] - original_fieldset: elf - short: ELF object segment sections. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.parent.session_leader.elf.segments.type: - dashed_name: process-session-leader-parent-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.parent.session_leader.elf.segments.type + process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name ignore_above: 1024 level: extended - name: segments.type + name: name normalize: [] - original_fieldset: elf - short: ELF object segment type. 
+ original_fieldset: group + short: Name of the group. type: keyword - process.session_leader.parent.session_leader.elf.shared_libraries: - dashed_name: process-session-leader-parent-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.parent.session_leader.elf.shared_libraries + process.group_leader.args: + dashed_name: process-group-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.group_leader.args ignore_above: 1024 level: extended - name: shared_libraries + name: args normalize: - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.session_leader.parent.session_leader.elf.telfhash: - dashed_name: process-session-leader-parent-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.parent.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. + original_fieldset: process + short: Array of process arguments. type: keyword - process.session_leader.parent.session_leader.end: - dashed_name: process-session-leader-parent-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.end + process.group_leader.args_count: + dashed_name: process-group-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' 
+ example: 4 + flat_name: process.group_leader.args_count level: extended - name: end + name: args_count normalize: [] original_fieldset: process - short: The time the process ended. - type: date - process.session_leader.parent.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.parent.session_leader.endpoint_security_client + short: Length of the process.args array. + type: long + process.group_leader.command_line: + dashed_name: process-group-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.group_leader.command_line level: extended - name: endpoint_security_client + multi_fields: + - flat_name: process.group_leader.command_line.text + name: text + type: match_only_text + name: command_line normalize: [] original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.session_leader.parent.session_leader.entity_id: - dashed_name: process-session-leader-parent-session-leader-entity-id + short: Full command line that started the process. + type: wildcard + process.group_leader.entity_id: + dashed_name: process-group-leader-entity-id description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples 
@@ -44619,461 +12767,375 @@ process: PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d - flat_name: process.session_leader.parent.session_leader.entity_id + flat_name: process.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.group_leader.executable: + dashed_name: process-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.group_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.group_leader.group.id: + dashed_name: process-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.group.id ignore_above: 1024 level: extended - name: entity_id + name: id normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.parent.session_leader.entry_meta.source.address: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' 
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.address + process.group_leader.group.name: + dashed_name: process-group-leader-group-name + description: Name of the group. + flat_name: process.group_leader.group.name ignore_above: 1024 level: extended - name: address + name: name normalize: [] - original_fieldset: source - short: Source network address. + original_fieldset: group + short: Name of the group. type: keyword - process.session_leader.parent.session_leader.entry_meta.source.as.number: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.number + process.group_leader.interactive: + dashed_name: process-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.group_leader.interactive level: extended - name: number + name: interactive normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. 
- type: long - process.session_leader.parent.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.group_leader.name: + dashed_name: process-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.group_leader.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text + - flat_name: process.group_leader.name.text name: text type: match_only_text - name: organization.name + name: name normalize: [] - original_fieldset: as - short: Organization name. + original_fieldset: process + short: Process name. type: keyword - process.session_leader.parent.session_leader.entry_meta.source.bytes: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.bytes - format: bytes + process.group_leader.pid: + dashed_name: process-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.group_leader.pid + format: string level: core - name: bytes + name: pid normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. + original_fieldset: process + otel: + - relation: match + stability: development + short: Process id. 
type: long - process.session_leader.parent.session_leader.entry_meta.source.domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.session_leader.parent.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code + process.group_leader.real_group.id: + dashed_name: process-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.real_group.id ignore_above: 1024 - level: core - name: continent_code + level: extended + name: id normalize: [] - original_fieldset: geo - short: Continent code. + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name + process.group_leader.real_group.name: + dashed_name: process-group-leader-real-group-name + description: Name of the group. + flat_name: process.group_leader.real_group.name ignore_above: 1024 - level: core - name: continent_name + level: extended + name: name normalize: [] - original_fieldset: geo - short: Name of the continent. + original_fieldset: group + short: Name of the group. type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + process.group_leader.real_user.id: + dashed_name: process-group-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.real_user.id ignore_above: 1024 level: core - name: country_iso_code + name: id normalize: [] - original_fieldset: geo - short: Country ISO code. + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_name + process.group_leader.real_user.name: + dashed_name: process-group-leader-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.group_leader.real_user.name ignore_above: 1024 level: core - name: country_name + multi_fields: + - flat_name: process.group_leader.real_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: geo - short: Country name. + original_fieldset: user + short: Short name or login of the user. type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.location: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.session_leader.parent.session_leader.entry_meta.source.geo.name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. + process.group_leader.same_as_process: + dashed_name: process-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. - Not typically used in automated geolocation.' 
- example: boston-dc - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.group_leader.same_as_process + level: extended + name: same_as_process normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. 
- example: CA-QC - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.group_leader.saved_group.id: + dashed_name: process-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.saved_group.id ignore_above: 1024 - level: core - name: region_iso_code + level: extended + name: id normalize: [] - original_fieldset: geo - short: Region ISO code. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_name + process.group_leader.saved_group.name: + dashed_name: process-group-leader-saved-group-name + description: Name of the group. + flat_name: process.group_leader.saved_group.name ignore_above: 1024 - level: core - name: region_name + level: extended + name: name normalize: [] - original_fieldset: geo - short: Region name. + original_fieldset: group + short: Name of the group. type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.timezone + process.group_leader.saved_user.id: + dashed_name: process-group-leader-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.saved_user.id ignore_above: 1024 level: core - name: timezone + name: id normalize: [] - original_fieldset: geo - short: Time zone. + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.session_leader.parent.session_leader.entry_meta.source.ip: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.parent.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.session_leader.parent.session_leader.entry_meta.source.mac: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.mac + process.group_leader.saved_user.name: + dashed_name: process-group-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.saved_user.name ignore_above: 1024 level: core - name: mac + multi_fields: + - flat_name: process.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. + original_fieldset: user + short: Short name or login of the user. 
type: keyword - process.session_leader.parent.session_leader.entry_meta.source.nat.ip: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.session_leader.parent.session_leader.entry_meta.source.nat.port: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.port - format: string + process.group_leader.start: + dashed_name: process-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.start level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.session_leader.parent.session_leader.entry_meta.source.packets: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.session_leader.parent.session_leader.entry_meta.source.port: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-port - description: Port of the source. 
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.port - format: string - level: core - name: port + name: start normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.session_leader.parent.session_leader.entry_meta.source.registered_domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.session_leader.parent.session_leader.entry_meta.source.registered_domain + original_fieldset: process + short: The time the process started. + type: date + process.group_leader.supplemental_groups.id: + dashed_name: process-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.supplemental_groups.id ignore_above: 1024 level: extended - name: registered_domain + name: id normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.parent.session_leader.entry_meta.source.subdomain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.parent.session_leader.entry_meta.source.subdomain + process.group_leader.supplemental_groups.name: + dashed_name: process-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.group_leader.supplemental_groups.name ignore_above: 1024 level: extended - name: subdomain + name: name normalize: [] - original_fieldset: source - short: The subdomain of the domain. + original_fieldset: group + short: Name of the group. type: keyword - process.session_leader.parent.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.session_leader.parent.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 + process.group_leader.tty: + dashed_name: process-group-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. 
+ flat_name: process.group_leader.tty level: extended - name: top_level_domain + name: tty normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.session_leader.parent.session_leader.entry_meta.type: - dashed_name: process-session-leader-parent-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.parent.session_leader.entry_meta.type - ignore_above: 1024 + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.group_leader.tty.char_device.major: + dashed_name: process-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.group_leader.tty.char_device.major level: extended - name: entry_meta.type + name: tty.char_device.major normalize: [] original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.session_leader.parent.session_leader.env_vars: - dashed_name: process-session-leader-parent-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.parent.session_leader.env_vars - ignore_above: 1024 + short: The TTY character device's major number. 
+ type: long + process.group_leader.tty.char_device.minor: + dashed_name: process-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.group_leader.tty.char_device.minor level: extended - name: env_vars - normalize: - - array + name: tty.char_device.minor + normalize: [] original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none + short: The TTY character device's minor number. + type: long + process.group_leader.user.id: + dashed_name: process-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.session_leader.parent.session_leader.executable: - dashed_name: process-session-leader-parent-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.parent.session_leader.executable + process.group_leader.user.name: + dashed_name: process-group-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.user.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.session_leader.parent.session_leader.executable.text + - flat_name: process.group_leader.user.name.text name: text type: match_only_text - name: executable + name: name normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
+ original_fieldset: user + short: Short name or login of the user. type: keyword - process.session_leader.parent.session_leader.exit_code: - dashed_name: process-session-leader-parent-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. + process.group_leader.vpid: + dashed_name: process-group-leader-vpid + description: 'Virtual process id. - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.parent.session_leader.exit_code - level: extended - name: exit_code + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.group_leader.vpid + format: string + level: core + name: vpid normalize: [] original_fieldset: process - short: The exit code of the process. + short: Virtual process id. type: long - process.session_leader.parent.session_leader.group.domain: - dashed_name: process-session-leader-parent-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.group.id: - dashed_name: process-session-leader-parent-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.session_leader.parent.session_leader.group.name: - dashed_name: process-session-leader-parent-session-leader-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.group.name + process.group_leader.working_directory: + dashed_name: process-group-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.group_leader.working_directory ignore_above: 1024 level: extended - name: name + multi_fields: + - flat_name: process.group_leader.working_directory.text + name: text + type: match_only_text + name: working_directory normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: process + short: The working directory of the process. type: keyword - process.session_leader.parent.session_leader.hash.cdhash: + process.hash.cdhash: beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-hash-cdhash + dashed_name: process-hash-cdhash description: Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code. example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.parent.session_leader.hash.cdhash + flat_name: process.hash.cdhash ignore_above: 1024 level: extended name: cdhash @@ -45081,10 +13143,10 @@ process: original_fieldset: hash short: The Code Directory (CD) hash of an executable. type: keyword - process.session_leader.parent.session_leader.hash.md5: - dashed_name: process-session-leader-parent-session-leader-hash-md5 + process.hash.md5: + dashed_name: process-hash-md5 description: MD5 hash. - flat_name: process.session_leader.parent.session_leader.hash.md5 + flat_name: process.hash.md5 ignore_above: 1024 level: extended name: md5 
@@ -45092,10 +13154,10 @@ process: original_fieldset: hash short: MD5 hash. type: keyword - process.session_leader.parent.session_leader.hash.sha1: - dashed_name: process-session-leader-parent-session-leader-hash-sha1 + process.hash.sha1: + dashed_name: process-hash-sha1 description: SHA1 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha1 + flat_name: process.hash.sha1 ignore_above: 1024 level: extended name: sha1 @@ -45103,10 +13165,10 @@ process: original_fieldset: hash short: SHA1 hash. type: keyword - process.session_leader.parent.session_leader.hash.sha256: - dashed_name: process-session-leader-parent-session-leader-hash-sha256 + process.hash.sha256: + dashed_name: process-hash-sha256 description: SHA256 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha256 + flat_name: process.hash.sha256 ignore_above: 1024 level: extended name: sha256 @@ -45114,10 +13176,10 @@ process: original_fieldset: hash short: SHA256 hash. type: keyword - process.session_leader.parent.session_leader.hash.sha384: - dashed_name: process-session-leader-parent-session-leader-hash-sha384 + process.hash.sha384: + dashed_name: process-hash-sha384 description: SHA384 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha384 + flat_name: process.hash.sha384 ignore_above: 1024 level: extended name: sha384 @@ -45125,10 +13187,10 @@ process: original_fieldset: hash short: SHA384 hash. type: keyword - process.session_leader.parent.session_leader.hash.sha512: - dashed_name: process-session-leader-parent-session-leader-hash-sha512 + process.hash.sha512: + dashed_name: process-hash-sha512 description: SHA512 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha512 + flat_name: process.hash.sha512 ignore_above: 1024 level: extended name: sha512 
@@ -45136,10 +13198,10 @@ process: original_fieldset: hash short: SHA512 hash. type: keyword - process.session_leader.parent.session_leader.hash.ssdeep: - dashed_name: process-session-leader-parent-session-leader-hash-ssdeep + process.hash.ssdeep: + dashed_name: process-hash-ssdeep description: SSDEEP hash. - flat_name: process.session_leader.parent.session_leader.hash.ssdeep + flat_name: process.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep @@ -45147,10 +13209,10 @@ process: original_fieldset: hash short: SSDEEP hash. type: keyword - process.session_leader.parent.session_leader.hash.tlsh: - dashed_name: process-session-leader-parent-session-leader-hash-tlsh + process.hash.tlsh: + dashed_name: process-hash-tlsh description: TLSH hash. - flat_name: process.session_leader.parent.session_leader.hash.tlsh + flat_name: process.hash.tlsh ignore_above: 1024 level: extended name: tlsh @@ -45158,8 +13220,8 @@ process: original_fieldset: hash short: TLSH hash. type: keyword - process.session_leader.parent.session_leader.interactive: - dashed_name: process-session-leader-parent-session-leader-interactive + process.interactive: + dashed_name: process-interactive description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If 
@@ -45172,75 +13234,72 @@ process: backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true - flat_name: process.session_leader.parent.session_leader.interactive + flat_name: process.interactive level: extended name: interactive normalize: [] - original_fieldset: process + otel: + - relation: match + stability: development short: Whether the process is connected to an interactive shell. type: boolean - process.session_leader.parent.session_leader.io: - dashed_name: process-session-leader-parent-session-leader-io + process.io: + dashed_name: process-io description: 'A chunk of input or output (IO) from a single process. This field only appears on the top level process object, which is the process that wrote the output or read the input.' - flat_name: process.session_leader.parent.session_leader.io + flat_name: process.io level: extended name: io normalize: [] - original_fieldset: process short: A chunk of input or output (IO) from a single process. type: object - process.session_leader.parent.session_leader.io.bytes_skipped: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped + process.io.bytes_skipped: + dashed_name: process-io-bytes-skipped description: An array of byte offsets and lengths denoting where IO data has been skipped. - flat_name: process.session_leader.parent.session_leader.io.bytes_skipped + flat_name: process.io.bytes_skipped level: extended name: io.bytes_skipped normalize: - array - original_fieldset: process short: An array of byte offsets and lengths denoting where IO data has been skipped. type: object - process.session_leader.parent.session_leader.io.bytes_skipped.length: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-length + process.io.bytes_skipped.length: + dashed_name: process-io-bytes-skipped-length description: The length of bytes skipped. 
- flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.length + flat_name: process.io.bytes_skipped.length level: extended name: io.bytes_skipped.length normalize: [] - original_fieldset: process short: The length of bytes skipped. type: long - process.session_leader.parent.session_leader.io.bytes_skipped.offset: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-offset + process.io.bytes_skipped.offset: + dashed_name: process-io-bytes-skipped-offset description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. - flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.offset + flat_name: process.io.bytes_skipped.offset level: extended name: io.bytes_skipped.offset normalize: [] - original_fieldset: process short: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. type: long - process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-parent-session-leader-io-max-bytes-per-process-exceeded + process.io.max_bytes_per_process_exceeded: + dashed_name: process-io-max-bytes-per-process-exceeded description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. - flat_name: process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded + flat_name: process.io.max_bytes_per_process_exceeded level: extended name: io.max_bytes_per_process_exceeded normalize: [] - original_fieldset: process short: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. type: boolean - process.session_leader.parent.session_leader.io.text: - dashed_name: process-session-leader-parent-session-leader-io-text + process.io.text: + dashed_name: process-io-text description: 'A chunk of output or input sanitized to UTF-8. 
Best efforts are made to ensure complete lines are captured in these events. 
@@ -45248,54 +13307,524 @@ process: event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.session_leader.parent.session_leader.io.text + flat_name: process.io.text level: extended name: io.text normalize: [] - original_fieldset: process short: A chunk of output or input sanitized to UTF-8. type: wildcard - process.session_leader.parent.session_leader.io.total_bytes_captured: - dashed_name: process-session-leader-parent-session-leader-io-total-bytes-captured + process.io.total_bytes_captured: + dashed_name: process-io-total-bytes-captured description: The total number of bytes captured in this event. - flat_name: process.session_leader.parent.session_leader.io.total_bytes_captured + flat_name: process.io.total_bytes_captured level: extended name: io.total_bytes_captured normalize: [] - original_fieldset: process short: The total number of bytes captured in this event. type: long - process.session_leader.parent.session_leader.io.total_bytes_skipped: - dashed_name: process-session-leader-parent-session-leader-io-total-bytes-skipped + process.io.total_bytes_skipped: + dashed_name: process-io-total-bytes-skipped description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero - flat_name: process.session_leader.parent.session_leader.io.total_bytes_skipped + flat_name: process.io.total_bytes_skipped level: extended name: io.total_bytes_skipped normalize: [] - original_fieldset: process short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. 
type: long - process.session_leader.parent.session_leader.io.type: - dashed_name: process-session-leader-parent-session-leader-io-type + process.io.type: + dashed_name: process-io-type description: 'The type of object on which the IO action (read or write) was taken. Currently only ''tty'' is supported. Other types may be added in the future for ''file'' and ''socket'' support.' - flat_name: process.session_leader.parent.session_leader.io.type + flat_name: process.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.macho.go_import_hash: + dashed_name: process-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.macho.go_imports: + dashed_name: process-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.macho.go_imports_names_entropy: + dashed_name: process-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.macho.go_imports_names_var_entropy: + dashed_name: process-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.macho.go_stripped: + dashed_name: process-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.macho.import_hash: + dashed_name: process-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.macho.imports: + dashed_name: process-macho-imports + description: List of imported element names and types. 
+ flat_name: process.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.macho.imports_names_entropy: + dashed_name: process-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.macho.imports_names_var_entropy: + dashed_name: process-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.macho.sections: + dashed_name: process-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.macho.sections.entropy: + dashed_name: process-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. 
+ type: long + process.macho.sections.name: + dashed_name: process-macho-sections-name + description: Mach-O Section List name. + flat_name: process.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.macho.sections.physical_size: + dashed_name: process-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.macho.sections.var_entropy: + dashed_name: process-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.macho.sections.virtual_size: + dashed_name: process-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.macho.symhash: + dashed_name: process-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.name: + dashed_name: process-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: Process name. + type: keyword + process.parent.args: + dashed_name: process-parent-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.parent.args_count: + dashed_name: process-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.parent.code_signature.digest_algorithm: + dashed_name: process-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' 
+ example: sha256 + flat_name: process.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.parent.code_signature.status: + dashed_name: process-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.parent.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.parent.code_signature.timestamp: + dashed_name: process-parent-code-signature-timestamp + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + flat_name: process.parent.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.parent.command_line: + dashed_name: process-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.parent.command_line + level: extended + multi_fields: + - flat_name: process.parent.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. 
+ type: wildcard + process.parent.elf.architecture: + dashed_name: process-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.parent.elf.byte_order: + dashed_name: process-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.parent.elf.byte_order ignore_above: 1024 level: extended - name: io.type + name: byte_order normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. + original_fieldset: elf + short: Byte sequence of ELF file. type: keyword - process.session_leader.parent.session_leader.macho.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard + process.parent.elf.cpu_type: + dashed_name: process-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.parent.elf.creation_date: + dashed_name: process-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.parent.elf.exports: + dashed_name: process-parent-elf-exports + description: List of exported element names and types. 
+ flat_name: process.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.parent.elf.go_import_hash: + dashed_name: process-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
@@ -45303,291 +13832,638 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.macho.go_import_hash + flat_name: process.parent.elf.go_import_hash ignore_above: 1024 level: extended name: go_import_hash normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. type: keyword - process.session_leader.parent.session_leader.macho.go_imports: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports + process.parent.elf.go_imports: + dashed_name: process-parent-elf-go-imports description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.macho.go_imports + flat_name: process.parent.elf.go_imports level: extended name: go_imports normalize: [] - original_fieldset: macho + original_fieldset: elf short: List of imported Go language element names and types. type: flattened - process.session_leader.parent.session_leader.macho.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-entropy + process.parent.elf.go_imports_names_entropy: + dashed_name: process-parent-elf-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_entropy + flat_name: process.parent.elf.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy normalize: [] - original_fieldset: macho + original_fieldset: elf short: Shannon entropy calculation from the list of Go imports. 
type: long - process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-var-entropy + process.parent.elf.go_imports_names_var_entropy: + dashed_name: process-parent-elf-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy + flat_name: process.parent.elf.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy normalize: [] - original_fieldset: macho + original_fieldset: elf short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.session_leader.parent.session_leader.macho.go_stripped: - dashed_name: process-session-leader-parent-session-leader-macho-go-stripped + process.parent.elf.go_stripped: + dashed_name: process-parent-elf-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.macho.go_stripped + flat_name: process.parent.elf.go_stripped level: extended name: go_stripped normalize: [] - original_fieldset: macho + original_fieldset: elf short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.session_leader.parent.session_leader.macho.import_hash: - dashed_name: process-session-leader-parent-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + process.parent.elf.header.abi_version: + dashed_name: process-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). 
+ flat_name: process.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.parent.elf.header.class: + dashed_name: process-parent-elf-header-class + description: Header class of the ELF file. + flat_name: process.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.parent.elf.header.data: + dashed_name: process-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.parent.elf.header.entrypoint: + dashed_name: process-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.parent.elf.header.object_version: + dashed_name: process-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.parent.elf.header.os_abi: + dashed_name: process-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. 
+ type: keyword + process.parent.elf.header.type: + dashed_name: process-parent-elf-header-type + description: Header type of the ELF file. + flat_name: process.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.parent.elf.header.version: + dashed_name: process-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.parent.elf.import_hash: + dashed_name: process-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. - This is a synonym for symhash.' + This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.macho.import_hash + flat_name: process.parent.elf.import_hash ignore_above: 1024 level: extended name: import_hash normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. + original_fieldset: elf + short: A hash of the imports in an ELF file. type: keyword - process.session_leader.parent.session_leader.macho.imports: - dashed_name: process-session-leader-parent-session-leader-macho-imports + process.parent.elf.imports: + dashed_name: process-parent-elf-imports description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.macho.imports + flat_name: process.parent.elf.imports level: extended name: imports normalize: - array - original_fieldset: macho + original_fieldset: elf short: List of imported element names and types. 
type: flattened - process.session_leader.parent.session_leader.macho.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-imports-names-entropy + process.parent.elf.imports_names_entropy: + dashed_name: process-parent-elf-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.parent.session_leader.macho.imports_names_entropy + flat_name: process.parent.elf.imports_names_entropy format: number level: extended name: imports_names_entropy normalize: [] - original_fieldset: macho + original_fieldset: elf short: Shannon entropy calculation from the list of imported element names and types. type: long - process.session_leader.parent.session_leader.macho.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-imports-names-var-entropy + process.parent.elf.imports_names_var_entropy: + dashed_name: process-parent-elf-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.parent.session_leader.macho.imports_names_var_entropy + flat_name: process.parent.elf.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy normalize: [] - original_fieldset: macho + original_fieldset: elf short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.session_leader.parent.session_leader.macho.sections: - dashed_name: process-session-leader-parent-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. + process.parent.elf.sections: + dashed_name: process-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' 
- flat_name: process.session_leader.parent.session_leader.macho.sections + underneath `elf.sections.*`.' + flat_name: process.parent.elf.sections level: extended name: sections normalize: - array - original_fieldset: macho - short: Section information of the Mach-O file. + original_fieldset: elf + short: Section information of the ELF file. type: nested - process.session_leader.parent.session_leader.macho.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-macho-sections-entropy + process.parent.elf.sections.chi2: + dashed_name: process-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.parent.elf.sections.entropy: + dashed_name: process-parent-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.macho.sections.entropy + flat_name: process.parent.elf.sections.entropy format: number level: extended name: sections.entropy normalize: [] - original_fieldset: macho + original_fieldset: elf short: Shannon entropy calculation from the section. type: long - process.session_leader.parent.session_leader.macho.sections.name: - dashed_name: process-session-leader-parent-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.parent.session_leader.macho.sections.name + process.parent.elf.sections.flags: + dashed_name: process-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. 
+ type: keyword + process.parent.elf.sections.name: + dashed_name: process-parent-elf-sections-name + description: ELF Section List name. + flat_name: process.parent.elf.sections.name ignore_above: 1024 level: extended name: sections.name normalize: [] - original_fieldset: macho - short: Mach-O Section List name. + original_fieldset: elf + short: ELF Section List name. type: keyword - process.session_leader.parent.session_leader.macho.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.parent.session_leader.macho.sections.physical_size + process.parent.elf.sections.physical_offset: + dashed_name: process-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.parent.elf.sections.physical_size: + dashed_name: process-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.parent.elf.sections.physical_size format: bytes level: extended name: sections.physical_size normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. + original_fieldset: elf + short: ELF Section List physical size. type: long - process.session_leader.parent.session_leader.macho.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-sections-var-entropy + process.parent.elf.sections.type: + dashed_name: process-parent-elf-sections-type + description: ELF Section List type. + flat_name: process.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. 
+ type: keyword + process.parent.elf.sections.var_entropy: + dashed_name: process-parent-elf-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.macho.sections.var_entropy + flat_name: process.parent.elf.sections.var_entropy format: number level: extended name: sections.var_entropy normalize: [] - original_fieldset: macho + original_fieldset: elf short: Variance for Shannon entropy calculation from the section. type: long - process.session_leader.parent.session_leader.macho.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.session_leader.macho.sections.virtual_size + process.parent.elf.sections.virtual_address: + dashed_name: process-parent-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.parent.elf.sections.virtual_size: + dashed_name: process-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.elf.sections.virtual_size format: string level: extended name: sections.virtual_size normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. + original_fieldset: elf + short: ELF Section List virtual size. type: long - process.session_leader.parent.session_leader.macho.symhash: - dashed_name: process-session-leader-parent-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + process.parent.elf.segments: + dashed_name: process-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.parent.session_leader.macho.symhash + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.parent.elf.segments.sections: + dashed_name: process-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.elf.segments.sections ignore_above: 1024 level: extended - name: symhash + name: segments.sections normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. + original_fieldset: elf + short: ELF object segment sections. type: keyword - process.session_leader.parent.session_leader.name: - dashed_name: process-session-leader-parent-session-leader-name - description: 'Process name. + process.parent.elf.segments.type: + dashed_name: process-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.parent.elf.shared_libraries: + dashed_name: process-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: process.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.parent.elf.telfhash: + dashed_name: process-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.parent.end: + dashed_name: process-parent-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.parent.entity_id: + dashed_name: process-parent-entity-id + description: 'Unique identifier for the process. - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.parent.session_leader.name + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.parent.executable: + dashed_name: process-parent-executable + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + flat_name: process.parent.executable ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.parent.session_leader.name.text + - flat_name: process.parent.executable.text name: text type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.parent.exit_code: + dashed_name: process-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.parent.group.id: + dashed_name: process-parent-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group.name: + dashed_name: process-parent-group-name + description: Name of the group. + flat_name: process.parent.group.name + ignore_above: 1024 + level: extended name: name normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.entity_id: + dashed_name: process-parent-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.parent.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.parent.group_leader.pid: + dashed_name: process-parent-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.parent.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.parent.group_leader.start: + dashed_name: process-parent-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.parent.hash.md5: + dashed_name: process-parent-hash-md5 + description: MD5 hash. + flat_name: process.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. type: keyword - process.session_leader.parent.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.session_leader.parent.session_leader.origin_referrer_url - ignore_above: 8192 + process.parent.hash.sha1: + dashed_name: process-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.parent.hash.sha1 + ignore_above: 1024 level: extended - name: origin_referrer_url + name: sha1 normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. + original_fieldset: hash + short: SHA1 hash. type: keyword - process.session_leader.parent.session_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.session_leader.parent.session_leader.origin_url - ignore_above: 8192 + process.parent.hash.sha256: + dashed_name: process-parent-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.parent.hash.sha256 + ignore_above: 1024 level: extended - name: origin_url + name: sha256 normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. + original_fieldset: hash + short: SHA256 hash. type: keyword - process.session_leader.parent.session_leader.pe.architecture: - dashed_name: process-session-leader-parent-session-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.session_leader.parent.session_leader.pe.architecture + process.parent.hash.sha384: + dashed_name: process-parent-hash-sha384 + description: SHA384 hash. + flat_name: process.parent.hash.sha384 ignore_above: 1024 level: extended - name: architecture + name: sha384 normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + original_fieldset: hash + short: SHA384 hash. type: keyword - process.session_leader.parent.session_leader.pe.company: - dashed_name: process-session-leader-parent-session-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.session_leader.parent.session_leader.pe.company + process.parent.hash.sha512: + dashed_name: process-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.parent.hash.sha512 ignore_above: 1024 level: extended - name: company + name: sha512 normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + original_fieldset: hash + short: SHA512 hash. type: keyword - process.session_leader.parent.session_leader.pe.description: - dashed_name: process-session-leader-parent-session-leader-pe-description - description: Internal description of the file, provided at compile-time. 
- example: Paint - flat_name: process.session_leader.parent.session_leader.pe.description + process.parent.hash.ssdeep: + dashed_name: process-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.hash.ssdeep ignore_above: 1024 level: extended - name: description + name: ssdeep normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + original_fieldset: hash + short: SSDEEP hash. type: keyword - process.session_leader.parent.session_leader.pe.file_version: - dashed_name: process-session-leader-parent-session-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.session_leader.parent.session_leader.pe.file_version + process.parent.hash.tlsh: + dashed_name: process-parent-hash-tlsh + description: TLSH hash. + flat_name: process.parent.hash.tlsh ignore_above: 1024 level: extended - name: file_version + name: tlsh normalize: [] - original_fieldset: pe - short: Process name. + original_fieldset: hash + short: TLSH hash. type: keyword - process.session_leader.parent.session_leader.pe.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard + process.parent.interactive: + dashed_name: process-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.parent.macho.go_import_hash: + dashed_name: process-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
@@ -45595,1039 +14471,516 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.pe.go_import_hash + flat_name: process.parent.macho.go_import_hash ignore_above: 1024 level: extended name: go_import_hash normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. type: keyword - process.session_leader.parent.session_leader.pe.go_imports: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports + process.parent.macho.go_imports: + dashed_name: process-parent-macho-go-imports description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.pe.go_imports + flat_name: process.parent.macho.go_imports level: extended name: go_imports normalize: [] - original_fieldset: pe + original_fieldset: macho short: List of imported Go language element names and types. type: flattened - process.session_leader.parent.session_leader.pe.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-entropy + process.parent.macho.go_imports_names_entropy: + dashed_name: process-parent-macho-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_entropy + flat_name: process.parent.macho.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy normalize: [] - original_fieldset: pe + original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. 
type: long - process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-var-entropy + process.parent.macho.go_imports_names_var_entropy: + dashed_name: process-parent-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy + flat_name: process.parent.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy normalize: [] - original_fieldset: pe + original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.session_leader.parent.session_leader.pe.go_stripped: - dashed_name: process-session-leader-parent-session-leader-pe-go-stripped + process.parent.macho.go_stripped: + dashed_name: process-parent-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.pe.go_stripped + flat_name: process.parent.macho.go_stripped level: extended name: go_stripped normalize: [] - original_fieldset: pe + original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.session_leader.parent.session_leader.pe.imphash: - dashed_name: process-session-leader-parent-session-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level + process.parent.macho.import_hash: + dashed_name: process-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.parent.session_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.session_leader.parent.session_leader.pe.import_hash: - dashed_name: process-session-leader-parent-session-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' + This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.pe.import_hash + flat_name: process.parent.macho.import_hash ignore_above: 1024 level: extended name: import_hash normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: macho + short: A hash of the imports in a Mach-O file. type: keyword - process.session_leader.parent.session_leader.pe.imports: - dashed_name: process-session-leader-parent-session-leader-pe-imports + process.parent.macho.imports: + dashed_name: process-parent-macho-imports description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.pe.imports + flat_name: process.parent.macho.imports level: extended name: imports normalize: - array - original_fieldset: pe + original_fieldset: macho short: List of imported element names and types. 
type: flattened - process.session_leader.parent.session_leader.pe.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-imports-names-entropy + process.parent.macho.imports_names_entropy: + dashed_name: process-parent-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.parent.session_leader.pe.imports_names_entropy + flat_name: process.parent.macho.imports_names_entropy format: number level: extended name: imports_names_entropy normalize: [] - original_fieldset: pe + original_fieldset: macho short: Shannon entropy calculation from the list of imported element names and types. type: long - process.session_leader.parent.session_leader.pe.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-imports-names-var-entropy + process.parent.macho.imports_names_var_entropy: + dashed_name: process-parent-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.parent.session_leader.pe.imports_names_var_entropy + flat_name: process.parent.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy normalize: [] - original_fieldset: pe + original_fieldset: macho short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.session_leader.parent.session_leader.pe.original_file_name: - dashed_name: process-session-leader-parent-session-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.session_leader.parent.session_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. 
- type: keyword - process.session_leader.parent.session_leader.pe.pehash: - dashed_name: process-session-leader-parent-session-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.parent.session_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.session_leader.parent.session_leader.pe.product: - dashed_name: process-session-leader-parent-session-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.session_leader.parent.session_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.session_leader.pe.sections: - dashed_name: process-session-leader-parent-session-leader-pe-sections - description: 'An array containing an object for each section of the PE file. + process.parent.macho.sections: + dashed_name: process-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.session_leader.parent.session_leader.pe.sections + underneath `macho.sections.*`.' 
+ flat_name: process.parent.macho.sections level: extended name: sections normalize: - array - original_fieldset: pe - short: Section information of the PE file. + original_fieldset: macho + short: Section information of the Mach-O file. type: nested - process.session_leader.parent.session_leader.pe.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-pe-sections-entropy + process.parent.macho.sections.entropy: + dashed_name: process-parent-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.pe.sections.entropy + flat_name: process.parent.macho.sections.entropy format: number level: extended name: sections.entropy normalize: [] - original_fieldset: pe + original_fieldset: macho short: Shannon entropy calculation from the section. type: long - process.session_leader.parent.session_leader.pe.sections.name: - dashed_name: process-session-leader-parent-session-leader-pe-sections-name - description: PE Section List name. - flat_name: process.session_leader.parent.session_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.session_leader.parent.session_leader.pe.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.session_leader.parent.session_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.session_leader.parent.session_leader.pe.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. 
- flat_name: process.session_leader.parent.session_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.session_leader.pe.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.session_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.session_leader.parent.session_leader.pid: - dashed_name: process-session-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.session_leader.parent.session_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.session_leader.parent.session_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.session_leader.parent.session_leader.real_group.domain: - dashed_name: process-session-leader-parent-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.real_group.id: - dashed_name: process-session-leader-parent-session-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.real_group.name: - dashed_name: process-session-leader-parent-session-leader-real-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.real_user.domain: - dashed_name: process-session-leader-parent-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.session_leader.real_user.email: - dashed_name: process-session-leader-parent-session-leader-real-user-email - description: User email address. 
- flat_name: process.session_leader.parent.session_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.session_leader.real_user.full_name: - dashed_name: process-session-leader-parent-session-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.session_leader.real_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.real_user.group.id: - dashed_name: process-session-leader-parent-session-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.real_user.group.name: - dashed_name: process-session-leader-parent-session-leader-real-user-group-name - description: Name of the group. 
- flat_name: process.session_leader.parent.session_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.real_user.hash: - dashed_name: process-session-leader-parent-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.session_leader.real_user.id: - dashed_name: process-session-leader-parent-session-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.parent.session_leader.real_user.name: - dashed_name: process-session-leader-parent-session-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.session_leader.parent.session_leader.real_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.session_leader.real_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.session_leader.parent.session_leader.real_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.session_leader.real_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.parent.session_leader.real_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float - process.session_leader.parent.session_leader.real_user.roles: - dashed_name: process-session-leader-parent-session-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.same_as_process: - dashed_name: process-session-leader-parent-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' 
- example: true - flat_name: process.session_leader.parent.session_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.session_leader.parent.session_leader.saved_group.domain: - dashed_name: process-session-leader-parent-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.saved_group.id: - dashed_name: process-session-leader-parent-session-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.saved_group.name: - dashed_name: process-session-leader-parent-session-leader-saved-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.saved_user.domain: - dashed_name: process-session-leader-parent-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.session_leader.saved_user.domain + process.parent.macho.sections.name: + dashed_name: process-parent-macho-sections-name + description: Mach-O Section List name. + flat_name: process.parent.macho.sections.name ignore_above: 1024 level: extended - name: domain + name: sections.name normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. + original_fieldset: macho + short: Mach-O Section List name. type: keyword - process.session_leader.parent.session_leader.saved_user.email: - dashed_name: process-session-leader-parent-session-leader-saved-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.saved_user.email - ignore_above: 1024 + process.parent.macho.sections.physical_size: + dashed_name: process-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.parent.macho.sections.physical_size + format: bytes level: extended - name: email + name: sections.physical_size normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.session_leader.saved_user.full_name: - dashed_name: process-session-leader-parent-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.saved_user.full_name - ignore_above: 1024 + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.parent.macho.sections.var_entropy: + dashed_name: process-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: process.parent.macho.sections.var_entropy + format: number level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name + name: sections.var_entropy normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.session_leader.saved_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.saved_user.group.domain - ignore_above: 1024 + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.macho.sections.virtual_size: + dashed_name: process-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.macho.sections.virtual_size + format: string level: extended - name: domain + name: sections.virtual_size normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.saved_user.group.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.saved_user.group.id + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.parent.macho.symhash: + dashed_name: process-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.macho.symhash ignore_above: 1024 level: extended - name: id + name: symhash normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: macho + short: A hash of the imports in a Mach-O file. type: keyword - process.session_leader.parent.session_leader.saved_user.group.name: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.saved_user.group.name + process.parent.name: + dashed_name: process-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.parent.name ignore_above: 1024 level: extended + multi_fields: + - flat_name: process.parent.name.text + name: text + type: match_only_text name: name normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: process + short: Process name. type: keyword - process.session_leader.parent.session_leader.saved_user.hash: - dashed_name: process-session-leader-parent-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.saved_user.hash + process.parent.pe.architecture: + dashed_name: process-parent-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: process.parent.pe.architecture ignore_above: 1024 level: extended - name: hash + name: architecture normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. + original_fieldset: pe + short: CPU architecture target for the file. type: keyword - process.session_leader.parent.session_leader.saved_user.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.saved_user.id + process.parent.pe.company: + dashed_name: process-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.parent.pe.company ignore_above: 1024 - level: core - name: id + level: extended + name: company normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. type: keyword - process.session_leader.parent.session_leader.saved_user.name: - dashed_name: process-session-leader-parent-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.saved_user.name + process.parent.pe.description: + dashed_name: process-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.parent.pe.description ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.name.text - name: text - type: match_only_text - name: name + level: extended + name: description normalize: [] - original_fieldset: user - short: Short name or login of the user. 
+ original_fieldset: pe + short: Internal description of the file, provided at compile-time. type: keyword - process.session_leader.parent.session_leader.saved_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_level + process.parent.pe.file_version: + dashed_name: process-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.parent.pe.file_version ignore_above: 1024 level: extended - name: calculated_level + name: file_version normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. + original_fieldset: pe + short: Process name. type: keyword - process.session_leader.parent.session_leader.saved_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.session_leader.saved_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_level + process.parent.pe.go_import_hash: + dashed_name: process-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.pe.go_import_hash ignore_above: 1024 level: extended - name: static_level + name: go_import_hash normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. + original_fieldset: pe + short: A hash of the Go language imports in a PE file. 
type: keyword - process.session_leader.parent.session_leader.saved_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score + process.parent.pe.go_imports: + dashed_name: process-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.pe.go_imports level: extended - name: static_score + name: go_imports normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.parent.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score_norm + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.parent.pe.go_imports_names_entropy: + dashed_name: process-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.pe.go_imports_names_entropy + format: number level: extended - name: static_score_norm + name: go_imports_names_entropy normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float - process.session_leader.parent.session_leader.saved_user.roles: - dashed_name: process-session-leader-parent-session-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.start: - dashed_name: process-session-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.start + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.pe.go_imports_names_var_entropy: + dashed_name: process-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.pe.go_imports_names_var_entropy + format: number level: extended - name: start + name: go_imports_names_var_entropy normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.session_leader.parent.session_leader.supplemental_groups.domain: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.supplemental_groups.domain - ignore_above: 1024 + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.parent.pe.go_stripped: + dashed_name: process-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.pe.go_stripped level: extended - name: domain + name: go_stripped normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.supplemental_groups.id: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.supplemental_groups.id + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.parent.pe.imphash: + dashed_name: process-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.pe.imphash ignore_above: 1024 level: extended - name: id + name: imphash normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword - process.session_leader.parent.session_leader.supplemental_groups.name: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-name - description: Name of the group. 
- flat_name: process.session_leader.parent.session_leader.supplemental_groups.name + process.parent.pe.import_hash: + dashed_name: process-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.pe.import_hash ignore_above: 1024 level: extended - name: name + name: import_hash normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword - process.session_leader.parent.session_leader.thread.capabilities.effective: - dashed_name: process-session-leader-parent-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.session_leader.thread.capabilities.effective - ignore_above: 1024 + process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of imported element names and types. + flat_name: process.parent.pe.imports level: extended - name: thread.capabilities.effective + name: imports normalize: - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.thread.capabilities.permitted: - dashed_name: process-session-leader-parent-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.session_leader.thread.capabilities.permitted - ignore_above: 1024 + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.parent.pe.imports_names_entropy: + dashed_name: process-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.pe.imports_names_entropy + format: number level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.thread.id: - dashed_name: process-session-leader-parent-session-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.session_leader.parent.session_leader.thread.id - format: string + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.pe.imports_names_var_entropy: + dashed_name: process-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.pe.imports_names_var_entropy + format: number level: extended - name: thread.id + name: imports_names_var_entropy normalize: [] - original_fieldset: process - short: Thread ID. + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. type: long - process.session_leader.parent.session_leader.thread.name: - dashed_name: process-session-leader-parent-session-leader-thread-name - description: Thread name. 
- example: thread-0 - flat_name: process.session_leader.parent.session_leader.thread.name + process.parent.pe.original_file_name: + dashed_name: process-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.parent.pe.original_file_name ignore_above: 1024 level: extended - name: thread.name + name: original_file_name normalize: [] - original_fieldset: process - short: Thread name. + original_fieldset: pe + short: Internal name of the file, provided at compile-time. type: keyword - process.session_leader.parent.session_leader.title: - dashed_name: process-session-leader-parent-session-leader-title - description: 'Process title. + process.parent.pe.pehash: + dashed_name: process-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.parent.session_leader.title + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.parent.pe.pehash ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.title.text - name: text - type: match_only_text - name: title + name: pehash normalize: [] - original_fieldset: process - short: Process title. + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. type: keyword - process.session_leader.parent.session_leader.tty: - dashed_name: process-session-leader-parent-session-leader-tty - description: Information about the controlling TTY device. 
If set, the process - belongs to an interactive session. - flat_name: process.session_leader.parent.session_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.session_leader.parent.session_leader.tty.char_device.major: - dashed_name: process-session-leader-parent-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.session_leader.parent.session_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.session_leader.parent.session_leader.tty.char_device.minor: - dashed_name: process-session-leader-parent-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.session_leader.parent.session_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.session_leader.parent.session_leader.tty.columns: - dashed_name: process-session-leader-parent-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. 
where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.parent.session_leader.tty.columns + process.parent.pe.product: + dashed_name: process-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.parent.pe.product + ignore_above: 1024 level: extended - name: tty.columns + name: product normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.session_leader.parent.session_leader.tty.rows: - dashed_name: process-session-leader-parent-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: 'An array containing an object for each section of the PE file. - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.parent.session_leader.tty.rows + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.parent.pe.sections level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.session_leader.parent.session_leader.uptime: - dashed_name: process-session-leader-parent-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.session_leader.parent.session_leader.uptime + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. 
+ type: nested + process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.pe.sections.entropy + format: number level: extended - name: uptime + name: sections.entropy normalize: [] - original_fieldset: process - short: Seconds the process has been up. + original_fieldset: pe + short: Shannon entropy calculation from the section. type: long - process.session_leader.parent.session_leader.user.domain: - dashed_name: process-session-leader-parent-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.user.domain + process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: PE Section List name. + flat_name: process.parent.pe.sections.name ignore_above: 1024 level: extended - name: domain + name: sections.name normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. + original_fieldset: pe + short: PE Section List name. type: keyword - process.session_leader.parent.session_leader.user.email: - dashed_name: process-session-leader-parent-session-leader-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.user.email - ignore_above: 1024 + process.parent.pe.sections.physical_size: + dashed_name: process-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.pe.sections.physical_size + format: bytes level: extended - name: email + name: sections.physical_size normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.session_leader.user.full_name: - dashed_name: process-session-leader-parent-session-leader-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.user.full_name - ignore_above: 1024 + original_fieldset: pe + short: PE Section List physical size. + type: long + process.parent.pe.sections.var_entropy: + dashed_name: process-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.pe.sections.var_entropy + format: number level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.full_name.text - name: text - type: match_only_text - name: full_name + name: sections.var_entropy normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.session_leader.user.group.domain: - dashed_name: process-session-leader-parent-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.user.group.domain - ignore_above: 1024 + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.pe.sections.virtual_size: + dashed_name: process-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.pe.sections.virtual_size + format: string level: extended - name: domain + name: sections.virtual_size normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.user.group.id: - dashed_name: process-session-leader-parent-session-leader-user-group-id + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.parent.pid: + dashed_name: process-parent-pid + description: Process id. 
+ example: 4242 + flat_name: process.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.parent.real_group.id: + dashed_name: process-parent-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.user.group.id + flat_name: process.parent.real_group.id ignore_above: 1024 level: extended name: id @@ -46635,10 +14988,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.parent.session_leader.user.group.name: - dashed_name: process-session-leader-parent-session-leader-user-group-name + process.parent.real_group.name: + dashed_name: process-parent-real-group-name description: Name of the group. - flat_name: process.session_leader.parent.session_leader.user.group.name + flat_name: process.parent.real_group.name ignore_above: 1024 level: extended name: name 
@@ -46646,26 +14999,11 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.session_leader.parent.session_leader.user.hash: - dashed_name: process-session-leader-parent-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.session_leader.user.id: - dashed_name: process-session-leader-parent-session-leader-user-id + process.parent.real_user.id: + dashed_name: process-parent-real-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.user.id + flat_name: process.parent.real_user.id ignore_above: 1024 level: core name: id @@ -46673,15 +15011,15 @@ process: original_fieldset: user short: Unique identifier of the user. type: keyword - process.session_leader.parent.session_leader.user.name: - dashed_name: process-session-leader-parent-session-leader-user-name + process.parent.real_user.name: + dashed_name: process-parent-real-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.parent.session_leader.user.name + flat_name: process.parent.real_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.name.text + - flat_name: process.parent.real_user.name.text name: text type: match_only_text name: name 
@@ -46689,160 +15027,71 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.session_leader.parent.session_leader.user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_level + process.parent.saved_group.id: + dashed_name: process-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.saved_group.id ignore_above: 1024 level: extended - name: calculated_level + name: id normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.parent.session_leader.user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.session_leader.parent.session_leader.user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.session_leader.user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.user.risk.static_level + process.parent.saved_group.name: + dashed_name: process-parent-saved-group-name + description: Name of the group. + flat_name: process.parent.saved_group.name ignore_above: 1024 level: extended - name: static_level + name: name normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. + original_fieldset: group + short: Name of the group. type: keyword - process.session_leader.parent.session_leader.user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.session_leader.parent.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.parent.session_leader.user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.session_leader.user.roles: - dashed_name: process-session-leader-parent-session-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.user.roles + process.parent.saved_user.id: + dashed_name: process-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.saved_user.id ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.vpid: - dashed_name: process-session-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. 
This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.session_leader.parent.session_leader.vpid - format: string level: core - name: vpid + name: id normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.session_leader.parent.session_leader.working_directory: - dashed_name: process-session-leader-parent-session-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.session_leader.parent.session_leader.working_directory + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.saved_user.name: + dashed_name: process-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.saved_user.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.session_leader.parent.session_leader.working_directory.text + - flat_name: process.parent.saved_user.name.text name: text type: match_only_text - name: working_directory + name: name normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: user + short: Short name or login of the user. type: keyword - process.session_leader.parent.start: - dashed_name: process-session-leader-parent-start + process.parent.start: + dashed_name: process-parent-start description: The time the process started. example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.start + flat_name: process.parent.start level: extended name: start normalize: [] original_fieldset: process short: The time the process started. 
type: date - process.session_leader.parent.supplemental_groups.domain: - dashed_name: process-session-leader-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.supplemental_groups.id: - dashed_name: process-session-leader-parent-supplemental-groups-id + process.parent.supplemental_groups.id: + dashed_name: process-parent-supplemental-groups-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.supplemental_groups.id + flat_name: process.parent.supplemental_groups.id ignore_above: 1024 level: extended name: id @@ -46850,10 +15099,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.parent.supplemental_groups.name: - dashed_name: process-session-leader-parent-supplemental-groups-name + process.parent.supplemental_groups.name: + dashed_name: process-parent-supplemental-groups-name description: Name of the group. - flat_name: process.session_leader.parent.supplemental_groups.name + flat_name: process.parent.supplemental_groups.name ignore_above: 1024 level: extended name: name 
@@ -46861,12 +15110,12 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.session_leader.parent.thread.capabilities.effective: - dashed_name: process-session-leader-parent-thread-capabilities-effective + process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective description: This is the set of capabilities used by the kernel to perform permission checks for the thread. example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.thread.capabilities.effective + flat_name: process.parent.thread.capabilities.effective ignore_above: 1024 level: extended name: thread.capabilities.effective @@ -46877,12 +15126,12 @@ process: short: Array of capabilities used for permission checks. synthetic_source_keep: none type: keyword - process.session_leader.parent.thread.capabilities.permitted: - dashed_name: process-session-leader-parent-thread-capabilities-permitted + process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted description: This is a limiting superset for the effective capabilities that the thread may assume. example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.thread.capabilities.permitted + flat_name: process.parent.thread.capabilities.permitted ignore_above: 1024 level: extended name: thread.capabilities.permitted @@ -46893,11 +15142,11 @@ process: short: Array of capabilities a thread could assume. synthetic_source_keep: none type: keyword - process.session_leader.parent.thread.id: - dashed_name: process-session-leader-parent-thread-id + process.parent.thread.id: + dashed_name: process-parent-thread-id description: Thread ID. example: 4242 - flat_name: process.session_leader.parent.thread.id + flat_name: process.parent.thread.id format: string level: extended name: thread.id 
@@ -46905,11 +15154,11 @@ process: original_fieldset: process short: Thread ID. type: long - process.session_leader.parent.thread.name: - dashed_name: process-session-leader-parent-thread-name + process.parent.thread.name: + dashed_name: process-parent-thread-name description: Thread name. example: thread-0 - flat_name: process.session_leader.parent.thread.name + flat_name: process.parent.thread.name ignore_above: 1024 level: extended name: thread.name @@ -46917,17 +15166,17 @@ process: original_fieldset: process short: Thread name. type: keyword - process.session_leader.parent.title: - dashed_name: process-session-leader-parent-title + process.parent.title: + dashed_name: process-parent-title description: 'Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.parent.title + flat_name: process.parent.title ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.parent.title.text + - flat_name: process.parent.title.text name: text type: match_only_text name: title 
@@ -46935,179 +15184,61 @@ process: original_fieldset: process short: Process title. type: keyword - process.session_leader.parent.tty: - dashed_name: process-session-leader-parent-tty + process.parent.tty: + dashed_name: process-parent-tty description: Information about the controlling TTY device. If set, the process belongs to an interactive session. - flat_name: process.session_leader.parent.tty + flat_name: process.parent.tty level: extended name: tty normalize: [] original_fieldset: process short: Information about the controlling TTY device. type: object - process.session_leader.parent.tty.char_device.major: - dashed_name: process-session-leader-parent-tty-char-device-major + process.parent.tty.char_device.major: + dashed_name: process-parent-tty-char-device-major description: The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation. example: 4 - flat_name: process.session_leader.parent.tty.char_device.major + flat_name: process.parent.tty.char_device.major level: extended name: tty.char_device.major normalize: [] original_fieldset: process short: The TTY character device's major number. type: long - process.session_leader.parent.tty.char_device.minor: - dashed_name: process-session-leader-parent-tty-char-device-minor + process.parent.tty.char_device.minor: + dashed_name: process-parent-tty-char-device-minor description: The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them. 
example: 1 - flat_name: process.session_leader.parent.tty.char_device.minor + flat_name: process.parent.tty.char_device.minor level: extended name: tty.char_device.minor normalize: [] original_fieldset: process short: The TTY character device's minor number. type: long - process.session_leader.parent.tty.columns: - dashed_name: process-session-leader-parent-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.session_leader.parent.tty.rows: - dashed_name: process-session-leader-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.session_leader.parent.uptime: - dashed_name: process-session-leader-parent-uptime + process.parent.uptime: + dashed_name: process-parent-uptime description: Seconds the process has been up. example: 1325 - flat_name: process.session_leader.parent.uptime + flat_name: process.parent.uptime level: extended name: uptime normalize: [] original_fieldset: process short: Seconds the process has been up. type: long - process.session_leader.parent.user.domain: - dashed_name: process-session-leader-parent-user-domain - description: 'Name of the directory the user is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.user.email: - dashed_name: process-session-leader-parent-user-email - description: User email address. - flat_name: process.session_leader.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.user.full_name: - dashed_name: process-session-leader-parent-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.user.group.domain: - dashed_name: process-session-leader-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.user.group.id: - dashed_name: process-session-leader-parent-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.session_leader.parent.user.group.name: - dashed_name: process-session-leader-parent-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.user.hash: - dashed_name: process-session-leader-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.user.id: - dashed_name: process-session-leader-parent-user-id + process.parent.user.id: + dashed_name: process-parent-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.user.id + flat_name: process.parent.user.id ignore_above: 1024 level: core name: id @@ -47115,15 +15246,15 @@ process: original_fieldset: user short: Unique identifier of the user. type: keyword - process.session_leader.parent.user.name: - dashed_name: process-session-leader-parent-user-name + process.parent.user.name: + dashed_name: process-parent-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.parent.user.name + flat_name: process.parent.user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.parent.user.name.text + - flat_name: process.parent.user.name.text name: text type: match_only_text name: name 
@@ -47131,109 +15262,15 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.session_leader.parent.user.risk.calculated_level: - dashed_name: process-session-leader-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.user.risk.calculated_score: - dashed_name: process-session-leader-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.parent.user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.session_leader.parent.user.risk.static_level: - dashed_name: process-session-leader-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.user.risk.static_score: - dashed_name: process-session-leader-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.parent.user.risk.static_score_norm: - dashed_name: process-session-leader-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.user.roles: - dashed_name: process-session-leader-parent-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.vpid: - dashed_name: process-session-leader-parent-vpid + process.parent.vpid: + dashed_name: process-parent-vpid description: 'Virtual process id. The process id within a pid namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.' example: 4242 - flat_name: process.session_leader.parent.vpid + flat_name: process.parent.vpid format: string level: core name: vpid @@ -47241,15 +15278,15 @@ process: original_fieldset: process short: Virtual process id. type: long - process.session_leader.parent.working_directory: - dashed_name: process-session-leader-parent-working-directory + process.parent.working_directory: + dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice - flat_name: process.session_leader.parent.working_directory + flat_name: process.parent.working_directory ignore_above: 1024 level: extended multi_fields: - - flat_name: process.session_leader.parent.working_directory.text + - flat_name: process.parent.working_directory.text name: text type: match_only_text name: working_directory @@ -47257,11 +15294,11 @@ process: original_fieldset: process short: The working directory of the process. type: keyword - process.session_leader.pe.architecture: - dashed_name: process-session-leader-pe-architecture + process.pe.architecture: + dashed_name: process-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: process.session_leader.pe.architecture + flat_name: process.pe.architecture ignore_above: 1024 level: extended name: architecture 
@@ -47269,11 +15306,11 @@ process: original_fieldset: pe short: CPU architecture target for the file. type: keyword - process.session_leader.pe.company: - dashed_name: process-session-leader-pe-company + process.pe.company: + dashed_name: process-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: process.session_leader.pe.company + flat_name: process.pe.company ignore_above: 1024 level: extended name: company @@ -47281,11 +15318,11 @@ process: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword - process.session_leader.pe.description: - dashed_name: process-session-leader-pe-description + process.pe.description: + dashed_name: process-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: process.session_leader.pe.description + flat_name: process.pe.description ignore_above: 1024 level: extended name: description @@ -47293,11 +15330,11 @@ process: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword - process.session_leader.pe.file_version: - dashed_name: process-session-leader-pe-file-version + process.pe.file_version: + dashed_name: process-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: process.session_leader.pe.file_version + flat_name: process.pe.file_version ignore_above: 1024 level: extended name: file_version 
@@ -47305,8 +15342,8 @@ process: original_fieldset: pe short: Process name. type: keyword - process.session_leader.pe.go_import_hash: - dashed_name: process-session-leader-pe-go-import-hash + process.pe.go_import_hash: + dashed_name: process-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -47315,7 +15352,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.pe.go_import_hash + flat_name: process.pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash @@ -47323,20 +15360,20 @@ process: original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword - process.session_leader.pe.go_imports: - dashed_name: process-session-leader-pe-go-imports + process.pe.go_imports: + dashed_name: process-pe-go-imports description: List of imported Go language element names and types. - flat_name: process.session_leader.pe.go_imports + flat_name: process.pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened - process.session_leader.pe.go_imports_names_entropy: - dashed_name: process-session-leader-pe-go-imports-names-entropy + process.pe.go_imports_names_entropy: + dashed_name: process-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.pe.go_imports_names_entropy + flat_name: process.pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy 
@@ -47344,10 +15381,10 @@ process: original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long - process.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-pe-go-imports-names-var-entropy + process.pe.go_imports_names_var_entropy: + dashed_name: process-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.pe.go_imports_names_var_entropy + flat_name: process.pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy @@ -47355,26 +15392,26 @@ process: original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.session_leader.pe.go_stripped: - dashed_name: process-session-leader-pe-go-stripped + process.pe.go_stripped: + dashed_name: process-pe-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.pe.go_stripped + flat_name: process.pe.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: pe short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.session_leader.pe.imphash: - dashed_name: process-session-leader-pe-imphash + process.pe.imphash: + dashed_name: process-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.pe.imphash + flat_name: process.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -47382,15 +15419,15 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - process.session_leader.pe.import_hash: - dashed_name: process-session-leader-pe-import-hash + process.pe.import_hash: + dashed_name: process-pe-import-hash description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.pe.import_hash + flat_name: process.pe.import_hash ignore_above: 1024 level: extended name: import_hash @@ -47398,10 +15435,10 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - process.session_leader.pe.imports: - dashed_name: process-session-leader-pe-imports + process.pe.imports: + dashed_name: process-pe-imports description: List of imported element names and types. - flat_name: process.session_leader.pe.imports + flat_name: process.pe.imports level: extended name: imports normalize: @@ -47409,11 +15446,11 @@ process: original_fieldset: pe short: List of imported element names and types. type: flattened - process.session_leader.pe.imports_names_entropy: - dashed_name: process-session-leader-pe-imports-names-entropy + process.pe.imports_names_entropy: + dashed_name: process-pe-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.pe.imports_names_entropy + flat_name: process.pe.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -47422,11 +15459,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.session_leader.pe.imports_names_var_entropy: - dashed_name: process-session-leader-pe-imports-names-var-entropy + process.pe.imports_names_var_entropy: + dashed_name: process-pe-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.session_leader.pe.imports_names_var_entropy + flat_name: process.pe.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -47435,11 +15472,11 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.session_leader.pe.original_file_name: - dashed_name: process-session-leader-pe-original-file-name + process.pe.original_file_name: + dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: process.session_leader.pe.original_file_name + flat_name: process.pe.original_file_name ignore_above: 1024 level: extended name: original_file_name @@ -47447,15 +15484,15 @@ process: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword - process.session_leader.pe.pehash: - dashed_name: process-session-leader-pe-pehash + process.pe.pehash: + dashed_name: process-pe-pehash description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.pe.pehash + flat_name: process.pe.pehash ignore_above: 1024 level: extended name: pehash 
@@ -47463,11 +15500,11 @@ process: original_fieldset: pe short: A hash of the PE header and data from one or more PE sections. type: keyword - process.session_leader.pe.product: - dashed_name: process-session-leader-pe-product + process.pe.product: + dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System - flat_name: process.session_leader.pe.product + flat_name: process.pe.product ignore_above: 1024 level: extended name: product @@ -47475,13 +15512,13 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - process.session_leader.pe.sections: - dashed_name: process-session-leader-pe-sections + process.pe.sections: + dashed_name: process-pe-sections description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' - flat_name: process.session_leader.pe.sections + flat_name: process.pe.sections level: extended name: sections normalize: @@ -47489,10 +15526,10 @@ process: original_fieldset: pe short: Section information of the PE file. type: nested - process.session_leader.pe.sections.entropy: - dashed_name: process-session-leader-pe-sections-entropy + process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.session_leader.pe.sections.entropy + flat_name: process.pe.sections.entropy format: number level: extended name: sections.entropy 
@@ -47500,10 +15537,10 @@ process: original_fieldset: pe short: Shannon entropy calculation from the section. type: long - process.session_leader.pe.sections.name: - dashed_name: process-session-leader-pe-sections-name + process.pe.sections.name: + dashed_name: process-pe-sections-name description: PE Section List name. - flat_name: process.session_leader.pe.sections.name + flat_name: process.pe.sections.name ignore_above: 1024 level: extended name: sections.name @@ -47511,10 +15548,10 @@ process: original_fieldset: pe short: PE Section List name. type: keyword - process.session_leader.pe.sections.physical_size: - dashed_name: process-session-leader-pe-sections-physical-size + process.pe.sections.physical_size: + dashed_name: process-pe-sections-physical-size description: PE Section List physical size. - flat_name: process.session_leader.pe.sections.physical_size + flat_name: process.pe.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -47522,10 +15559,10 @@ process: original_fieldset: pe short: PE Section List physical size. type: long - process.session_leader.pe.sections.var_entropy: - dashed_name: process-session-leader-pe-sections-var-entropy + process.pe.sections.var_entropy: + dashed_name: process-pe-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.pe.sections.var_entropy + flat_name: process.pe.sections.var_entropy format: number level: extended name: sections.var_entropy 
@@ -47533,10 +15570,10 @@ process: original_fieldset: pe short: Variance for Shannon entropy calculation from the section. type: long - process.session_leader.pe.sections.virtual_size: - dashed_name: process-session-leader-pe-sections-virtual-size + process.pe.sections.virtual_size: + dashed_name: process-pe-sections-virtual-size description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.pe.sections.virtual_size + flat_name: process.pe.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -47544,51 +15581,71 @@ process: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long - process.session_leader.pid: - dashed_name: process-session-leader-pid + process.pid: + dashed_name: process-pid description: Process id. example: 4242 - flat_name: process.session_leader.pid + flat_name: process.pid format: string level: core name: pid normalize: [] - original_fieldset: process otel: - relation: match stability: development short: Process id. type: long - process.session_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.session_leader.platform_binary + process.previous.args: + dashed_name: process-previous-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.previous.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.previous.args_count: + dashed_name: process-previous-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.previous.args_count level: extended - name: platform_binary + name: args_count normalize: [] original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. 
- type: boolean - process.session_leader.real_group.domain: - dashed_name: process-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_group.domain + short: Length of the process.args array. + type: long + process.previous.executable: + dashed_name: process-previous-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.previous.executable ignore_above: 1024 level: extended - name: domain + multi_fields: + - flat_name: process.previous.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + original_fieldset: process + short: Absolute path to the process executable. type: keyword - process.session_leader.real_group.id: - dashed_name: process-session-leader-real-group-id + process.real_group.id: + dashed_name: process-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_group.id + flat_name: process.real_group.id ignore_above: 1024 level: extended name: id @@ -47596,10 +15653,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.real_group.name: - dashed_name: process-session-leader-real-group-name + process.real_group.name: + dashed_name: process-real-group-name description: Name of the group. - flat_name: process.session_leader.real_group.name + flat_name: process.real_group.name ignore_above: 1024 level: extended name: name 
@@ -47607,63 +15664,44 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.session_leader.real_user.domain: - dashed_name: process-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.real_user.email: - dashed_name: process-session-leader-real-user-email - description: User email address. - flat_name: process.session_leader.real_user.email + process.real_user.id: + dashed_name: process-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.real_user.id ignore_above: 1024 - level: extended - name: email + level: core + name: id normalize: [] original_fieldset: user - short: User email address. + otel: + - relation: match + stability: development + short: Unique identifier of the user. type: keyword - process.session_leader.real_user.full_name: - dashed_name: process-session-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.real_user.full_name + process.real_user.name: + dashed_name: process-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.real_user.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.session_leader.real_user.full_name.text + - flat_name: process.real_user.name.text name: text type: match_only_text - name: full_name + name: name normalize: [] original_fieldset: user - short: User's full name, if available. 
- type: keyword - process.session_leader.real_user.group.domain: - dashed_name: process-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + otel: + - relation: match + stability: development + short: Short name or login of the user. type: keyword - process.session_leader.real_user.group.id: - dashed_name: process-session-leader-real-user-group-id + process.saved_group.id: + dashed_name: process-saved-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_user.group.id + flat_name: process.saved_group.id ignore_above: 1024 level: extended name: id @@ -47671,10 +15709,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.real_user.group.name: - dashed_name: process-session-leader-real-user-group-name + process.saved_group.name: + dashed_name: process-saved-group-name description: Name of the group. - flat_name: process.session_leader.real_user.group.name + flat_name: process.saved_group.name ignore_above: 1024 level: extended name: name 
@@ -47682,190 +15720,323 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.session_leader.real_user.hash: - dashed_name: process-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.real_user.id: - dashed_name: process-session-leader-real-user-id + process.saved_user.id: + dashed_name: process-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.real_user.id + flat_name: process.saved_user.id ignore_above: 1024 level: core name: id normalize: [] original_fieldset: user + otel: + - relation: match + stability: development short: Unique identifier of the user. type: keyword - process.session_leader.real_user.name: - dashed_name: process-session-leader-real-user-name + process.saved_user.name: + dashed_name: process-saved-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.real_user.name + flat_name: process.saved_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.real_user.name.text + - flat_name: process.saved_user.name.text name: text type: match_only_text name: name normalize: [] original_fieldset: user + otel: + - relation: match + stability: development short: Short name or login of the user. 
type: keyword - process.session_leader.real_user.risk.calculated_level: - dashed_name: process-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.real_user.risk.calculated_level + process.session_leader.args: + dashed_name: process-session-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.args ignore_above: 1024 level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. type: keyword - process.session_leader.real_user.risk.calculated_score: - dashed_name: process-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.real_user.risk.calculated_score + process.session_leader.args_count: + dashed_name: process-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.session_leader.args_count level: extended - name: calculated_score + name: args_count normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.real_user.risk.calculated_score_norm + original_fieldset: process + short: Length of the process.args array. + type: long + process.session_leader.command_line: + dashed_name: process-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.command_line level: extended - name: calculated_score_norm + multi_fields: + - flat_name: process.session_leader.command_line.text + name: text + type: match_only_text + name: command_line normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.real_user.risk.static_level: - dashed_name: process-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.real_user.risk.static_level + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.session_leader.entity_id: + dashed_name: process-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.entity_id ignore_above: 1024 level: extended - name: static_level + name: entity_id normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. + original_fieldset: process + short: Unique identifier for the process. type: keyword - process.session_leader.real_user.risk.static_score: - dashed_name: process-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.real_user.risk.static_score + process.session_leader.executable: + dashed_name: process-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.executable + ignore_above: 1024 level: extended - name: static_score + multi_fields: + - flat_name: process.session_leader.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.real_user.risk.static_score_norm: - dashed_name: process-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.real_user.risk.static_score_norm + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword + process.session_leader.group.id: + dashed_name: process-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.group.id + ignore_above: 1024 level: extended - name: static_score_norm + name: id normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.real_user.roles: - dashed_name: process-session-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.real_user.roles + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.group.name: + dashed_name: process-session-leader-group-name + description: Name of the group. + flat_name: process.session_leader.group.name ignore_above: 1024 level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none + name: name + normalize: [] + original_fieldset: group + short: Name of the group. type: keyword - process.session_leader.same_as_process: - dashed_name: process-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) + process.session_leader.interactive: + dashed_name: process-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' example: true - flat_name: process.session_leader.same_as_process + flat_name: process.session_leader.interactive level: extended - name: same_as_process + name: interactive normalize: [] original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. + short: Whether the process is connected to an interactive shell. type: boolean - process.session_leader.saved_group.domain: - dashed_name: process-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. + process.session_leader.name: + dashed_name: process-session-leader-name + description: 'Process name. - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.saved_group.domain + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.name ignore_above: 1024 level: extended - name: domain + multi_fields: + - flat_name: process.session_leader.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + original_fieldset: process + short: Process name. type: keyword - process.session_leader.saved_group.id: - dashed_name: process-session-leader-saved-group-id + process.session_leader.parent.entity_id: + dashed_name: process-session-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.session_leader.parent.pid: + dashed_name: process-session-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.session_leader.parent.session_leader.entity_id: + dashed_name: process-session-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.session_leader.parent.session_leader.pid: + dashed_name: process-session-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.session_leader.parent.session_leader.start: + dashed_name: process-session-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.session_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. 
+ type: long + process.session_leader.parent.start: + dashed_name: process-session-leader-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.session_leader.parent.vpid: + dashed_name: process-session-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.session_leader.pid: + dashed_name: process-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + otel: + - relation: match + stability: development + short: Process id. + type: long + process.session_leader.real_group.id: + dashed_name: process-session-leader-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.saved_group.id + flat_name: process.session_leader.real_group.id ignore_above: 1024 level: extended name: id 
@@ -47873,10 +16044,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.saved_group.name: - dashed_name: process-session-leader-saved-group-name + process.session_leader.real_group.name: + dashed_name: process-session-leader-real-group-name description: Name of the group. - flat_name: process.session_leader.saved_group.name + flat_name: process.session_leader.real_group.name ignore_above: 1024 level: extended name: name 
@@ -47884,63 +16055,68 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.session_leader.saved_user.domain: - dashed_name: process-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.saved_user.email: - dashed_name: process-session-leader-saved-user-email - description: User email address. - flat_name: process.session_leader.saved_user.email + process.session_leader.real_user.id: + dashed_name: process-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.real_user.id ignore_above: 1024 - level: extended - name: email + level: core + name: id normalize: [] original_fieldset: user - short: User email address. + short: Unique identifier of the user. type: keyword - process.session_leader.saved_user.full_name: - dashed_name: process-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.saved_user.full_name + process.session_leader.real_user.name: + dashed_name: process-session-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.real_user.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.session_leader.saved_user.full_name.text + - flat_name: process.session_leader.real_user.name.text name: text type: match_only_text - name: full_name + name: name normalize: [] original_fieldset: user - short: User's full name, if available. + short: Short name or login of the user. 
type: keyword - process.session_leader.saved_user.group.domain: - dashed_name: process-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. + process.session_leader.same_as_process: + dashed_name: process-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_user.group.domain - ignore_above: 1024 + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.same_as_process level: extended - name: domain + name: same_as_process normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.saved_user.group.id: - dashed_name: process-session-leader-saved-user-group-id + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. 
+ type: boolean + process.session_leader.saved_group.id: + dashed_name: process-session-leader-saved-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.saved_user.group.id + flat_name: process.session_leader.saved_group.id ignore_above: 1024 level: extended name: id @@ -47948,10 +16124,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.saved_user.group.name: - dashed_name: process-session-leader-saved-user-group-name + process.session_leader.saved_group.name: + dashed_name: process-session-leader-saved-group-name description: Name of the group. - flat_name: process.session_leader.saved_user.group.name + flat_name: process.session_leader.saved_group.name ignore_above: 1024 level: extended name: name @@ -47959,21 +16135,6 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.session_leader.saved_user.hash: - dashed_name: process-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword process.session_leader.saved_user.id: dashed_name: process-session-leader-saved-user-id description: Unique identifier of the user. 
@@ -48002,100 +16163,6 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.session_leader.saved_user.risk.calculated_level: - dashed_name: process-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.saved_user.risk.calculated_score: - dashed_name: process-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.session_leader.saved_user.risk.static_level: - dashed_name: process-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.saved_user.risk.static_score: - dashed_name: process-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.saved_user.roles: - dashed_name: process-session-leader-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.session_leader.start: dashed_name: process-session-leader-start description: The time the process started. @@ -48107,19 +16174,6 @@ process: original_fieldset: process short: The time the process started. type: date - process.session_leader.supplemental_groups.domain: - dashed_name: process-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword process.session_leader.supplemental_groups.id: dashed_name: process-session-leader-supplemental-groups-id description: Unique identifier for the group on the system/platform. 
@@ -48142,80 +16196,6 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.session_leader.thread.capabilities.effective: - dashed_name: process-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.session_leader.thread.capabilities.permitted: - dashed_name: process-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.session_leader.thread.id: - dashed_name: process-session-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.session_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.session_leader.thread.name: - dashed_name: process-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. 
- type: keyword - process.session_leader.title: - dashed_name: process-session-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword process.session_leader.tty: dashed_name: process-session-leader-tty description: Information about the controlling TTY device. If set, the process 
@@ -48255,135 +16235,6 @@ process: original_fieldset: process short: The TTY character device's minor number. type: long - process.session_leader.tty.columns: - dashed_name: process-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.session_leader.tty.rows: - dashed_name: process-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.session_leader.uptime: - dashed_name: process-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.session_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.session_leader.user.domain: - dashed_name: process-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword - process.session_leader.user.email: - dashed_name: process-session-leader-user-email - description: User email address. - flat_name: process.session_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.user.full_name: - dashed_name: process-session-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.user.group.domain: - dashed_name: process-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.user.group.id: - dashed_name: process-session-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.user.group.name: - dashed_name: process-session-leader-user-group-name - description: Name of the group. - flat_name: process.session_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.session_leader.user.hash: - dashed_name: process-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword process.session_leader.user.id: dashed_name: process-session-leader-user-id description: Unique identifier of the user. 
@@ -48412,100 +16263,6 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.session_leader.user.risk.calculated_level: - dashed_name: process-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.user.risk.calculated_score: - dashed_name: process-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.user.risk.calculated_score_norm: - dashed_name: process-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.session_leader.user.risk.static_level: - dashed_name: process-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.user.risk.static_score: - dashed_name: process-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.user.risk.static_score_norm: - dashed_name: process-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.user.roles: - dashed_name: process-session-leader-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.session_leader.vpid: dashed_name: process-session-leader-vpid description: 'Virtual process id. @@ -48548,19 +16305,6 @@ process: normalize: [] short: The time the process started. type: date - process.supplemental_groups.domain: - dashed_name: process-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword process.supplemental_groups.id: dashed_name: process-supplemental-groups-id description: Unique identifier for the group on the system/platform. 
@@ -48731,96 +16475,6 @@ process: stability: development short: Seconds the process has been up. type: long - process.user.domain: - dashed_name: process-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.user.email: - dashed_name: process-user-email - description: User email address. - flat_name: process.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.user.full_name: - dashed_name: process-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.user.group.domain: - dashed_name: process-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.user.group.id: - dashed_name: process-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.user.group.name: - dashed_name: process-user-group-name - description: Name of the group. - flat_name: process.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.user.hash: - dashed_name: process-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword process.user.id: dashed_name: process-user-id description: Unique identifier of the user. 
@@ -48855,100 +16509,6 @@ process: stability: development short: Short name or login of the user. type: keyword - process.user.risk.calculated_level: - dashed_name: process-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.user.risk.calculated_score: - dashed_name: process-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.user.risk.calculated_score_norm: - dashed_name: process-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.user.risk.static_level: - dashed_name: process-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.user.risk.static_score: - dashed_name: process-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.user.risk.static_score_norm: - dashed_name: process-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.user.roles: - dashed_name: process-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.vpid: dashed_name: process-vpid description: 'Virtual process id. 
@@ -50067,86 +17627,6 @@ server: original_fieldset: user short: Short name or login of the user. type: keyword - server.user.risk.calculated_level: - dashed_name: server-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: server.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - server.user.risk.calculated_score: - dashed_name: server-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: server.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - server.user.risk.calculated_score_norm: - dashed_name: server-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: server.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - server.user.risk.static_level: - dashed_name: server-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: server.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - server.user.risk.static_score: - dashed_name: server-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: server.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - server.user.risk.static_score_norm: - dashed_name: server-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: server.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -51565,86 +19045,6 @@ source: original_fieldset: user short: Short name or login of the user. type: keyword - source.user.risk.calculated_level: - dashed_name: source-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: source.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - source.user.risk.calculated_score: - dashed_name: source-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: source.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - source.user.risk.calculated_score_norm: - dashed_name: source-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: source.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - source.user.risk.static_level: - dashed_name: source-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: source.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - source.user.risk.static_score: - dashed_name: source-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: source.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - source.user.risk.static_score_norm: - dashed_name: source-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: source.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
@@ -58942,86 +26342,6 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword - user.changes.risk.calculated_level: - dashed_name: user-changes-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: user.changes.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - user.changes.risk.calculated_score: - dashed_name: user-changes-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.changes.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - user.changes.risk.calculated_score_norm: - dashed_name: user-changes-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: user.changes.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - user.changes.risk.static_level: - dashed_name: user-changes-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.changes.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - user.changes.risk.static_score: - dashed_name: user-changes-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.changes.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - user.changes.risk.static_score_norm: - dashed_name: user-changes-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.changes.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -59166,86 +26486,6 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword - user.effective.risk.calculated_level: - dashed_name: user-effective-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: user.effective.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - user.effective.risk.calculated_score: - dashed_name: user-effective-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.effective.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - user.effective.risk.calculated_score_norm: - dashed_name: user-effective-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: user.effective.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - user.effective.risk.static_level: - dashed_name: user-effective-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.effective.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - user.effective.risk.static_score: - dashed_name: user-effective-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.effective.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - user.effective.risk.static_score_norm: - dashed_name: user-effective-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.effective.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -59844,86 +27084,6 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword - user.target.risk.calculated_level: - dashed_name: user-target-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: user.target.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - user.target.risk.calculated_score: - dashed_name: user-target-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.target.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - user.target.risk.calculated_score_norm: - dashed_name: user-target-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: user.target.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - user.target.risk.static_level: - dashed_name: user-target-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.target.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - user.target.risk.static_score: - dashed_name: user-target-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.target.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - user.target.risk.static_score_norm: - dashed_name: user-target-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.target.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. diff --git a/generated/elasticsearch/composable/component/client.json b/generated/elasticsearch/composable/component/client.json index fc8c6b7fcb..08cadb7b8a 100644 --- a/generated/elasticsearch/composable/component/client.json +++ b/generated/elasticsearch/composable/component/client.json 
@@ -173,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/component/destination.json b/generated/elasticsearch/composable/component/destination.json index 9e69df2d3d..12d0c9d349 100644 --- a/generated/elasticsearch/composable/component/destination.json +++ b/generated/elasticsearch/composable/component/destination.json @@ -173,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 486956361a..a2b964c83c 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json 
@@ -15,105 +15,6 @@ "args_count": { "type": "long" }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, "code_signature": { "properties": { "digest_algorithm": { @@ -315,9 +216,6 @@ "end": { "type": "date" }, - "endpoint_security_client": { - "type": "boolean" - }, "entity_id": { "ignore_above": 1024, "type": "keyword" @@ -333,14 +231,6 @@ }, "attested_groups": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, "name": { "ignore_above": 1024, "type": "keyword" 
@@ -349,15 +239,11 @@ }, "attested_user": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "full_name": { + "name": { "fields": { "text": { "type": "match_only_text" 
@@ -365,407 +251,276 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "group": { + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "ip": { + "type": "ip" } } }, - "hash": { + "type": { "ignore_above": 1024, "type": "keyword" - }, + } + } + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" }, "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "risk": { + "pid": { + "type": "long" + }, + "session_leader": { "properties": { - "calculated_level": { + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" + "pid": { + "type": "long" }, - "static_score": { - "type": "float" + "start": { + "type": "date" }, - "static_score_norm": { - "type": "float" + "vpid": { + "type": "long" } } }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" + "start": { + "type": "date" + }, + "vpid": { + "type": "long" } } }, - "code_signature": { + "pid": { + "type": "long" + }, + "real_group": { "properties": { - 
"digest_algorithm": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "exists": { - "type": "boolean" - }, - "flags": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "signing_id": { + } + } + }, + "real_user": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "status": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "subject_name": { + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "team_id": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" } } }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { + "saved_user": { "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "cpu_type": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - 
"type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { + } + } + }, + "tty": { + "properties": { + "char_device": { "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { + "major": { "type": "long" }, - "virtual_size": { + "minor": { "type": "long" } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "telfhash": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" } } }, - "end": { - "type": "date" + "vpid": { + "type": "long" }, - "endpoint_security_client": { - "type": "boolean" + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + 
"fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "entity_id": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { "ignore_above": 1024, "type": "keyword" }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" } - } + }, + "type": "wildcard" }, - "env_vars": { + "entity_id": { "ignore_above": 1024, - "synthetic_source_keep": "none", "type": "keyword" }, "executable": { @@ -777,15 +532,35 @@ "ignore_above": 1024, "type": "keyword" }, - "exit_code": { - "type": "long" - }, "group": { "properties": { - "domain": { + "id": { "ignore_above": 1024, "type": "keyword" }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" 
@@ -796,136 +571,106 @@ } } }, - "hash": { + "real_user": { "properties": { - "cdhash": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "md5": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "sha1": { + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "sha256": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "sha384": { + } + } + }, + "saved_user": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "sha512": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "ssdeep": { + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "tlsh": { + "name": { "ignore_above": 1024, "type": "keyword" } } }, - "interactive": { - "type": "boolean" - }, - "io": { + "tty": { "properties": { - "bytes_skipped": { + "char_device": { "properties": { - "length": { + "major": { "type": "long" }, - "offset": { + "minor": { "type": "long" } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + } } }, "type": "object" }, - "macho": { + "user": { "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": 
"long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "name": { + "fields": { + "text": { + "type": "match_only_text" } }, - "type": "nested" - }, - "symhash": { "ignore_above": 1024, "type": "keyword" } } }, - "name": { + "vpid": { + "type": "long" + }, + "working_directory": { "fields": { "text": { "type": "match_only_text" 
@@ -933,2189 +678,508 @@ }, "ignore_above": 1024, "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" }, - "origin_referrer_url": { - "ignore_above": 8192, + "md5": { + "ignore_above": 1024, "type": "keyword" }, - "origin_url": { - "ignore_above": 8192, + "sha1": { + "ignore_above": 1024, "type": "keyword" }, - "parent": { + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { + "length": { "type": "long" }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 
1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + 
"type": "long" }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" }, - "elf": { + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + 
}, + "go_stripped": { + "type": "boolean" + }, + "header": { "properties": { - "architecture": { + "abi_version": { "ignore_above": 1024, "type": "keyword" }, - "byte_order": { + "class": { "ignore_above": 1024, "type": "keyword" }, - "cpu_type": { + "data": { "ignore_above": 1024, "type": "keyword" }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" + "entrypoint": { + "type": "long" }, - "go_import_hash": { + "object_version": { "ignore_above": 1024, "type": "keyword" }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { + "os_abi": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, 
- "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { + "type": { "ignore_above": 1024, "type": "keyword" }, - "telfhash": { + "version": { "ignore_above": 1024, "type": "keyword" } } }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { + "import_hash": { "ignore_above": 1024, "type": "keyword" }, - "entry_meta": { + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 
1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } + "chi2": { + "type": "long" }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { + "entropy": { + "type": "long" + }, + "flags": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { + "physical_offset": { "ignore_above": 1024, "type": "keyword" }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" + "physical_size": { + "type": "long" }, - "tlsh": { + "type": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { + "var_entropy": { 
"type": "long" }, - "total_bytes_skipped": { + "virtual_address": { "type": "long" }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "virtual_size": { + "type": "long" } }, - "type": "object" + "type": "nested" }, - "macho": { + "segments": { "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { + "sections": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { + "type": { "ignore_above": 1024, "type": "keyword" } - } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + 
}, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { "ignore_above": 1024, "type": "keyword" }, - "origin_referrer_url": { - "ignore_above": 8192, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, "type": "keyword" }, - "origin_url": { - "ignore_above": 8192, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, "type": "keyword" }, - "pe": { + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { + "entropy": { "type": "long" }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { + "name": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { + 
"physical_size": { "type": "long" }, - "imports_names_var_entropy": { + "var_entropy": { "type": "long" }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" + "virtual_size": { + "type": "long" } - } - }, - "pid": { - "type": "long" + }, + "type": "nested" }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - 
"command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, 
- "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - 
"registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - 
"type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } 
- } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - 
"roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "symhash": { "ignore_above": 1024, "type": "keyword" } } }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, "pe": { "properties": { "architecture": { @@ -3205,15 +1269,8 @@ "pid": { "type": "long" }, - "platform_binary": { - "type": "boolean" - }, "real_group": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" @@ -3226,44 +1283,7 @@ }, "real_user": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { + "id": { "ignore_above": 1024, "type": "keyword" }, 
@@ -3275,47 +1295,11 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, - "same_as_process": { - "type": "boolean" - }, "saved_group": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" @@ -3328,43 +1312,6 @@ }, "saved_user": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" @@ -3377,35 +1324,6 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, 
@@ -3414,10 +1332,6 @@ }, "supplemental_groups": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" @@ -3473,12 +1387,6 @@ "type": "long" } } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" } }, "type": "object" @@ -3488,43 +1396,6 @@ }, "user": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" @@ -3537,35 +1408,6 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, 
@@ -3583,165 +1425,174 @@ } } }, - "entry_meta": { + "pe": { "properties": { - "source": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { "properties": { - "address": { + "entropy": { + "type": "long" + }, + "name": { "ignore_above": 1024, "type": "keyword" }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { + "physical_size": { "type": "long" }, - "domain": { - "ignore_above": 1024, - "type": "keyword" + "var_entropy": { + "type": "long" }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { + "virtual_size": { "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" } - } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" }, - "type": { + "args_count": { + "type": "long" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" } } }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "ignore_above": 1024, - "type": "keyword" + } }, - "exit_code": { - "type": "long" + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } }, - "group": { + "saved_group": { "properties": { - "domain": { + "id": { "ignore_above": 1024, "type": "keyword" 
}, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" }, "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" } } }, - "group_leader": { + "session_leader": { "properties": { "args": { "ignore_above": 1024, 
@@ -3750,8763 +1601,90 @@ "args_count": { "type": "long" }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "command_line": { + "fields": { + "text": { + "type": "match_only_text" } - } + }, + "type": "wildcard" }, - "attested_user": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" }, "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { "ignore_above": 1024, - "synthetic_source_keep": "none", "type": "keyword" } } }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } + "interactive": { + "type": "boolean" }, - "command_line": { + "name": { "fields": { "text": { "type": "match_only_text" } }, - "type": "wildcard" + "ignore_above": 1024, + "type": "keyword" }, - "elf": { + "parent": { "properties": { - "architecture": { + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - 
"imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - 
"name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - 
"bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - 
"go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - 
"risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - 
"type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - 
"static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" 
- }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": 
{ - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": 
{ - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - 
"properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - 
"go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, 
- "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - 
"properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" 
- }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": 
"long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - 
"length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, 
- "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - 
"properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "responsible": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - 
"attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": 
"keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { 
- "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - 
"go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - 
} - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - 
"synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - 
"type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - 
"type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": 
"flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { 
- "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - 
"object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - 
}, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { 
- "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 
1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } + "pid": { + "type": "long" }, "session_leader": { "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": 
"keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - 
} - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, "pid": { "type": "long" }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": 
"match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - 
"synthetic_source_keep": "none", - "type": "keyword" - } - } - }, "start": { "type": "date" }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - 
"type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { + "vpid": { "type": "long" } - }, - "type": "nested" + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" } } }, "pid": { "type": "long" }, - "platform_binary": { - "type": "boolean" - }, "real_group": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" @@ -12519,43 +1697,6 @@ }, "real_user": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" @@ -12568,35 +1709,6 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, @@ -12605,10 +1717,6 @@ }, "saved_group": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -12621,43 +1729,6 @@ }, "saved_user": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" @@ -12670,35 +1741,6 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, @@ -12707,10 +1749,6 @@ }, "supplemental_groups": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" @@ -12721,40 +1759,6 @@ } } }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, "tty": { "properties": { "char_device": { 
@@ -12766,58 +1770,12 @@ "type": "long" } } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" } }, "type": "object" }, - "uptime": { - "type": "long" - }, "user": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" @@ -12830,35 +1788,6 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, @@ -12881,10 +1810,6 @@ }, "supplemental_groups": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -12955,43 +1880,6 @@ }, "user": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" @@ -13004,35 +1892,6 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, diff --git a/generated/elasticsearch/composable/component/server.json b/generated/elasticsearch/composable/component/server.json index 3fca2eed3c..76d7be670f 100644 --- a/generated/elasticsearch/composable/component/server.json +++ b/generated/elasticsearch/composable/component/server.json @@ -173,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
diff --git a/generated/elasticsearch/composable/component/source.json b/generated/elasticsearch/composable/component/source.json index a90539a3d1..fbdd349235 100644 --- a/generated/elasticsearch/composable/component/source.json +++ b/generated/elasticsearch/composable/component/source.json @@ -173,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index 690c665b64..affa8f0284 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json @@ -60,30 +60,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -147,30 +123,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", @@ -367,30 +319,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index 4c647d2914..ce90e997d0 100644 --- a/generated/elasticsearch/composable/template.json +++ b/generated/elasticsearch/composable/template.json 
@@ -4,47 +4,47 @@ "ecs_version": "9.3.0-dev" }, "composed_of": [ - "ecs_9.2.0-dev_agent", - "ecs_9.2.0-dev_base", - "ecs_9.2.0-dev_client", - "ecs_9.2.0-dev_cloud", - "ecs_9.2.0-dev_container", - "ecs_9.2.0-dev_data_stream", - "ecs_9.2.0-dev_destination", - "ecs_9.2.0-dev_device", - "ecs_9.2.0-dev_dll", - "ecs_9.2.0-dev_dns", - "ecs_9.2.0-dev_ecs", - "ecs_9.2.0-dev_email", - "ecs_9.2.0-dev_error", - "ecs_9.2.0-dev_event", - "ecs_9.2.0-dev_faas", - "ecs_9.2.0-dev_file", - "ecs_9.2.0-dev_gen_ai", - "ecs_9.2.0-dev_group", - "ecs_9.2.0-dev_host", - "ecs_9.2.0-dev_http", - "ecs_9.2.0-dev_log", - "ecs_9.2.0-dev_network", - "ecs_9.2.0-dev_observer", - "ecs_9.2.0-dev_orchestrator", - "ecs_9.2.0-dev_organization", - "ecs_9.2.0-dev_package", - "ecs_9.2.0-dev_process", - "ecs_9.2.0-dev_registry", - "ecs_9.2.0-dev_related", - "ecs_9.2.0-dev_rule", - "ecs_9.2.0-dev_server", - "ecs_9.2.0-dev_service", - "ecs_9.2.0-dev_source", - "ecs_9.2.0-dev_threat", - "ecs_9.2.0-dev_tls", - "ecs_9.2.0-dev_tracing", - "ecs_9.2.0-dev_url", - "ecs_9.2.0-dev_user", - "ecs_9.2.0-dev_user_agent", - "ecs_9.2.0-dev_volume", - "ecs_9.2.0-dev_vulnerability" + "ecs_9.3.0-dev_base", + "ecs_9.3.0-dev_agent", + "ecs_9.3.0-dev_client", + "ecs_9.3.0-dev_cloud", + "ecs_9.3.0-dev_container", + "ecs_9.3.0-dev_data_stream", + "ecs_9.3.0-dev_destination", + "ecs_9.3.0-dev_device", + "ecs_9.3.0-dev_dll", + "ecs_9.3.0-dev_dns", + "ecs_9.3.0-dev_ecs", + "ecs_9.3.0-dev_email", + "ecs_9.3.0-dev_error", + "ecs_9.3.0-dev_event", + "ecs_9.3.0-dev_faas", + "ecs_9.3.0-dev_file", + "ecs_9.3.0-dev_gen_ai", + "ecs_9.3.0-dev_group", + "ecs_9.3.0-dev_host", + "ecs_9.3.0-dev_http", + "ecs_9.3.0-dev_log", + "ecs_9.3.0-dev_network", + "ecs_9.3.0-dev_observer", + "ecs_9.3.0-dev_orchestrator", + "ecs_9.3.0-dev_organization", + "ecs_9.3.0-dev_package", + "ecs_9.3.0-dev_process", + "ecs_9.3.0-dev_registry", + "ecs_9.3.0-dev_related", + "ecs_9.3.0-dev_rule", + "ecs_9.3.0-dev_server", + "ecs_9.3.0-dev_service", + "ecs_9.3.0-dev_source", 
+ "ecs_9.3.0-dev_threat", + "ecs_9.3.0-dev_tls", + "ecs_9.3.0-dev_tracing", + "ecs_9.3.0-dev_url", + "ecs_9.3.0-dev_user_agent", + "ecs_9.3.0-dev_user", + "ecs_9.3.0-dev_volume", + "ecs_9.3.0-dev_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 2d4bf5a244..cb2dbd54ed 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -221,30 +221,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", @@ -799,30 +775,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -3095,105 +3047,6 @@ "args_count": { "type": "long" }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, "code_signature": { "properties": { "digest_algorithm": { @@ -3395,9 +3248,6 @@ "end": { "type": "date" }, - "endpoint_security_client": { - "type": "boolean" - }, "entity_id": { "ignore_above": 1024, "type": "keyword" @@ -3413,14 +3263,6 @@ }, "attested_groups": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, "name": { "ignore_above": 1024, "type": "keyword" 
@@ -3429,15 +3271,11 @@ }, "attested_user": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "full_name": { + "name": { "fields": { "text": { "type": "match_only_text" 
@@ -3445,410 +3283,303 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "group": { + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "ip": { + "type": "ip" } } }, - "hash": { + "type": { "ignore_above": 1024, "type": "keyword" - }, + } + } + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" }, "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, "ignore_above": 1024, "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" }, - "risk": { + "session_leader": { "properties": { - "calculated_level": { + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" + "pid": { + "type": "long" }, - "static_score": { - "type": "float" + "start": { + "type": "date" }, - "static_score_norm": { - "type": "float" + "vpid": { + "type": "long" } } }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" + "start": { + "type": "date" + }, + "vpid": { + "type": "long" } } }, - "code_signature": { + "pid": { + "type": "long" + }, + "real_group": { "properties": { - 
"digest_algorithm": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "exists": { - "type": "boolean" - }, - "flags": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "signing_id": { + } + } + }, + "real_user": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "status": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "subject_name": { + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "team_id": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" } } }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { + "saved_user": { "properties": { - "architecture": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "byte_order": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "cpu_type": { + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { + } + } + }, + "tty": { + "properties": { + "char_device": { "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { + "major": { "type": "long" }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "minor": { + "type": "long" } } - }, - "import_hash": { + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "name": { + "fields": { + "text": { + "type": "match_only_text" } }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { "ignore_above": 1024, "type": "keyword" } } }, - "end": { - "type": "date" + "vpid": { + "type": "long" }, - "endpoint_security_client": { - "type": "boolean" + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + 
"fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" }, "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - 
"port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "type": { + "name": { "ignore_above": 1024, "type": "keyword" } } }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" + "interactive": { + "type": "boolean" }, - "executable": { + "name": { "fields": { "text": { "type": "match_only_text" @@ -3857,15 +3588,11 @@ "ignore_above": 1024, "type": "keyword" }, - "exit_code": { + "pid": { "type": "long" }, - "group": { + "real_group": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -3876,136 +3603,106 @@ } } }, - "hash": { + "real_user": { "properties": { - "cdhash": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "md5": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "sha1": { + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "sha256": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "sha384": { + } + } + }, + "saved_user": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "sha512": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "ssdeep": { + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "tlsh": { + "name": { "ignore_above": 1024, "type": "keyword" } } }, - "interactive": { - "type": "boolean" - }, - "io": { + "tty": { "properties": { - "bytes_skipped": { + "char_device": { "properties": { - "length": { + "major": { "type": "long" }, - "offset": { + "minor": { "type": "long" } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + } } }, "type": "object" }, - "macho": { + "user": { "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": 
"long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "name": { + "fields": { + "text": { + "type": "match_only_text" } }, - "type": "nested" - }, - "symhash": { "ignore_above": 1024, "type": "keyword" } } }, - "name": { + "vpid": { + "type": "long" + }, + "working_directory": { "fields": { "text": { "type": "match_only_text" 
@@ -4013,617 +3710,614 @@ }, "ignore_above": 1024, "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "parent": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": 
"long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { "properties": { - "args": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { "ignore_above": 1024, "type": "keyword" }, - "args_count": { + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { "type": "long" }, - "attested_groups": { + "go_stripped": { + "type": "boolean" + }, + "header": { "properties": { - "domain": { + "abi_version": { "ignore_above": 1024, "type": "keyword" }, - "id": { + "class": { "ignore_above": 1024, "type": "keyword" }, - 
"name": { + "data": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { + }, + "entrypoint": { + "type": "long" + }, + "object_version": { "ignore_above": 1024, "type": "keyword" }, - "email": { + "os_abi": { "ignore_above": 1024, "type": "keyword" }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "type": { "ignore_above": 1024, "type": "keyword" }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { + "version": { "ignore_above": 1024, - "synthetic_source_keep": "none", "type": "keyword" } } }, - "code_signature": { + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" + "chi2": { + "type": "long" }, - "exists": { - "type": "boolean" + "entropy": { + "type": "long" }, "flags": { "ignore_above": 1024, "type": "keyword" }, - "signing_id": { + "name": { "ignore_above": 1024, "type": "keyword" }, - "status": { + "physical_offset": { 
"ignore_above": 1024, "type": "keyword" }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" + "physical_size": { + "type": "long" }, - "team_id": { + "type": { "ignore_above": 1024, "type": "keyword" }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" + "var_entropy": { + "type": "long" }, - "trusted": { - "type": "boolean" + "virtual_address": { + "type": "long" }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" + "virtual_size": { + "type": "long" } }, - "type": "wildcard" + "type": "nested" }, - "elf": { + "segments": { "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, 
"sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { "ignore_above": 1024, "type": "keyword" }, - "telfhash": { + "type": { "ignore_above": 1024, "type": "keyword" } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" + }, + "type": "nested" }, - "entity_id": { + "shared_libraries": { "ignore_above": 1024, "type": "keyword" }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "env_vars": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { "ignore_above": 1024, - "synthetic_source_keep": "none", "type": "keyword" }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { "ignore_above": 1024, "type": "keyword" }, - "exit_code": { + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { "type": "long" }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } + "go_imports_names_var_entropy": { + "type": "long" }, - "hash": { + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" + "entropy": { + "type": "long" }, - "sha384": { + "name": { "ignore_above": 1024, "type": "keyword" }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" + "physical_size": { + "type": "long" }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" + "var_entropy": { + "type": "long" }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" + "virtual_size": { + "type": "long" } - } - }, - "interactive": { - "type": "boolean" + }, + "type": "nested" }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": 
{ - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" }, - "macho": { + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { + "entropy": { "type": "long" }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { + "name": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { + "physical_size": { "type": 
"long" }, - "imports_names_var_entropy": { + "var_entropy": { "type": "long" }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" + "virtual_size": { + "type": "long" } - } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, "name": { "fields": { 
@@ -4633,10733 +4327,112 @@ }, "ignore_above": 1024, "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "origin_referrer_url": { - "ignore_above": 8192, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, "type": "keyword" }, - "origin_url": { - "ignore_above": 8192, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, "type": "keyword" }, - "pe": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { "properties": { - "architecture": { + "effective": { "ignore_above": 1024, + "synthetic_source_keep": "none", "type": "keyword" }, - "company": { + "permitted": { "ignore_above": 1024, + "synthetic_source_keep": "none", "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - 
"imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": 
{ - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": 
"keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": 
"match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - 
"type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - 
"entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - 
}, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - 
"type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 
1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - 
"synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { 
- "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - 
}, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - 
}, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" 
- } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - 
"synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - 
}, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": 
"long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - 
"type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - 
"type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": 
"keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, 
- "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": 
"match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - 
}, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - 
"properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - 
"properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 
1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - 
"properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { 
- "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": 
{ - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": 
{ - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - 
"endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": 
"keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - 
"entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - 
"type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - 
"ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": 
"object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": 
{ - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "responsible": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - 
"ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - 
}, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - 
"properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - 
"type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - 
"fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - 
"type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - 
} - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": 
{ - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 
1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": 
{ - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - 
}, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - 
"valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - 
"type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - 
}, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, 
- "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 
1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - 
} - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" 
- } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - 
"synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - 
}, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": 
"long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - 
"type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - 
"type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": 
"none", - "type": "keyword" - } - } - }, - "id": { + "minor": { "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" } } + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "title": { + "name": { "fields": { "text": { "type": "match_only_text" 
@@ -15367,226 +4440,222 @@ }, "ignore_above": 1024, "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" + "name": { + "ignore_above": 1024, + "type": "keyword" }, - "uptime": { + "physical_size": { "type": "long" }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - 
"type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { + "var_entropy": { "type": "long" }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" } - } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" } - } + }, + "type": "wildcard" }, - "pid": { - "type": "long" + "entity_id": { + "ignore_above": 1024, + "type": "keyword" }, - 
"platform_binary": { - "type": "boolean" + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" }, - "real_group": { + "group": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -15597,98 +4666,57 @@ } } }, - "real_user": { + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" + "pid": { + "type": "long" }, - "risk": { + "session_leader": { "properties": { - "calculated_level": { + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" + "pid": { + "type": "long" }, - "static_score": { - "type": "float" + "start": { + "type": "date" }, - "static_score_norm": { - "type": "float" + "vpid": { + "type": "long" } } }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" + "start": { + "type": "date" + }, + "vpid": { + "type": "long" } } }, - "same_as_process": { - "type": "boolean" + "pid": { + "type": "long" }, - "saved_group": { + "real_group": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -15699,45 +4727,8 @@ } } }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, + "real_user": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" 
@@ -15750,75 +4741,49 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, - "start": { - "type": "date" + "same_as_process": { + "type": "boolean" }, - "supplemental_groups": { + "saved_group": { "properties": { - "domain": { + "id": { "ignore_above": 1024, "type": "keyword" }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" }, "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" } } }, - "thread": { + "start": { + "type": "date" + }, + "supplemental_groups": { "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, "id": { - "type": "long" + "ignore_above": 1024, + "type": "keyword" }, "name": { "ignore_above": 1024, @@ -15826,15 +4791,6 @@ } } }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, "tty": { "properties": { "char_device": { 
@@ -15846,58 +4802,12 @@ "type": "long" } } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" } }, "type": "object" }, - "uptime": { - "type": "long" - }, "user": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" @@ -15910,35 +4820,6 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, @@ -15961,10 +4842,6 @@ }, "supplemental_groups": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -16035,43 +4912,6 @@ }, "user": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" @@ -16084,35 +4924,6 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, @@ -16399,30 +5210,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -16820,30 +5607,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", @@ -19253,30 +8016,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", @@ -19340,30 +8079,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -19560,30 +8275,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", From 9b1cc754bc8c9ae30c1f7abecb37b83dbb73548a Mon Sep 17 00:00:00 2001 From: susan Date: Thu, 2 Oct 2025 12:14:08 -0400 Subject: [PATCH 05/20] Checkout files from main --- docs/reference/ecs-otel-alignment-details.md | 10 +++++----- docs/reference/ecs-otel-alignment-overview.md | 2 +- docs/reference/ecs-process.md | 6 ------ 3 files changed, 6 insertions(+), 12 deletions(-) diff --git a/docs/reference/ecs-otel-alignment-details.md b/docs/reference/ecs-otel-alignment-details.md index 910be29ea5..579643a85d 100644 --- a/docs/reference/ecs-otel-alignment-details.md +++ b/docs/reference/ecs-otel-alignment-details.md 
@@ -158,16 +158,16 @@ The following table gives an overview of mappings between individual ECS fields | $$$otel-mapping-for-process-args-count$$$ [process.args_count](/reference/ecs-process.md#field-process-args-count) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.args_count](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-args-count) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-command-line$$$ [process.command_line](/reference/ecs-process.md#field-process-command-line) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.command_line](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-command-line) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-executable$$$ [process.executable](/reference/ecs-process.md#field-process-executable) | [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.executable.path](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-executable-path) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-process-user-id$$$ process.user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-process-saved-user-id$$$ process.saved_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | 
[process.saved_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-real-user-id$$$ process.real_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.real_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-real-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-process-saved-user-id$$$ process.saved_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-process-user-id$$$ process.user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-interactive$$$ [process.interactive](/reference/ecs-process.md#field-process-interactive) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.interactive](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-interactive) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-process-user-name$$$ process.user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | 
[process.user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-process-saved-user-name$$$ process.saved_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-real-user-name$$$ process.real_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.real_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-real-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-process-saved-user-name$$$ process.saved_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-process-user-name$$$ process.user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-process-group-leader-pid$$$ process.group_leader.pid | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | 
[process.group_leader.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-group-leader-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-pid$$$ [process.pid](/reference/ecs-process.md#field-process-pid) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-session-leader-pid$$$ process.session_leader.pid | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.session_leader.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-session-leader-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-process-group-leader-pid$$$ process.group_leader.pid | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.group_leader.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-group-leader-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-title$$$ [process.title](/reference/ecs-process.md#field-process-title) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.title](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-title) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-uptime$$$ [process.uptime](/reference/ecs-process.md#field-process-uptime) | 
[![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.uptime](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.process.uptime+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-vpid$$$ [process.vpid](/reference/ecs-process.md#field-process-vpid) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.vpid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-vpid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | diff --git a/docs/reference/ecs-otel-alignment-overview.md b/docs/reference/ecs-otel-alignment-overview.md index 4668c4ad8e..886c26b816 100644 --- a/docs/reference/ecs-otel-alignment-overview.md +++ b/docs/reference/ecs-otel-alignment-overview.md @@ -85,7 +85,7 @@ The following table summarizes the alignment status by namespaces between ECS in | Package | [13](/reference/ecs-package.md) | · | · | · | · | · | · | · | · | | PE Header | [23](/reference/ecs-pe.md) | · | · | · | · | · | · | · | · | | Peer | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/peer) | · | · | · | · | · | · | | -| Process | [40](/reference/ecs-process.md) | [34](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process) | 15 | 2 | · | · | 1 | · | · | +| Process | [34](/reference/ecs-process.md) | [34](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process) | 15 | 2 | · | · | 1 | · | · | | Profile Frame | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/profile) | · | · | · | · | · | · | | | Registry | [7](/reference/ecs-registry.md) | · | · | · | · | · | · | · | · | | Related | [4](/reference/ecs-related.md) | · | · | · | · | · | · | · | 4 | 
diff --git a/docs/reference/ecs-process.md b/docs/reference/ecs-process.md index 8438ca3433..1fc7c77613 100644 --- a/docs/reference/ecs-process.md +++ b/docs/reference/ecs-process.md @@ -21,9 +21,7 @@ These fields can help you correlate metrics information with a process id/name f | $$$field-process-args-count$$$ [process.args_count](#field-process-args-count) | Length of the process.args array.

This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.

type: long

example: `4`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.args_count](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-args-count) | extended | | $$$field-process-command-line$$$ [process.command_line](#field-process-command-line) | Full command line that started the process, including the absolute path to the executable, and all arguments.

Some arguments may be filtered to protect sensitive information.

type: wildcard

Multi-fields:

* process.command_line.text (type: match_only_text)

example: `/usr/bin/ssh -l user 10.0.0.16`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.command_line](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-command-line) | extended | | $$$field-process-end$$$ [process.end](#field-process-end) | The time the process ended.

type: date

example: `2016-05-23T08:05:34.853Z` | extended | -| $$$field-process-endpoint-security-client$$$ [process.endpoint_security_client](#field-process-endpoint-security-client) | _This field is beta and subject to change._ Processes that have an endpoint security client must have the com.apple.endpointsecurity entitlement and the value is set to true in the message.

type: boolean | extended | | $$$field-process-entity-id$$$ [process.entity_id](#field-process-entity-id) | Unique identifier for the process.

The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.

Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.

type: keyword

example: `c2c455d9f99375d` | extended | -| $$$field-process-entry-meta-type$$$ [process.entry_meta.type](#field-process-entry-meta-type) | The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console

Note: This field is only set on process.session_leader.

type: keyword | extended | | $$$field-process-env-vars$$$ [process.env_vars](#field-process-env-vars) | Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution.

May be filtered to protect sensitive information.

type: keyword

Note: This field should contain an array of values.

example: `["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]` | extended | | $$$field-process-executable$$$ [process.executable](#field-process-executable) | Absolute path to the process executable.

type: keyword

Multi-fields:

* process.executable.text (type: match_only_text)

example: `/usr/bin/ssh`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.executable.path](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-executable-path) | extended | | $$$field-process-exit-code$$$ [process.exit_code](#field-process-exit-code) | The exit code of the process, if this is a termination event.

The field should be absent if there is no exit code for the event (e.g. process start).

type: long

example: `137` | extended | @@ -38,11 +36,7 @@ These fields can help you correlate metrics information with a process id/name f | $$$field-process-io-total-bytes-skipped$$$ [process.io.total_bytes_skipped](#field-process-io-total-bytes-skipped) | The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero

type: long | extended | | $$$field-process-io-type$$$ [process.io.type](#field-process-io-type) | The type of object on which the IO action (read or write) was taken.

Currently only 'tty' is supported. Other types may be added in the future for 'file' and 'socket' support.

type: keyword | extended | | $$$field-process-name$$$ [process.name](#field-process-name) | Process name.

Sometimes called program name or similar.

type: keyword

Multi-fields:

* process.name.text (type: match_only_text)

example: `ssh` | extended | -| $$$field-process-origin-referrer-url$$$ [process.origin_referrer_url](#field-process-origin-referrer-url) | _This field is beta and subject to change._ The URL of the webpage that linked to the process's executable file.

type: keyword

example: `http://example.com/article1.html` | extended | -| $$$field-process-origin-url$$$ [process.origin_url](#field-process-origin-url) | _This field is beta and subject to change._ The URL where the process's executable file is hosted.

type: keyword

example: `http://example.com/files/example.exe` | extended | | $$$field-process-pid$$$ [process.pid](#field-process-pid) | Process id.

type: long

example: `4242`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-pid) | core | -| $$$field-process-platform-binary$$$ [process.platform_binary](#field-process-platform-binary) | _This field is beta and subject to change._ Binaries that are shipped by the operating system are defined as platform binaries, this value is then set to true.

type: boolean | extended | -| $$$field-process-same-as-process$$$ [process.same_as_process](#field-process-same-as-process) | This boolean is used to identify if a leader process is the same as the top level process.

For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`.

This field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader)

Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true`

Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.

type: boolean

example: `True` | extended | | $$$field-process-start$$$ [process.start](#field-process-start) | The time the process started.

type: date

example: `2016-05-23T08:05:34.853Z` | extended | | $$$field-process-thread-capabilities-effective$$$ [process.thread.capabilities.effective](#field-process-thread-capabilities-effective) | This is the set of capabilities used by the kernel to perform permission checks for the thread.

type: keyword

Note: This field should contain an array of values.

example: `["CAP_BPF", "CAP_SYS_ADMIN"]` | extended | | $$$field-process-thread-capabilities-permitted$$$ [process.thread.capabilities.permitted](#field-process-thread-capabilities-permitted) | This is a limiting superset for the effective capabilities that the thread may assume.

type: keyword

Note: This field should contain an array of values.

example: `["CAP_BPF", "CAP_SYS_ADMIN"]` | extended | From 7ef579f8fb8299c007b9018eda80df08ae343a7a Mon Sep 17 00:00:00 2001 From: susan Date: Thu, 2 Oct 2025 12:19:02 -0400 Subject: [PATCH 06/20] Fix typo --- rfcs/text/0052/gen_ai.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rfcs/text/0052/gen_ai.yaml b/rfcs/text/0052/gen_ai.yaml index 0baaa5218d..95139ffb07 100644 --- a/rfcs/text/0052/gen_ai.yaml +++ b/rfcs/text/0052/gen_ai.yaml @@ -41,7 +41,7 @@ beta: This field reuse is beta and subject to change. otel: - relation: match - - name: tool.call.results + - name: tool.call.result type: flattened description: The result returned by the tool call (if any and if execution was successful). example: TODO From 22cdf785808e3c955eb1cf92c3fe0da0be55fd43 Mon Sep 17 00:00:00 2001 From: susan Date: Thu, 2 Oct 2025 12:32:56 -0400 Subject: [PATCH 07/20] Update generated docs --- docs/reference/ecs-entity.md | 7 +- docs/reference/ecs-field-reference.md | 1 + docs/reference/ecs-otel-alignment-details.md | 10 +- docs/reference/ecs-otel-alignment-overview.md | 3 +- docs/reference/ecs-process.md | 6 + generated/beats/fields.ecs.yml | 36833 +++++++++-- generated/csv/fields.csv | 3560 ++ generated/ecs/ecs_flat.yml | 52620 ++++++++++++++- generated/ecs/ecs_nested.yml | 53042 +++++++++++++++- .../composable/component/client.json | 86 + .../composable/component/cloud.json | 124 + .../composable/component/destination.json | 86 + .../composable/component/process.json | 16339 ++++- .../composable/component/server.json | 86 + .../composable/component/service.json | 124 + .../composable/component/source.json | 86 + .../composable/component/user.json | 258 + .../elasticsearch/composable/template.json | 5 +- generated/elasticsearch/legacy/template.json | 17567 ++++- 19 files changed, 168435 insertions(+), 12408 deletions(-) diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md index 867fbbf47c..1cbe67b082 100644 --- a/docs/reference/ecs-entity.md 
+++ b/docs/reference/ecs-entity.md @@ -17,16 +17,17 @@ The entity fields provide a standardized way to represent and categorize differe | --- | --- | --- | | $$$field-entity-attributes$$$ [entity.attributes](#field-entity-attributes) | _This field is beta and subject to change._ A set of static or semi-static attributes of the entity. Usually boolean or keyword field data types. Use this field set when you need to track static or semi-static characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | | $$$field-entity-behavior$$$ [entity.behavior](#field-entity-behavior) | _This field is beta and subject to change._ A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period. Usually boolean field data type. Use this field set when you need to capture and track ephemeral characteristics of an entity for advanced searching, correlation of normalized values across different providers/sources and entity types.

type: object | extended | -| $$$field-entity-display_name$$$ [entity.display_name](#field-entity-display_name) | _This field is beta and subject to change._ An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).

type: keyword

Multi-fields:

* entity.display_name.text (type: text) | extended | +| $$$field-entity-display-name$$$ [entity.display_name](#field-entity-display-name) | _This field is beta and subject to change._ An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).

type: keyword

Multi-fields:

* entity.display_name.text (type: text) | extended | | $$$field-entity-id$$$ [entity.id](#field-entity-id) | A unique identifier for the entity. When multiple identifiers exist, this should be the most stable and commonly used identifier that: 1) persists across the entity's lifecycle, 2) ensures uniqueness within its scope, 3) is commonly used for queries and correlation, and 4) is readily available in most observations (logs/events). For entities with dedicated field sets (e.g., host, user), this value should match the corresponding *.id field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.

type: keyword | core | -| $$$field-entity-last_seen_timestamp$$$ [entity.last_seen_timestamp](#field-entity-last_seen_timestamp) | _This field is beta and subject to change._ Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity.

type: date | extended | +| $$$field-entity-last-seen-timestamp$$$ [entity.last_seen_timestamp](#field-entity-last-seen-timestamp) | _This field is beta and subject to change._ Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity.

type: date | extended | | $$$field-entity-lifecycle$$$ [entity.lifecycle](#field-entity-lifecycle) | _This field is beta and subject to change._ A set of temporal characteristics of the entity. Usually date field data type. Use this field set when you need to track temporal characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | | $$$field-entity-metrics$$$ [entity.metrics](#field-entity-metrics) | _This field is beta and subject to change._ Field set for any fields containing numeric entity metrics. These use dynamic field data type mapping.

type: object | extended |
 | $$$field-entity-name$$$ [entity.name](#field-entity-name) | _This field is beta and subject to change._ The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value.

type: keyword

Multi-fields:

* entity.name.text (type: text) | core |
 | $$$field-entity-raw$$$ [entity.raw](#field-entity-raw) | _This field is beta and subject to change._ Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities.

type: object | extended |
 | $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.

type: keyword | extended |
 | $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).

type: keyword | core |
-| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc.

type: keyword

example: `host` | core |
+| $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.

type: keyword

example: `aws_s3_bucket` | extended |
+| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core |
 ## Field reuse [_field_reuse]
diff --git a/docs/reference/ecs-field-reference.md
index af78a1b854..e7422a011a 100644
--- a/docs/reference/ecs-field-reference.md
+++ b/docs/reference/ecs-field-reference.md
@@ -38,6 +38,7 @@ For a single page representation of all fields, please see the [generated CSV of
 | [ECS](/reference/ecs-ecs.md) | Meta-information specific to ECS. |
 | [ELF Header](/reference/ecs-elf.md) | These fields contain Linux Executable Linkable Format (ELF) metadata. |
 | [Email](/reference/ecs-email.md) | Describes an email transaction. |
+| [Entity](/reference/ecs-entity.md) | Fields to describe various types of entities across IT environments. |
 | [Error](/reference/ecs-error.md) | Fields about errors of any kind. |
 | [Event](/reference/ecs-event.md) | Fields breaking down the event details. |
 | [FaaS](/reference/ecs-faas.md) | Fields describing functions as a service. |
diff --git a/docs/reference/ecs-otel-alignment-details.md
index 579643a85d..910be29ea5 100644
--- a/docs/reference/ecs-otel-alignment-details.md
+++ b/docs/reference/ecs-otel-alignment-details.md
@@ -158,16 +158,16 @@ The following table gives an overview of mappings between individual ECS fields
 | $$$otel-mapping-for-process-args-count$$$ [process.args_count](/reference/ecs-process.md#field-process-args-count) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.args_count](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-args-count) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-process-command-line$$$ [process.command_line](/reference/ecs-process.md#field-process-command-line) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.command_line](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-command-line) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-process-executable$$$ [process.executable](/reference/ecs-process.md#field-process-executable) | [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.executable.path](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-executable-path) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
-| $$$otel-mapping-for-process-real-user-id$$$ process.real_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.real_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-real-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
-| $$$otel-mapping-for-process-saved-user-id$$$ process.saved_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) 
| [process.saved_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-process-user-id$$$ process.user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
+| $$$otel-mapping-for-process-saved-user-id$$$ process.saved_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
+| $$$otel-mapping-for-process-real-user-id$$$ process.real_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.real_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-real-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-process-interactive$$$ [process.interactive](/reference/ecs-process.md#field-process-interactive) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.interactive](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-interactive) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
-| $$$otel-mapping-for-process-real-user-name$$$ process.real_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | 
[process.real_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-real-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
-| $$$otel-mapping-for-process-saved-user-name$$$ process.saved_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-process-user-name$$$ process.user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
-| $$$otel-mapping-for-process-group-leader-pid$$$ process.group_leader.pid | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.group_leader.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-group-leader-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
+| $$$otel-mapping-for-process-saved-user-name$$$ process.saved_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
+| $$$otel-mapping-for-process-real-user-name$$$ process.real_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | 
[process.real_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-real-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-process-pid$$$ [process.pid](/reference/ecs-process.md#field-process-pid) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-process-session-leader-pid$$$ process.session_leader.pid | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.session_leader.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-session-leader-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
+| $$$otel-mapping-for-process-group-leader-pid$$$ process.group_leader.pid | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.group_leader.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-group-leader-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-process-title$$$ [process.title](/reference/ecs-process.md#field-process-title) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.title](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-title) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-process-uptime$$$ [process.uptime](/reference/ecs-process.md#field-process-uptime) | 
[![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.uptime](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.process.uptime+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
 | $$$otel-mapping-for-process-vpid$$$ [process.vpid](/reference/ecs-process.md#field-process-vpid) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.vpid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-vpid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
diff --git a/docs/reference/ecs-otel-alignment-overview.md
index 886c26b816..0343832935 100644
--- a/docs/reference/ecs-otel-alignment-overview.md
+++ b/docs/reference/ecs-otel-alignment-overview.md
@@ -48,6 +48,7 @@ The following table summarizes the alignment status by namespaces between ECS in
 | ELF Header | [38](/reference/ecs-elf.md) | · | · | · | · | · | · | · | · |
 | Email | [19](/reference/ecs-email.md) | · | · | · | · | · | · | · | · |
 | End User | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/enduser) | · | · | · | · | · | · | |
+| Entity | [13](/reference/ecs-entity.md) | · | · | · | · | · | · | · | · |
 | Error | [5](/reference/ecs-error.md) | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/error) | 1 | 2 | · | · | · | · | · |
 | Event | [26](/reference/ecs-event.md) | · | · | · | · | · | · | · | · |
 | Exception | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/exception) | · | · | · | · | · | · | |
@@ -85,7 +86,7 @@ The following table summarizes the alignment status by namespaces between ECS in
 | Package | [13](/reference/ecs-package.md) | · | · | · | · | · | · | · | · |
 | PE Header | [23](/reference/ecs-pe.md) | · | · | · | · | · | · | · | · |
 | Peer | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/peer) | · | · | · | · | · | · | |
-| Process | [34](/reference/ecs-process.md) | [34](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process) | 15 | 2 | · | · | 1 | · | · |
+| Process | [40](/reference/ecs-process.md) | [34](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process) | 15 | 2 | · | · | 1 | · | · |
 | Profile Frame | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/profile) | · | · | · | · | · | · | |
 | Registry | [7](/reference/ecs-registry.md) | · | · | · | · | · | · | · | · |
 | Related | [4](/reference/ecs-related.md) | · | · | · | · | · | · | · | 4 |
diff --git a/docs/reference/ecs-process.md
index 1fc7c77613..8438ca3433 100644
--- a/docs/reference/ecs-process.md
+++ b/docs/reference/ecs-process.md
@@ -21,7 +21,9 @@ These fields can help you correlate metrics information with a process id/name f
 | $$$field-process-args-count$$$ [process.args_count](#field-process-args-count) | Length of the process.args array.

This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.

type: long

example: `4`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.args_count](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-args-count) | extended |
 | $$$field-process-command-line$$$ [process.command_line](#field-process-command-line) | Full command line that started the process, including the absolute path to the executable, and all arguments.

Some arguments may be filtered to protect sensitive information.

type: wildcard

Multi-fields:

* process.command_line.text (type: match_only_text)

example: `/usr/bin/ssh -l user 10.0.0.16`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.command_line](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-command-line) | extended |
 | $$$field-process-end$$$ [process.end](#field-process-end) | The time the process ended.

type: date

example: `2016-05-23T08:05:34.853Z` | extended |
+| $$$field-process-endpoint-security-client$$$ [process.endpoint_security_client](#field-process-endpoint-security-client) | _This field is beta and subject to change._ Processes that have an endpoint security client must have the com.apple.endpointsecurity entitlement and the value is set to true in the message.

type: boolean | extended |
 | $$$field-process-entity-id$$$ [process.entity_id](#field-process-entity-id) | Unique identifier for the process.

The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.

Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.

type: keyword

example: `c2c455d9f99375d` | extended |
+| $$$field-process-entry-meta-type$$$ [process.entry_meta.type](#field-process-entry-meta-type) | The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console

Note: This field is only set on process.session_leader.

type: keyword | extended |
 | $$$field-process-env-vars$$$ [process.env_vars](#field-process-env-vars) | Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution.

May be filtered to protect sensitive information.

type: keyword

Note: This field should contain an array of values.

example: `["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]` | extended |
 | $$$field-process-executable$$$ [process.executable](#field-process-executable) | Absolute path to the process executable.

type: keyword

Multi-fields:

* process.executable.text (type: match_only_text)

example: `/usr/bin/ssh`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.executable.path](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-executable-path) | extended |
 | $$$field-process-exit-code$$$ [process.exit_code](#field-process-exit-code) | The exit code of the process, if this is a termination event.

The field should be absent if there is no exit code for the event (e.g. process start).

type: long

example: `137` | extended |
@@ -36,7 +38,11 @@ These fields can help you correlate metrics information with a process id/name f
 | $$$field-process-io-total-bytes-skipped$$$ [process.io.total_bytes_skipped](#field-process-io-total-bytes-skipped) | The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero

type: long | extended |
 | $$$field-process-io-type$$$ [process.io.type](#field-process-io-type) | The type of object on which the IO action (read or write) was taken.

Currently only 'tty' is supported. Other types may be added in the future for 'file' and 'socket' support.

type: keyword | extended |
 | $$$field-process-name$$$ [process.name](#field-process-name) | Process name.

Sometimes called program name or similar.

type: keyword

Multi-fields:

* process.name.text (type: match_only_text)

example: `ssh` | extended |
+| $$$field-process-origin-referrer-url$$$ [process.origin_referrer_url](#field-process-origin-referrer-url) | _This field is beta and subject to change._ The URL of the webpage that linked to the process's executable file.

type: keyword

example: `http://example.com/article1.html` | extended |
+| $$$field-process-origin-url$$$ [process.origin_url](#field-process-origin-url) | _This field is beta and subject to change._ The URL where the process's executable file is hosted.

type: keyword

example: `http://example.com/files/example.exe` | extended |
 | $$$field-process-pid$$$ [process.pid](#field-process-pid) | Process id.

type: long

example: `4242`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-pid) | core |
+| $$$field-process-platform-binary$$$ [process.platform_binary](#field-process-platform-binary) | _This field is beta and subject to change._ Binaries that are shipped by the operating system are defined as platform binaries, this value is then set to true.

type: boolean | extended |
+| $$$field-process-same-as-process$$$ [process.same_as_process](#field-process-same-as-process) | This boolean is used to identify if a leader process is the same as the top level process.

For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`.

This field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader)

Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true`

Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.

type: boolean

example: `True` | extended |
 | $$$field-process-start$$$ [process.start](#field-process-start) | The time the process started.

type: date

example: `2016-05-23T08:05:34.853Z` | extended |
 | $$$field-process-thread-capabilities-effective$$$ [process.thread.capabilities.effective](#field-process-thread-capabilities-effective) | This is the set of capabilities used by the kernel to perform permission checks for the thread.

type: keyword

Note: This field should contain an array of values.

example: `["CAP_BPF", "CAP_SYS_ADMIN"]` | extended |
 | $$$field-process-thread-capabilities-permitted$$$ [process.thread.capabilities.permitted](#field-process-thread-capabilities-permitted) | This is a limiting superset for the effective capabilities that the thread may assume.

type: keyword

Note: This field should contain an array of values.

example: `["CAP_BPF", "CAP_SYS_ADMIN"]` | extended |
diff --git a/generated/beats/fields.ecs.yml
index 4826341eee..2c068b190a 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -353,6 +353,126 @@ type: keyword ignore_above: 1024 description: User email address. + - name: user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. 
Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. 
This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false - name: user.full_name level: extended type: keyword 
@@ -405,6 +525,52 @@ default_field: false description: Short name or login of the user. example: a.einstein + - name: user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: user.roles level: extended type: keyword 
@@ -460,69 +626,309 @@ ignore_above: 1024 description: Availability zone in which this host, resource, or service is located. example: us-east-1c - - name: instance.id + - name: entity.attributes level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: entity.behavior level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entity.display_name level: extended type: keyword ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: origin.account.id - level: extended + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: entity.id + level: core type: keyword ignore_above: 1024 - description: 'The cloud account or organization id used to identify different - entities in a multi-tenant environment. 
- - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' default_field: false - - name: origin.account.name + - name: entity.last_seen_timestamp level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account name or alias used to identify different entities - in a multi-tenant environment. - - Examples: AWS account name, Google Cloud ORG display name.' - example: elastic-dev + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. default_field: false - - name: origin.availability_zone + - name: entity.lifecycle level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host, resource, or service is located. - example: us-east-1c + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. default_field: false - - name: origin.instance.id + - name: entity.metrics level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ default_field: false + - name: entity.name + level: core type: keyword ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. default_field: false - - name: origin.instance.name + - name: entity.raw level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. default_field: false - - name: origin.machine.type + - name: entity.reference level: extended type: keyword ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: origin.account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different + entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + default_field: false + - name: origin.account.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account name or alias used to identify different entities + in a multi-tenant environment. + + Examples: AWS account name, Google Cloud ORG display name.' + example: elastic-dev + default_field: false + - name: origin.availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host, resource, or service is located. 
+ example: us-east-1c + default_field: false + - name: origin.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: origin.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: origin.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: origin.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: origin.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: origin.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: origin.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: origin.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: origin.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: origin.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ default_field: false + - name: origin.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: origin.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: origin.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: origin.instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + default_field: false + - name: origin.instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + default_field: false + - name: origin.machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium default_field: false - name: origin.project.id level: extended 
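Review bot: The `entity.name` description added in this hunk reads `this field should mirrors the corresponding *.name value`, which should be `this field should mirror the corresponding *.name value`; the same sentence recurs under `origin.entity.name` in this hunk, under `user.entity.name` in the `@@ -1192` hunk and under `name` in the `entity` group of the `@@ -2138` hunk, and presumably in the `@@ -5273` hunk that runs past this view. The new `entity.display_name` and `entity.name` multi_fields use `type: text` with `norms: false`, whereas the neighbouring `user.full_name` multi_field in this file uses `type: match_only_text`; if that difference is not deliberate, aligning the `text` sub-field on `match_only_text` would match the existing convention. The `group: 2` / `default_field` layout suggests this file is generated output, so both fixes belong in the source schema that produces it rather than in this hunk.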
@@ -1192,33 +1598,153 @@ type: keyword ignore_above: 1024 description: User email address. - - name: user.full_name + - name: user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: user.entity.display_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text - type: match_only_text - default_field: false - description: User's full name, if available. - example: Albert Einstein - - name: user.group.domain - level: extended + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: user.entity.id + level: core type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - - name: user.group.id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: user.entity.last_seen_timestamp level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: user.group.name + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: user.entity.lifecycle level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ default_field: false + - name: user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + default_field: false + - name: user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. - name: user.hash level: extended type: keyword 
@@ -1244,6 +1770,52 @@ default_field: false description: Short name or login of the user. example: a.einstein + - name: user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: user.roles level: extended type: keyword 
@@ -2138,6 +2710,137 @@ original email message. example: Spambot v2.5 default_field: false + - name: entity + title: Entity + group: 2 + description: The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those that + don't have dedicated field sets in ECS. An entity represents a discrete, identifiable + component that can be described by a set of attributes and maintains its identity + over time. + type: group + default_field: true + fields: + - name: attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false - name: error title: Error group: 2 
@@ -5273,20 +5976,284 @@ indication of suspicious activity.' example: 4 default_field: false - - name: code_signature.digest_algorithm + - name: attested_groups.domain level: extended type: keyword ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. + description: 'Name of the directory the group is a member of. - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 + For example, an LDAP or Active Directory domain name.' default_field: false - - name: code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. + - name: attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: attested_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. 
+ default_field: false + - name: attested_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: attested_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: attested_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: attested_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: attested_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: attested_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: attested_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: attested_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: attested_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: attested_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). 
+ default_field: false + - name: attested_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: attested_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.flags @@ -5630,6 +6597,12 @@ description: The time the process ended. example: '2016-05-23T08:05:34.853Z' default_field: false + - name: endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false - name: entity_id level: extended type: keyword 
@@ -5665,225 +6638,208 @@ indication of suspicious activity.' example: 4 default_field: false - - name: entry_leader.attested_groups.name + - name: entry_leader.attested_groups.domain level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' default_field: false - - name: entry_leader.attested_user.id - level: core + - name: entry_leader.attested_groups.id + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.attested_user.name - level: core - type: keyword + - name: entry_leader.attested_groups.name + level: extended + type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: Name of the group. default_field: false - - name: entry_leader.command_line + - name: entry_leader.attested_user.domain level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 + For example, an LDAP or Active Directory domain name.' default_field: false - - name: entry_leader.entity_id + - name: entry_leader.attested_user.email level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d + description: User email address. default_field: false - - name: entry_leader.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). + - name: entry_leader.attested_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. default_field: false - - name: entry_leader.entry_meta.type + - name: entry_leader.attested_user.entity.behavior level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
default_field: false - - name: entry_leader.executable + - name: entry_leader.attested_user.entity.display_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). default_field: false - - name: entry_leader.group.id - level: extended + - name: entry_leader.attested_user.entity.id + level: core type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' default_field: false - - name: entry_leader.group.name + - name: entry_leader.attested_user.entity.last_seen_timestamp level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. default_field: false - - name: entry_leader.interactive + - name: entry_leader.attested_user.entity.lifecycle level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. 
- - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. default_field: false - - name: entry_leader.name + - name: entry_leader.attested_user.entity.metrics level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: entry_leader.attested_user.entity.name + level: core type: keyword ignore_above: 1024 multi_fields: - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. default_field: false - - name: entry_leader.parent.entity_id + - name: entry_leader.attested_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: entry_leader.attested_user.entity.reference level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. default_field: false - - name: entry_leader.parent.pid + - name: entry_leader.attested_user.entity.source level: core - type: long - format: string - description: Process id. - example: 4242 + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). default_field: false - - name: entry_leader.parent.session_leader.entity_id + - name: entry_leader.attested_user.entity.sub_type level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' 
- example: c2c455d9f99375d + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket default_field: false - - name: entry_leader.parent.session_leader.pid + - name: entry_leader.attested_user.entity.type level: core - type: long - format: string - description: Process id. - example: 4242 + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host default_field: false - - name: entry_leader.parent.session_leader.start + - name: entry_leader.attested_user.full_name level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: entry_leader.parent.session_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein default_field: false - - name: entry_leader.parent.start + - name: entry_leader.attested_user.group.domain level: extended - type: date - description: The time the process started. 
- example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: entry_leader.parent.vpid - level: core - type: long - format: string - description: 'Virtual process id. + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: entry_leader.pid - level: core - type: long - format: string - description: Process id. - example: 4242 + For example, an LDAP or Active Directory domain name.' default_field: false - - name: entry_leader.real_group.id + - name: entry_leader.attested_user.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.real_group.name + - name: entry_leader.attested_user.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: entry_leader.real_user.id + - name: entry_leader.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.attested_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.real_user.name + - name: entry_leader.attested_user.name level: core type: keyword ignore_above: 1024 
@@ -5893,201 +6849,153 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: entry_leader.same_as_process + - name: entry_leader.attested_user.risk.calculated_level level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: entry_leader.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.saved_user.id - level: core type: keyword ignore_above: 1024 - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High default_field: false - - name: entry_leader.start + - name: entry_leader.attested_user.risk.calculated_score level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 default_field: false - - name: entry_leader.supplemental_groups.id + - name: entry_leader.attested_user.risk.calculated_score_norm level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 default_field: false - - name: entry_leader.supplemental_groups.name + - name: entry_leader.attested_user.risk.static_level level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High default_field: false - - name: entry_leader.tty + - name: entry_leader.attested_user.risk.static_score level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. 
+ type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 default_field: false - - name: entry_leader.tty.char_device.major + - name: entry_leader.attested_user.risk.static_score_norm level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 default_field: false - - name: entry_leader.tty.char_device.minor + - name: entry_leader.attested_user.roles level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: entry_leader.user.id - level: core type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' default_field: false - - name: entry_leader.user.name - level: core + - name: entry_leader.code_signature.digest_algorithm + level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: 'The hashing algorithm used to sign the process. 
+ + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 default_field: false - - name: entry_leader.vpid + - name: entry_leader.code_signature.exists level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' default_field: false - - name: entry_leader.working_directory + - name: entry_leader.code_signature.flags level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice + description: The flags used to sign the process. + example: 570522385 default_field: false - - name: env_vars + - name: entry_leader.code_signature.signing_id level: extended type: keyword ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. + description: 'The identifier used to sign the process. - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy default_field: false - - name: executable + - name: entry_leader.code_signature.status level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Absolute path to the process executable. 
- example: /usr/bin/ssh - - name: exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. + description: 'Additional information about the certificate status. - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT default_field: false - - name: group.id - level: extended + - name: entry_leader.code_signature.subject_name + level: core type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: Subject name of the code signer + example: Microsoft Corporation default_field: false - - name: group.name + - name: entry_leader.code_signature.team_id level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV default_field: false - - name: group_leader.args + - name: entry_leader.code_signature.thumbprint_sha256 level: extended type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: entry_leader.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + default_field: false + - name: entry_leader.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' default_field: false - - name: group_leader.args_count + - name: entry_leader.code_signature.valid level: extended - type: long - description: 'Length of the process.args array. + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 + Leave unpopulated if a certificate was unchecked.' + example: 'true' default_field: false - - name: group_leader.command_line + - name: entry_leader.command_line level: extended type: wildcard multi_fields: 
@@ -6099,655 +7007,690 @@ Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - - name: group_leader.entity_id + - name: entry_leader.elf.architecture level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d + description: Machine architecture of the ELF file. + example: x86-64 default_field: false - - name: group_leader.executable + - name: entry_leader.elf.byte_order level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh + description: Byte sequence of ELF file. + example: Little Endian default_field: false - - name: group_leader.group.id + - name: entry_leader.elf.cpu_type level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: CPU type of the ELF file. + example: Intel default_field: false - - name: group_leader.group.name + - name: entry_leader.elf.creation_date level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. default_field: false - - name: group_leader.interactive + - name: entry_leader.elf.exports level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. 
- - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true + type: flattened + description: List of exported element names and types. default_field: false - - name: group_leader.name + - name: entry_leader.elf.go_import_hash level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. - Sometimes called program name or similar.' - example: ssh + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: group_leader.pid - level: core + - name: entry_leader.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: entry_leader.elf.go_imports_names_entropy + level: extended type: long - format: string - description: Process id. - example: 4242 + format: number + description: Shannon entropy calculation from the list of Go imports. 
default_field: false - - name: group_leader.real_group.id + - name: entry_leader.elf.go_imports_names_var_entropy level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: group_leader.real_group.name + - name: entry_leader.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: entry_leader.elf.header.abi_version level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: Version of the ELF Application Binary Interface (ABI). default_field: false - - name: group_leader.real_user.id - level: core + - name: entry_leader.elf.header.class + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: Header class of the ELF file. default_field: false - - name: group_leader.real_user.name - level: core + - name: entry_leader.elf.header.data + level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: Data table of the ELF header. default_field: false - - name: group_leader.same_as_process + - name: entry_leader.elf.header.entrypoint level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. 
Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true + type: long + format: string + description: Header entrypoint of the ELF file. default_field: false - - name: group_leader.saved_group.id + - name: entry_leader.elf.header.object_version level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: '"0x1" for original ELF files.' default_field: false - - name: group_leader.saved_group.name + - name: entry_leader.elf.header.os_abi level: extended type: keyword ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: Application Binary Interface (ABI) of the Linux OS. default_field: false - - name: group_leader.saved_user.name - level: core + - name: entry_leader.elf.header.type + level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein - default_field: false - - name: group_leader.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' + description: Header type of the ELF file. default_field: false - - name: group_leader.supplemental_groups.id + - name: entry_leader.elf.header.version level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: Version of the ELF header. default_field: false - - name: group_leader.supplemental_groups.name + - name: entry_leader.elf.import_hash level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: group_leader.tty + - name: entry_leader.elf.imports level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. + type: flattened + description: List of imported element names and types. default_field: false - - name: group_leader.tty.char_device.major + - name: entry_leader.elf.imports_names_entropy level: extended type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 + format: number + description: Shannon entropy calculation from the list of imported element names + and types. 
default_field: false - - name: group_leader.tty.char_device.minor + - name: entry_leader.elf.imports_names_var_entropy level: extended type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. default_field: false - - name: group_leader.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + - name: entry_leader.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' default_field: false - - name: group_leader.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + - name: entry_leader.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. default_field: false - - name: group_leader.vpid - level: core + - name: entry_leader.elf.sections.entropy + level: extended type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 + format: number + description: Shannon entropy calculation from the section. 
default_field: false - - name: group_leader.working_directory + - name: entry_leader.elf.sections.flags level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice + description: ELF Section List flags. default_field: false - - name: hash.cdhash + - name: entry_leader.elf.sections.name level: extended type: keyword ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + description: ELF Section List name. default_field: false - - name: hash.md5 + - name: entry_leader.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 - description: MD5 hash. - - name: hash.sha1 + description: ELF Section List offset. + default_field: false + - name: entry_leader.elf.sections.physical_size level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - - name: hash.sha256 + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: entry_leader.elf.sections.type level: extended type: keyword ignore_above: 1024 - description: SHA256 hash. - - name: hash.sha384 + description: ELF Section List type. + default_field: false + - name: entry_leader.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: entry_leader.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. 
+ default_field: false + - name: entry_leader.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: entry_leader.elf.segments.sections level: extended type: keyword ignore_above: 1024 - description: SHA384 hash. + description: ELF object segment sections. default_field: false - - name: hash.sha512 + - name: entry_leader.elf.segments.type level: extended type: keyword ignore_above: 1024 - description: SHA512 hash. - - name: hash.ssdeep + description: ELF object segment type. + default_field: false + - name: entry_leader.elf.shared_libraries level: extended type: keyword ignore_above: 1024 - description: SSDEEP hash. + description: List of shared libraries used by this ELF object. default_field: false - - name: hash.tlsh + - name: entry_leader.elf.telfhash level: extended type: keyword ignore_above: 1024 - description: TLSH hash. + description: telfhash symbol hash for ELF file. default_field: false - - name: interactive + - name: entry_leader.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: entry_leader.endpoint_security_client level: extended type: boolean - description: 'Whether the process is connected to an interactive shell. + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: entry_leader.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. - Process interactivity is inferred from the processes file descriptors. 
If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d default_field: false - - name: io + - name: entry_leader.entry_meta.source.address level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' 
default_field: false - - name: io.bytes_skipped.offset + - name: entry_leader.entry_meta.source.as.number level: extended type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 default_field: false - - name: io.total_bytes_captured + - name: entry_leader.entry_meta.source.as.organization.name level: extended - type: long - description: The total number of bytes captured in this event. + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC default_field: false - - name: io.total_bytes_skipped - level: extended + - name: entry_leader.entry_meta.source.bytes + level: core type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero + format: bytes + description: Bytes sent from the source to the destination. 
+ example: 184 default_field: false - - name: io.type - level: extended + - name: entry_leader.entry_meta.source.domain + level: core type: keyword ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. + description: 'The domain name of the source system. - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com default_field: false - - name: macho.go_import_hash - level: extended + - name: entry_leader.entry_meta.source.geo.city_name + level: core type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 + description: City name. + example: Montreal default_field: false - - name: macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. + - name: entry_leader.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA default_field: false - - name: macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. + - name: entry_leader.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. 
+ example: North America default_field: false - - name: macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. + - name: entry_leader.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA default_field: false - - name: macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. + - name: entry_leader.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada default_field: false - - name: macho.import_hash + - name: entry_leader.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: entry_leader.entry_meta.source.geo.name level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + description: 'User-defined description of a location, at the level of granularity + they care about. - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc default_field: false - - name: macho.imports - level: extended - type: flattened - description: List of imported element names and types. 
+ - name: entry_leader.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 default_field: false - - name: macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. + - name: entry_leader.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC default_field: false - - name: macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. + - name: entry_leader.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec default_field: false - - name: macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' + - name: entry_leader.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires default_field: false - - name: macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. + - name: entry_leader.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). 
default_field: false - - name: macho.sections.name - level: extended + - name: entry_leader.entry_meta.source.mac + level: core type: keyword ignore_above: 1024 - description: Mach-O Section List name. + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ default_field: false - - name: macho.sections.physical_size + - name: entry_leader.entry_meta.source.nat.ip level: extended - type: long - format: bytes - description: Mach-O Section List physical size. + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' default_field: false - - name: macho.sections.var_entropy + - name: entry_leader.entry_meta.source.nat.port level: extended type: long - format: number - description: Variance for Shannon entropy calculation from the section. + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' default_field: false - - name: macho.sections.virtual_size - level: extended + - name: entry_leader.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: entry_leader.entry_meta.source.port + level: core type: long format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. + description: Port of the source. 
default_field: false - - name: macho.symhash + - name: entry_leader.entry_meta.source.registered_domain level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + description: 'The highest registered source domain, stripped of the subdomain. - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com default_field: false - - name: name + - name: entry_leader.entry_meta.source.subdomain level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: 'Process name. + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. - Sometimes called program name or similar.' - example: ssh - - name: parent.args + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' 
+ example: east + default_field: false + - name: entry_leader.entry_meta.source.top_level_domain level: extended type: keyword ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk default_field: false - - name: parent.args_count + - name: entry_leader.entry_meta.type level: extended - type: long - description: 'Length of the process.args array. + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 + Note: This field is only set on process.session_leader.' default_field: false - - name: parent.code_signature.digest_algorithm + - name: entry_leader.env_vars level: extended type: keyword ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' 
- example: sha256 - default_field: false - - name: parent.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' default_field: false - - name: parent.code_signature.flags + - name: entry_leader.executable level: extended type: keyword ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh default_field: false - - name: parent.code_signature.signing_id + - name: entry_leader.exit_code level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. + type: long + description: 'The exit code of the process, if this is a termination event. - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 default_field: false - - name: parent.code_signature.status + - name: entry_leader.group.domain level: extended type: keyword ignore_above: 1024 - description: 'Additional information about the certificate status. + description: 'Name of the directory the group is a member of. - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT + For example, an LDAP or Active Directory domain name.' 
default_field: false - - name: parent.code_signature.subject_name - level: core + - name: entry_leader.group.id + level: extended type: keyword ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation + description: Unique identifier for the group on the system/platform. default_field: false - - name: parent.code_signature.team_id + - name: entry_leader.group.name level: extended type: keyword ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV + description: Name of the group. default_field: false - - name: parent.code_signature.thumbprint_sha256 + - name: entry_leader.hash.cdhash level: extended type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 default_field: false - - name: parent.code_signature.timestamp + - name: entry_leader.hash.md5 level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' + type: keyword + ignore_above: 1024 + description: MD5 hash. default_field: false - - name: parent.code_signature.trusted + - name: entry_leader.hash.sha1 level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' + type: keyword + ignore_above: 1024 + description: SHA1 hash. 
default_field: false - - name: parent.code_signature.valid + - name: entry_leader.hash.sha256 level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' + type: keyword + ignore_above: 1024 + description: SHA256 hash. default_field: false - - name: parent.command_line + - name: entry_leader.hash.sha384 level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 + type: keyword + ignore_above: 1024 + description: SHA384 hash. default_field: false - - name: parent.elf.architecture + - name: entry_leader.hash.sha512 level: extended type: keyword ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 + description: SHA512 hash. default_field: false - - name: parent.elf.byte_order + - name: entry_leader.hash.ssdeep level: extended type: keyword ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian + description: SSDEEP hash. default_field: false - - name: parent.elf.cpu_type + - name: entry_leader.hash.tlsh level: extended type: keyword ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel + description: TLSH hash. default_field: false - - name: parent.elf.creation_date + - name: entry_leader.interactive level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. 
If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true default_field: false - - name: parent.elf.exports + - name: entry_leader.io level: extended - type: flattened - description: List of exported element names and types. + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' default_field: false - - name: parent.elf.go_import_hash + - name: entry_leader.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: entry_leader.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: entry_leader.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: entry_leader.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: entry_leader.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. 
+ Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: entry_leader.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: entry_leader.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: entry_leader.io.type level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false + - name: entry_leader.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
@@ -6756,524 +7699,561 @@ are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: parent.elf.go_imports + - name: entry_leader.macho.go_imports level: extended type: flattened description: List of imported Go language element names and types. default_field: false - - name: parent.elf.go_imports_names_entropy + - name: entry_leader.macho.go_imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: parent.elf.go_imports_names_var_entropy + - name: entry_leader.macho.go_imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: parent.elf.go_stripped + - name: entry_leader.macho.go_stripped level: extended type: boolean description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: parent.elf.header.abi_version + - name: entry_leader.macho.import_hash level: extended type: keyword ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: parent.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: parent.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: parent.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: parent.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' 
- default_field: false - - name: parent.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: parent.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: parent.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: parent.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. - This is an ELF implementation of the Windows PE imphash.' + This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: parent.elf.imports + - name: entry_leader.macho.imports level: extended type: flattened description: List of imported element names and types. default_field: false - - name: parent.elf.imports_names_entropy + - name: entry_leader.macho.imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of imported element names and types. default_field: false - - name: parent.elf.imports_names_var_entropy + - name: entry_leader.macho.imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of imported element names and types. 
default_field: false - - name: parent.elf.sections + - name: entry_leader.macho.sections level: extended type: nested - description: 'An array containing an object for each section of the ELF file. + description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: parent.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. + underneath `macho.sections.*`.' default_field: false - - name: parent.elf.sections.entropy + - name: entry_leader.macho.sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. default_field: false - - name: parent.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: parent.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: parent.elf.sections.physical_offset + - name: entry_leader.macho.sections.name level: extended type: keyword ignore_above: 1024 - description: ELF Section List offset. + description: Mach-O Section List name. default_field: false - - name: parent.elf.sections.physical_size + - name: entry_leader.macho.sections.physical_size level: extended type: long format: bytes - description: ELF Section List physical size. - default_field: false - - name: parent.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. + description: Mach-O Section List physical size. default_field: false - - name: parent.elf.sections.var_entropy + - name: entry_leader.macho.sections.var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the section. 
default_field: false - - name: parent.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: parent.elf.sections.virtual_size + - name: entry_leader.macho.sections.virtual_size level: extended type: long format: string - description: ELF Section List virtual size. - default_field: false - - name: parent.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' + description: Mach-O Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: parent.elf.segments.sections + - name: entry_leader.macho.symhash level: extended type: keyword ignore_above: 1024 - description: ELF object segment sections. + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec default_field: false - - name: parent.elf.segments.type + - name: entry_leader.name level: extended type: keyword ignore_above: 1024 - description: ELF object segment type. + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh default_field: false - - name: parent.elf.shared_libraries + - name: entry_leader.origin_referrer_url level: extended type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. 
+ example: http://example.com/article1.html default_field: false - - name: parent.elf.telfhash + - name: entry_leader.origin_url level: extended type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: parent.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe default_field: false - - name: parent.entity_id + - name: entry_leader.parent.args level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. + description: 'Array of process arguments, starting with the absolute path to + the executable. - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: entry_leader.parent.args_count + level: extended + type: long + description: 'Length of the process.args array. - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 default_field: false - - name: parent.executable + - name: entry_leader.parent.attested_groups.domain level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. 
- example: /usr/bin/ssh - default_field: false - - name: parent.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. + description: 'Name of the directory the group is a member of. - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 + For example, an LDAP or Active Directory domain name.' default_field: false - - name: parent.group.id + - name: entry_leader.parent.attested_groups.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - - name: parent.group.name + - name: entry_leader.parent.attested_groups.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: parent.group_leader.entity_id + - name: entry_leader.parent.attested_user.domain level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: parent.group_leader.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: parent.group_leader.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: parent.group_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. + description: 'Name of the directory the user is a member of. 
- The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 + For example, an LDAP or Active Directory domain name.' default_field: false - - name: parent.hash.cdhash + - name: entry_leader.parent.attested_user.email level: extended type: keyword ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + description: User email address. default_field: false - - name: parent.hash.md5 + - name: entry_leader.parent.attested_user.entity.attributes level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. default_field: false - - name: parent.hash.sha1 + - name: entry_leader.parent.attested_user.entity.behavior level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. default_field: false - - name: parent.hash.sha256 + - name: entry_leader.parent.attested_user.entity.display_name level: extended type: keyword ignore_above: 1024 - description: SHA256 hash. 
+ multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). default_field: false - - name: parent.hash.sha384 - level: extended + - name: entry_leader.parent.attested_user.entity.id + level: core type: keyword ignore_above: 1024 - description: SHA384 hash. + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' default_field: false - - name: parent.hash.sha512 + - name: entry_leader.parent.attested_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: entry_leader.parent.attested_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.parent.attested_user.entity.metrics level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ default_field: false + - name: entry_leader.parent.attested_user.entity.name + level: core type: keyword ignore_above: 1024 - description: SHA512 hash. + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. default_field: false - - name: parent.hash.ssdeep + - name: entry_leader.parent.attested_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: entry_leader.parent.attested_user.entity.reference level: extended type: keyword ignore_above: 1024 - description: SSDEEP hash. + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. default_field: false - - name: parent.hash.tlsh - level: extended + - name: entry_leader.parent.attested_user.entity.source + level: core type: keyword ignore_above: 1024 - description: TLSH hash. + description: The module or integration that provided this entity data (similar + to event.module). default_field: false - - name: parent.interactive + - name: entry_leader.parent.attested_user.entity.sub_type level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. 
If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket default_field: false - - name: parent.macho.go_import_hash - level: extended + - name: entry_leader.parent.attested_user.entity.type + level: core type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host default_field: false - - name: parent.macho.go_imports + - name: entry_leader.parent.attested_user.full_name level: extended - type: flattened - description: List of imported Go language element names and types. + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein default_field: false - - name: parent.macho.go_imports_names_entropy + - name: entry_leader.parent.attested_user.group.domain level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' default_field: false - - name: parent.macho.go_imports_names_var_entropy + - name: entry_leader.parent.attested_user.group.id level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. default_field: false - - name: parent.macho.go_stripped + - name: entry_leader.parent.attested_user.group.name level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. + type: keyword + ignore_above: 1024 + description: Name of the group. default_field: false - - name: parent.macho.import_hash + - name: entry_leader.parent.attested_user.hash level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
+ description: 'Unique user hash to correlate information for a user in anonymized + form. - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' default_field: false - - name: parent.macho.imports - level: extended - type: flattened - description: List of imported element names and types. + - name: entry_leader.parent.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: parent.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. + - name: entry_leader.parent.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: parent.macho.imports_names_var_entropy + - name: entry_leader.parent.attested_user.risk.calculated_level level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High default_field: false - - name: parent.macho.sections + - name: entry_leader.parent.attested_user.risk.calculated_score level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' 
+ type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 default_field: false - - name: parent.macho.sections.entropy + - name: entry_leader.parent.attested_user.risk.calculated_score_norm level: extended - type: long - format: number - description: Shannon entropy calculation from the section. + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 default_field: false - - name: parent.macho.sections.name + - name: entry_leader.parent.attested_user.risk.static_level level: extended type: keyword ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: parent.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High default_field: false - - name: parent.macho.sections.var_entropy + - name: entry_leader.parent.attested_user.risk.static_score level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 default_field: false - - name: parent.macho.sections.virtual_size + - name: entry_leader.parent.attested_user.risk.static_score_norm level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 default_field: false - - name: parent.macho.symhash + - name: entry_leader.parent.attested_user.roles level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' default_field: false - - name: parent.name + - name: entry_leader.parent.code_signature.digest_algorithm level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. + description: 'The hashing algorithm used to sign the process. - Sometimes called program name or similar.' - example: ssh + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 default_field: false - - name: parent.pe.architecture + - name: entry_leader.parent.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: entry_leader.parent.code_signature.flags level: extended type: keyword ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 + description: The flags used to sign the process. 
+ example: 570522385 default_field: false - - name: parent.pe.company + - name: entry_leader.parent.code_signature.signing_id level: extended type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy default_field: false - - name: parent.pe.description + - name: entry_leader.parent.code_signature.status level: extended type: keyword ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT default_field: false - - name: parent.pe.file_version + - name: entry_leader.parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: entry_leader.parent.code_signature.team_id level: extended type: keyword ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV default_field: false - - name: parent.pe.go_import_hash + - name: entry_leader.parent.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. 
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: entry_leader.parent.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: entry_leader.parent.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: entry_leader.parent.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: entry_leader.parent.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: entry_leader.parent.elf.architecture level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: entry_leader.parent.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: entry_leader.parent.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. 
+ example: Intel + default_field: false + - name: entry_leader.parent.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: entry_leader.parent.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: entry_leader.parent.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
@@ -7282,523 +8262,472 @@ are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: parent.pe.go_imports + - name: entry_leader.parent.elf.go_imports level: extended type: flattened description: List of imported Go language element names and types. default_field: false - - name: parent.pe.go_imports_names_entropy + - name: entry_leader.parent.elf.go_imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: parent.pe.go_imports_names_var_entropy + - name: entry_leader.parent.elf.go_imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: parent.pe.go_stripped + - name: entry_leader.parent.elf.go_stripped level: extended type: boolean description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: parent.pe.imphash + - name: entry_leader.parent.elf.header.abi_version level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf + description: Version of the ELF Application Binary Interface (ABI). default_field: false - - name: parent.pe.import_hash + - name: entry_leader.parent.elf.header.class level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used + description: Header class of the ELF file. 
+ default_field: false + - name: entry_leader.parent.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: entry_leader.parent.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: entry_leader.parent.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: entry_leader.parent.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: entry_leader.parent.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: entry_leader.parent.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: entry_leader.parent.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - This is a synonym for imphash.' + This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: parent.pe.imports + - name: entry_leader.parent.elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false - - name: parent.pe.imports_names_entropy + - name: entry_leader.parent.elf.imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of imported element names and types. 
default_field: false - - name: parent.pe.imports_names_var_entropy + - name: entry_leader.parent.elf.imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of imported element names and types. default_field: false - - name: parent.pe.original_file_name + - name: entry_leader.parent.elf.sections level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' default_field: false - - name: parent.pe.pehash + - name: entry_leader.parent.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: entry_leader.parent.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.parent.elf.sections.flags level: extended type: keyword ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 + description: ELF Section List flags. default_field: false - - name: parent.pe.product + - name: entry_leader.parent.elf.sections.name level: extended type: keyword ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System + description: ELF Section List name. 
default_field: false - - name: parent.pe.sections + - name: entry_leader.parent.elf.sections.physical_offset level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' + type: keyword + ignore_above: 1024 + description: ELF Section List offset. default_field: false - - name: parent.pe.sections.entropy + - name: entry_leader.parent.elf.sections.physical_size level: extended type: long - format: number - description: Shannon entropy calculation from the section. + format: bytes + description: ELF Section List physical size. default_field: false - - name: parent.pe.sections.name + - name: entry_leader.parent.elf.sections.type level: extended type: keyword ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: parent.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. + description: ELF Section List type. default_field: false - - name: parent.pe.sections.var_entropy + - name: entry_leader.parent.elf.sections.var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the section. default_field: false - - name: parent.pe.sections.virtual_size + - name: entry_leader.parent.elf.sections.virtual_address level: extended type: long format: string - description: PE Section List virtual size. This is always the same as `physical_size`. + description: ELF Section List virtual address. default_field: false - - name: parent.pid - level: core + - name: entry_leader.parent.elf.sections.virtual_size + level: extended type: long format: string - description: Process id. - example: 4242 + description: ELF Section List virtual size. 
default_field: false - - name: parent.real_group.id + - name: entry_leader.parent.elf.segments level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' default_field: false - - name: parent.real_group.name + - name: entry_leader.parent.elf.segments.sections level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: ELF object segment sections. default_field: false - - name: parent.real_user.id - level: core + - name: entry_leader.parent.elf.segments.type + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: ELF object segment type. default_field: false - - name: parent.real_user.name - level: core + - name: entry_leader.parent.elf.shared_libraries + level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: List of shared libraries used by this ELF object. default_field: false - - name: parent.saved_group.id + - name: entry_leader.parent.elf.telfhash level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: telfhash symbol hash for ELF file. default_field: false - - name: parent.saved_group.name + - name: entry_leader.parent.end level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. + type: date + description: The time the process ended. 
+ example: '2016-05-23T08:05:34.853Z' default_field: false - - name: parent.saved_user.id - level: core + - name: entry_leader.parent.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: entry_leader.parent.entity_id + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d default_field: false - - name: parent.saved_user.name - level: core + - name: entry_leader.parent.entry_meta.source.address + level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' default_field: false - - name: parent.start + - name: entry_leader.parent.entry_meta.source.as.number level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' + type: long + description: Unique number allocated to the autonomous system. 
The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 default_field: false - - name: parent.supplemental_groups.id + - name: entry_leader.parent.entry_meta.source.as.organization.name level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC default_field: false - - name: parent.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. + - name: entry_leader.parent.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 default_field: false - - name: parent.thread.capabilities.effective - level: extended + - name: entry_leader.parent.entry_meta.source.domain + level: core type: keyword ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com default_field: false - - name: parent.thread.capabilities.permitted - level: extended + - name: entry_leader.parent.entry_meta.source.geo.city_name + level: core type: keyword ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: parent.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 + description: City name. 
+ example: Montreal default_field: false - - name: parent.thread.name - level: extended + - name: entry_leader.parent.entry_meta.source.geo.continent_code + level: core type: keyword ignore_above: 1024 - description: Thread name. - example: thread-0 + description: Two-letter code representing continent's name. + example: NA default_field: false - - name: parent.title - level: extended + - name: entry_leader.parent.entry_meta.source.geo.continent_name + level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: parent.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: parent.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: parent.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: parent.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 + description: Name of the continent. 
+ example: North America default_field: false - - name: parent.user.id + - name: entry_leader.parent.entry_meta.source.geo.country_iso_code level: core type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: Country ISO code. + example: CA default_field: false - - name: parent.user.name + - name: entry_leader.parent.entry_meta.source.geo.country_name level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: Country name. + example: Canada default_field: false - - name: parent.vpid + - name: entry_leader.parent.entry_meta.source.geo.location level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' default_field: false - - name: parent.working_directory + - name: entry_leader.parent.entry_meta.source.geo.name level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc default_field: false - - name: pe.architecture - level: extended + - name: entry_leader.parent.entry_meta.source.geo.postal_code + level: core type: keyword ignore_above: 1024 - description: CPU architecture target for the file. 
- example: x64 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 default_field: false - - name: pe.company - level: extended + - name: entry_leader.parent.entry_meta.source.geo.region_iso_code + level: core type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation + description: Region ISO code. + example: CA-QC default_field: false - - name: pe.description - level: extended + - name: entry_leader.parent.entry_meta.source.geo.region_name + level: core type: keyword ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + description: Region name. + example: Quebec default_field: false - - name: pe.file_version - level: extended + - name: entry_leader.parent.entry_meta.source.geo.timezone + level: core type: keyword ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires default_field: false - - name: pe.go_import_hash - level: extended + - name: entry_leader.parent.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: entry_leader.parent.entry_meta.source.mac + level: core type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. + description: 'MAC address of the source. 
- The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ default_field: false - - name: pe.go_imports + - name: entry_leader.parent.entry_meta.source.nat.ip level: extended - type: flattened - description: List of imported Go language element names and types. + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' default_field: false - - name: pe.go_imports_names_entropy + - name: entry_leader.parent.entry_meta.source.nat.port level: extended type: long - format: number - description: Shannon entropy calculation from the list of Go imports. + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' default_field: false - - name: pe.go_imports_names_var_entropy - level: extended + - name: entry_leader.parent.entry_meta.source.packets + level: core type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. + description: Packets sent from the source to the destination. + example: 12 default_field: false - - name: pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
+ - name: entry_leader.parent.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. default_field: false - - name: pe.imphash + - name: entry_leader.parent.entry_meta.source.registered_domain level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + description: 'The highest registered source domain, stripped of the subdomain. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. + For example, the registered domain for "foo.example.com" is "example.com". - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com default_field: false - - name: pe.pehash + - name: entry_leader.parent.entry_meta.source.subdomain level: extended type: keyword ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east default_field: false - - name: pe.product + - name: entry_leader.parent.entry_meta.source.top_level_domain level: extended type: keyword ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". 
- The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk default_field: false - - name: pe.sections.name + - name: entry_leader.parent.entry_meta.type level: extended type: keyword ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. - example: 4242 - - name: previous.args + - name: entry_leader.parent.env_vars level: extended type: keyword ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: previous.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' default_field: false - - name: previous.executable + - name: entry_leader.parent.executable level: extended type: keyword ignore_above: 1024 
@@ -7808,134 +8737,86 @@ description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - - name: real_group.id + - name: entry_leader.parent.exit_code level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 default_field: false - - name: real_group.name + - name: entry_leader.parent.group.domain level: extended type: keyword ignore_above: 1024 - description: Name of the group. - default_field: false - - name: real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' default_field: false - - name: saved_group.id + - name: entry_leader.parent.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - - name: saved_group.name + - name: entry_leader.parent.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: saved_user.id - level: core + - name: entry_leader.parent.hash.cdhash + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 default_field: false - - name: saved_user.name - level: core + - name: entry_leader.parent.hash.md5 + level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: MD5 hash. default_field: false - - name: session_leader.args + - name: entry_leader.parent.hash.sha1 level: extended type: keyword ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: session_leader.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 + description: SHA1 hash. default_field: false - - name: session_leader.command_line + - name: entry_leader.parent.hash.sha256 level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 + type: keyword + ignore_above: 1024 + description: SHA256 hash. default_field: false - - name: session_leader.entity_id + - name: entry_leader.parent.hash.sha384 level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. 
- - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d + description: SHA384 hash. default_field: false - - name: session_leader.executable + - name: entry_leader.parent.hash.sha512 level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh + description: SHA512 hash. default_field: false - - name: session_leader.group.id + - name: entry_leader.parent.hash.ssdeep level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: SSDEEP hash. default_field: false - - name: session_leader.group.name + - name: entry_leader.parent.hash.tlsh level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: TLSH hash. default_field: false - - name: session_leader.interactive + - name: entry_leader.parent.interactive level: extended type: boolean description: 'Whether the process is connected to an interactive shell. 
@@ -7951,1193 +8832,1000 @@ connected to the controlling TTY.' example: true default_field: false - - name: session_leader.name + - name: entry_leader.parent.io level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. + type: object + description: 'A chunk of input or output (IO) from a single process. - Sometimes called program name or similar.' - example: ssh + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' default_field: false - - name: session_leader.parent.entity_id + - name: entry_leader.parent.io.bytes_skipped level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. default_field: false - - name: session_leader.parent.pid - level: core + - name: entry_leader.parent.io.bytes_skipped.length + level: extended type: long - format: string - description: Process id. - example: 4242 + description: The length of bytes skipped. default_field: false - - name: session_leader.parent.session_leader.entity_id + - name: entry_leader.parent.io.bytes_skipped.offset level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: session_leader.parent.session_leader.pid - level: core type: long - format: string - description: Process id. - example: 4242 + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. default_field: false - - name: session_leader.parent.session_leader.start + - name: entry_leader.parent.io.max_bytes_per_process_exceeded level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. default_field: false - - name: session_leader.parent.session_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. + - name: entry_leader.parent.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' 
default_field: false - - name: session_leader.parent.start + - name: entry_leader.parent.io.total_bytes_captured level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: session_leader.parent.vpid - level: core type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 + description: The total number of bytes captured in this event. default_field: false - - name: session_leader.pid - level: core + - name: entry_leader.parent.io.total_bytes_skipped + level: extended type: long - format: string - description: Process id. - example: 4242 + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero default_field: false - - name: session_leader.real_group.id + - name: entry_leader.parent.io.type level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' default_field: false - - name: session_leader.real_group.name + - name: entry_leader.parent.macho.go_import_hash level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: session_leader.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + - name: entry_leader.parent.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. default_field: false - - name: session_leader.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + - name: entry_leader.parent.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: session_leader.same_as_process + - name: entry_leader.parent.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.parent.macho.go_stripped level: extended type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: session_leader.saved_group.id + - name: entry_leader.parent.macho.import_hash level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: session_leader.saved_group.name + - name: entry_leader.parent.macho.imports level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. + type: flattened + description: List of imported element names and types. default_field: false - - name: session_leader.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + - name: entry_leader.parent.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. 
default_field: false - - name: session_leader.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + - name: entry_leader.parent.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. default_field: false - - name: session_leader.start + - name: entry_leader.parent.macho.sections level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' default_field: false - - name: session_leader.supplemental_groups.id + - name: entry_leader.parent.macho.sections.entropy level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + type: long + format: number + description: Shannon entropy calculation from the section. default_field: false - - name: session_leader.supplemental_groups.name + - name: entry_leader.parent.macho.sections.name level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: Mach-O Section List name. default_field: false - - name: session_leader.tty + - name: entry_leader.parent.macho.sections.physical_size level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. + type: long + format: bytes + description: Mach-O Section List physical size. 
default_field: false - - name: session_leader.tty.char_device.major + - name: entry_leader.parent.macho.sections.var_entropy level: extended type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 + format: number + description: Variance for Shannon entropy calculation from the section. default_field: false - - name: session_leader.tty.char_device.minor + - name: entry_leader.parent.macho.sections.virtual_size level: extended type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: session_leader.user.id - level: core + - name: entry_leader.parent.macho.symhash + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec default_field: false - - name: session_leader.user.name - level: core + - name: entry_leader.parent.name + level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. + description: 'Process name. - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 + Sometimes called program name or similar.' + example: ssh default_field: false - - name: session_leader.working_directory + - name: entry_leader.parent.origin_referrer_url level: extended type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html default_field: false - - name: start + - name: entry_leader.parent.origin_url level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - - name: supplemental_groups.id + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: entry_leader.parent.pe.architecture level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: CPU architecture target for the file. 
+ example: x64 default_field: false - - name: supplemental_groups.name + - name: entry_leader.parent.pe.company level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation default_field: false - - name: thread.capabilities.effective + - name: entry_leader.parent.pe.description level: extended type: keyword ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ + description: Internal description of the file, provided at compile-time. + example: Paint default_field: false - - name: thread.capabilities.permitted + - name: entry_leader.parent.pe.file_version level: extended type: keyword ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: thread.id + - name: entry_leader.parent.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: entry_leader.parent.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. 
+ default_field: false + - name: entry_leader.parent.pe.go_imports_names_entropy level: extended type: long - format: string - description: Thread ID. - example: 4242 - - name: thread.name + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.parent.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.parent.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: entry_leader.parent.pe.imphash level: extended type: keyword ignore_above: 1024 - description: Thread name. - example: thread-0 - - name: title + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: entry_leader.parent.pe.import_hash level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: 'Process title. + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - - name: tty + This is a synonym for imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: entry_leader.parent.pe.imports level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. + type: flattened + description: List of imported element names and types. default_field: false - - name: tty.char_device.major + - name: entry_leader.parent.pe.imports_names_entropy level: extended type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 + format: number + description: Shannon entropy calculation from the list of imported element names + and types. default_field: false - - name: tty.char_device.minor + - name: entry_leader.parent.pe.imports_names_var_entropy level: extended type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. default_field: false - - name: tty.columns + - name: entry_leader.parent.pe.original_file_name level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE default_field: false - - name: tty.rows + - name: entry_leader.parent.pe.pehash level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 default_field: false - - name: uptime + - name: entry_leader.parent.pe.product level: extended - type: long - description: Seconds the process has been up. - example: 1325 - - name: user.id - level: core type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System default_field: false - - name: user.name - level: core + - name: entry_leader.parent.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: entry_leader.parent.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.parent.pe.sections.name + level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein + description: PE Section List name. default_field: false - - name: vpid + - name: entry_leader.parent.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: entry_leader.parent.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.parent.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: entry_leader.parent.pid level: core type: long format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' + description: Process id. example: 4242 default_field: false - - name: working_directory + - name: entry_leader.parent.platform_binary level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: The working directory of the process. - example: /home/alice - - name: registry - title: Registry - group: 2 - description: Fields related to Windows Registry operations. - type: group - default_field: true - fields: - - name: data.bytes + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: entry_leader.parent.real_group.domain level: extended type: keyword ignore_above: 1024 - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. 
This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - default_field: false - - name: data.strings - level: core - type: wildcard - description: 'Content when writing string types. + description: 'Name of the directory the group is a member of. - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' + For example, an LDAP or Active Directory domain name.' default_field: false - - name: data.type - level: core + - name: entry_leader.parent.real_group.id + level: extended type: keyword ignore_above: 1024 - description: Standard registry type for encoding contents - example: REG_SZ + description: Unique identifier for the group on the system/platform. default_field: false - - name: hive - level: core + - name: entry_leader.parent.real_group.name + level: extended type: keyword ignore_above: 1024 - description: Abbreviated name for the hive. - example: HKLM + description: Name of the group. default_field: false - - name: key - level: core + - name: entry_leader.parent.real_user.domain + level: extended type: keyword ignore_above: 1024 - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
default_field: false - - name: path - level: core + - name: entry_leader.parent.real_user.email + level: extended type: keyword ignore_above: 1024 - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger + description: User email address. default_field: false - - name: value - level: core - type: keyword - ignore_above: 1024 - description: Name of the value written. - example: Debugger + - name: entry_leader.parent.real_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. default_field: false - - name: related - title: Related - group: 2 - description: 'This field set is meant to facilitate pivoting around a piece of - data. - - Some pieces of information can be seen in many places in an ECS event. To facilitate - searching for them, store an array of all seen values to their corresponding - field in `related.`. - - A concrete example is IP addresses, which can be under host, observer, source, - destination, client, server, and network.forwarded_ip. If you append all IPs - to `related.ip`, you can then search for a given IP trivially, no matter where - it appeared, by querying `related.ip:192.0.2.15`.' - type: group - default_field: true - fields: - - name: hash + - name: entry_leader.parent.real_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.parent.real_user.entity.display_name level: extended type: keyword ignore_above: 1024 - description: All the hashes seen on your event. Populating this field, then - using it to search for hashes can help in situations where you're unsure what - the hash algorithm is (and therefore which key name to search). + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). default_field: false - - name: hosts - level: extended + - name: entry_leader.parent.real_user.entity.id + level: core type: keyword ignore_above: 1024 - description: All hostnames or other host identifiers seen on your event. Example - identifiers include FQDNs, domain names, workstation names, or aliases. + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' default_field: false - - name: ip + - name: entry_leader.parent.real_user.entity.last_seen_timestamp level: extended - type: ip - description: All of the IPs seen on your event. 
- - name: user + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: entry_leader.parent.real_user.entity.lifecycle level: extended - type: keyword - ignore_above: 1024 - description: All the user names or other user identifiers seen on the event. + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. default_field: false - - name: rule - title: Rule - group: 2 - description: 'Rule fields are used to capture the specifics of any observer or - agent rules that generate alerts or other notable events. - - Examples of data sources that would populate the rule fields include: network - admission control platforms, network or host IDS/IPS, network firewalls, web - application firewalls, url filters, endpoint detection and response (EDR) systems, - etc.' - type: group - default_field: true - fields: - - name: author + - name: entry_leader.parent.real_user.entity.metrics level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: entry_leader.parent.real_user.entity.name + level: core type: keyword ignore_above: 1024 - description: Name, organization, or pseudonym of the author or authors who created - the rule used to generate this event. - example: '["Star-Lord"]' + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. 
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. default_field: false - - name: category + - name: entry_leader.parent.real_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: entry_leader.parent.real_user.entity.reference level: extended type: keyword ignore_above: 1024 - description: A categorization value keyword used by the entity using the rule - for detection of this event. - example: Attempted Information Leak + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. default_field: false - - name: description - level: extended + - name: entry_leader.parent.real_user.entity.source + level: core type: keyword ignore_above: 1024 - description: The description of the rule generating the event. - example: Block requests to public DNS over HTTPS / TLS protocols + description: The module or integration that provided this entity data (similar + to event.module). default_field: false - - name: id + - name: entry_leader.parent.real_user.entity.sub_type level: extended type: keyword ignore_above: 1024 - description: A rule ID that is unique within the scope of an agent, observer, - or other entity using the rule for detection of this event. - example: 101 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket default_field: false - - name: license - level: extended + - name: entry_leader.parent.real_user.entity.type + level: core type: keyword ignore_above: 1024 - description: Name of the license under which the rule used to generate this - event is made available. - example: Apache 2.0 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host default_field: false - - name: name + - name: entry_leader.parent.real_user.full_name level: extended type: keyword ignore_above: 1024 - description: The name of the rule or signature generating the event. - example: BLOCK_DNS_over_TLS + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein default_field: false - - name: reference + - name: entry_leader.parent.real_user.group.domain level: extended type: keyword ignore_above: 1024 - description: 'Reference URL to additional information about the rule used to - generate this event. + description: 'Name of the directory the group is a member of. - The URL can point to the vendor''s documentation about the rule. If that''s - not available, it can also be a link to a more general page describing this - type of alert.' - example: https://en.wikipedia.org/wiki/DNS_over_TLS + For example, an LDAP or Active Directory domain name.' 
default_field: false - - name: ruleset + - name: entry_leader.parent.real_user.group.id level: extended type: keyword ignore_above: 1024 - description: Name of the ruleset, policy, group, or parent category in which - the rule used to generate this event is a member. - example: Standard_Protocol_Filters + description: Unique identifier for the group on the system/platform. default_field: false - - name: uuid + - name: entry_leader.parent.real_user.group.name level: extended type: keyword ignore_above: 1024 - description: A rule ID that is unique within the scope of a set or group of - agents, observers, or other entities using the rule for detection of this - event. - example: 1100110011 + description: Name of the group. default_field: false - - name: version + - name: entry_leader.parent.real_user.hash level: extended type: keyword ignore_above: 1024 - description: The version / revision of the rule being used for analysis. - example: 1.1 - default_field: false - - name: server - title: Server - group: 2 - description: 'A Server is defined as the responder in a network connection for - events regarding sessions, connections, or bidirectional flow records. - - For TCP events, the server is the receiver of the initial SYN packet(s) of the - TCP connection. For other protocols, the server is generally the responder in - the network transaction. Some systems actually use the term "responder" to refer - the server in TCP connections. The server fields describe details about the - system acting as the server in the network event. Server fields are usually - populated in conjunction with client fields. Server fields are generally not - populated for packet-level events. + description: 'Unique user hash to correlate information for a user in anonymized + form. - Client / server representations can add semantic context to an exchange, which - is helpful to visualize the data in certain situations. 
If your context falls - in that category, you should still ensure that source and destination are filled - appropriately.' - type: group - default_field: true - fields: - - name: address - level: extended + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.parent.real_user.id + level: core type: keyword ignore_above: 1024 - description: 'Some event server addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - - name: as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - - name: as.organization.name - level: extended + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.parent.real_user.name + level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - default_field: false - description: Organization name. - example: Google LLC - - name: bytes - level: core - type: long - format: bytes - description: Bytes sent from the server to the client. - example: 184 - - name: domain - level: core + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: entry_leader.parent.real_user.risk.calculated_level + level: extended type: keyword ignore_above: 1024 - description: 'The domain name of the server system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' 
- example: foo.example.com - - name: geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High default_field: false - - name: geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: geo.name + - name: entry_leader.parent.real_user.risk.calculated_score level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - - name: geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 default_field: false - - name: geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires + - name: entry_leader.parent.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 default_field: false - - name: ip - level: core - type: ip - description: IP address of the server (IPv4 or IPv6). - - name: mac - level: core + - name: entry_leader.parent.real_user.risk.static_level + level: extended type: keyword ignore_above: 1024 - description: 'MAC address of the server. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - - name: nat.ip + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: entry_leader.parent.real_user.risk.static_score level: extended - type: ip - description: 'Translated ip of destination based NAT sessions (e.g. internet - to private DMZ) - - Typically used with load balancers, firewalls, or routers.' - - name: nat.port + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: entry_leader.parent.real_user.risk.static_score_norm level: extended - type: long - format: string - description: 'Translated port of destination based NAT sessions (e.g. internet - to private DMZ) - - Typically used with load balancers, firewalls, or routers.' - - name: packets - level: core - type: long - description: Packets sent from the server to the client. - example: 12 - - name: port - level: core - type: long - format: string - description: Port of the server. - - name: registered_domain + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.parent.real_user.roles level: extended type: keyword ignore_above: 1024 - description: 'The highest registered server domain, stripped of the subdomain. + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.parent.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. - For example, the registered domain for "foo.example.com" is "example.com". + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - - name: subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - - name: user.domain + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' 
+ example: true + default_field: false + - name: entry_leader.parent.saved_group.domain level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. + description: 'Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.' - - name: user.email + default_field: false + - name: entry_leader.parent.saved_group.id level: extended type: keyword ignore_above: 1024 - description: User email address. - - name: user.full_name + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.saved_group.name level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: User's full name, if available. - example: Albert Einstein - - name: user.group.domain + description: Name of the group. + default_field: false + - name: entry_leader.parent.saved_user.domain level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. + description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - - name: user.group.id + default_field: false + - name: entry_leader.parent.saved_user.email level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: user.group.name + description: User email address. + default_field: false + - name: entry_leader.parent.saved_user.entity.attributes level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: user.hash + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: entry_leader.parent.saved_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.parent.saved_user.entity.display_name level: extended type: keyword ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - - name: user.id + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: entry_leader.parent.saved_user.entity.id level: core type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - - name: user.name + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). 
For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: entry_leader.parent.saved_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: entry_leader.parent.saved_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.parent.saved_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: entry_leader.parent.saved_user.entity.name level: core type: keyword ignore_above: 1024 multi_fields: - name: text - type: match_only_text - default_field: false - description: Short name or login of the user. - example: a.einstein - - name: user.roles + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: entry_leader.parent.saved_user.entity.raw level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. default_field: false - - name: service - title: Service - group: 2 - description: 'The service fields describe the service for or from which the data - was collected. - - These fields help you find and correlate logs for a specific service and version.' - footnote: The service fields may be self-nested under service.origin.* and service.target.* - to describe origin or target services in the context of incoming or outgoing - requests, respectively. However, the fieldsets service.origin.* and service.target.* - must not be confused with the root service fieldset that is used to describe - the actual service under observation. The fieldset service.origin.* may only - be used in the context of incoming requests or events to describe the originating - service of the request. The fieldset service.target.* may only be used in the - context of outgoing requests or events to describe the target service of the - request. - type: group - default_field: true - fields: - - name: address + - name: entry_leader.parent.saved_user.entity.reference level: extended type: keyword ignore_above: 1024 - description: 'Address where data about this service was collected from. - - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource - path (sockets).' - example: 172.26.0.2:5432 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
default_field: false - - name: environment - level: extended + - name: entry_leader.parent.saved_user.entity.source + level: core type: keyword ignore_above: 1024 - description: 'Identifies the environment where the service is running. - - If the same service runs in different environments (production, staging, QA, - development, etc.), the environment can identify other instances of the same - service. Can also group services and applications from the same environment.' - example: production + description: The module or integration that provided this entity data (similar + to event.module). default_field: false - - name: ephemeral_id + - name: entry_leader.parent.saved_user.entity.sub_type level: extended type: keyword ignore_above: 1024 - description: 'Ephemeral identifier of this service (if one exists). - - This id normally changes across restarts, but `service.id` does not.' - example: 8a4f500f - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the running service. If the service is comprised - of many nodes, the `service.id` should be the same for all nodes. - - This id should uniquely identify the service. This makes it possible to correlate - logs and metrics for one specific service, no matter which particular node - emitted the event. - - Note that if you need to see the events from one specific host of the service, - you should filter on that `host.name` or `host.id` instead.' - example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - - name: name + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + default_field: false + - name: entry_leader.parent.saved_user.entity.type level: core type: keyword ignore_above: 1024 - description: 'Name of the service data is collected from. - - The name of the service is normally user given. This allows for distributed - services that run on multiple hosts to correlate the related instances based - on the name. - - In the case of Elasticsearch the `service.name` could contain the cluster - name. For Beats the `service.name` is by default a copy of the `service.type` - field if no name is specified.' - example: elasticsearch-metrics - - name: node.name - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of a service node. - - This allows for two nodes of the same service running on the same host to - be differentiated. Therefore, `service.node.name` should typically be unique - across nodes of a given service. - - In the case of Elasticsearch, the `service.node.name` could contain the unique - node name within the Elasticsearch cluster. In cases where the service doesn''t - have the concept of a node name, the host name or container name can be used - to distinguish running instances that make up this service. If those do not - provide uniqueness (e.g. multiple instances of the service running on the - same host) - the node name can be manually set.' - example: instance-0000000016 - - name: node.role + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: entry_leader.parent.saved_user.full_name level: extended type: keyword ignore_above: 1024 - description: 'Deprecated for removal in next major version release. This field - will be superseded by `node.roles`. - - Role of a service node. 
- - This allows for distinction between different running roles of the same service. - - In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. - - In the case of Elasticsearch, the `service.node.role` could be `master` or - `data`. - - Other services could use this to distinguish between a `web` and `worker` - role running as part of the service.' - example: background_tasks + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein default_field: false - - name: node.roles + - name: entry_leader.parent.saved_user.group.domain level: extended type: keyword ignore_above: 1024 - description: 'Roles of a service node. - - This allows for distinction between different running roles of the same service. - - In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` - or both. - - In the case of Elasticsearch, the `service.node.role` could be `master` or - `data` or both. + description: 'Name of the directory the group is a member of. - Other services could use this to distinguish between a `web` and `worker` - role running as part of the service.' - example: '["ui", "background_tasks"]' + For example, an LDAP or Active Directory domain name.' default_field: false - - name: origin.address + - name: entry_leader.parent.saved_user.group.id level: extended type: keyword ignore_above: 1024 - description: 'Address where data about this service was collected from. - - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource - path (sockets).' - example: 172.26.0.2:5432 + description: Unique identifier for the group on the system/platform. default_field: false - - name: origin.environment + - name: entry_leader.parent.saved_user.group.name level: extended type: keyword ignore_above: 1024 - description: 'Identifies the environment where the service is running. 
- - If the same service runs in different environments (production, staging, QA, - development, etc.), the environment can identify other instances of the same - service. Can also group services and applications from the same environment.' - example: production + description: Name of the group. default_field: false - - name: origin.ephemeral_id + - name: entry_leader.parent.saved_user.hash level: extended type: keyword ignore_above: 1024 - description: 'Ephemeral identifier of this service (if one exists). + description: 'Unique user hash to correlate information for a user in anonymized + form. - This id normally changes across restarts, but `service.id` does not.' - example: 8a4f500f + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' default_field: false - - name: origin.id + - name: entry_leader.parent.saved_user.id level: core type: keyword ignore_above: 1024 - description: 'Unique identifier of the running service. If the service is comprised - of many nodes, the `service.id` should be the same for all nodes. - - This id should uniquely identify the service. This makes it possible to correlate - logs and metrics for one specific service, no matter which particular node - emitted the event. - - Note that if you need to see the events from one specific host of the service, - you should filter on that `host.name` or `host.id` instead.' - example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: origin.name + - name: entry_leader.parent.saved_user.name level: core type: keyword ignore_above: 1024 - description: 'Name of the service data is collected from. - - The name of the service is normally user given. This allows for distributed - services that run on multiple hosts to correlate the related instances based - on the name. 
- - In the case of Elasticsearch the `service.name` could contain the cluster - name. For Beats the `service.name` is by default a copy of the `service.type` - field if no name is specified.' - example: elasticsearch-metrics + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: origin.node.name + - name: entry_leader.parent.saved_user.risk.calculated_level level: extended type: keyword ignore_above: 1024 - description: 'Name of a service node. - - This allows for two nodes of the same service running on the same host to - be differentiated. Therefore, `service.node.name` should typically be unique - across nodes of a given service. - - In the case of Elasticsearch, the `service.node.name` could contain the unique - node name within the Elasticsearch cluster. In cases where the service doesn''t - have the concept of a node name, the host name or container name can be used - to distinguish running instances that make up this service. If those do not - provide uniqueness (e.g. multiple instances of the service running on the - same host) - the node name can be manually set.' - example: instance-0000000016 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High default_field: false - - name: origin.node.role + - name: entry_leader.parent.saved_user.risk.calculated_score level: extended - type: keyword - ignore_above: 1024 - description: 'Deprecated for removal in next major version release. This field - will be superseded by `node.roles`. - - Role of a service node. - - This allows for distinction between different running roles of the same service. - - In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. - - In the case of Elasticsearch, the `service.node.role` could be `master` or - `data`. 
- - Other services could use this to distinguish between a `web` and `worker` - role running as part of the service.' - example: background_tasks + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 default_field: false - - name: origin.node.roles + - name: entry_leader.parent.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.parent.saved_user.risk.static_level level: extended type: keyword ignore_above: 1024 - description: 'Roles of a service node. - - This allows for distinction between different running roles of the same service. - - In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` - or both. - - In the case of Elasticsearch, the `service.node.role` could be `master` or - `data` or both. - - Other services could use this to distinguish between a `web` and `worker` - role running as part of the service.' - example: '["ui", "background_tasks"]' + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High default_field: false - - name: origin.state - level: core + - name: entry_leader.parent.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: entry_leader.parent.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.parent.saved_user.roles + level: extended type: keyword ignore_above: 1024 - description: Current state of the service. + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' default_field: false - - name: origin.type - level: core + - name: entry_leader.parent.session_leader.args + level: extended type: keyword ignore_above: 1024 - description: 'The type of the service data is collected from. + description: 'Array of process arguments, starting with the absolute path to + the executable. - The type can be used to group and correlate logs and metrics from one service - type. + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: entry_leader.parent.session_leader.args_count + level: extended + type: long + description: 'Length of the process.args array. - Example: If logs or metrics are collected from Elasticsearch, `service.type` - would be `elasticsearch`.' - example: elasticsearch + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 default_field: false - - name: origin.version - level: core + - name: entry_leader.parent.session_leader.attested_groups.domain + level: extended type: keyword ignore_above: 1024 - description: 'Version of the service the data was collected from. + description: 'Name of the directory the group is a member of. 
- This allows to look at a data set only for a specific version of a service.' - example: 3.2.4 + For example, an LDAP or Active Directory domain name.' default_field: false - - name: state - level: core + - name: entry_leader.parent.session_leader.attested_groups.id + level: extended type: keyword ignore_above: 1024 - description: Current state of the service. - - name: target.address + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.session_leader.attested_groups.name level: extended type: keyword ignore_above: 1024 - description: 'Address where data about this service was collected from. + description: Name of the group. + default_field: false + - name: entry_leader.parent.session_leader.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource - path (sockets).' - example: 172.26.0.2:5432 + For example, an LDAP or Active Directory domain name.' default_field: false - - name: target.entity.attributes + - name: entry_leader.parent.session_leader.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: entry_leader.parent.session_leader.attested_user.entity.attributes level: extended type: object description: A set of static or semi-static attributes of the entity. Usually @@ -9146,7 +9834,7 @@ and correlation of normalized values across different providers/sources and entity types. default_field: false - - name: target.entity.behavior + - name: entry_leader.parent.session_leader.attested_user.entity.behavior level: extended type: object description: A set of ephemeral characteristics of the entity, derived from 
@@ -9155,7 +9843,7 @@ of an entity for advanced searching, correlation of normalized values across different providers/sources and entity types. default_field: false - - name: target.entity.display_name + - name: entry_leader.parent.session_leader.attested_user.entity.display_name level: extended type: keyword ignore_above: 1024 @@ -9167,7 +9855,7 @@ operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). default_field: false - - name: target.entity.id + - name: entry_leader.parent.session_leader.attested_user.entity.id level: core type: keyword ignore_above: 1024 @@ -9180,13 +9868,13 @@ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' default_field: false - - name: target.entity.last_seen_timestamp + - name: entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp level: extended type: date description: Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity. default_field: false - - name: target.entity.lifecycle + - name: entry_leader.parent.session_leader.attested_user.entity.lifecycle level: extended type: object description: A set of temporal characteristics of the entity. Usually date field @@ -9194,13 +9882,13 @@ of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. default_field: false - - name: target.entity.metrics + - name: entry_leader.parent.session_leader.attested_user.entity.metrics level: extended type: object description: Field set for any fields containing numeric entity metrics. These use dynamic field data type mapping. default_field: false - - name: target.entity.name + - name: entry_leader.parent.session_leader.attested_user.entity.name level: core type: keyword ignore_above: 1024 
@@ -9213,7 +9901,7 @@ For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value. default_field: false - - name: target.entity.raw + - name: entry_leader.parent.session_leader.attested_user.entity.raw level: extended type: object description: Original, unmodified fields from the source system. Usually flattened @@ -9221,7 +9909,7 @@ fields requiring advanced queries, this field preserves all source metadata with basic search capabilities. default_field: false - - name: target.entity.reference + - name: entry_leader.parent.session_leader.attested_user.entity.reference level: extended type: keyword ignore_above: 1024 @@ -9229,14 +9917,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false - - name: target.entity.source + - name: entry_leader.parent.session_leader.attested_user.entity.source level: core type: keyword ignore_above: 1024 description: The module or integration that provided this entity data (similar to event.module). default_field: false - - name: target.entity.sub_type + - name: entry_leader.parent.session_leader.attested_user.entity.sub_type level: extended type: keyword ignore_above: 1024 @@ -9247,7 +9935,7 @@ , `node` , `cloud_instance` would all map to entity type `host`.' example: aws_s3_bucket default_field: false - - name: target.entity.type + - name: entry_leader.parent.session_leader.attested_user.entity.type level: core type: keyword ignore_above: 1024 
@@ -9257,698 +9945,26489 @@ `user`, `application`, `session`, etc.' example: host default_field: false - - name: target.environment + - name: entry_leader.parent.session_leader.attested_user.full_name level: extended type: keyword ignore_above: 1024 - description: 'Identifies the environment where the service is running. - - If the same service runs in different environments (production, staging, QA, - development, etc.), the environment can identify other instances of the same - service. Can also group services and applications from the same environment.' - example: production + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein default_field: false - - name: target.ephemeral_id + - name: entry_leader.parent.session_leader.attested_user.group.domain level: extended type: keyword ignore_above: 1024 - description: 'Ephemeral identifier of this service (if one exists). - - This id normally changes across restarts, but `service.id` does not.' - example: 8a4f500f - default_field: false - - name: target.id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the running service. If the service is comprised - of many nodes, the `service.id` should be the same for all nodes. - - This id should uniquely identify the service. This makes it possible to correlate - logs and metrics for one specific service, no matter which particular node - emitted the event. - - Note that if you need to see the events from one specific host of the service, - you should filter on that `host.name` or `host.id` instead.' - example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - default_field: false - - name: target.name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the service data is collected from. - - The name of the service is normally user given. 
This allows for distributed - services that run on multiple hosts to correlate the related instances based - on the name. + description: 'Name of the directory the group is a member of. - In the case of Elasticsearch the `service.name` could contain the cluster - name. For Beats the `service.name` is by default a copy of the `service.type` - field if no name is specified.' - example: elasticsearch-metrics + For example, an LDAP or Active Directory domain name.' default_field: false - - name: target.node.name + - name: entry_leader.parent.session_leader.attested_user.group.id level: extended type: keyword ignore_above: 1024 - description: 'Name of a service node. - - This allows for two nodes of the same service running on the same host to - be differentiated. Therefore, `service.node.name` should typically be unique - across nodes of a given service. - - In the case of Elasticsearch, the `service.node.name` could contain the unique - node name within the Elasticsearch cluster. In cases where the service doesn''t - have the concept of a node name, the host name or container name can be used - to distinguish running instances that make up this service. If those do not - provide uniqueness (e.g. multiple instances of the service running on the - same host) - the node name can be manually set.' - example: instance-0000000016 + description: Unique identifier for the group on the system/platform. default_field: false - - name: target.node.role + - name: entry_leader.parent.session_leader.attested_user.group.name level: extended type: keyword ignore_above: 1024 - description: 'Deprecated for removal in next major version release. This field - will be superseded by `node.roles`. - - Role of a service node. - - This allows for distinction between different running roles of the same service. - - In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. - - In the case of Elasticsearch, the `service.node.role` could be `master` or - `data`. 
- - Other services could use this to distinguish between a `web` and `worker` - role running as part of the service.' - example: background_tasks + description: Name of the group. default_field: false - - name: target.node.roles + - name: entry_leader.parent.session_leader.attested_user.hash level: extended type: keyword ignore_above: 1024 - description: 'Roles of a service node. - - This allows for distinction between different running roles of the same service. - - In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` - or both. - - In the case of Elasticsearch, the `service.node.role` could be `master` or - `data` or both. + description: 'Unique user hash to correlate information for a user in anonymized + form. - Other services could use this to distinguish between a `web` and `worker` - role running as part of the service.' - example: '["ui", "background_tasks"]' + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' default_field: false - - name: target.state + - name: entry_leader.parent.session_leader.attested_user.id level: core type: keyword ignore_above: 1024 - description: Current state of the service. + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: target.type + - name: entry_leader.parent.session_leader.attested_user.name level: core type: keyword ignore_above: 1024 - description: 'The type of the service data is collected from. - - The type can be used to group and correlate logs and metrics from one service - type. - - Example: If logs or metrics are collected from Elasticsearch, `service.type` - would be `elasticsearch`.' - example: elasticsearch + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein default_field: false - - name: target.version - level: core + - name: entry_leader.parent.session_leader.attested_user.risk.calculated_level + level: extended type: keyword ignore_above: 1024 - description: 'Version of the service the data was collected from. - - This allows to look at a data set only for a specific version of a service.' - example: 3.2.4 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High default_field: false - - name: type - level: core - type: keyword - ignore_above: 1024 + - name: entry_leader.parent.session_leader.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.parent.session_leader.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: entry_leader.parent.session_leader.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: entry_leader.parent.session_leader.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.parent.session_leader.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.parent.session_leader.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: entry_leader.parent.session_leader.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: entry_leader.parent.session_leader.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: entry_leader.parent.session_leader.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: entry_leader.parent.session_leader.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. 
+ + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: entry_leader.parent.session_leader.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: entry_leader.parent.session_leader.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: entry_leader.parent.session_leader.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: entry_leader.parent.session_leader.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: entry_leader.parent.session_leader.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: entry_leader.parent.session_leader.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. 
+ + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: entry_leader.parent.session_leader.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: entry_leader.parent.session_leader.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: entry_leader.parent.session_leader.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: entry_leader.parent.session_leader.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: entry_leader.parent.session_leader.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: entry_leader.parent.session_leader.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: entry_leader.parent.session_leader.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: entry_leader.parent.session_leader.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: entry_leader.parent.session_leader.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.parent.session_leader.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.parent.session_leader.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: entry_leader.parent.session_leader.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: entry_leader.parent.session_leader.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: entry_leader.parent.session_leader.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: entry_leader.parent.session_leader.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. 
+ default_field: false + - name: entry_leader.parent.session_leader.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: entry_leader.parent.session_leader.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: entry_leader.parent.session_leader.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: entry_leader.parent.session_leader.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: entry_leader.parent.session_leader.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: entry_leader.parent.session_leader.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: entry_leader.parent.session_leader.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: entry_leader.parent.session_leader.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ default_field: false + - name: entry_leader.parent.session_leader.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. 
+ default_field: false + - name: entry_leader.parent.session_leader.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: entry_leader.parent.session_leader.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: entry_leader.parent.session_leader.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: entry_leader.parent.session_leader.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: entry_leader.parent.session_leader.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: entry_leader.parent.session_leader.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: entry_leader.parent.session_leader.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: entry_leader.parent.session_leader.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: entry_leader.parent.session_leader.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. 
+ default_field: false + - name: entry_leader.parent.session_leader.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. 
+ example: 184 + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. 
+ + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' 
+ example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: entry_leader.parent.session_leader.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: entry_leader.parent.session_leader.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: entry_leader.parent.session_leader.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + default_field: false + - name: entry_leader.parent.session_leader.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: entry_leader.parent.session_leader.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.session_leader.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.session_leader.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: entry_leader.parent.session_leader.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: entry_leader.parent.session_leader.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: entry_leader.parent.session_leader.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: entry_leader.parent.session_leader.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. 
+ default_field: false + - name: entry_leader.parent.session_leader.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: entry_leader.parent.session_leader.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: entry_leader.parent.session_leader.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: entry_leader.parent.session_leader.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: entry_leader.parent.session_leader.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: entry_leader.parent.session_leader.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: entry_leader.parent.session_leader.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. 
+ default_field: false + - name: entry_leader.parent.session_leader.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: entry_leader.parent.session_leader.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: entry_leader.parent.session_leader.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: entry_leader.parent.session_leader.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: entry_leader.parent.session_leader.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' 
+ default_field: false + - name: entry_leader.parent.session_leader.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: entry_leader.parent.session_leader.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: entry_leader.parent.session_leader.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.parent.session_leader.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.parent.session_leader.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: entry_leader.parent.session_leader.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: entry_leader.parent.session_leader.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: entry_leader.parent.session_leader.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: entry_leader.parent.session_leader.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: entry_leader.parent.session_leader.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: entry_leader.parent.session_leader.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.parent.session_leader.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: entry_leader.parent.session_leader.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: entry_leader.parent.session_leader.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. 
+ default_field: false + - name: entry_leader.parent.session_leader.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: entry_leader.parent.session_leader.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: entry_leader.parent.session_leader.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: entry_leader.parent.session_leader.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: entry_leader.parent.session_leader.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: entry_leader.parent.session_leader.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: entry_leader.parent.session_leader.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. 
+ example: Microsoft Corporation + default_field: false + - name: entry_leader.parent.session_leader.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: entry_leader.parent.session_leader.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: entry_leader.parent.session_leader.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: entry_leader.parent.session_leader.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: entry_leader.parent.session_leader.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.parent.session_leader.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: entry_leader.parent.session_leader.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: entry_leader.parent.session_leader.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: entry_leader.parent.session_leader.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: entry_leader.parent.session_leader.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: entry_leader.parent.session_leader.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: entry_leader.parent.session_leader.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ default_field: false + - name: entry_leader.parent.session_leader.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: entry_leader.parent.session_leader.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: entry_leader.parent.session_leader.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: entry_leader.parent.session_leader.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: entry_leader.parent.session_leader.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.parent.session_leader.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: entry_leader.parent.session_leader.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. 
+ default_field: false + - name: entry_leader.parent.session_leader.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.parent.session_leader.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: entry_leader.parent.session_leader.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: entry_leader.parent.session_leader.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: entry_leader.parent.session_leader.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.session_leader.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.session_leader.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. 
+ default_field: false + - name: entry_leader.parent.session_leader.real_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: entry_leader.parent.session_leader.real_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.parent.session_leader.real_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: entry_leader.parent.session_leader.real_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). 
For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: entry_leader.parent.session_leader.real_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.parent.session_leader.real_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: entry_leader.parent.session_leader.real_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: entry_leader.parent.session_leader.real_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: entry_leader.parent.session_leader.real_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: entry_leader.parent.session_leader.real_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: entry_leader.parent.session_leader.real_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: entry_leader.parent.session_leader.real_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + default_field: false + - name: entry_leader.parent.session_leader.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: entry_leader.parent.session_leader.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.session_leader.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.session_leader.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.parent.session_leader.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.parent.session_leader.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein + default_field: false + - name: entry_leader.parent.session_leader.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: entry_leader.parent.session_leader.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.parent.session_leader.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.parent.session_leader.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: entry_leader.parent.session_leader.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: entry_leader.parent.session_leader.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + default_field: false + - name: entry_leader.parent.session_leader.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.parent.session_leader.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: entry_leader.parent.session_leader.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: entry_leader.parent.session_leader.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.session_leader.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: entry_leader.parent.session_leader.saved_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: entry_leader.parent.session_leader.saved_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.parent.session_leader.saved_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: entry_leader.parent.session_leader.saved_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: entry_leader.parent.session_leader.saved_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.parent.session_leader.saved_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ default_field: false + - name: entry_leader.parent.session_leader.saved_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: entry_leader.parent.session_leader.saved_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: entry_leader.parent.session_leader.saved_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: entry_leader.parent.session_leader.saved_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: entry_leader.parent.session_leader.saved_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: entry_leader.parent.session_leader.saved_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: entry_leader.parent.session_leader.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: entry_leader.parent.session_leader.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.session_leader.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.session_leader.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ default_field: false + - name: entry_leader.parent.session_leader.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.parent.session_leader.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: entry_leader.parent.session_leader.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: entry_leader.parent.session_leader.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.parent.session_leader.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: entry_leader.parent.session_leader.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: entry_leader.parent.session_leader.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.parent.session_leader.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.parent.session_leader.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: entry_leader.parent.session_leader.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.session_leader.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.session_leader.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: entry_leader.parent.session_leader.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: entry_leader.parent.session_leader.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: entry_leader.parent.session_leader.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: entry_leader.parent.session_leader.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: entry_leader.parent.session_leader.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: entry_leader.parent.session_leader.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. 
+ example: 4 + default_field: false + - name: entry_leader.parent.session_leader.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: entry_leader.parent.session_leader.tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: entry_leader.parent.session_leader.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: entry_leader.parent.session_leader.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: entry_leader.parent.session_leader.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: entry_leader.parent.session_leader.user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: entry_leader.parent.session_leader.user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.parent.session_leader.user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: entry_leader.parent.session_leader.user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: entry_leader.parent.session_leader.user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: entry_leader.parent.session_leader.user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.parent.session_leader.user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: entry_leader.parent.session_leader.user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: entry_leader.parent.session_leader.user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ default_field: false + - name: entry_leader.parent.session_leader.user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: entry_leader.parent.session_leader.user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: entry_leader.parent.session_leader.user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: entry_leader.parent.session_leader.user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: entry_leader.parent.session_leader.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. 
+ example: Albert Einstein + default_field: false + - name: entry_leader.parent.session_leader.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.session_leader.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.session_leader.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.session_leader.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.parent.session_leader.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.parent.session_leader.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: entry_leader.parent.session_leader.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + default_field: false + - name: entry_leader.parent.session_leader.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.parent.session_leader.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.parent.session_leader.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: entry_leader.parent.session_leader.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: entry_leader.parent.session_leader.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.parent.session_leader.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.parent.session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. 
This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: entry_leader.parent.session_leader.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: entry_leader.parent.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: entry_leader.parent.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: entry_leader.parent.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: entry_leader.parent.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: entry_leader.parent.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: entry_leader.parent.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: entry_leader.parent.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: entry_leader.parent.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + default_field: false + - name: entry_leader.parent.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: entry_leader.parent.tty.columns + level: extended + type: long + description: 'The number of character columns per line. 
e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: entry_leader.parent.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: entry_leader.parent.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: entry_leader.parent.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: entry_leader.parent.user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: entry_leader.parent.user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ default_field: false + - name: entry_leader.parent.user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: entry_leader.parent.user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: entry_leader.parent.user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: entry_leader.parent.user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.parent.user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ default_field: false + - name: entry_leader.parent.user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: entry_leader.parent.user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: entry_leader.parent.user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: entry_leader.parent.user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: entry_leader.parent.user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + default_field: false + - name: entry_leader.parent.user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: entry_leader.parent.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: entry_leader.parent.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.parent.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.parent.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.parent.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.parent.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.parent.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: entry_leader.parent.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: entry_leader.parent.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.parent.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.parent.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: entry_leader.parent.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: entry_leader.parent.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + default_field: false + - name: entry_leader.parent.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.parent.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: entry_leader.parent.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: entry_leader.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: entry_leader.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: entry_leader.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: entry_leader.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: entry_leader.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: entry_leader.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: entry_leader.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: entry_leader.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: entry_leader.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: entry_leader.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: entry_leader.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: entry_leader.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: entry_leader.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: entry_leader.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: entry_leader.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: entry_leader.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: entry_leader.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: entry_leader.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: entry_leader.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: entry_leader.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: entry_leader.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: entry_leader.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: entry_leader.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: entry_leader.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: entry_leader.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: entry_leader.real_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: entry_leader.real_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.real_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: entry_leader.real_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: entry_leader.real_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: entry_leader.real_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.real_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: entry_leader.real_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ default_field: false + - name: entry_leader.real_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: entry_leader.real_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: entry_leader.real_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: entry_leader.real_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: entry_leader.real_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + default_field: false + - name: entry_leader.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: entry_leader.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: entry_leader.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + default_field: false + - name: entry_leader.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: entry_leader.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: entry_leader.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. 
Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: entry_leader.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: entry_leader.saved_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. 
Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: entry_leader.saved_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.saved_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: entry_leader.saved_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: entry_leader.saved_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: entry_leader.saved_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.saved_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: entry_leader.saved_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: entry_leader.saved_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: entry_leader.saved_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. 
This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: entry_leader.saved_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: entry_leader.saved_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: entry_leader.saved_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: entry_leader.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: entry_leader.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: entry_leader.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: entry_leader.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: entry_leader.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + default_field: false + - name: entry_leader.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: entry_leader.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: entry_leader.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: entry_leader.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: entry_leader.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: entry_leader.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: entry_leader.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: entry_leader.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: entry_leader.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: entry_leader.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: entry_leader.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: entry_leader.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. 
+ example: 4 + default_field: false + - name: entry_leader.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: entry_leader.tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: entry_leader.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: entry_leader.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: entry_leader.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: entry_leader.user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: entry_leader.user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: entry_leader.user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: entry_leader.user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: entry_leader.user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entry_leader.user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: entry_leader.user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: entry_leader.user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: entry_leader.user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. 
Format may vary by entity type and source system. + default_field: false + - name: entry_leader.user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: entry_leader.user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: entry_leader.user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: entry_leader.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: entry_leader.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: entry_leader.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: entry_leader.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: entry_leader.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: entry_leader.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: entry_leader.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: entry_leader.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: entry_leader.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + default_field: false + - name: entry_leader.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: entry_leader.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: entry_leader.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: entry_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: entry_leader.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. 
The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. 
+ example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' 
+ example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + default_field: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + - name: exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' 
+ example: 137 + default_field: false + - name: group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: group_leader.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: group_leader.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: group_leader.attested_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: group_leader.attested_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: group_leader.attested_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: group_leader.attested_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: group_leader.attested_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: group_leader.attested_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: group_leader.attested_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: group_leader.attested_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ default_field: false + - name: group_leader.attested_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: group_leader.attested_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: group_leader.attested_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: group_leader.attested_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: group_leader.attested_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + default_field: false + - name: group_leader.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: group_leader.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: group_leader.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: group_leader.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: group_leader.attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + default_field: false + - name: group_leader.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: group_leader.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: group_leader.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: group_leader.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: group_leader.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: group_leader.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: group_leader.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. 
+ + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: group_leader.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: group_leader.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: group_leader.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: group_leader.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: group_leader.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: group_leader.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV + default_field: false + - name: group_leader.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: group_leader.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: group_leader.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: group_leader.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: group_leader.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: group_leader.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: group_leader.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. 
+ example: Little Endian + default_field: false + - name: group_leader.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: group_leader.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: group_leader.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: group_leader.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: group_leader.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: group_leader.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: group_leader.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: group_leader.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: group_leader.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: group_leader.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: group_leader.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: group_leader.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: group_leader.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: group_leader.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: group_leader.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: group_leader.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: group_leader.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: group_leader.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: group_leader.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: group_leader.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: group_leader.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: group_leader.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: group_leader.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: group_leader.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: group_leader.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: group_leader.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: group_leader.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. 
+ default_field: false + - name: group_leader.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: group_leader.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: group_leader.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: group_leader.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: group_leader.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: group_leader.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: group_leader.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: group_leader.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: group_leader.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: group_leader.end + level: extended + type: date + description: The time the process ended. 
+ example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: group_leader.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: group_leader.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: group_leader.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: group_leader.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: group_leader.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. 
+ example: Google LLC + default_field: false + - name: group_leader.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: group_leader.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: group_leader.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: group_leader.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: group_leader.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: group_leader.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: group_leader.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: group_leader.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: group_leader.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. 
+ + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: group_leader.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: group_leader.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: group_leader.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: group_leader.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: group_leader.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: group_leader.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: group_leader.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. 
internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: group_leader.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: group_leader.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: group_leader.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: group_leader.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: group_leader.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' 
+ example: east + default_field: false + - name: group_leader.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: group_leader.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: group_leader.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: group_leader.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: group_leader.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: group_leader.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: group_leader.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: group_leader.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: group_leader.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: group_leader.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: group_leader.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: group_leader.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: group_leader.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: group_leader.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. 
If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: group_leader.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: group_leader.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: group_leader.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: group_leader.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: group_leader.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: group_leader.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. 
TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: group_leader.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: group_leader.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: group_leader.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false + - name: group_leader.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: group_leader.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: group_leader.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: group_leader.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: group_leader.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: group_leader.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: group_leader.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: group_leader.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: group_leader.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: group_leader.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: group_leader.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. 
+ default_field: false + - name: group_leader.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: group_leader.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: group_leader.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: group_leader.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: group_leader.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: group_leader.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: group_leader.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: group_leader.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. 
+ example: http://example.com/files/example.exe + default_field: false + - name: group_leader.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: group_leader.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: group_leader.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: group_leader.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: group_leader.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: group_leader.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: group_leader.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: group_leader.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: group_leader.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: group_leader.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: group_leader.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: group_leader.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: group_leader.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: group_leader.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ default_field: false + - name: group_leader.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: group_leader.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: group_leader.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: group_leader.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: group_leader.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: group_leader.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: group_leader.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: group_leader.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. 
+ default_field: false + - name: group_leader.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: group_leader.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: group_leader.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: group_leader.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: group_leader.real_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. 
+ default_field: false + - name: group_leader.real_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: group_leader.real_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: group_leader.real_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: group_leader.real_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ default_field: false + - name: group_leader.real_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: group_leader.real_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: group_leader.real_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: group_leader.real_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: group_leader.real_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ default_field: false + - name: group_leader.real_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: group_leader.real_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: group_leader.real_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: group_leader.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: group_leader.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: group_leader.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: group_leader.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: group_leader.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: group_leader.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: group_leader.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: group_leader.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + default_field: false + - name: group_leader.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: group_leader.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: group_leader.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: group_leader.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: group_leader.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. 
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: group_leader.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: group_leader.saved_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. 
+ default_field: false + - name: group_leader.saved_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: group_leader.saved_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: group_leader.saved_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: group_leader.saved_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ default_field: false + - name: group_leader.saved_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: group_leader.saved_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: group_leader.saved_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: group_leader.saved_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: group_leader.saved_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ default_field: false + - name: group_leader.saved_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: group_leader.saved_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: group_leader.saved_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: group_leader.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: group_leader.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: group_leader.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: group_leader.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: group_leader.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: group_leader.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: group_leader.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: group_leader.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + default_field: false + - name: group_leader.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: group_leader.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: group_leader.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: group_leader.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: group_leader.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: group_leader.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group_leader.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: group_leader.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: group_leader.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: group_leader.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: group_leader.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: group_leader.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: group_leader.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: group_leader.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. 
+ example: 4 + default_field: false + - name: group_leader.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: group_leader.tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: group_leader.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: group_leader.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: group_leader.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: group_leader.user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: group_leader.user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: group_leader.user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: group_leader.user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: group_leader.user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: group_leader.user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: group_leader.user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: group_leader.user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: group_leader.user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: group_leader.user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. 
Format may vary by entity type and source system. + default_field: false + - name: group_leader.user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: group_leader.user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: group_leader.user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: group_leader.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: group_leader.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: group_leader.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: group_leader.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group_leader.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: group_leader.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: group_leader.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: group_leader.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: group_leader.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: group_leader.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: group_leader.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + default_field: false + - name: group_leader.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: group_leader.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: group_leader.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: group_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: group_leader.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. 
+ - name: hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + - name: hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ default_field: false + - name: io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false + - name: macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ default_field: false + - name: macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh + - name: origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: parent.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: parent.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: parent.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: parent.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.attested_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: parent.attested_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: parent.attested_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: parent.attested_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). 
For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: parent.attested_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: parent.attested_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: parent.attested_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: parent.attested_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: parent.attested_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ default_field: false + - name: parent.attested_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: parent.attested_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: parent.attested_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: parent.attested_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: parent.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: parent.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: parent.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: parent.attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: parent.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: parent.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + default_field: false + - name: parent.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: parent.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: parent.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: parent.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: parent.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: parent.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: parent.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. 
+ + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: parent.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: parent.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: parent.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: parent.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: parent.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' 
+ example: 'true' + default_field: false + - name: parent.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: parent.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: parent.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: parent.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: parent.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: parent.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: parent.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: parent.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: parent.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: parent.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: parent.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: parent.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: parent.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: parent.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: parent.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: parent.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. 
+ default_field: false + - name: parent.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: parent.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: parent.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: parent.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: parent.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: parent.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: parent.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: parent.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: parent.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. 
+ default_field: false + - name: parent.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: parent.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: parent.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: parent.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: parent.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: parent.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: parent.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: parent.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: parent.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: parent.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. 
+ default_field: false + - name: parent.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: parent.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: parent.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: parent.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: parent.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: parent.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: parent.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. 
The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: parent.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: parent.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: parent.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: parent.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: parent.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: parent.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: parent.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: parent.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: parent.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. 
+ example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: parent.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: parent.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: parent.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: parent.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: parent.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: parent.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: parent.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' 
+ example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: parent.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: parent.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: parent.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: parent.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: parent.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: parent.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: parent.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: parent.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: parent.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: parent.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: parent.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' 
+ example: 137 + default_field: false + - name: parent.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: parent.group_leader.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: parent.group_leader.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group_leader.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: parent.group_leader.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.group_leader.attested_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: parent.group_leader.attested_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: parent.group_leader.attested_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: parent.group_leader.attested_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: parent.group_leader.attested_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: parent.group_leader.attested_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: parent.group_leader.attested_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: parent.group_leader.attested_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ default_field: false + - name: parent.group_leader.attested_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: parent.group_leader.attested_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: parent.group_leader.attested_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: parent.group_leader.attested_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: parent.group_leader.attested_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + default_field: false + - name: parent.group_leader.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: parent.group_leader.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group_leader.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: parent.group_leader.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.group_leader.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: parent.group_leader.attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + default_field: false + - name: parent.group_leader.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: parent.group_leader.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: parent.group_leader.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: parent.group_leader.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: parent.group_leader.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: parent.group_leader.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.group_leader.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. 
+ + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: parent.group_leader.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: parent.group_leader.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: parent.group_leader.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: parent.group_leader.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: parent.group_leader.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: parent.group_leader.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV
+ default_field: false
+ - name: parent.group_leader.code_signature.thumbprint_sha256
+ level: extended
+ type: keyword
+ ignore_above: 64
+ description: Certificate SHA256 hash that uniquely identifies the code signer.
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+ pattern: ^[0-9a-f]{64}$
+ default_field: false
+ - name: parent.group_leader.code_signature.timestamp
+ level: extended
+ type: date
+ description: Date and time when the code signature was generated and signed.
+ example: '2021-01-01T12:10:30Z'
+ default_field: false
+ - name: parent.group_leader.code_signature.trusted
+ level: extended
+ type: boolean
+ description: 'Stores the trust status of the certificate chain.
+
+ Validating the trust of the certificate chain may be complicated, and this
+ field should only be populated by tools that actively check the status.'
+ example: 'true'
+ default_field: false
+ - name: parent.group_leader.code_signature.valid
+ level: extended
+ type: boolean
+ description: 'Boolean to capture if the digital signature is verified against
+ the binary content.
+
+ Leave unpopulated if a certificate was unchecked.'
+ example: 'true'
+ default_field: false
+ - name: parent.group_leader.command_line
+ level: extended
+ type: wildcard
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: 'Full command line that started the process, including the absolute
+ path to the executable, and all arguments.
+
+ Some arguments may be filtered to protect sensitive information.'
+ example: /usr/bin/ssh -l user 10.0.0.16
+ default_field: false
+ - name: parent.group_leader.elf.architecture
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine architecture of the ELF file.
+ example: x86-64
+ default_field: false
+ - name: parent.group_leader.elf.byte_order
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Byte sequence of ELF file.
+ example: Little Endian
+ default_field: false
+ - name: parent.group_leader.elf.cpu_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: CPU type of the ELF file.
+ example: Intel
+ default_field: false
+ - name: parent.group_leader.elf.creation_date
+ level: extended
+ type: date
+ description: Extracted when possible from the file's metadata. Indicates when
+ it was built or compiled. It can also be faked by malware creators.
+ default_field: false
+ - name: parent.group_leader.elf.exports
+ level: extended
+ type: flattened
+ description: List of exported element names and types.
+ default_field: false
+ - name: parent.group_leader.elf.go_import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the Go language imports in an ELF file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would
+ change more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ default_field: false
+ - name: parent.group_leader.elf.go_imports
+ level: extended
+ type: flattened
+ description: List of imported Go language element names and types.
+ default_field: false
+ - name: parent.group_leader.elf.go_imports_names_entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: parent.group_leader.elf.go_imports_names_var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: parent.group_leader.elf.go_stripped
+ level: extended
+ type: boolean
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ default_field: false
+ - name: parent.group_leader.elf.header.abi_version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Version of the ELF Application Binary Interface (ABI).
+ default_field: false
+ - name: parent.group_leader.elf.header.class
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Header class of the ELF file.
+ default_field: false
+ - name: parent.group_leader.elf.header.data
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Data table of the ELF header.
+ default_field: false
+ - name: parent.group_leader.elf.header.entrypoint
+ level: extended
+ type: long
+ format: string
+ description: Header entrypoint of the ELF file.
+ default_field: false
+ - name: parent.group_leader.elf.header.object_version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: '"0x1" for original ELF files.'
+ default_field: false
+ - name: parent.group_leader.elf.header.os_abi
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Application Binary Interface (ABI) of the Linux OS.
+ default_field: false
+ - name: parent.group_leader.elf.header.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Header type of the ELF file.
+ default_field: false
+ - name: parent.group_leader.elf.header.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Version of the ELF header.
+ default_field: false
+ - name: parent.group_leader.elf.import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the imports in an ELF file.
An import hash can be used
+ to fingerprint binaries even after recompilation or other code-level transformations
+ have occurred, which would change more traditional hash values.
+
+ This is an ELF implementation of the Windows PE imphash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ default_field: false
+ - name: parent.group_leader.elf.imports
+ level: extended
+ type: flattened
+ description: List of imported element names and types.
+ default_field: false
+ - name: parent.group_leader.elf.imports_names_entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ default_field: false
+ - name: parent.group_leader.elf.imports_names_var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ default_field: false
+ - name: parent.group_leader.elf.sections
+ level: extended
+ type: nested
+ description: 'An array containing an object for each section of the ELF file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `elf.sections.*`.'
+ default_field: false
+ - name: parent.group_leader.elf.sections.chi2
+ level: extended
+ type: long
+ format: number
+ description: Chi-square probability distribution of the section.
+ default_field: false
+ - name: parent.group_leader.elf.sections.entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the section.
+ default_field: false
+ - name: parent.group_leader.elf.sections.flags
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF Section List flags.
+ default_field: false
+ - name: parent.group_leader.elf.sections.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF Section List name.
+ default_field: false
+ - name: parent.group_leader.elf.sections.physical_offset
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF Section List offset.
+ default_field: false
+ - name: parent.group_leader.elf.sections.physical_size
+ level: extended
+ type: long
+ format: bytes
+ description: ELF Section List physical size.
+ default_field: false
+ - name: parent.group_leader.elf.sections.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF Section List type.
+ default_field: false
+ - name: parent.group_leader.elf.sections.var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the section.
+ default_field: false
+ - name: parent.group_leader.elf.sections.virtual_address
+ level: extended
+ type: long
+ format: string
+ description: ELF Section List virtual address.
+ default_field: false
+ - name: parent.group_leader.elf.sections.virtual_size
+ level: extended
+ type: long
+ format: string
+ description: ELF Section List virtual size.
+ default_field: false
+ - name: parent.group_leader.elf.segments
+ level: extended
+ type: nested
+ description: 'An array containing an object for each segment of the ELF file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `elf.segments.*`.'
+ default_field: false
+ - name: parent.group_leader.elf.segments.sections
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF object segment sections.
+ default_field: false
+ - name: parent.group_leader.elf.segments.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF object segment type.
+ default_field: false
+ - name: parent.group_leader.elf.shared_libraries
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: List of shared libraries used by this ELF object.
+ default_field: false
+ - name: parent.group_leader.elf.telfhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: telfhash symbol hash for ELF file.
+ default_field: false
+ - name: parent.group_leader.end
+ level: extended
+ type: date
+ description: The time the process ended.
+ example: '2016-05-23T08:05:34.853Z'
+ default_field: false
+ - name: parent.group_leader.endpoint_security_client
+ level: extended
+ type: boolean
+ description: Processes that have an endpoint security client must have the com.apple.endpointsecurity
+ entitlement and the value is set to true in the message.
+ default_field: false
+ - name: parent.group_leader.entity_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique identifier for the process.
+
+ The implementation of this is specified by the data source, but some examples
+ of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+ or a hash of some uniquely identifying components of a process.
+
+ Constructing a globally unique identifier is a common practice to mitigate
+ PID reuse as well as to identify a specific process over time, across multiple
+ monitored hosts.'
+ example: c2c455d9f99375d
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.address
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Some event source addresses are defined ambiguously. The event
+ will sometimes list an IP, a domain or a unix socket. You should always store
+ the raw address in the `.address` field.
+
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one
+ it is.'
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.as.number
+ level: extended
+ type: long
+ description: Unique number allocated to the autonomous system. The autonomous
+ system number (ASN) uniquely identifies each network on the Internet.
+ example: 15169
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.as.organization.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Organization name.
+ example: Google LLC
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.bytes
+ level: core
+ type: long
+ format: bytes
+ description: Bytes sent from the source to the destination.
+ example: 184
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.domain
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'The domain name of the source system.
+
+ This value may be a host name, a fully qualified domain name, or another host
+ naming format. The value may derive from the original event or be added from
+ enrichment.'
+ example: foo.example.com
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.geo.city_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: City name.
+ example: Montreal
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.geo.continent_code
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Two-letter code representing continent's name.
+ example: NA
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.geo.continent_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Name of the continent.
+ example: North America
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.geo.country_iso_code
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Country ISO code.
+ example: CA
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.geo.country_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Country name.
+ example: Canada
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.geo.location
+ level: core
+ type: geo_point
+ description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.geo.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'User-defined description of a location, at the level of granularity
+ they care about.
+
+ Could be the name of their data centers, the floor number, if this describes
+ a local physical entity, city names.
+
+ Not typically used in automated geolocation.'
+ example: boston-dc
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.geo.postal_code
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Postal code associated with the location.
+
+ Values appropriate for this field may also be known as a postcode or ZIP code
+ and will vary widely from country to country.'
+ example: 94040
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.geo.region_iso_code
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Region ISO code.
+ example: CA-QC
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.geo.region_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Region name.
+ example: Quebec
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.geo.timezone
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The time zone of the location, such as IANA time zone name.
+ example: America/Argentina/Buenos_Aires
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.ip
+ level: core
+ type: ip
+ description: IP address of the source (IPv4 or IPv6).
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'MAC address of the source.
+
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
+ byte) is represented by two [uppercase] hexadecimal digits giving the value
+ of the octet as an unsigned integer.
Successive octets are separated by a
+ hyphen.'
+ example: 00-00-5E-00-53-23
+ pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.nat.ip
+ level: extended
+ type: ip
+ description: 'Translated ip of source based NAT sessions (e.g. internal client
+ to internet)
+
+ Typically connections traversing load balancers, firewalls, or routers.'
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.nat.port
+ level: extended
+ type: long
+ format: string
+ description: 'Translated port of source based NAT sessions. (e.g. internal client
+ to internet)
+
+ Typically used with load balancers, firewalls, or routers.'
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.packets
+ level: core
+ type: long
+ description: Packets sent from the source to the destination.
+ example: 12
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.port
+ level: core
+ type: long
+ format: string
+ description: Port of the source.
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.registered_domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The highest registered source domain, stripped of the subdomain.
+
+ For example, the registered domain for "foo.example.com" is "example.com".
+
+ This value can be determined precisely with a list like the public suffix
+ list (https://publicsuffix.org). Trying to approximate this by simply taking
+ the last two labels will not work well for TLDs such as "co.uk".'
+ example: example.com
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.subdomain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The subdomain portion of a fully qualified domain name includes
+ all of the names except the host name under the registered_domain.
In a partially
+ qualified domain, or if the the qualification level of the full name cannot
+ be determined, subdomain contains all of the names below the registered domain.
+
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+ the subdomain field should contain "sub2.sub1", with no trailing period.'
+ example: east
+ default_field: false
+ - name: parent.group_leader.entry_meta.source.top_level_domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The effective top level domain (eTLD), also known as the domain
+ suffix, is the last part of the domain name. For example, the top level domain
+ for example.com is "com".
+
+ This value can be determined precisely with a list like the public suffix
+ list (https://publicsuffix.org). Trying to approximate this by simply taking
+ the last label will not work well for effective TLDs such as "co.uk".'
+ example: co.uk
+ default_field: false
+ - name: parent.group_leader.entry_meta.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The entry type for the entry session leader. Values include: init(e.g
+ systemd), sshd, ssm, kubelet, teleport, terminal, console
+
+ Note: This field is only set on process.session_leader.'
+ default_field: false
+ - name: parent.group_leader.env_vars
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Array of environment variable bindings. Captured from a snapshot
+ of the environment at the time of execution.
+
+ May be filtered to protect sensitive information.'
+ example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]'
+ default_field: false
+ - name: parent.group_leader.executable
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Absolute path to the process executable.
+ example: /usr/bin/ssh
+ default_field: false
+ - name: parent.group_leader.exit_code
+ level: extended
+ type: long
+ description: 'The exit code of the process, if this is a termination event.
+
+ The field should be absent if there is no exit code for the event (e.g. process
+ start).'
+ example: 137
+ default_field: false
+ - name: parent.group_leader.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: parent.group_leader.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: parent.group_leader.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: parent.group_leader.hash.cdhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ default_field: false
+ - name: parent.group_leader.hash.md5
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: MD5 hash.
+ default_field: false
+ - name: parent.group_leader.hash.sha1
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA1 hash.
+ default_field: false
+ - name: parent.group_leader.hash.sha256
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA256 hash.
+ default_field: false
+ - name: parent.group_leader.hash.sha384
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA384 hash.
+ default_field: false
+ - name: parent.group_leader.hash.sha512
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA512 hash.
+ default_field: false
+ - name: parent.group_leader.hash.ssdeep
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SSDEEP hash.
+ default_field: false
+ - name: parent.group_leader.hash.tlsh
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: TLSH hash.
+ default_field: false
+ - name: parent.group_leader.interactive
+ level: extended
+ type: boolean
+ description: 'Whether the process is connected to an interactive shell.
+
+ Process interactivity is inferred from the processes file descriptors. If
+ the character device for the controlling tty is the same as stdin and stderr
+ for the process, the process is considered interactive.
+
+ Note: A non-interactive process can belong to an interactive session and is
+ simply one that does not have open file descriptors reading the controlling
+ TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A
+ backgrounded process is still considered interactive if stdin and stderr are
+ connected to the controlling TTY.'
+ example: true
+ default_field: false
+ - name: parent.group_leader.io
+ level: extended
+ type: object
+ description: 'A chunk of input or output (IO) from a single process.
+
+ This field only appears on the top level process object, which is the process
+ that wrote the output or read the input.'
+ default_field: false
+ - name: parent.group_leader.io.bytes_skipped
+ level: extended
+ type: object
+ description: An array of byte offsets and lengths denoting where IO data has
+ been skipped.
+ default_field: false
+ - name: parent.group_leader.io.bytes_skipped.length
+ level: extended
+ type: long
+ description: The length of bytes skipped.
+ default_field: false
+ - name: parent.group_leader.io.bytes_skipped.offset
+ level: extended
+ type: long
+ description: The byte offset into this event's io.text (or io.bytes in the future)
+ where length bytes were skipped.
+ default_field: false
+ - name: parent.group_leader.io.max_bytes_per_process_exceeded
+ level: extended
+ type: boolean
+ description: If true, the process producing the output has exceeded the max_kilobytes_per_process
+ configuration setting.
+ default_field: false
+ - name: parent.group_leader.io.text
+ level: extended
+ type: wildcard
+ description: 'A chunk of output or input sanitized to UTF-8.
+
+ Best efforts are made to ensure complete lines are captured in these events.
+ Assumptions should NOT be made that multiple lines will appear in the same
+ event. TTY output may contain terminal control codes such as for cursor movement,
+ so some string queries may not match due to terminal codes inserted between
+ characters of a word.'
+ default_field: false
+ - name: parent.group_leader.io.total_bytes_captured
+ level: extended
+ type: long
+ description: The total number of bytes captured in this event.
+ default_field: false
+ - name: parent.group_leader.io.total_bytes_skipped
+ level: extended
+ type: long
+ description: The total number of bytes that were not captured due to implementation
+ restrictions such as buffer size limits. Implementors should strive to ensure
+ this value is always zero
+ default_field: false
+ - name: parent.group_leader.io.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The type of object on which the IO action (read or write) was
+ taken.
+
+ Currently only ''tty'' is supported. Other types may be added in the future
+ for ''file'' and ''socket'' support.'
+ default_field: false
+ - name: parent.group_leader.macho.go_import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the Go language imports in a Mach-O file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would
+ change more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ default_field: false
+ - name: parent.group_leader.macho.go_imports
+ level: extended
+ type: flattened
+ description: List of imported Go language element names and types.
+ default_field: false
+ - name: parent.group_leader.macho.go_imports_names_entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: parent.group_leader.macho.go_imports_names_var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: parent.group_leader.macho.go_stripped
+ level: extended
+ type: boolean
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ default_field: false
+ - name: parent.group_leader.macho.import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the imports in a Mach-O file. An import hash can be
+ used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ This is a synonym for symhash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ default_field: false
+ - name: parent.group_leader.macho.imports
+ level: extended
+ type: flattened
+ description: List of imported element names and types.
+ default_field: false
+ - name: parent.group_leader.macho.imports_names_entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ default_field: false
+ - name: parent.group_leader.macho.imports_names_var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ default_field: false
+ - name: parent.group_leader.macho.sections
+ level: extended
+ type: nested
+ description: 'An array containing an object for each section of the Mach-O file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `macho.sections.*`.'
+ default_field: false
+ - name: parent.group_leader.macho.sections.entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the section.
+ default_field: false
+ - name: parent.group_leader.macho.sections.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Mach-O Section List name.
+ default_field: false
+ - name: parent.group_leader.macho.sections.physical_size
+ level: extended
+ type: long
+ format: bytes
+ description: Mach-O Section List physical size.
+ default_field: false
+ - name: parent.group_leader.macho.sections.var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the section.
+ default_field: false
+ - name: parent.group_leader.macho.sections.virtual_size
+ level: extended
+ type: long
+ format: string
+ description: Mach-O Section List virtual size. This is always the same as `physical_size`.
+ default_field: false
+ - name: parent.group_leader.macho.symhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the imports in a Mach-O file. An import hash can be
+ used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ This is a Mach-O implementation of the Windows PE imphash'
+ example: d3ccf195b62a9279c3c19af1080497ec
+ default_field: false
+ - name: parent.group_leader.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: 'Process name.
+
+ Sometimes called program name or similar.'
+ example: ssh
+ default_field: false
+ - name: parent.group_leader.origin_referrer_url
+ level: extended
+ type: keyword
+ ignore_above: 8192
+ description: The URL of the webpage that linked to the process's executable
+ file.
+ example: http://example.com/article1.html
+ default_field: false
+ - name: parent.group_leader.origin_url
+ level: extended
+ type: keyword
+ ignore_above: 8192
+ description: The URL where the process's executable file is hosted.
+ example: http://example.com/files/example.exe
+ default_field: false
+ - name: parent.group_leader.pe.architecture
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: CPU architecture target for the file.
+ example: x64
+ default_field: false
+ - name: parent.group_leader.pe.company
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal company name of the file, provided at compile-time.
+ example: Microsoft Corporation
+ default_field: false
+ - name: parent.group_leader.pe.description
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal description of the file, provided at compile-time.
+ example: Paint
+ default_field: false
+ - name: parent.group_leader.pe.file_version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ default_field: false
+ - name: parent.group_leader.pe.go_import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the Go language imports in a PE file excluding standard
+ library imports.
An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would
+ change more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ default_field: false
+ - name: parent.group_leader.pe.go_imports
+ level: extended
+ type: flattened
+ description: List of imported Go language element names and types.
+ default_field: false
+ - name: parent.group_leader.pe.go_imports_names_entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: parent.group_leader.pe.go_imports_names_var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: parent.group_leader.pe.go_stripped
+ level: extended
+ type: boolean
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ default_field: false
+ - name: parent.group_leader.pe.imphash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the imports in a PE file. An imphash -- or import hash
+ -- can be used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+ example: 0c6803c4e922103c4dca5963aad36ddf
+ default_field: false
+ - name: parent.group_leader.pe.import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the imports in a PE file.
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: parent.group_leader.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: parent.group_leader.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: parent.group_leader.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: parent.group_leader.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: parent.group_leader.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: parent.group_leader.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: parent.group_leader.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: parent.group_leader.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: parent.group_leader.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: parent.group_leader.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: parent.group_leader.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.group_leader.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: parent.group_leader.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: parent.group_leader.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: parent.group_leader.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: parent.group_leader.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.group_leader.real_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: parent.group_leader.real_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: parent.group_leader.real_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ default_field: false + - name: parent.group_leader.real_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: parent.group_leader.real_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: parent.group_leader.real_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: parent.group_leader.real_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: parent.group_leader.real_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. 
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: parent.group_leader.real_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: parent.group_leader.real_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: parent.group_leader.real_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: parent.group_leader.real_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: parent.group_leader.real_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: parent.group_leader.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: parent.group_leader.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group_leader.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: parent.group_leader.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.group_leader.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein + default_field: false + - name: parent.group_leader.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: parent.group_leader.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: parent.group_leader.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: parent.group_leader.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: parent.group_leader.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: parent.group_leader.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: parent.group_leader.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.group_leader.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: parent.group_leader.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group_leader.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: parent.group_leader.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.group_leader.saved_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: parent.group_leader.saved_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: parent.group_leader.saved_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: parent.group_leader.saved_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: parent.group_leader.saved_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: parent.group_leader.saved_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: parent.group_leader.saved_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: parent.group_leader.saved_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ default_field: false + - name: parent.group_leader.saved_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: parent.group_leader.saved_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: parent.group_leader.saved_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: parent.group_leader.saved_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: parent.group_leader.saved_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + default_field: false + - name: parent.group_leader.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: parent.group_leader.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group_leader.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: parent.group_leader.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.group_leader.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: parent.group_leader.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + default_field: false + - name: parent.group_leader.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: parent.group_leader.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: parent.group_leader.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: parent.group_leader.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: parent.group_leader.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: parent.group_leader.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.group_leader.start + level: extended + type: date + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: parent.group_leader.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group_leader.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: parent.group_leader.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: parent.group_leader.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: parent.group_leader.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: parent.group_leader.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' 
+ default_field: false + - name: parent.group_leader.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: parent.group_leader.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + default_field: false + - name: parent.group_leader.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: parent.group_leader.tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: parent.group_leader.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: parent.group_leader.uptime + level: extended + type: long + description: Seconds the process has been up. 
+ example: 1325 + default_field: false + - name: parent.group_leader.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.group_leader.user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: parent.group_leader.user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: parent.group_leader.user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: parent.group_leader.user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: parent.group_leader.user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: parent.group_leader.user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: parent.group_leader.user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: parent.group_leader.user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ default_field: false + - name: parent.group_leader.user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: parent.group_leader.user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: parent.group_leader.user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: parent.group_leader.user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: parent.group_leader.user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + default_field: false + - name: parent.group_leader.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: parent.group_leader.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.group_leader.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.group_leader.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.group_leader.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: parent.group_leader.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.group_leader.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: parent.group_leader.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + default_field: false + - name: parent.group_leader.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: parent.group_leader.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: parent.group_leader.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: parent.group_leader.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: parent.group_leader.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: parent.group_leader.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.group_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' 
+ example: 4242 + default_field: false + - name: parent.group_leader.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: parent.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: parent.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: parent.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: parent.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: parent.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: parent.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: parent.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: parent.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: parent.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: parent.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: parent.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: parent.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: parent.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: parent.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: parent.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' 
+ default_field: false + - name: parent.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: parent.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: parent.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false + - name: parent.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: parent.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: parent.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: parent.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: parent.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: parent.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: parent.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: parent.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: parent.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: parent.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: parent.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. 
+ default_field: false + - name: parent.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: parent.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: parent.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: parent.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: parent.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: parent.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: parent.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. 
+ example: x64 + default_field: false + - name: parent.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: parent.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: parent.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: parent.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: parent.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: parent.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: parent.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: parent.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: parent.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: parent.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: parent.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: parent.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: parent.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: parent.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + default_field: false + - name: parent.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: parent.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: parent.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: parent.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: parent.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: parent.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: parent.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: parent.pid + level: core + type: long + format: string + description: Process id. 
+ example: 4242 + default_field: false + - name: parent.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: parent.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.real_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: parent.real_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: parent.real_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: parent.real_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: parent.real_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: parent.real_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ default_field: false + - name: parent.real_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: parent.real_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: parent.real_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: parent.real_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: parent.real_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: parent.real_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: parent.real_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: parent.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: parent.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: parent.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: parent.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: parent.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: parent.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: parent.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: parent.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: parent.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + default_field: false + - name: parent.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: parent.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: parent.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.saved_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: parent.saved_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: parent.saved_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: parent.saved_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: parent.saved_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: parent.saved_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: parent.saved_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: parent.saved_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: parent.saved_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. 
Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: parent.saved_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: parent.saved_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: parent.saved_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: parent.saved_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: parent.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. 
+ example: Albert Einstein + default_field: false + - name: parent.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: parent.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: parent.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: parent.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: parent.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + default_field: false + - name: parent.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: parent.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: parent.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: parent.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: parent.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: parent.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: parent.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: parent.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: parent.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: parent.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: parent.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: parent.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: parent.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". 
+ For more details, please refer to the Linux kernel documentation. + example: 4 + default_field: false + - name: parent.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: parent.tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: parent.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: parent.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: parent.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: parent.user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: parent.user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: parent.user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: parent.user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: parent.user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: parent.user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: parent.user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: parent.user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: parent.user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: parent.user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. 
Format may vary by entity type and source system. + default_field: false + - name: parent.user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: parent.user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: parent.user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: parent.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: parent.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: parent.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: parent.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: parent.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: parent.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: parent.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: parent.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: parent.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: parent.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: parent.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + default_field: false + - name: parent.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: parent.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: parent.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: parent.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: parent.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. 
+ example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. 
+ example: Microsoft® Windows® Operating System + default_field: false + - name: pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: previous.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: previous.args_count + level: extended + type: long + description: 'Length of the process.args array. 
+ + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: previous.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: previous.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: previous.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: previous.attested_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: previous.attested_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: previous.attested_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: previous.attested_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: previous.attested_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: previous.attested_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ default_field: false + - name: previous.attested_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: previous.attested_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: previous.attested_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: previous.attested_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: previous.attested_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: previous.attested_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: previous.attested_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: previous.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: previous.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: previous.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: previous.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: previous.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: previous.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: previous.attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: previous.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: previous.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: previous.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: previous.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: previous.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + default_field: false + - name: previous.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: previous.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: previous.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: previous.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: previous.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: previous.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: previous.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: previous.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: previous.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: previous.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: previous.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: previous.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: previous.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. 
+ + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: previous.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: previous.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: previous.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: previous.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: previous.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: previous.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: previous.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: previous.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: previous.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: previous.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: previous.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: previous.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: previous.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: previous.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: previous.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: previous.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: previous.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: previous.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: previous.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: previous.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: previous.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: previous.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: previous.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: previous.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: previous.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: previous.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: previous.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: previous.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. 
+ default_field: false + - name: previous.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: previous.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: previous.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: previous.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: previous.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: previous.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: previous.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: previous.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: previous.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: previous.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: previous.end + level: extended + type: date + description: The time the process ended. 
+ example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: previous.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: previous.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: previous.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: previous.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: previous.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: previous.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. 
+ example: 184 + default_field: false + - name: previous.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: previous.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: previous.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: previous.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: previous.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: previous.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: previous.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: previous.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + default_field: false + - name: previous.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: previous.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: previous.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: previous.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: previous.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: previous.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: previous.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ default_field: false + - name: previous.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: previous.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: previous.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: previous.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: previous.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' 
+ example: east + default_field: false + - name: previous.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: previous.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: previous.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: previous.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: previous.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: previous.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: previous.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: previous.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: previous.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: previous.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: previous.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: previous.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: previous.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: previous.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: previous.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: previous.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: previous.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: previous.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: previous.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: previous.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: previous.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: previous.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' 
+ default_field: false + - name: previous.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: previous.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: previous.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false + - name: previous.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: previous.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: previous.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: previous.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: previous.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: previous.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: previous.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: previous.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: previous.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: previous.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: previous.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: previous.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. 
+ default_field: false + - name: previous.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: previous.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: previous.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: previous.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: previous.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: previous.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: previous.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: previous.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. 
+ example: x64 + default_field: false + - name: previous.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: previous.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: previous.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: previous.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: previous.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: previous.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: previous.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: previous.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: previous.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: previous.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: previous.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: previous.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: previous.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: previous.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + default_field: false + - name: previous.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: previous.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: previous.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: previous.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: previous.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: previous.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: previous.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: previous.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: previous.pid + level: core + type: long + format: string + description: Process id. 
+ example: 4242 + default_field: false + - name: previous.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: previous.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: previous.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: previous.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: previous.real_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: previous.real_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: previous.real_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: previous.real_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: previous.real_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: previous.real_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ default_field: false + - name: previous.real_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: previous.real_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: previous.real_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: previous.real_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: previous.real_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: previous.real_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: previous.real_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: previous.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: previous.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: previous.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: previous.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: previous.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: previous.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: previous.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: previous.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: previous.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: previous.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: previous.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: previous.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + default_field: false + - name: previous.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: previous.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: previous.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: previous.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: previous.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: previous.saved_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: previous.saved_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: previous.saved_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: previous.saved_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: previous.saved_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: previous.saved_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: previous.saved_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: previous.saved_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ default_field: false + - name: previous.saved_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: previous.saved_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: previous.saved_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: previous.saved_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: previous.saved_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + default_field: false + - name: previous.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: previous.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: previous.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: previous.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: previous.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: previous.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: previous.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + default_field: false + - name: previous.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: previous.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: previous.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: previous.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: previous.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: previous.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: previous.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: previous.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: previous.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: previous.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: previous.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: previous.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: previous.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: previous.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: previous.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. 
+ default_field: false + - name: previous.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + default_field: false + - name: previous.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: previous.tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: previous.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: previous.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: previous.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. 
+ default_field: false + - name: previous.user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: previous.user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: previous.user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: previous.user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: previous.user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: previous.user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: previous.user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: previous.user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: previous.user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: previous.user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. 
Format may vary by entity type and source system. + default_field: false + - name: previous.user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: previous.user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: previous.user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: previous.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: previous.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: previous.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: previous.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: previous.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: previous.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: previous.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: previous.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: previous.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: previous.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: previous.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + default_field: false + - name: previous.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: previous.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: previous.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: previous.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: previous.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: real_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: real_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: real_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: real_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: real_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: real_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: real_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: real_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: real_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: real_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: real_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: real_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: real_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. 
+ example: Albert Einstein + default_field: false + - name: real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + default_field: false + - name: real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: responsible.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: responsible.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' 
+ example: 4 + default_field: false + - name: responsible.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: responsible.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: responsible.attested_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: responsible.attested_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ default_field: false + - name: responsible.attested_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: responsible.attested_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: responsible.attested_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: responsible.attested_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: responsible.attested_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ default_field: false + - name: responsible.attested_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: responsible.attested_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: responsible.attested_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: responsible.attested_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: responsible.attested_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + default_field: false + - name: responsible.attested_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: responsible.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: responsible.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: responsible.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: responsible.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: responsible.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: responsible.attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: responsible.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: responsible.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: responsible.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: responsible.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: responsible.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + default_field: false + - name: responsible.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: responsible.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: responsible.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: responsible.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: responsible.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: responsible.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: responsible.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: responsible.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: responsible.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: responsible.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: responsible.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: responsible.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: responsible.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. 
+ + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: responsible.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: responsible.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: responsible.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: responsible.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: responsible.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: responsible.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: responsible.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. 
+ default_field: false + - name: responsible.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: responsible.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: responsible.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: responsible.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: responsible.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: responsible.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: responsible.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: responsible.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: responsible.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: responsible.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. 
+ default_field: false + - name: responsible.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: responsible.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: responsible.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: responsible.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: responsible.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: responsible.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: responsible.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: responsible.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. 
+ default_field: false + - name: responsible.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: responsible.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: responsible.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: responsible.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: responsible.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: responsible.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: responsible.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: responsible.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: responsible.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: responsible.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: responsible.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. 
+ default_field: false + - name: responsible.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: responsible.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: responsible.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: responsible.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: responsible.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: responsible.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: responsible.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. 
The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: responsible.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: responsible.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: responsible.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: responsible.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: responsible.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: responsible.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: responsible.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: responsible.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. 
+ example: Canada + default_field: false + - name: responsible.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: responsible.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: responsible.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: responsible.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: responsible.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: responsible.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: responsible.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: responsible.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. 
+ + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: responsible.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: responsible.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: responsible.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: responsible.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: responsible.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + default_field: false + - name: responsible.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: responsible.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: responsible.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: responsible.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' 
+ example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: responsible.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: responsible.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: responsible.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: responsible.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: responsible.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: responsible.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: responsible.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: responsible.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. 
+ default_field: false + - name: responsible.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: responsible.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: responsible.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: responsible.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: responsible.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: responsible.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: responsible.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: responsible.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ default_field: false + - name: responsible.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: responsible.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: responsible.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: responsible.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: responsible.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false + - name: responsible.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: responsible.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: responsible.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: responsible.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: responsible.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: responsible.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: responsible.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: responsible.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. 
+ default_field: false + - name: responsible.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: responsible.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: responsible.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: responsible.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: responsible.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: responsible.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: responsible.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: responsible.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: responsible.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: responsible.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: responsible.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: responsible.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: responsible.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: responsible.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: responsible.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: responsible.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: responsible.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: responsible.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: responsible.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: responsible.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: responsible.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: responsible.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: responsible.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: responsible.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: responsible.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: responsible.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: responsible.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: responsible.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: responsible.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: responsible.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: responsible.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: responsible.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: responsible.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: responsible.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: responsible.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: responsible.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: responsible.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: responsible.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: responsible.real_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: responsible.real_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: responsible.real_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: responsible.real_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: responsible.real_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: responsible.real_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: responsible.real_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: responsible.real_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ default_field: false + - name: responsible.real_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: responsible.real_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: responsible.real_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: responsible.real_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: responsible.real_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + default_field: false + - name: responsible.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: responsible.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: responsible.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: responsible.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: responsible.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: responsible.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + default_field: false + - name: responsible.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: responsible.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: responsible.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: responsible.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: responsible.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: responsible.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: responsible.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. 
Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: responsible.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: responsible.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: responsible.saved_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. 
Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: responsible.saved_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: responsible.saved_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: responsible.saved_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: responsible.saved_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: responsible.saved_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: responsible.saved_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: responsible.saved_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: responsible.saved_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: responsible.saved_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. 
This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: responsible.saved_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: responsible.saved_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: responsible.saved_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: responsible.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: responsible.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: responsible.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: responsible.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: responsible.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: responsible.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: responsible.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: responsible.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: responsible.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + default_field: false + - name: responsible.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: responsible.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: responsible.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: responsible.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: responsible.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: responsible.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: responsible.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: responsible.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: responsible.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: responsible.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: responsible.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: responsible.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: responsible.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: responsible.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. 
+ example: 4 + default_field: false + - name: responsible.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: responsible.tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: responsible.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: responsible.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: responsible.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: responsible.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: responsible.user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: responsible.user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: responsible.user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: responsible.user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: responsible.user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: responsible.user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: responsible.user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: responsible.user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: responsible.user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: responsible.user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. 
Format may vary by entity type and source system.
+ default_field: false
+ - name: responsible.user.entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: responsible.user.entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: responsible.user.entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
+ - name: responsible.user.full_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: User's full name, if available.
+ example: Albert Einstein
+ default_field: false
+ - name: responsible.user.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: responsible.user.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: responsible.user.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: responsible.user.hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ default_field: false
+ - name: responsible.user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: responsible.user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: responsible.user.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: responsible.user.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: responsible.user.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: responsible.user.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: responsible.user.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: responsible.user.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
+ - name: responsible.user.roles
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ default_field: false
+ - name: responsible.vpid
+ level: core
+ type: long
+ format: string
+ description: 'Virtual process id.
+
+ The process id within a pid namespace. This is not necessarily unique across
+ all processes on the host but it is unique within the process namespace that
+ the process exists within.'
+ example: 4242
+ default_field: false
+ - name: responsible.working_directory
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The working directory of the process.
+ example: /home/alice
+ default_field: false
+ - name: same_as_process
+ level: extended
+ type: boolean
+ description: 'This boolean is used to identify if a leader process is the same
+ as the top level process.
+
+ For example, if `process.group_leader.same_as_process = true`, it means the
+ process event in question is the leader of its process group. Details under
+ `process.*` like `pid` would be the same under `process.group_leader.*` The
+ same applies for both `process.session_leader` and `process.entry_leader`.
+
+ This field exists to the benefit of EQL and other rule engines since it''s
+ not possible to compare equality between two fields in a single document.
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process
+ is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id`
+ (top level process is the entry session leader)
+
+ Instead these rules could be written like: `process.group_leader.same_as_process:
+ true` OR `process.entry_leader.same_as_process: true`
+
+ Note: This field is only set on `process.entry_leader`, `process.session_leader`
+ and `process.group_leader`.'
+ example: true
+ default_field: false
+ - name: saved_group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: saved_group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: saved_group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: saved_user.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: saved_user.email
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: User email address.
+ default_field: false
+ - name: saved_user.entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: saved_user.entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: saved_user.entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: saved_user.entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: saved_user.entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: saved_user.entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type.
Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: saved_user.entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: saved_user.entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: saved_user.entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: saved_user.entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: saved_user.entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: saved_user.entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system.
This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: saved_user.entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
+ - name: saved_user.full_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: User's full name, if available.
+ example: Albert Einstein
+ default_field: false
+ - name: saved_user.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: saved_user.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: saved_user.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: saved_user.hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ default_field: false
+ - name: saved_user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: saved_user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: saved_user.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: saved_user.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: saved_user.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: saved_user.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: saved_user.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: saved_user.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
+ - name: saved_user.roles
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ default_field: false
+ - name: session_leader.args
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Array of process arguments, starting with the absolute path to
+ the executable.
+
+ May be filtered to protect sensitive information.'
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+ default_field: false
+ - name: session_leader.args_count
+ level: extended
+ type: long
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how
+ many arguments were provided to start a process. More arguments may be an
+ indication of suspicious activity.'
+ example: 4
+ default_field: false
+ - name: session_leader.attested_groups.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: session_leader.attested_groups.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: session_leader.attested_groups.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: session_leader.attested_user.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: session_leader.attested_user.email
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: User email address.
+ default_field: false
+ - name: session_leader.attested_user.entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: session_leader.attested_user.entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: session_leader.attested_user.entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: session_leader.attested_user.entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field.
Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: session_leader.attested_user.entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: session_leader.attested_user.entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: session_leader.attested_user.entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: session_leader.attested_user.entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: session_leader.attested_user.entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: session_leader.attested_user.entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: session_leader.attested_user.entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: session_leader.attested_user.entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: session_leader.attested_user.entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
+ - name: session_leader.attested_user.full_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: User's full name, if available.
+ example: Albert Einstein
+ default_field: false
+ - name: session_leader.attested_user.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: session_leader.attested_user.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: session_leader.attested_user.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: session_leader.attested_user.hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ default_field: false
+ - name: session_leader.attested_user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: session_leader.attested_user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: session_leader.attested_user.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: session_leader.attested_user.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: session_leader.attested_user.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: session_leader.attested_user.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: session_leader.attested_user.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: session_leader.attested_user.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
+ - name: session_leader.attested_user.roles
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ default_field: false
+ - name: session_leader.code_signature.digest_algorithm
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The hashing algorithm used to sign the process.
+
+ This value can distinguish signatures when a file is signed multiple times
+ by the same signer but with a different digest algorithm.'
+ example: sha256
+ default_field: false
+ - name: session_leader.code_signature.exists
+ level: core
+ type: boolean
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ default_field: false
+ - name: session_leader.code_signature.flags
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: The flags used to sign the process.
+ example: 570522385
+ default_field: false
+ - name: session_leader.code_signature.signing_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The identifier used to sign the process.
+
+ This is used to identify the application manufactured by a software vendor.
+ The field is relevant to Apple *OS only.'
+ example: com.apple.xpc.proxy
+ default_field: false
+ - name: session_leader.code_signature.status
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Additional information about the certificate status.
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status. Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ default_field: false
+ - name: session_leader.code_signature.subject_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ default_field: false
+ - name: session_leader.code_signature.team_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The team identifier used to sign the process.
+
+ This is used to identify the team or vendor of a software product. The field
+ is relevant to Apple *OS only.'
+ example: EQHXZ8M8AV
+ default_field: false
+ - name: session_leader.code_signature.thumbprint_sha256
+ level: extended
+ type: keyword
+ ignore_above: 64
+ description: Certificate SHA256 hash that uniquely identifies the code signer.
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+ pattern: ^[0-9a-f]{64}$
+ default_field: false
+ - name: session_leader.code_signature.timestamp
+ level: extended
+ type: date
+ description: Date and time when the code signature was generated and signed.
+ example: '2021-01-01T12:10:30Z'
+ default_field: false
+ - name: session_leader.code_signature.trusted
+ level: extended
+ type: boolean
+ description: 'Stores the trust status of the certificate chain.
+
+ Validating the trust of the certificate chain may be complicated, and this
+ field should only be populated by tools that actively check the status.'
+ example: 'true'
+ default_field: false
+ - name: session_leader.code_signature.valid
+ level: extended
+ type: boolean
+ description: 'Boolean to capture if the digital signature is verified against
+ the binary content.
+
+ Leave unpopulated if a certificate was unchecked.'
+ example: 'true'
+ default_field: false
+ - name: session_leader.command_line
+ level: extended
+ type: wildcard
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: 'Full command line that started the process, including the absolute
+ path to the executable, and all arguments.
+
+ Some arguments may be filtered to protect sensitive information.'
+ example: /usr/bin/ssh -l user 10.0.0.16
+ default_field: false
+ - name: session_leader.elf.architecture
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine architecture of the ELF file.
+ example: x86-64
+ default_field: false
+ - name: session_leader.elf.byte_order
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Byte sequence of ELF file.
+ example: Little Endian
+ default_field: false
+ - name: session_leader.elf.cpu_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: CPU type of the ELF file.
+ example: Intel
+ default_field: false
+ - name: session_leader.elf.creation_date
+ level: extended
+ type: date
+ description: Extracted when possible from the file's metadata. Indicates when
+ it was built or compiled. It can also be faked by malware creators.
+ default_field: false
+ - name: session_leader.elf.exports
+ level: extended
+ type: flattened
+ description: List of exported element names and types.
+ default_field: false
+ - name: session_leader.elf.go_import_hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the Go language imports in an ELF file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would
+ change more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ default_field: false
+ - name: session_leader.elf.go_imports
+ level: extended
+ type: flattened
+ description: List of imported Go language element names and types.
+ default_field: false
+ - name: session_leader.elf.go_imports_names_entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: session_leader.elf.go_imports_names_var_entropy
+ level: extended
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ default_field: false
+ - name: session_leader.elf.go_stripped
+ level: extended
+ type: boolean
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ default_field: false
+ - name: session_leader.elf.header.abi_version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Version of the ELF Application Binary Interface (ABI).
+ default_field: false
+ - name: session_leader.elf.header.class
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Header class of the ELF file.
+ default_field: false
+ - name: session_leader.elf.header.data
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Data table of the ELF header.
+ default_field: false + - name: session_leader.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: session_leader.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: session_leader.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: session_leader.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: session_leader.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: session_leader.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: session_leader.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: session_leader.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: session_leader.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ default_field: false + - name: session_leader.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: session_leader.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: session_leader.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: session_leader.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: session_leader.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: session_leader.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: session_leader.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: session_leader.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: session_leader.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: session_leader.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. 
+ default_field: false + - name: session_leader.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: session_leader.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: session_leader.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: session_leader.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: session_leader.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: session_leader.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: session_leader.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: session_leader.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: session_leader.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: session_leader.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: session_leader.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: session_leader.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: session_leader.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: session_leader.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: session_leader.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. 
+ example: Montreal + default_field: false + - name: session_leader.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: session_leader.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: session_leader.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: session_leader.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: session_leader.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: session_leader.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: session_leader.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: session_leader.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. 
+ example: CA-QC + default_field: false + - name: session_leader.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: session_leader.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: session_leader.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: session_leader.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: session_leader.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: session_leader.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + default_field: false + - name: session_leader.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: session_leader.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. 
+ default_field: false + - name: session_leader.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: session_leader.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: session_leader.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + default_field: false + - name: session_leader.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: session_leader.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: session_leader.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: session_leader.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: session_leader.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: session_leader.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: session_leader.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: session_leader.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: session_leader.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: session_leader.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: session_leader.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: session_leader.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: session_leader.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: session_leader.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: session_leader.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: session_leader.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: session_leader.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: session_leader.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: session_leader.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: session_leader.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: session_leader.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. 
+ default_field: false + - name: session_leader.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: session_leader.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false + - name: session_leader.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: session_leader.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: session_leader.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: session_leader.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: session_leader.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: session_leader.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: session_leader.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: session_leader.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: session_leader.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: session_leader.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: session_leader.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. 
+ default_field: false + - name: session_leader.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: session_leader.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: session_leader.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: session_leader.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: session_leader.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: session_leader.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: session_leader.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: session_leader.parent.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. 
+ + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: session_leader.parent.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: session_leader.parent.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.parent.attested_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. 
+ default_field: false + - name: session_leader.parent.attested_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.parent.attested_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: session_leader.parent.attested_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: session_leader.parent.attested_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ default_field: false + - name: session_leader.parent.attested_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.parent.attested_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: session_leader.parent.attested_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: session_leader.parent.attested_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: session_leader.parent.attested_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ default_field: false + - name: session_leader.parent.attested_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: session_leader.parent.attested_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: session_leader.parent.attested_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: session_leader.parent.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.parent.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: session_leader.parent.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.parent.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.parent.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.parent.attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.parent.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: session_leader.parent.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + default_field: false + - name: session_leader.parent.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: session_leader.parent.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.parent.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.parent.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.parent.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + default_field: false + - name: session_leader.parent.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: session_leader.parent.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. 
+ example: 570522385 + default_field: false + - name: session_leader.parent.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: session_leader.parent.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: session_leader.parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: session_leader.parent.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: session_leader.parent.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: session_leader.parent.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + default_field: false + - name: session_leader.parent.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: session_leader.parent.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: session_leader.parent.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: session_leader.parent.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: session_leader.parent.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: session_leader.parent.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: session_leader.parent.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. 
+ default_field: false + - name: session_leader.parent.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: session_leader.parent.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: session_leader.parent.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: session_leader.parent.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: session_leader.parent.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: session_leader.parent.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. 
+ default_field: false + - name: session_leader.parent.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: session_leader.parent.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: session_leader.parent.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: session_leader.parent.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: session_leader.parent.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: session_leader.parent.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: session_leader.parent.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: session_leader.parent.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: session_leader.parent.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. 
+ default_field: false + - name: session_leader.parent.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: session_leader.parent.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: session_leader.parent.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: session_leader.parent.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: session_leader.parent.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: session_leader.parent.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: session_leader.parent.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: session_leader.parent.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: session_leader.parent.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. 
+ default_field: false + - name: session_leader.parent.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: session_leader.parent.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: session_leader.parent.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: session_leader.parent.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: session_leader.parent.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: session_leader.parent.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: session_leader.parent.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: session_leader.parent.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: session_leader.parent.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: session_leader.parent.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: session_leader.parent.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: session_leader.parent.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: session_leader.parent.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: session_leader.parent.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: session_leader.parent.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' 
+ example: foo.example.com + default_field: false + - name: session_leader.parent.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: session_leader.parent.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: session_leader.parent.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: session_leader.parent.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: session_leader.parent.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: session_leader.parent.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: session_leader.parent.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: session_leader.parent.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' 
+ example: 94040 + default_field: false + - name: session_leader.parent.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: session_leader.parent.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: session_leader.parent.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: session_leader.parent.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: session_leader.parent.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: session_leader.parent.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: session_leader.parent.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ default_field: false + - name: session_leader.parent.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: session_leader.parent.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: session_leader.parent.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: session_leader.parent.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: session_leader.parent.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". 
+ + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: session_leader.parent.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: session_leader.parent.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: session_leader.parent.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: session_leader.parent.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: session_leader.parent.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: session_leader.parent.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: session_leader.parent.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: session_leader.parent.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: session_leader.parent.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: session_leader.parent.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: session_leader.parent.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: session_leader.parent.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: session_leader.parent.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. + default_field: false + - name: session_leader.parent.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: session_leader.parent.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: session_leader.parent.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: session_leader.parent.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: session_leader.parent.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: session_leader.parent.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + default_field: false + - name: session_leader.parent.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' 
+ default_field: false + - name: session_leader.parent.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: session_leader.parent.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: session_leader.parent.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false + - name: session_leader.parent.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: session_leader.parent.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: session_leader.parent.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: session_leader.parent.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: session_leader.parent.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: session_leader.parent.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: session_leader.parent.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: session_leader.parent.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: session_leader.parent.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' 
+ default_field: false + - name: session_leader.parent.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: session_leader.parent.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: session_leader.parent.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: session_leader.parent.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: session_leader.parent.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: session_leader.parent.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. 
+ example: http://example.com/article1.html + default_field: false + - name: session_leader.parent.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: session_leader.parent.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: session_leader.parent.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: session_leader.parent.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: session_leader.parent.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: session_leader.parent.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: session_leader.parent.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. 
+ default_field: false + - name: session_leader.parent.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: session_leader.parent.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: session_leader.parent.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: session_leader.parent.pe.imports + level: extended + type: flattened + description: List of imported element names and types. 
+ default_field: false + - name: session_leader.parent.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: session_leader.parent.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: session_leader.parent.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: session_leader.parent.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: session_leader.parent.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: session_leader.parent.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: session_leader.parent.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. 
+ default_field: false + - name: session_leader.parent.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: session_leader.parent.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: session_leader.parent.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: session_leader.parent.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: session_leader.parent.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: session_leader.parent.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: session_leader.parent.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.parent.real_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: session_leader.parent.real_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.parent.real_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: session_leader.parent.real_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). 
For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: session_leader.parent.real_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: session_leader.parent.real_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.parent.real_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: session_leader.parent.real_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: session_leader.parent.real_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ default_field: false + - name: session_leader.parent.real_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: session_leader.parent.real_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: session_leader.parent.real_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: session_leader.parent.real_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: session_leader.parent.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. 
+ example: Albert Einstein + default_field: false + - name: session_leader.parent.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.parent.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.parent.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.parent.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.parent.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + default_field: false + - name: session_leader.parent.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: session_leader.parent.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: session_leader.parent.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.parent.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.parent.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.parent.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. 
+ + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: session_leader.parent.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.parent.saved_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: session_leader.parent.saved_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.parent.saved_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: session_leader.parent.saved_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: session_leader.parent.saved_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: session_leader.parent.saved_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.parent.saved_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: session_leader.parent.saved_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: session_leader.parent.saved_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ default_field: false + - name: session_leader.parent.saved_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: session_leader.parent.saved_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: session_leader.parent.saved_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: session_leader.parent.saved_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: session_leader.parent.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. 
+ example: Albert Einstein + default_field: false + - name: session_leader.parent.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.parent.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.parent.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.parent.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.parent.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + default_field: false + - name: session_leader.parent.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: session_leader.parent.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: session_leader.parent.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.parent.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.parent.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.parent.session_leader.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: session_leader.parent.session_leader.args_count + level: extended + type: long + description: 'Length of the process.args array. 
+ + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: session_leader.parent.session_leader.attested_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.session_leader.attested_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.session_leader.attested_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.session_leader.attested_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.session_leader.attested_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.parent.session_leader.attested_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. 
+ default_field: false + - name: session_leader.parent.session_leader.attested_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.parent.session_leader.attested_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: session_leader.parent.session_leader.attested_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ default_field: false + - name: session_leader.parent.session_leader.attested_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.parent.session_leader.attested_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: session_leader.parent.session_leader.attested_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: session_leader.parent.session_leader.attested_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: session_leader.parent.session_leader.attested_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ default_field: false + - name: session_leader.parent.session_leader.attested_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: session_leader.parent.session_leader.attested_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: session_leader.parent.session_leader.attested_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: session_leader.parent.session_leader.attested_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.parent.session_leader.attested_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: session_leader.parent.session_leader.attested_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.session_leader.attested_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.session_leader.attested_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.parent.session_leader.attested_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.parent.session_leader.attested_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.parent.session_leader.attested_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.parent.session_leader.attested_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + default_field: false + - name: session_leader.parent.session_leader.attested_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: session_leader.parent.session_leader.attested_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: session_leader.parent.session_leader.attested_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.parent.session_leader.attested_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.parent.session_leader.attested_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.parent.session_leader.code_signature.digest_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' 
+ example: sha256 + default_field: false + - name: session_leader.parent.session_leader.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: session_leader.parent.session_leader.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: session_leader.parent.session_leader.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: session_leader.parent.session_leader.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: session_leader.parent.session_leader.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: session_leader.parent.session_leader.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV + default_field: false + - name: session_leader.parent.session_leader.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: session_leader.parent.session_leader.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: session_leader.parent.session_leader.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: session_leader.parent.session_leader.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: session_leader.parent.session_leader.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: session_leader.parent.session_leader.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. 
+ example: x86-64 + default_field: false + - name: session_leader.parent.session_leader.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: session_leader.parent.session_leader.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: session_leader.parent.session_leader.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: session_leader.parent.session_leader.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: session_leader.parent.session_leader.elf.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: session_leader.parent.session_leader.elf.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: session_leader.parent.session_leader.elf.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: session_leader.parent.session_leader.elf.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.session_leader.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: session_leader.parent.session_leader.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: session_leader.parent.session_leader.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: session_leader.parent.session_leader.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: session_leader.parent.session_leader.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: session_leader.parent.session_leader.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: session_leader.parent.session_leader.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: session_leader.parent.session_leader.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. 
+ default_field: false + - name: session_leader.parent.session_leader.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: session_leader.parent.session_leader.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: session_leader.parent.session_leader.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: session_leader.parent.session_leader.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: session_leader.parent.session_leader.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: session_leader.parent.session_leader.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: session_leader.parent.session_leader.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. 
+ default_field: false + - name: session_leader.parent.session_leader.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.session_leader.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: session_leader.parent.session_leader.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: session_leader.parent.session_leader.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: session_leader.parent.session_leader.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: session_leader.parent.session_leader.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: session_leader.parent.session_leader.elf.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.session_leader.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: session_leader.parent.session_leader.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: session_leader.parent.session_leader.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: session_leader.parent.session_leader.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: session_leader.parent.session_leader.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: session_leader.parent.session_leader.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: session_leader.parent.session_leader.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: session_leader.parent.session_leader.end + level: extended + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: session_leader.parent.session_leader.endpoint_security_client + level: extended + type: boolean + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + default_field: false + - name: session_leader.parent.session_leader.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. 
+ example: Montreal + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' 
+ example: 94040 + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.port + level: core + type: long + format: string + description: Port of the source. + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: session_leader.parent.session_leader.entry_meta.source.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. 
For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: session_leader.parent.session_leader.entry_meta.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + default_field: false + - name: session_leader.parent.session_leader.env_vars + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + default_field: false + - name: session_leader.parent.session_leader.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: session_leader.parent.session_leader.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: session_leader.parent.session_leader.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: session_leader.parent.session_leader.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.session_leader.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.session_leader.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false + - name: session_leader.parent.session_leader.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: session_leader.parent.session_leader.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: session_leader.parent.session_leader.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: session_leader.parent.session_leader.hash.sha384 + level: extended + type: keyword + ignore_above: 1024 + description: SHA384 hash. + default_field: false + - name: session_leader.parent.session_leader.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: session_leader.parent.session_leader.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: session_leader.parent.session_leader.hash.tlsh + level: extended + type: keyword + ignore_above: 1024 + description: TLSH hash. 
+ default_field: false + - name: session_leader.parent.session_leader.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: session_leader.parent.session_leader.io + level: extended + type: object + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + default_field: false + - name: session_leader.parent.session_leader.io.bytes_skipped + level: extended + type: object + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + default_field: false + - name: session_leader.parent.session_leader.io.bytes_skipped.length + level: extended + type: long + description: The length of bytes skipped. + default_field: false + - name: session_leader.parent.session_leader.io.bytes_skipped.offset + level: extended + type: long + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + default_field: false + - name: session_leader.parent.session_leader.io.max_bytes_per_process_exceeded + level: extended + type: boolean + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. 
+ default_field: false + - name: session_leader.parent.session_leader.io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + default_field: false + - name: session_leader.parent.session_leader.io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. + default_field: false + - name: session_leader.parent.session_leader.io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + default_field: false + - name: session_leader.parent.session_leader.io.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + default_field: false + - name: session_leader.parent.session_leader.macho.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: session_leader.parent.session_leader.macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: session_leader.parent.session_leader.macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.session_leader.macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.session_leader.macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: session_leader.parent.session_leader.macho.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: session_leader.parent.session_leader.macho.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: session_leader.parent.session_leader.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. 
+ default_field: false + - name: session_leader.parent.session_leader.macho.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: session_leader.parent.session_leader.macho.sections + level: extended + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + default_field: false + - name: session_leader.parent.session_leader.macho.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.session_leader.macho.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Mach-O Section List name. + default_field: false + - name: session_leader.parent.session_leader.macho.sections.physical_size + level: extended + type: long + format: bytes + description: Mach-O Section List physical size. + default_field: false + - name: session_leader.parent.session_leader.macho.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.session_leader.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: session_leader.parent.session_leader.macho.symhash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + default_field: false + - name: session_leader.parent.session_leader.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: session_leader.parent.session_leader.origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + default_field: false + - name: session_leader.parent.session_leader.origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false + - name: session_leader.parent.session_leader.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: session_leader.parent.session_leader.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: session_leader.parent.session_leader.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: session_leader.parent.session_leader.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. 
+ example: 6.3.9600.17415 + default_field: false + - name: session_leader.parent.session_leader.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: session_leader.parent.session_leader.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: session_leader.parent.session_leader.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.session_leader.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.parent.session_leader.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: session_leader.parent.session_leader.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: session_leader.parent.session_leader.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: session_leader.parent.session_leader.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: session_leader.parent.session_leader.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: session_leader.parent.session_leader.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: session_leader.parent.session_leader.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: session_leader.parent.session_leader.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: session_leader.parent.session_leader.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: session_leader.parent.session_leader.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: session_leader.parent.session_leader.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.session_leader.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: session_leader.parent.session_leader.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: session_leader.parent.session_leader.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: session_leader.parent.session_leader.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: session_leader.parent.session_leader.pid + level: core + type: long + format: string + description: Process id. 
+ example: 4242 + default_field: false + - name: session_leader.parent.session_leader.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: session_leader.parent.session_leader.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.session_leader.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.session_leader.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.session_leader.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.session_leader.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.parent.session_leader.real_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. 
+ default_field: false + - name: session_leader.parent.session_leader.real_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.parent.session_leader.real_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: session_leader.parent.session_leader.real_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: session_leader.parent.session_leader.real_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ default_field: false + - name: session_leader.parent.session_leader.real_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.parent.session_leader.real_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: session_leader.parent.session_leader.real_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: session_leader.parent.session_leader.real_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: session_leader.parent.session_leader.real_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ default_field: false + - name: session_leader.parent.session_leader.real_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: session_leader.parent.session_leader.real_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: session_leader.parent.session_leader.real_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: session_leader.parent.session_leader.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.parent.session_leader.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: session_leader.parent.session_leader.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.session_leader.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.session_leader.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.parent.session_leader.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.parent.session_leader.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.parent.session_leader.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.parent.session_leader.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + default_field: false + - name: session_leader.parent.session_leader.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: session_leader.parent.session_leader.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: session_leader.parent.session_leader.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.parent.session_leader.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.parent.session_leader.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.parent.session_leader.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. 
Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: session_leader.parent.session_leader.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.session_leader.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.session_leader.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.session_leader.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.session_leader.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. 
+ default_field: false + - name: session_leader.parent.session_leader.saved_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: session_leader.parent.session_leader.saved_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.parent.session_leader.saved_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: session_leader.parent.session_leader.saved_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). 
For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: session_leader.parent.session_leader.saved_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.parent.session_leader.saved_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: session_leader.parent.session_leader.saved_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: session_leader.parent.session_leader.saved_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: session_leader.parent.session_leader.saved_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: session_leader.parent.session_leader.saved_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: session_leader.parent.session_leader.saved_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: session_leader.parent.session_leader.saved_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + default_field: false + - name: session_leader.parent.session_leader.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.parent.session_leader.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.session_leader.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.session_leader.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.session_leader.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.parent.session_leader.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.parent.session_leader.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein + default_field: false + - name: session_leader.parent.session_leader.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.parent.session_leader.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: session_leader.parent.session_leader.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: session_leader.parent.session_leader.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: session_leader.parent.session_leader.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.parent.session_leader.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + default_field: false + - name: session_leader.parent.session_leader.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.parent.session_leader.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: session_leader.parent.session_leader.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.session_leader.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.session_leader.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.session_leader.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: session_leader.parent.session_leader.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: session_leader.parent.session_leader.thread.id + level: extended + type: long + format: string + description: Thread ID. 
+ example: 4242 + default_field: false + - name: session_leader.parent.session_leader.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: session_leader.parent.session_leader.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: session_leader.parent.session_leader.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: session_leader.parent.session_leader.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + default_field: false + - name: session_leader.parent.session_leader.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: session_leader.parent.session_leader.tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. 
where event.action = ''text_output''' + example: 80 + default_field: false + - name: session_leader.parent.session_leader.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: session_leader.parent.session_leader.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: session_leader.parent.session_leader.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.session_leader.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.parent.session_leader.user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: session_leader.parent.session_leader.user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ default_field: false + - name: session_leader.parent.session_leader.user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: session_leader.parent.session_leader.user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: session_leader.parent.session_leader.user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: session_leader.parent.session_leader.user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ default_field: false + - name: session_leader.parent.session_leader.user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: session_leader.parent.session_leader.user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: session_leader.parent.session_leader.user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: session_leader.parent.session_leader.user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: session_leader.parent.session_leader.user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: session_leader.parent.session_leader.user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. 
This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: session_leader.parent.session_leader.user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: session_leader.parent.session_leader.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.parent.session_leader.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.session_leader.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.session_leader.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.session_leader.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.parent.session_leader.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.parent.session_leader.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.parent.session_leader.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.parent.session_leader.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: session_leader.parent.session_leader.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: session_leader.parent.session_leader.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + default_field: false + - name: session_leader.parent.session_leader.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.parent.session_leader.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.parent.session_leader.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.parent.session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: session_leader.parent.session_leader.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: session_leader.parent.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: session_leader.parent.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: session_leader.parent.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: session_leader.parent.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: session_leader.parent.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: session_leader.parent.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: session_leader.parent.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: session_leader.parent.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. 
+ default_field: false + - name: session_leader.parent.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + default_field: false + - name: session_leader.parent.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: session_leader.parent.tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: session_leader.parent.tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: session_leader.parent.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: session_leader.parent.user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: session_leader.parent.user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.parent.user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: session_leader.parent.user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.parent.user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: session_leader.parent.user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). 
For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: session_leader.parent.user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: session_leader.parent.user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.parent.user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: session_leader.parent.user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: session_leader.parent.user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ default_field: false + - name: session_leader.parent.user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: session_leader.parent.user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: session_leader.parent.user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: session_leader.parent.user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: session_leader.parent.user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. 
+ example: Albert Einstein + default_field: false + - name: session_leader.parent.user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.parent.user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.parent.user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.parent.user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.parent.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.parent.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.parent.user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.parent.user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + default_field: false + - name: session_leader.parent.user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: session_leader.parent.user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: session_leader.parent.user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.parent.user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.parent.user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.parent.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: session_leader.parent.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. 
+ example: /home/alice + default_field: false + - name: session_leader.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: session_leader.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: session_leader.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: session_leader.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: session_leader.pe.go_import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: session_leader.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: session_leader.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. 
+ default_field: false + - name: session_leader.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: session_leader.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: session_leader.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: session_leader.pe.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: session_leader.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: session_leader.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. 
+ default_field: false + - name: session_leader.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: session_leader.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: session_leader.pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + default_field: false + - name: session_leader.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: session_leader.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: session_leader.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: session_leader.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: PE Section List name. + default_field: false + - name: session_leader.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. 
+ default_field: false + - name: session_leader.pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: session_leader.pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: session_leader.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: session_leader.platform_binary + level: extended + type: boolean + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + default_field: false + - name: session_leader.real_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.real_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.real_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.real_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: session_leader.real_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.real_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: session_leader.real_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: session_leader.real_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: session_leader.real_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.real_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: session_leader.real_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: session_leader.real_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: session_leader.real_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. 
This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: session_leader.real_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: session_leader.real_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: session_leader.real_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: session_leader.real_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.real_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ default_field: false + - name: session_leader.real_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.real_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.real_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.real_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.real_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: session_leader.real_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + default_field: false + - name: session_leader.real_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: session_leader.real_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.real_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.real_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. 
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: session_leader.saved_group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.saved_user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.saved_user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: session_leader.saved_user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. 
+ default_field: false + - name: session_leader.saved_user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.saved_user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: session_leader.saved_user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: session_leader.saved_user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ default_field: false + - name: session_leader.saved_user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: session_leader.saved_user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: session_leader.saved_user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: session_leader.saved_user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: session_leader.saved_user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ default_field: false + - name: session_leader.saved_user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: session_leader.saved_user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: session_leader.saved_user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: session_leader.saved_user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: session_leader.saved_user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.saved_user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: session_leader.saved_user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.saved_user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: session_leader.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.saved_user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: session_leader.saved_user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: session_leader.saved_user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + default_field: false + - name: session_leader.saved_user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: session_leader.saved_user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: session_leader.saved_user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: session_leader.saved_user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: session_leader.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: session_leader.supplemental_groups.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: session_leader.supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: session_leader.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ default_field: false + - name: session_leader.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: session_leader.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: session_leader.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: session_leader.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: session_leader.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: session_leader.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: session_leader.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. 
+ example: 4
+ default_field: false
+ - name: session_leader.tty.char_device.minor
+ level: extended
+ type: long
+ description: The minor number is used only by the driver specified by the major
+ number; other parts of the kernel don’t use it, and merely pass it along to
+ the driver. It is common for a driver to control several devices; the minor
+ number provides a way for the driver to differentiate among them.
+ example: 1
+ default_field: false
+ - name: session_leader.tty.columns
+ level: extended
+ type: long
+ description: 'The number of character columns per line. e.g terminal width
+
+ Terminal sizes can change, so this value reflects the maximum value for a
+ given IO event. i.e. where event.action = ''text_output'''
+ example: 80
+ default_field: false
+ - name: session_leader.tty.rows
+ level: extended
+ type: long
+ description: 'The number of character rows in the terminal. e.g terminal height
+
+ Terminal sizes can change, so this value reflects the maximum value for a
+ given IO event. i.e. where event.action = ''text_output'''
+ example: 24
+ default_field: false
+ - name: session_leader.uptime
+ level: extended
+ type: long
+ description: Seconds the process has been up.
+ example: 1325
+ default_field: false
+ - name: session_leader.user.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: session_leader.user.email
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: User email address.
+ default_field: false
+ - name: session_leader.user.entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: session_leader.user.entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: session_leader.user.entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: session_leader.user.entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: session_leader.user.entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: session_leader.user.entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: session_leader.user.entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: session_leader.user.entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: session_leader.user.entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: session_leader.user.entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: session_leader.user.entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: session_leader.user.entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: session_leader.user.entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
+ - name: session_leader.user.full_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: User's full name, if available.
+ example: Albert Einstein
+ default_field: false
+ - name: session_leader.user.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: session_leader.user.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: session_leader.user.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: session_leader.user.hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ default_field: false
+ - name: session_leader.user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: session_leader.user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: session_leader.user.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: session_leader.user.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: session_leader.user.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: session_leader.user.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: session_leader.user.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: session_leader.user.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
+ - name: session_leader.user.roles
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ default_field: false
+ - name: session_leader.vpid
+ level: core
+ type: long
+ format: string
+ description: 'Virtual process id.
+
+ The process id within a pid namespace. This is not necessarily unique across
+ all processes on the host but it is unique within the process namespace that
+ the process exists within.'
+ example: 4242
+ default_field: false
+ - name: session_leader.working_directory
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The working directory of the process.
+ example: /home/alice
+ default_field: false
+ - name: start
+ level: extended
+ type: date
+ description: The time the process started.
+ example: '2016-05-23T08:05:34.853Z'
+ - name: supplemental_groups.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: supplemental_groups.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: supplemental_groups.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: thread.capabilities.effective
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: This is the set of capabilities used by the kernel to perform permission
+ checks for the thread.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ default_field: false
+ - name: thread.capabilities.permitted
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: This is a limiting superset for the effective capabilities that
+ the thread may assume.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ default_field: false
+ - name: thread.id
+ level: extended
+ type: long
+ format: string
+ description: Thread ID.
+ example: 4242
+ - name: thread.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Thread name.
+ example: thread-0
+ - name: title
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ default_field: false
+ description: 'Process title.
+
+ The proctitle, some times the same as process name. Can also be different:
+ for example a browser setting its title to the web page currently opened.'
+ - name: tty
+ level: extended
+ type: object
+ description: Information about the controlling TTY device. If set, the process
+ belongs to an interactive session.
+ default_field: false
+ - name: tty.char_device.major
+ level: extended
+ type: long
+ description: The major number identifies the driver associated with the device.
+ The character device's major and minor numbers can be algorithmically combined
+ to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
+ For more details, please refer to the Linux kernel documentation.
+ example: 4
+ default_field: false
+ - name: tty.char_device.minor
+ level: extended
+ type: long
+ description: The minor number is used only by the driver specified by the major
+ number; other parts of the kernel don’t use it, and merely pass it along to
+ the driver. It is common for a driver to control several devices; the minor
+ number provides a way for the driver to differentiate among them.
+ example: 1
+ default_field: false
+ - name: tty.columns
+ level: extended
+ type: long
+ description: 'The number of character columns per line. e.g terminal width
+
+ Terminal sizes can change, so this value reflects the maximum value for a
+ given IO event. i.e. where event.action = ''text_output'''
+ example: 80
+ default_field: false
+ - name: tty.rows
+ level: extended
+ type: long
+ description: 'The number of character rows in the terminal. e.g terminal height
+
+ Terminal sizes can change, so this value reflects the maximum value for a
+ given IO event. i.e. where event.action = ''text_output'''
+ example: 24
+ default_field: false
+ - name: uptime
+ level: extended
+ type: long
+ description: Seconds the process has been up.
+ example: 1325
+ - name: user.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: user.email
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: User email address.
+ default_field: false
+ - name: user.entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: user.entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: user.entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: user.entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: user.entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: user.entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: user.entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: user.entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: user.entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: user.entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: user.entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: user.entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: user.entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
+ - name: user.full_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: User's full name, if available.
+ example: Albert Einstein
+ default_field: false
+ - name: user.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: user.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: user.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: user.hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ default_field: false
+ - name: user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: user.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: user.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: user.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: user.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: user.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: user.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
+ - name: user.roles
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ default_field: false
+ - name: vpid
+ level: core
+ type: long
+ format: string
+ description: 'Virtual process id.
+
+ The process id within a pid namespace. This is not necessarily unique across
+ all processes on the host but it is unique within the process namespace that
+ the process exists within.'
+ example: 4242
+ default_field: false
+ - name: working_directory
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ default_field: false
+ description: The working directory of the process.
+ example: /home/alice
+ - name: registry
+ title: Registry
+ group: 2
+ description: Fields related to Windows Registry operations.
+ type: group
+ default_field: true
+ fields:
+ - name: data.bytes
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Original bytes written with base64 encoding.
+
+ For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+ corresponds to the data pointed by `lp_data`. This is optional but provides
+ better recoverability and should be populated for REG_BINARY encoded values.'
+ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+ default_field: false
+ - name: data.strings
+ level: core
+ type: wildcard
+ description: 'Content when writing string types.
+
+ Populated as an array when writing string data to the registry. For single
+ string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
+ one string. For sequences of string with REG_MULTI_SZ, this array will be
+ variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
+ be populated with the decimal representation (e.g `"1"`).'
+ example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+ default_field: false
+ - name: data.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Standard registry type for encoding contents
+ example: REG_SZ
+ default_field: false
+ - name: hive
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Abbreviated name for the hive.
+ example: HKLM
+ default_field: false
+ - name: key
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Hive-relative path of keys.
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+ default_field: false
+ - name: path
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Full path, including hive, key and value
+ example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+ Options\winword.exe\Debugger
+ default_field: false
+ - name: value
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Name of the value written.
+ example: Debugger
+ default_field: false
+ - name: related
+ title: Related
+ group: 2
+ description: 'This field set is meant to facilitate pivoting around a piece of
+ data.
+
+ Some pieces of information can be seen in many places in an ECS event. To facilitate
+ searching for them, store an array of all seen values to their corresponding
+ field in `related.`.
+
+ A concrete example is IP addresses, which can be under host, observer, source,
+ destination, client, server, and network.forwarded_ip. If you append all IPs
+ to `related.ip`, you can then search for a given IP trivially, no matter where
+ it appeared, by querying `related.ip:192.0.2.15`.'
+ type: group
+ default_field: true
+ fields:
+ - name: hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: All the hashes seen on your event. Populating this field, then
+ using it to search for hashes can help in situations where you're unsure what
+ the hash algorithm is (and therefore which key name to search).
+ default_field: false
+ - name: hosts
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: All hostnames or other host identifiers seen on your event. Example
+ identifiers include FQDNs, domain names, workstation names, or aliases.
+ default_field: false
+ - name: ip
+ level: extended
+ type: ip
+ description: All of the IPs seen on your event.
+ - name: user
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: All the user names or other user identifiers seen on the event.
+ default_field: false
+ - name: rule
+ title: Rule
+ group: 2
+ description: 'Rule fields are used to capture the specifics of any observer or
+ agent rules that generate alerts or other notable events.
+
+ Examples of data sources that would populate the rule fields include: network
+ admission control platforms, network or host IDS/IPS, network firewalls, web
+ application firewalls, url filters, endpoint detection and response (EDR) systems,
+ etc.'
+ type: group
+ default_field: true
+ fields:
+ - name: author
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name, organization, or pseudonym of the author or authors who created
+ the rule used to generate this event.
+ example: '["Star-Lord"]'
+ default_field: false
+ - name: category
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A categorization value keyword used by the entity using the rule
+ for detection of this event.
+ example: Attempted Information Leak
+ default_field: false
+ - name: description
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: The description of the rule generating the event.
+ example: Block requests to public DNS over HTTPS / TLS protocols
+ default_field: false
+ - name: id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A rule ID that is unique within the scope of an agent, observer,
+ or other entity using the rule for detection of this event.
+ example: 101
+ default_field: false
+ - name: license
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the license under which the rule used to generate this
+ event is made available.
+ example: Apache 2.0
+ default_field: false
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: The name of the rule or signature generating the event.
+ example: BLOCK_DNS_over_TLS
+ default_field: false
+ - name: reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Reference URL to additional information about the rule used to
+ generate this event.
+
+ The URL can point to the vendor''s documentation about the rule. If that''s
+ not available, it can also be a link to a more general page describing this
+ type of alert.'
+ example: https://en.wikipedia.org/wiki/DNS_over_TLS
+ default_field: false
+ - name: ruleset
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the ruleset, policy, group, or parent category in which
+ the rule used to generate this event is a member.
+ example: Standard_Protocol_Filters
+ default_field: false
+ - name: uuid
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A rule ID that is unique within the scope of a set or group of
+ agents, observers, or other entities using the rule for detection of this
+ event.
+ example: 1100110011
+ default_field: false
+ - name: version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: The version / revision of the rule being used for analysis.
+ example: 1.1
+ default_field: false
+ - name: server
+ title: Server
+ group: 2
+ description: 'A Server is defined as the responder in a network connection for
+ events regarding sessions, connections, or bidirectional flow records.
+
+ For TCP events, the server is the receiver of the initial SYN packet(s) of the
+ TCP connection. For other protocols, the server is generally the responder in
+ the network transaction. Some systems actually use the term "responder" to refer
+ the server in TCP connections. The server fields describe details about the
+ system acting as the server in the network event. Server fields are usually
+ populated in conjunction with client fields. Server fields are generally not
+ populated for packet-level events.
+
+ Client / server representations can add semantic context to an exchange, which
+ is helpful to visualize the data in certain situations. If your context falls
+ in that category, you should still ensure that source and destination are filled
+ appropriately.'
+ type: group
+ default_field: true
+ fields:
+ - name: address
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Some event server addresses are defined ambiguously. The event
+ will sometimes list an IP, a domain or a unix socket. You should always store
+ the raw address in the `.address` field.
+
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one
+ it is.'
+ - name: as.number
+ level: extended
+ type: long
+ description: Unique number allocated to the autonomous system. The autonomous
+ system number (ASN) uniquely identifies each network on the Internet.
+ example: 15169
+ - name: as.organization.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ default_field: false
+ description: Organization name.
+ example: Google LLC
+ - name: bytes
+ level: core
+ type: long
+ format: bytes
+ description: Bytes sent from the server to the client.
+ example: 184
+ - name: domain
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'The domain name of the server system.
+
+ This value may be a host name, a fully qualified domain name, or another host
+ naming format. The value may derive from the original event or be added from
+ enrichment.'
+ example: foo.example.com + - name: geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + - name: geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + - name: geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + - name: geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + default_field: false + - name: ip + level: core + type: ip + description: IP address of the server (IPv4 or IPv6). + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the server. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + - name: nat.ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: nat.port + level: extended + type: long + format: string + description: 'Translated port of destination based NAT sessions (e.g. internet + to private DMZ) + + Typically used with load balancers, firewalls, or routers.' + - name: packets + level: core + type: long + description: Packets sent from the server to the client. + example: 12 + - name: port + level: core + type: long + format: string + description: Port of the server. + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered server domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + - name: user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: user.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ default_field: false + - name: user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + - name: user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + - name: user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + default_field: false + description: Short name or login of the user. 
+ example: a.einstein + - name: user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: service + title: Service + group: 2 + description: 'The service fields describe the service for or from which the data + was collected. 
+ + These fields help you find and correlate logs for a specific service and version.' + footnote: The service fields may be self-nested under service.origin.* and service.target.* + to describe origin or target services in the context of incoming or outgoing + requests, respectively. However, the fieldsets service.origin.* and service.target.* + must not be confused with the root service fieldset that is used to describe + the actual service under observation. The fieldset service.origin.* may only + be used in the context of incoming requests or events to describe the originating + service of the request. The fieldset service.target.* may only be used in the + context of outgoing requests or events to describe the target service of the + request. + type: group + default_field: true + fields: + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Address where data about this service was collected from. + + This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource + path (sockets).' + example: 172.26.0.2:5432 + default_field: false + - name: entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ default_field: false + - name: entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ default_field: false + - name: entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + default_field: false + - name: entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: environment + level: extended + type: keyword + ignore_above: 1024 + description: 'Identifies the environment where the service is running. + + If the same service runs in different environments (production, staging, QA, + development, etc.), the environment can identify other instances of the same + service. Can also group services and applications from the same environment.' + example: production + default_field: false + - name: ephemeral_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Ephemeral identifier of this service (if one exists). + + This id normally changes across restarts, but `service.id` does not.' + example: 8a4f500f + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the running service. If the service is comprised + of many nodes, the `service.id` should be the same for all nodes. + + This id should uniquely identify the service. This makes it possible to correlate + logs and metrics for one specific service, no matter which particular node + emitted the event. + + Note that if you need to see the events from one specific host of the service, + you should filter on that `host.name` or `host.id` instead.' + example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. 
This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster + name. For Beats the `service.name` is by default a copy of the `service.type` + field if no name is specified.' + example: elasticsearch-metrics + - name: node.name + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of a service node. + + This allows for two nodes of the same service running on the same host to + be differentiated. Therefore, `service.node.name` should typically be unique + across nodes of a given service. + + In the case of Elasticsearch, the `service.node.name` could contain the unique + node name within the Elasticsearch cluster. In cases where the service doesn''t + have the concept of a node name, the host name or container name can be used + to distinguish running instances that make up this service. If those do not + provide uniqueness (e.g. multiple instances of the service running on the + same host) - the node name can be manually set.' + example: instance-0000000016 + - name: node.role + level: extended + type: keyword + ignore_above: 1024 + description: 'Deprecated for removal in next major version release. This field + will be superseded by `node.roles`. + + Role of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data`. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: background_tasks + default_field: false + - name: node.roles + level: extended + type: keyword + ignore_above: 1024 + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. 
+ + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' + default_field: false + - name: origin.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Address where data about this service was collected from. + + This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource + path (sockets).' + example: 172.26.0.2:5432 + default_field: false + - name: origin.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: origin.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: origin.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ default_field: false + - name: origin.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: origin.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: origin.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: origin.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: origin.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ default_field: false + - name: origin.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: origin.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: origin.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: origin.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: origin.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + default_field: false + - name: origin.environment + level: extended + type: keyword + ignore_above: 1024 + description: 'Identifies the environment where the service is running. + + If the same service runs in different environments (production, staging, QA, + development, etc.), the environment can identify other instances of the same + service. Can also group services and applications from the same environment.' + example: production + default_field: false + - name: origin.ephemeral_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Ephemeral identifier of this service (if one exists). + + This id normally changes across restarts, but `service.id` does not.' + example: 8a4f500f + default_field: false + - name: origin.id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the running service. If the service is comprised + of many nodes, the `service.id` should be the same for all nodes. + + This id should uniquely identify the service. This makes it possible to correlate + logs and metrics for one specific service, no matter which particular node + emitted the event. + + Note that if you need to see the events from one specific host of the service, + you should filter on that `host.name` or `host.id` instead.' + example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + default_field: false + - name: origin.name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster + name. For Beats the `service.name` is by default a copy of the `service.type` + field if no name is specified.' 
+ example: elasticsearch-metrics + default_field: false + - name: origin.node.name + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of a service node. + + This allows for two nodes of the same service running on the same host to + be differentiated. Therefore, `service.node.name` should typically be unique + across nodes of a given service. + + In the case of Elasticsearch, the `service.node.name` could contain the unique + node name within the Elasticsearch cluster. In cases where the service doesn''t + have the concept of a node name, the host name or container name can be used + to distinguish running instances that make up this service. If those do not + provide uniqueness (e.g. multiple instances of the service running on the + same host) - the node name can be manually set.' + example: instance-0000000016 + default_field: false + - name: origin.node.role + level: extended + type: keyword + ignore_above: 1024 + description: 'Deprecated for removal in next major version release. This field + will be superseded by `node.roles`. + + Role of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data`. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: background_tasks + default_field: false + - name: origin.node.roles + level: extended + type: keyword + ignore_above: 1024 + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. 
+ + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' + default_field: false + - name: origin.state + level: core + type: keyword + ignore_above: 1024 + description: Current state of the service. + default_field: false + - name: origin.type + level: core + type: keyword + ignore_above: 1024 + description: 'The type of the service data is collected from. + + The type can be used to group and correlate logs and metrics from one service + type. + + Example: If logs or metrics are collected from Elasticsearch, `service.type` + would be `elasticsearch`.' + example: elasticsearch + default_field: false + - name: origin.version + level: core + type: keyword + ignore_above: 1024 + description: 'Version of the service the data was collected from. + + This allows to look at a data set only for a specific version of a service.' + example: 3.2.4 + default_field: false + - name: state + level: core + type: keyword + ignore_above: 1024 + description: Current state of the service. + - name: target.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Address where data about this service was collected from. + + This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource + path (sockets).' + example: 172.26.0.2:5432 + default_field: false + - name: target.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. 
+ default_field: false + - name: target.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: target.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: target.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: target.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: target.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: target.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: target.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: target.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: target.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: target.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: target.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. 
This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: target.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: target.environment + level: extended + type: keyword + ignore_above: 1024 + description: 'Identifies the environment where the service is running. + + If the same service runs in different environments (production, staging, QA, + development, etc.), the environment can identify other instances of the same + service. Can also group services and applications from the same environment.' + example: production + default_field: false + - name: target.ephemeral_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Ephemeral identifier of this service (if one exists). + + This id normally changes across restarts, but `service.id` does not.' + example: 8a4f500f + default_field: false + - name: target.id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the running service. If the service is comprised + of many nodes, the `service.id` should be the same for all nodes. + + This id should uniquely identify the service. This makes it possible to correlate + logs and metrics for one specific service, no matter which particular node + emitted the event. 
+ + Note that if you need to see the events from one specific host of the service, + you should filter on that `host.name` or `host.id` instead.' + example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + default_field: false + - name: target.name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster + name. For Beats the `service.name` is by default a copy of the `service.type` + field if no name is specified.' + example: elasticsearch-metrics + default_field: false + - name: target.node.name + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of a service node. + + This allows for two nodes of the same service running on the same host to + be differentiated. Therefore, `service.node.name` should typically be unique + across nodes of a given service. + + In the case of Elasticsearch, the `service.node.name` could contain the unique + node name within the Elasticsearch cluster. In cases where the service doesn''t + have the concept of a node name, the host name or container name can be used + to distinguish running instances that make up this service. If those do not + provide uniqueness (e.g. multiple instances of the service running on the + same host) - the node name can be manually set.' + example: instance-0000000016 + default_field: false + - name: target.node.role + level: extended + type: keyword + ignore_above: 1024 + description: 'Deprecated for removal in next major version release. This field + will be superseded by `node.roles`. + + Role of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. 
+ + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data`. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: background_tasks + default_field: false + - name: target.node.roles + level: extended + type: keyword + ignore_above: 1024 + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' + default_field: false + - name: target.state + level: core + type: keyword + ignore_above: 1024 + description: Current state of the service. + default_field: false + - name: target.type + level: core + type: keyword + ignore_above: 1024 + description: 'The type of the service data is collected from. + + The type can be used to group and correlate logs and metrics from one service + type. + + Example: If logs or metrics are collected from Elasticsearch, `service.type` + would be `elasticsearch`.' + example: elasticsearch + default_field: false + - name: target.version + level: core + type: keyword + ignore_above: 1024 + description: 'Version of the service the data was collected from. + + This allows to look at a data set only for a specific version of a service.' + example: 3.2.4 + default_field: false + - name: type + level: core + type: keyword + ignore_above: 1024 description: 'The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service - type. + The type can be used to group and correlate logs and metrics from one service + type. 
+ + Example: If logs or metrics are collected from Elasticsearch, `service.type` + would be `elasticsearch`.' + example: elasticsearch + - name: version + level: core + type: keyword + ignore_above: 1024 + description: 'Version of the service the data was collected from. + + This allows to look at a data set only for a specific version of a service.' + example: 3.2.4 + - name: source + title: Source + group: 2 + description: 'Source fields capture details about the sender of a network exchange/packet. + These fields are populated from a network event, packet, or other event containing + details of a network transaction. + + Source fields are usually populated in conjunction with destination fields. + The source and destination fields are considered the baseline and should always + be filled if an event contains source and destination details from a network + transaction. If the event also contains identification of the client and server + roles, then the client and server fields should also be populated.' + type: group + default_field: true + fields: + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + - name: as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + default_field: false + description: Organization name. + example: Google LLC + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. 
+ example: 184 + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + - name: geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + - name: geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + - name: geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. 
+ example: CA-QC + - name: geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + - name: nat.ip + level: extended + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: nat.port + level: extended + type: long + format: string + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". - Example: If logs or metrics are collected from Elasticsearch, `service.type` - would be `elasticsearch`.' 
- example: elasticsearch - - name: version + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + - name: subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: user.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: user.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + - name: user.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: user.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: user.entity.display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: user.entity.id level: core type: keyword ignore_above: 1024 - description: 'Version of the service the data was collected from. + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ default_field: false + - name: user.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: user.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: user.entity.metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: user.entity.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: user.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: user.entity.reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ default_field: false + - name: user.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: user.entity.sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: user.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: user.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: user.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. - This allows to look at a data set only for a specific version of a service.' - example: 3.2.4 - - name: source - title: Source + For example, an LDAP or Active Directory domain name.' + - name: user.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: user.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+ - name: user.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + - name: user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + - name: user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + default_field: false + description: Short name or login of the user. + example: a.einstein + - name: user.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: user.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: user.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: user.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: user.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + default_field: false + - name: user.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: threat + title: Threat group: 2 - description: 'Source fields capture details about the sender of a network exchange/packet. - These fields are populated from a network event, packet, or other event containing - details of a network transaction. + description: 'Fields to classify events and alerts according to a threat taxonomy + such as the MITRE ATT&CK® framework. - Source fields are usually populated in conjunction with destination fields. - The source and destination fields are considered the baseline and should always - be filled if an event contains source and destination details from a network - transaction. If the event also contains identification of the client and server - roles, then the client and server fields should also be populated.' + These fields are for users to classify alerts from all of their sources (e.g. + IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant + to capture the high level category of the threat (e.g. "impact"). The threat.technique.* + fields are meant to capture which kind of approach is used by this detected + threat, to accomplish the goal (e.g. "endpoint denial of service").' type: group default_field: true fields: - - name: address + - name: enrichments level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. 
You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - - name: as.number + type: nested + description: A list of associated indicators objects enriching the event, and + the context of that association/enrichment. + default_field: false + - name: enrichments.indicator + level: extended + type: object + description: Object containing associated indicators enriching the event. + default_field: false + - name: enrichments.indicator.as.number level: extended type: long description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. example: 15169 - - name: as.organization.name + default_field: false + - name: enrichments.indicator.as.organization.name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - default_field: false description: Organization name. example: Google LLC - - name: bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - - name: domain - level: core + default_field: false + - name: enrichments.indicator.confidence + level: extended type: keyword ignore_above: 1024 - description: 'The domain name of the source system. + description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High + scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence + scales may be added as custom fields. + example: Medium + default_field: false + - name: enrichments.indicator.description + level: extended + type: keyword + ignore_above: 1024 + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. 
+ default_field: false + - name: enrichments.indicator.email.address + level: extended + type: keyword + ignore_above: 1024 + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + default_field: false + - name: enrichments.indicator.file.accessed + level: extended + type: date + description: 'Last time the file was accessed. - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - - name: geo.city_name - level: core + Note that not all filesystems keep track of access time.' + default_field: false + - name: enrichments.indicator.file.attributes + level: extended type: keyword ignore_above: 1024 - description: City name. - example: Montreal - - name: geo.continent_code - level: core + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + default_field: false + - name: enrichments.indicator.file.code_signature.digest_algorithm + level: extended type: keyword ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 default_field: false - - name: geo.continent_name + - name: enrichments.indicator.file.code_signature.exists level: core + type: boolean + description: Boolean to capture if a signature is present. 
+ example: 'true' + default_field: false + - name: enrichments.indicator.file.code_signature.flags + level: extended type: keyword ignore_above: 1024 - description: Name of the continent. - example: North America - - name: geo.country_iso_code - level: core + description: The flags used to sign the process. + example: 570522385 + default_field: false + - name: enrichments.indicator.file.code_signature.signing_id + level: extended type: keyword ignore_above: 1024 - description: Country ISO code. - example: CA - - name: geo.country_name - level: core + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: enrichments.indicator.file.code_signature.status + level: extended type: keyword ignore_above: 1024 - description: Country name. - example: Canada - - name: geo.location + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: enrichments.indicator.file.code_signature.subject_name level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: geo.name + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: enrichments.indicator.file.code_signature.team_id level: extended type: keyword ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. + description: 'The team identifier used to sign the process. 
- Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: enrichments.indicator.file.code_signature.thumbprint_sha256 + level: extended + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ + default_field: false + - name: enrichments.indicator.file.code_signature.timestamp + level: extended + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + default_field: false + - name: enrichments.indicator.file.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. - Not typically used in automated geolocation.' - example: boston-dc - - name: geo.postal_code - level: core + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: enrichments.indicator.file.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: enrichments.indicator.file.created + level: extended + type: date + description: 'File creation time. + + Note that not all filesystems store the creation time.' + default_field: false + - name: enrichments.indicator.file.ctime + level: extended + type: date + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. 
This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + default_field: false + - name: enrichments.indicator.file.device + level: extended type: keyword ignore_above: 1024 - description: 'Postal code associated with the location. + description: Device that is the source of the file. + example: sda + default_field: false + - name: enrichments.indicator.file.directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + default_field: false + - name: enrichments.indicator.file.drive_letter + level: extended + type: keyword + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 + The value should be uppercase, and not include the colon.' + example: C default_field: false - - name: geo.region_iso_code - level: core + - name: enrichments.indicator.file.elf.architecture + level: extended type: keyword ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: geo.region_name - level: core + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: enrichments.indicator.file.elf.byte_order + level: extended type: keyword ignore_above: 1024 - description: Region name. - example: Quebec - - name: geo.timezone - level: core + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: enrichments.indicator.file.elf.cpu_type + level: extended type: keyword ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires + description: CPU type of the ELF file. 
+ example: Intel default_field: false - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: mac - level: core + - name: enrichments.indicator.file.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: enrichments.indicator.file.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: enrichments.indicator.file.elf.go_import_hash + level: extended type: keyword ignore_above: 1024 - description: 'MAC address of the source. + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - - name: nat.ip + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + default_field: false + - name: enrichments.indicator.file.elf.go_imports level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - - name: nat.port + type: flattened + description: List of imported Go language element names and types. 
+ default_field: false + - name: enrichments.indicator.file.elf.go_imports_names_entropy level: extended type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - - name: packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - - name: port - level: core + format: number + description: Shannon entropy calculation from the list of Go imports. + default_field: false + - name: enrichments.indicator.file.elf.go_imports_names_var_entropy + level: extended type: long - format: string - description: Port of the source. - - name: registered_domain + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. + default_field: false + - name: enrichments.indicator.file.elf.go_stripped level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - - name: subdomain + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: enrichments.indicator.file.elf.header.abi_version level: extended type: keyword ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east + description: Version of the ELF Application Binary Interface (ABI). default_field: false - - name: top_level_domain + - name: enrichments.indicator.file.elf.header.class level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - - name: user.domain + description: Header class of the ELF file. + default_field: false + - name: enrichments.indicator.file.elf.header.data level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - - name: user.email + description: Data table of the ELF header. + default_field: false + - name: enrichments.indicator.file.elf.header.entrypoint level: extended - type: keyword - ignore_above: 1024 - description: User email address. - - name: user.full_name + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: enrichments.indicator.file.elf.header.object_version level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: User's full name, if available. 
- example: Albert Einstein - - name: user.group.domain + description: '"0x1" for original ELF files.' + default_field: false + - name: enrichments.indicator.file.elf.header.os_abi level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - - name: user.group.id + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: enrichments.indicator.file.elf.header.type level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: user.group.name + description: Header type of the ELF file. + default_field: false + - name: enrichments.indicator.file.elf.header.version level: extended type: keyword ignore_above: 1024 - description: Name of the group. - - name: user.hash + description: Version of the ELF header. + default_field: false + - name: enrichments.indicator.file.elf.import_hash level: extended type: keyword ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - - name: user.id - level: core + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: enrichments.indicator.file.elf.imports + level: extended + type: flattened + description: List of imported element names and types. 
+ default_field: false + - name: enrichments.indicator.file.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. + default_field: false + - name: enrichments.indicator.file.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: enrichments.indicator.file.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: enrichments.indicator.file.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: enrichments.indicator.file.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: enrichments.indicator.file.elf.sections.flags + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - - name: user.name - level: core + description: ELF Section List flags. + default_field: false + - name: enrichments.indicator.file.elf.sections.name + level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Short name or login of the user. - example: a.einstein - - name: user.roles + description: ELF Section List name. 
+ default_field: false + - name: enrichments.indicator.file.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: threat - title: Threat - group: 2 - description: 'Fields to classify events and alerts according to a threat taxonomy - such as the MITRE ATT&CK® framework. - - These fields are for users to classify alerts from all of their sources (e.g. - IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant - to capture the high level category of the threat (e.g. "impact"). The threat.technique.* - fields are meant to capture which kind of approach is used by this detected - threat, to accomplish the goal (e.g. "endpoint denial of service").' - type: group - default_field: true - fields: - - name: enrichments + description: ELF Section List offset. + default_field: false + - name: enrichments.indicator.file.elf.sections.physical_size level: extended - type: nested - description: A list of associated indicators objects enriching the event, and - the context of that association/enrichment. + type: long + format: bytes + description: ELF Section List physical size. default_field: false - - name: enrichments.indicator + - name: enrichments.indicator.file.elf.sections.type level: extended - type: object - description: Object containing associated indicators enriching the event. + type: keyword + ignore_above: 1024 + description: ELF Section List type. default_field: false - - name: enrichments.indicator.as.number + - name: enrichments.indicator.file.elf.sections.var_entropy level: extended type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 + format: number + description: Variance for Shannon entropy calculation from the section. 
default_field: false - - name: enrichments.indicator.as.organization.name + - name: enrichments.indicator.file.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: enrichments.indicator.file.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: enrichments.indicator.file.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: enrichments.indicator.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC + description: ELF object segment sections. default_field: false - - name: enrichments.indicator.confidence + - name: enrichments.indicator.file.elf.segments.type level: extended type: keyword ignore_above: 1024 - description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High - scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence - scales may be added as custom fields. - example: Medium + description: ELF object segment type. default_field: false - - name: enrichments.indicator.description + - name: enrichments.indicator.file.elf.shared_libraries level: extended type: keyword ignore_above: 1024 - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. + description: List of shared libraries used by this ELF object. 
default_field: false - - name: enrichments.indicator.email.address + - name: enrichments.indicator.file.elf.telfhash level: extended type: keyword ignore_above: 1024 - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com + description: telfhash symbol hash for ELF file. default_field: false - - name: enrichments.indicator.file.accessed + - name: enrichments.indicator.file.extension level: extended - type: date - description: 'Last time the file was accessed. + type: keyword + ignore_above: 1024 + description: 'File extension, excluding the leading dot. - Note that not all filesystems keep track of access time.' + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: enrichments.indicator.file.attributes + - name: enrichments.indicator.file.fork_name level: extended type: keyword ignore_above: 1024 - description: 'Array of file attributes. + description: 'A fork is additional data associated with a filesystem object. - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, - execute, hidden, read, readonly, system, write.' - example: '["readonly", "system"]' + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. 
`filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer default_field: false - - name: enrichments.indicator.file.code_signature.digest_algorithm + - name: enrichments.indicator.file.gid level: extended type: keyword ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 + description: Primary group ID (GID) of the file. + example: '1001' default_field: false - - name: enrichments.indicator.file.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' + - name: enrichments.indicator.file.group + level: extended + type: keyword + ignore_above: 1024 + description: Primary group name of the file. + example: alice default_field: false - - name: enrichments.indicator.file.code_signature.flags + - name: enrichments.indicator.file.hash.cdhash level: extended type: keyword ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 default_field: false - - name: enrichments.indicator.file.code_signature.signing_id + - name: enrichments.indicator.file.hash.md5 level: extended type: keyword ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy + description: MD5 hash. 
default_field: false - - name: enrichments.indicator.file.code_signature.status + - name: enrichments.indicator.file.hash.sha1 level: extended type: keyword ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT + description: SHA1 hash. default_field: false - - name: enrichments.indicator.file.code_signature.subject_name - level: core + - name: enrichments.indicator.file.hash.sha256 + level: extended type: keyword ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation + description: SHA256 hash. default_field: false - - name: enrichments.indicator.file.code_signature.team_id + - name: enrichments.indicator.file.hash.sha384 level: extended type: keyword ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV + description: SHA384 hash. default_field: false - - name: enrichments.indicator.file.code_signature.thumbprint_sha256 + - name: enrichments.indicator.file.hash.sha512 level: extended type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ + ignore_above: 1024 + description: SHA512 hash. default_field: false - - name: enrichments.indicator.file.code_signature.timestamp + - name: enrichments.indicator.file.hash.ssdeep level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' + type: keyword + ignore_above: 1024 + description: SSDEEP hash. 
default_field: false - - name: enrichments.indicator.file.code_signature.trusted + - name: enrichments.indicator.file.hash.tlsh level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' + type: keyword + ignore_above: 1024 + description: TLSH hash. default_field: false - - name: enrichments.indicator.file.code_signature.valid + - name: enrichments.indicator.file.inode level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' + type: keyword + ignore_above: 1024 + description: Inode representing the file in the filesystem. + example: '256383' default_field: false - - name: enrichments.indicator.file.created + - name: enrichments.indicator.file.mime_type level: extended - type: date - description: 'File creation time. - - Note that not all filesystems store the creation time.' + type: keyword + ignore_above: 1024 + description: 'MIME type should identify the format of the file or stream of + bytes using IANA official types: https://www.iana.org/assignments/media-types/media-types.xhtml, + where possible. When more than one type is applicable, the most specific type + should be used.' default_field: false - - name: enrichments.indicator.file.ctime + - name: enrichments.indicator.file.mode + level: extended + type: keyword + ignore_above: 1024 + description: Mode of the file in octal representation. + example: '0640' + default_field: false + - name: enrichments.indicator.file.mtime level: extended type: date - description: 'Last time the file attributes or metadata changed. - - Note that changes to the file content will update `mtime`. 
This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' + description: Last time the file content was modified. default_field: false - - name: enrichments.indicator.file.device + - name: enrichments.indicator.file.name level: extended type: keyword ignore_above: 1024 - description: Device that is the source of the file. - example: sda + description: Name of the file including the extension, without the directory. + example: example.png default_field: false - - name: enrichments.indicator.file.directory + - name: enrichments.indicator.file.origin_referrer_url level: extended type: keyword - ignore_above: 1024 - description: Directory where the file is located. It should include the drive - letter, when appropriate. - example: /home/alice + ignore_above: 8192 + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html default_field: false - - name: enrichments.indicator.file.drive_letter + - name: enrichments.indicator.file.origin_url level: extended type: keyword - ignore_above: 1 - description: 'Drive letter where the file is located. This field is only relevant - on Windows. - - The value should be uppercase, and not include the colon.' - example: C + ignore_above: 8192 + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg + default_field: false + - name: enrichments.indicator.file.owner + level: extended + type: keyword + ignore_above: 1024 + description: File owner's username. + example: alice default_field: false - - name: enrichments.indicator.file.elf.architecture + - name: enrichments.indicator.file.path level: extended type: keyword ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 + multi_fields: + - name: text + type: match_only_text + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. 
+ example: /home/alice/example.png default_field: false - - name: enrichments.indicator.file.elf.byte_order + - name: enrichments.indicator.file.pe.architecture level: extended type: keyword ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian + description: CPU architecture target for the file. + example: x64 default_field: false - - name: enrichments.indicator.file.elf.cpu_type + - name: enrichments.indicator.file.pe.company level: extended type: keyword ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation default_field: false - - name: enrichments.indicator.file.elf.creation_date + - name: enrichments.indicator.file.pe.description level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint default_field: false - - name: enrichments.indicator.file.elf.exports + - name: enrichments.indicator.file.pe.file_version level: extended - type: flattened - description: List of exported element names and types. + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: enrichments.indicator.file.elf.go_import_hash + - name: enrichments.indicator.file.pe.go_import_hash level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard + description: 'A hash of the Go language imports in a PE file excluding standard library imports. 
An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
@@ -9957,567 +36436,722 @@ are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: enrichments.indicator.file.elf.go_imports + - name: enrichments.indicator.file.pe.go_imports level: extended type: flattened description: List of imported Go language element names and types. default_field: false - - name: enrichments.indicator.file.elf.go_imports_names_entropy + - name: enrichments.indicator.file.pe.go_imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: enrichments.indicator.file.elf.go_imports_names_var_entropy + - name: enrichments.indicator.file.pe.go_imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: enrichments.indicator.file.elf.go_stripped + - name: enrichments.indicator.file.pe.go_stripped level: extended type: boolean description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: enrichments.indicator.file.elf.header.abi_version + - name: enrichments.indicator.file.pe.imphash level: extended type: keyword ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
+ example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: enrichments.indicator.file.elf.header.class + - name: enrichments.indicator.file.pe.import_hash level: extended type: keyword ignore_above: 1024 - description: Header class of the ELF file. + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: enrichments.indicator.file.elf.header.data + - name: enrichments.indicator.file.pe.imports level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. + type: flattened + description: List of imported element names and types. default_field: false - - name: enrichments.indicator.file.elf.header.entrypoint + - name: enrichments.indicator.file.pe.imports_names_entropy level: extended type: long - format: string - description: Header entrypoint of the ELF file. + format: number + description: Shannon entropy calculation from the list of imported element names + and types. default_field: false - - name: enrichments.indicator.file.elf.header.object_version + - name: enrichments.indicator.file.pe.imports_names_var_entropy level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. default_field: false - - name: enrichments.indicator.file.elf.header.os_abi + - name: enrichments.indicator.file.pe.original_file_name level: extended type: keyword ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE default_field: false - - name: enrichments.indicator.file.elf.header.type + - name: enrichments.indicator.file.pe.pehash level: extended type: keyword ignore_above: 1024 - description: Header type of the ELF file. + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 default_field: false - - name: enrichments.indicator.file.elf.header.version + - name: enrichments.indicator.file.pe.product level: extended type: keyword ignore_above: 1024 - description: Version of the ELF header. + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System default_field: false - - name: enrichments.indicator.file.elf.import_hash + - name: enrichments.indicator.file.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: enrichments.indicator.file.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: enrichments.indicator.file.pe.sections.name level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e + description: PE Section List name. 
default_field: false - - name: enrichments.indicator.file.elf.imports + - name: enrichments.indicator.file.pe.sections.physical_size level: extended - type: flattened - description: List of imported element names and types. + type: long + format: bytes + description: PE Section List physical size. default_field: false - - name: enrichments.indicator.file.elf.imports_names_entropy + - name: enrichments.indicator.file.pe.sections.var_entropy level: extended type: long format: number - description: Shannon entropy calculation from the list of imported element names - and types. + description: Variance for Shannon entropy calculation from the section. default_field: false - - name: enrichments.indicator.file.elf.imports_names_var_entropy + - name: enrichments.indicator.file.pe.sections.virtual_size level: extended type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: enrichments.indicator.file.elf.sections + - name: enrichments.indicator.file.size level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. + type: long + description: 'File size in bytes. - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' + Only relevant when `file.type` is "file".' + example: 16384 default_field: false - - name: enrichments.indicator.file.elf.sections.chi2 + - name: enrichments.indicator.file.target_path level: extended - type: long - format: number - description: Chi-square probability distribution of the section. + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Target path for symlinks. 
default_field: false - - name: enrichments.indicator.file.elf.sections.entropy + - name: enrichments.indicator.file.type level: extended - type: long - format: number - description: Shannon entropy calculation from the section. + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file default_field: false - - name: enrichments.indicator.file.elf.sections.flags + - name: enrichments.indicator.file.uid level: extended type: keyword ignore_above: 1024 - description: ELF Section List flags. + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' default_field: false - - name: enrichments.indicator.file.elf.sections.name + - name: enrichments.indicator.file.x509.alternative_names level: extended type: keyword ignore_above: 1024 - description: ELF Section List name. + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: enrichments.indicator.file.x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + default_field: false + - name: enrichments.indicator.file.x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country \(C) codes + example: US + default_field: false + - name: enrichments.indicator.file.x509.issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: enrichments.indicator.file.x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: enrichments.indicator.file.x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + default_field: false + - name: enrichments.indicator.file.x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + default_field: false + - name: enrichments.indicator.file.x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: enrichments.indicator.file.x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: '2020-07-16T03:15:39Z' + default_field: false + - name: enrichments.indicator.file.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: '2019-08-16T01:40:25Z' default_field: false - - name: enrichments.indicator.file.elf.sections.physical_offset + - name: enrichments.indicator.file.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: enrichments.indicator.file.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. + description: Algorithm used to generate the public key. 
+ example: RSA default_field: false - - name: enrichments.indicator.file.elf.sections.type + - name: enrichments.indicator.file.x509.public_key_curve level: extended type: keyword ignore_above: 1024 - description: ELF Section List type. + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 default_field: false - - name: enrichments.indicator.file.elf.sections.var_entropy + - name: enrichments.indicator.file.x509.public_key_exponent level: extended type: long - format: number - description: Variance for Shannon entropy calculation from the section. + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + doc_values: false default_field: false - - name: enrichments.indicator.file.elf.sections.virtual_address + - name: enrichments.indicator.file.x509.public_key_size level: extended type: long - format: string - description: ELF Section List virtual address. + description: The size of the public key space in bits. + example: 2048 default_field: false - - name: enrichments.indicator.file.elf.sections.virtual_size + - name: enrichments.indicator.file.x509.serial_number level: extended - type: long - format: string - description: ELF Section List virtual size. + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + this must be encoded in base 16 and formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: enrichments.indicator.file.elf.segments + - name: enrichments.indicator.file.x509.signature_algorithm level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' 
+ type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA default_field: false - - name: enrichments.indicator.file.elf.segments.sections + - name: enrichments.indicator.file.x509.subject.common_name level: extended type: keyword ignore_above: 1024 - description: ELF object segment sections. + description: List of common names (CN) of subject. + example: shared.global.example.net default_field: false - - name: enrichments.indicator.file.elf.segments.type + - name: enrichments.indicator.file.x509.subject.country level: extended type: keyword ignore_above: 1024 - description: ELF object segment type. + description: List of country \(C) code + example: US default_field: false - - name: enrichments.indicator.file.elf.shared_libraries + - name: enrichments.indicator.file.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object. + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: enrichments.indicator.file.elf.telfhash + - name: enrichments.indicator.file.x509.subject.locality level: extended type: keyword ignore_above: 1024 - description: telfhash symbol hash for ELF file. + description: List of locality names (L) + example: San Francisco default_field: false - - name: enrichments.indicator.file.extension + - name: enrichments.indicator.file.x509.subject.organization level: extended type: keyword ignore_above: 1024 - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' 
- example: png + description: List of organizations (O) of subject. + example: Example, Inc. default_field: false - - name: enrichments.indicator.file.fork_name + - name: enrichments.indicator.file.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 - description: 'A fork is additional data associated with a filesystem object. - - On Linux, a resource fork is used to store additional data with a filesystem - object. A file always has at least one fork for the data portion, and additional - forks may exist. - - On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default - data stream for a file is just called $DATA. Zone.Identifier is commonly used - by Windows to track contents downloaded from the Internet. An ADS is typically - of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` - is the value that should populate `fork_name`. `filename.extension` should - populate `file.name`, and `extension` should populate `file.extension`. The - full path, `file.path`, will include the fork name.' - example: Zone.Identifer + description: List of organizational units (OU) of subject. default_field: false - - name: enrichments.indicator.file.gid + - name: enrichments.indicator.file.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 - description: Primary group ID (GID) of the file. - example: '1001' + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: enrichments.indicator.file.group + - name: enrichments.indicator.file.x509.version_number level: extended type: keyword ignore_above: 1024 - description: Primary group name of the file. - example: alice + description: Version of x509 format. 
+ example: 3 default_field: false - - name: enrichments.indicator.file.hash.cdhash + - name: enrichments.indicator.first_seen level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.geo.city_name + level: core type: keyword ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + description: City name. + example: Montreal default_field: false - - name: enrichments.indicator.file.hash.md5 - level: extended + - name: enrichments.indicator.geo.continent_code + level: core type: keyword ignore_above: 1024 - description: MD5 hash. + description: Two-letter code representing continent's name. + example: NA default_field: false - - name: enrichments.indicator.file.hash.sha1 - level: extended + - name: enrichments.indicator.geo.continent_name + level: core type: keyword ignore_above: 1024 - description: SHA1 hash. + description: Name of the continent. + example: North America default_field: false - - name: enrichments.indicator.file.hash.sha256 - level: extended + - name: enrichments.indicator.geo.country_iso_code + level: core type: keyword ignore_above: 1024 - description: SHA256 hash. + description: Country ISO code. + example: CA default_field: false - - name: enrichments.indicator.file.hash.sha384 - level: extended + - name: enrichments.indicator.geo.country_name + level: core type: keyword ignore_above: 1024 - description: SHA384 hash. + description: Country name. + example: Canada default_field: false - - name: enrichments.indicator.file.hash.sha512 + - name: enrichments.indicator.geo.location + level: core + type: geo_point + description: Longitude and latitude. 
+ example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: enrichments.indicator.geo.name level: extended type: keyword ignore_above: 1024 - description: SHA512 hash. + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc default_field: false - - name: enrichments.indicator.file.hash.ssdeep - level: extended + - name: enrichments.indicator.geo.postal_code + level: core type: keyword ignore_above: 1024 - description: SSDEEP hash. + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 default_field: false - - name: enrichments.indicator.file.hash.tlsh - level: extended + - name: enrichments.indicator.geo.region_iso_code + level: core type: keyword ignore_above: 1024 - description: TLSH hash. + description: Region ISO code. + example: CA-QC default_field: false - - name: enrichments.indicator.file.inode - level: extended + - name: enrichments.indicator.geo.region_name + level: core type: keyword ignore_above: 1024 - description: Inode representing the file in the filesystem. - example: '256383' + description: Region name. + example: Quebec default_field: false - - name: enrichments.indicator.file.mime_type + - name: enrichments.indicator.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: enrichments.indicator.ip + level: extended + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). 
+ example: 1.2.3.4 + default_field: false + - name: enrichments.indicator.last_seen + level: extended + type: date + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.marking.tlp level: extended type: keyword ignore_above: 1024 - description: 'MIME type should identify the format of the file or stream of - bytes using IANA official types: https://www.iana.org/assignments/media-types/media-types.xhtml, - where possible. When more than one type is applicable, the most specific type - should be used.' + description: Traffic Light Protocol sharing markings. + example: CLEAR default_field: false - - name: enrichments.indicator.file.mode + - name: enrichments.indicator.marking.tlp_version level: extended type: keyword ignore_above: 1024 - description: Mode of the file in octal representation. - example: '0640' + description: Traffic Light Protocol version. + example: 2.0 default_field: false - - name: enrichments.indicator.file.mtime + - name: enrichments.indicator.modified_at level: extended type: date - description: Last time the file content was modified. + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.indicator.file.name + - name: enrichments.indicator.name level: extended type: keyword ignore_above: 1024 - description: Name of the file including the extension, without the directory. - example: example.png + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' 
+ example: 5.2.75.227 default_field: false - - name: enrichments.indicator.file.origin_referrer_url + - name: enrichments.indicator.port level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the file. - example: http://example.com/article1.html + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 default_field: false - - name: enrichments.indicator.file.origin_url + - name: enrichments.indicator.provider level: extended type: keyword - ignore_above: 8192 - description: The URL where the file is hosted. - example: http://example.com/imgs/article1_img1.jpg + ignore_above: 1024 + description: The name of the indicator's provider. + example: lrz_urlhaus default_field: false - - name: enrichments.indicator.file.owner + - name: enrichments.indicator.reference level: extended type: keyword ignore_above: 1024 - description: File owner's username. - example: alice + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 default_field: false - - name: enrichments.indicator.file.path + - name: enrichments.indicator.registry.data.bytes level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Full path to the file, including the file name. It should include - the drive letter, when appropriate. - example: /home/alice/example.png + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' 
+ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: enrichments.indicator.file.pe.architecture - level: extended + - name: enrichments.indicator.registry.data.strings + level: core + type: wildcard + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: enrichments.indicator.registry.data.type + level: core type: keyword ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 + description: Standard registry type for encoding contents + example: REG_SZ default_field: false - - name: enrichments.indicator.file.pe.company - level: extended + - name: enrichments.indicator.registry.hive + level: core type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation + description: Abbreviated name for the hive. + example: HKLM default_field: false - - name: enrichments.indicator.file.pe.description - level: extended + - name: enrichments.indicator.registry.key + level: core type: keyword ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - - name: enrichments.indicator.file.pe.file_version - level: extended + - name: enrichments.indicator.registry.path + level: core type: keyword ignore_above: 1024 - description: Internal version of the file, provided at compile-time. 
- example: 6.3.9600.17415 + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger default_field: false - - name: enrichments.indicator.file.pe.go_import_hash - level: extended + - name: enrichments.indicator.registry.value + level: core type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: enrichments.indicator.file.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. + description: Name of the value written. + example: Debugger default_field: false - - name: enrichments.indicator.file.pe.go_imports_names_entropy + - name: enrichments.indicator.scanner_stats level: extended type: long - format: number - description: Shannon entropy calculation from the list of Go imports. + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 default_field: false - - name: enrichments.indicator.file.pe.go_imports_names_var_entropy + - name: enrichments.indicator.sightings level: extended type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: enrichments.indicator.file.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
+ description: Number of times this indicator was observed conducting threat activity. + example: 20 default_field: false - - name: enrichments.indicator.file.pe.imphash + - name: enrichments.indicator.type level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf + description: Type of indicator as represented by Cyber Observable in STIX 2.0. + example: ipv4-addr default_field: false - - name: enrichments.indicator.file.pe.import_hash + - name: enrichments.indicator.url.domain level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. + description: 'Domain of the url, such as "www.elastic.co". - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: enrichments.indicator.file.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: enrichments.indicator.file.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: enrichments.indicator.file.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
+ In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co default_field: false - - name: enrichments.indicator.file.pe.original_file_name + - name: enrichments.indicator.url.extension level: extended type: keyword ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: enrichments.indicator.file.pe.pehash + - name: enrichments.indicator.url.fragment level: extended type: keyword ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. + description: 'Portion of the url after the `#`, such as "top". - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 + The `#` is not part of the fragment.' default_field: false - - name: enrichments.indicator.file.pe.product + - name: enrichments.indicator.url.full level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. 
- example: Microsoft® Windows® Operating System + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top default_field: false - - name: enrichments.indicator.file.pe.sections + - name: enrichments.indicator.url.original level: extended - type: nested - description: 'An array containing an object for each section of the PE file. + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Unmodified original url as seen in the event source. - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: enrichments.indicator.file.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch default_field: false - - name: enrichments.indicator.file.pe.sections.name + - name: enrichments.indicator.url.password level: extended type: keyword ignore_above: 1024 - description: PE Section List name. + description: Password of the request. default_field: false - - name: enrichments.indicator.file.pe.sections.physical_size + - name: enrichments.indicator.url.path level: extended - type: long - format: bytes - description: PE Section List physical size. + type: wildcard + description: Path of the request, such as "/search". 
default_field: false - - name: enrichments.indicator.file.pe.sections.var_entropy + - name: enrichments.indicator.url.port level: extended type: long - format: number - description: Variance for Shannon entropy calculation from the section. + format: string + description: Port of the request, such as 443. + example: 443 default_field: false - - name: enrichments.indicator.file.pe.sections.virtual_size + - name: enrichments.indicator.url.query level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. + type: keyword + ignore_above: 2083 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' + default_field: false + - name: enrichments.indicator.url.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com default_field: false - - name: enrichments.indicator.file.size + - name: enrichments.indicator.url.scheme level: extended - type: long - description: 'File size in bytes. + type: keyword + ignore_above: 1024 + description: 'Scheme of the request, such as "https". - Only relevant when `file.type` is "file".' - example: 16384 + Note: The `:` is not part of the scheme.' 
+ example: https default_field: false - - name: enrichments.indicator.file.target_path + - name: enrichments.indicator.url.subdomain level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Target path for symlinks. + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east default_field: false - - name: enrichments.indicator.file.type + - name: enrichments.indicator.url.top_level_domain level: extended type: keyword ignore_above: 1024 - description: File type (file, dir, or symlink). - example: file + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk default_field: false - - name: enrichments.indicator.file.uid + - name: enrichments.indicator.url.username level: extended type: keyword ignore_above: 1024 - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' + description: Username of the request. 
default_field: false - - name: enrichments.indicator.file.x509.alternative_names + - name: enrichments.indicator.x509.alternative_names level: extended type: keyword ignore_above: 1024 @@ -10526,21 +37160,21 @@ (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - - name: enrichments.indicator.file.x509.issuer.common_name + - name: enrichments.indicator.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - - name: enrichments.indicator.file.x509.issuer.country + - name: enrichments.indicator.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) codes example: US default_field: false - - name: enrichments.indicator.file.x509.issuer.distinguished_name + - name: enrichments.indicator.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 
@@ -10548,54 +37182,54 @@ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - - name: enrichments.indicator.file.x509.issuer.locality + - name: enrichments.indicator.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - - name: enrichments.indicator.file.x509.issuer.organization + - name: enrichments.indicator.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - - name: enrichments.indicator.file.x509.issuer.organizational_unit + - name: enrichments.indicator.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - - name: enrichments.indicator.file.x509.issuer.state_or_province + - name: enrichments.indicator.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: enrichments.indicator.file.x509.not_after + - name: enrichments.indicator.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: '2020-07-16T03:15:39Z' default_field: false - - name: enrichments.indicator.file.x509.not_before + - name: enrichments.indicator.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: '2019-08-16T01:40:25Z' default_field: false - - name: enrichments.indicator.file.x509.public_key_algorithm + - name: enrichments.indicator.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. 
example: RSA default_field: false - - name: enrichments.indicator.file.x509.public_key_curve + - name: enrichments.indicator.x509.public_key_curve level: extended type: keyword ignore_above: 1024 @@ -10603,7 +37237,7 @@ is algorithm specific. example: nistp521 default_field: false - - name: enrichments.indicator.file.x509.public_key_exponent + - name: enrichments.indicator.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. @@ -10611,13 +37245,13 @@ index: false doc_values: false default_field: false - - name: enrichments.indicator.file.x509.public_key_size + - name: enrichments.indicator.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - - name: enrichments.indicator.file.x509.serial_number + - name: enrichments.indicator.x509.serial_number level: extended type: keyword ignore_above: 1024 @@ -10626,7 +37260,7 @@ characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: enrichments.indicator.file.x509.signature_algorithm + - name: enrichments.indicator.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 
@@ -10634,969 +37268,814 @@ names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - - name: enrichments.indicator.file.x509.subject.common_name + - name: enrichments.indicator.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - - name: enrichments.indicator.file.x509.subject.country + - name: enrichments.indicator.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) code example: US default_field: false - - name: enrichments.indicator.file.x509.subject.distinguished_name + - name: enrichments.indicator.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: enrichments.indicator.file.x509.subject.locality + - name: enrichments.indicator.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - - name: enrichments.indicator.file.x509.subject.organization + - name: enrichments.indicator.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - - name: enrichments.indicator.file.x509.subject.organizational_unit + - name: enrichments.indicator.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. 
default_field: false - - name: enrichments.indicator.file.x509.subject.state_or_province + - name: enrichments.indicator.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: enrichments.indicator.file.x509.version_number + - name: enrichments.indicator.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - - name: enrichments.indicator.first_seen + - name: enrichments.matched.atomic level: extended - type: date - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: enrichments.indicator.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: enrichments.indicator.geo.continent_code - level: core type: keyword ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com default_field: false - - name: enrichments.indicator.geo.continent_name - level: core + - name: enrichments.matched.field + level: extended type: keyword ignore_above: 1024 - description: Name of the continent. - example: North America + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 default_field: false - - name: enrichments.indicator.geo.country_iso_code - level: core + - name: enrichments.matched.id + level: extended type: keyword ignore_above: 1024 - description: Country ISO code. - example: CA + description: Identifies the _id of the indicator document enriching the event. 
+ example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 default_field: false - - name: enrichments.indicator.geo.country_name - level: core + - name: enrichments.matched.index + level: extended type: keyword ignore_above: 1024 - description: Country name. - example: Canada + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 default_field: false - - name: enrichments.indicator.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: enrichments.matched.occurred + level: extended + type: date + description: Indicates when the indicator match was generated + example: '2021-10-05T17:00:58.326Z' default_field: false - - name: enrichments.indicator.geo.name + - name: enrichments.matched.type level: extended type: keyword ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule default_field: false - - name: enrichments.indicator.geo.postal_code - level: core + - name: feed.dashboard_id + level: extended type: keyword ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 + description: The saved object ID of the dashboard belonging to the threat feed + for displaying dashboard links to threat feeds in Kibana. 
+ example: 5ba16340-72e6-11eb-a3e3-b3cc7c78a70f default_field: false - - name: enrichments.indicator.geo.region_iso_code - level: core + - name: feed.description + level: extended type: keyword ignore_above: 1024 - description: Region ISO code. - example: CA-QC + description: Description of the threat feed in a UI friendly format. + example: Threat feed from the AlienVault Open Threat eXchange network. default_field: false - - name: enrichments.indicator.geo.region_name - level: core + - name: feed.name + level: extended type: keyword ignore_above: 1024 - description: Region name. - example: Quebec + description: The name of the threat feed in UI friendly format. + example: AlienVault OTX default_field: false - - name: enrichments.indicator.geo.timezone - level: core + - name: feed.reference + level: extended type: keyword ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: enrichments.indicator.ip - level: extended - type: ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 + description: Reference information for the threat feed in a UI friendly format. + example: https://otx.alienvault.com default_field: false - - name: enrichments.indicator.last_seen + - name: framework level: extended - type: date - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: enrichments.indicator.marking.tlp + type: keyword + ignore_above: 1024 + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. 
+ example: MITRE ATT&CK + - name: group.alias level: extended type: keyword ignore_above: 1024 - description: Traffic Light Protocol sharing markings. - example: CLEAR + description: 'The alias(es) of the group for a set of related intrusion activity + that are tracked by a common name in the security community. + + While not required, you can use a MITRE ATT&CK® group alias(es).' + example: '[ "Magecart Group 6" ]' default_field: false - - name: enrichments.indicator.marking.tlp_version + - name: group.id level: extended type: keyword ignore_above: 1024 - description: Traffic Light Protocol version. - example: 2.0 + description: 'The id of the group for a set of related intrusion activity that + are tracked by a common name in the security community. + + While not required, you can use a MITRE ATT&CK® group id.' + example: G0037 default_field: false - - name: enrichments.indicator.modified_at + - name: group.name level: extended - type: date - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' + type: keyword + ignore_above: 1024 + description: 'The name of the group for a set of related intrusion activity + that are tracked by a common name in the security community. + + While not required, you can use a MITRE ATT&CK® group name.' + example: FIN6 default_field: false - - name: enrichments.indicator.name + - name: group.reference level: extended type: keyword ignore_above: 1024 - description: 'The display name indicator in an UI friendly format + description: 'The reference URL of the group for a set of related intrusion + activity that are tracked by a common name in the security community. - URL, IP address, email address, registry key, port number, hash value, or - other relevant name can serve as the display name.' - example: 5.2.75.227 + While not required, you can use a MITRE ATT&CK® group reference URL.' 
+ example: https://attack.mitre.org/groups/G0037/ default_field: false - - name: enrichments.indicator.port + - name: indicator.as.number level: extended type: long - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 default_field: false - - name: enrichments.indicator.provider + - name: indicator.as.organization.name level: extended type: keyword ignore_above: 1024 - description: The name of the indicator's provider. - example: lrz_urlhaus + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC default_field: false - - name: enrichments.indicator.reference + - name: indicator.confidence level: extended type: keyword ignore_above: 1024 - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 + description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High + scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence + scales may be added as custom fields. + example: Medium default_field: false - - name: enrichments.indicator.registry.data.bytes + - name: indicator.description level: extended type: keyword ignore_above: 1024 - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - default_field: false - - name: enrichments.indicator.registry.data.strings - level: core - type: wildcard - description: 'Content when writing string types. 
- - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. default_field: false - - name: enrichments.indicator.registry.data.type - level: core + - name: indicator.email.address + level: extended type: keyword ignore_above: 1024 - description: Standard registry type for encoding contents - example: REG_SZ + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com default_field: false - - name: enrichments.indicator.registry.hive - level: core - type: keyword - ignore_above: 1024 - description: Abbreviated name for the hive. - example: HKLM + - name: indicator.file.accessed + level: extended + type: date + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' default_field: false - - name: enrichments.indicator.registry.key - level: core + - name: indicator.file.attributes + level: extended type: keyword ignore_above: 1024 - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' default_field: false - - name: enrichments.indicator.registry.path - level: core + - name: indicator.file.code_signature.digest_algorithm + level: extended type: keyword ignore_above: 1024 - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 default_field: false - - name: enrichments.indicator.registry.value + - name: indicator.file.code_signature.exists level: core - type: keyword - ignore_above: 1024 - description: Name of the value written. - example: Debugger - default_field: false - - name: enrichments.indicator.scanner_stats - level: extended - type: long - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 - default_field: false - - name: enrichments.indicator.sightings - level: extended - type: long - description: Number of times this indicator was observed conducting threat activity. - example: 20 + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' default_field: false - - name: enrichments.indicator.type + - name: indicator.file.code_signature.flags level: extended type: keyword ignore_above: 1024 - description: Type of indicator as represented by Cyber Observable in STIX 2.0. - example: ipv4-addr + description: The flags used to sign the process. + example: 570522385 default_field: false - - name: enrichments.indicator.url.domain + - name: indicator.file.code_signature.signing_id level: extended type: keyword ignore_above: 1024 - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. 
In this case, the IP address would go to the `domain` field. + description: 'The identifier used to sign the process. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC - 2732), the `[` and `]` characters should also be captured in the `domain` - field.' - example: www.elastic.co + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy default_field: false - - name: enrichments.indicator.url.extension + - name: indicator.file.code_signature.status level: extended type: keyword ignore_above: 1024 - description: 'The field contains the file extension from the original request - url, excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". + description: 'Additional information about the certificate status. - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT default_field: false - - name: enrichments.indicator.url.fragment - level: extended + - name: indicator.file.code_signature.subject_name + level: core type: keyword ignore_above: 1024 - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' - default_field: false - - name: enrichments.indicator.url.full - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. 
- example: https://www.elastic.co:443/search?q=elasticsearch#top - default_field: false - - name: enrichments.indicator.url.original - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + description: Subject name of the code signer + example: Microsoft Corporation default_field: false - - name: enrichments.indicator.url.password + - name: indicator.file.code_signature.team_id level: extended type: keyword ignore_above: 1024 - description: Password of the request. + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV default_field: false - - name: enrichments.indicator.url.path + - name: indicator.file.code_signature.thumbprint_sha256 level: extended - type: wildcard - description: Path of the request, such as "/search". + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ default_field: false - - name: enrichments.indicator.url.port + - name: indicator.file.code_signature.timestamp level: extended - type: long - format: string - description: Port of the request, such as 443. - example: 443 + type: date + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' default_field: false - - name: enrichments.indicator.url.query + - name: indicator.file.code_signature.trusted level: extended - type: keyword - ignore_above: 2083 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". + type: boolean + description: 'Stores the trust status of the certificate chain. - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases.' + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' default_field: false - - name: enrichments.indicator.url.registered_domain + - name: indicator.file.code_signature.valid level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com + Leave unpopulated if a certificate was unchecked.' + example: 'true' default_field: false - - name: enrichments.indicator.url.scheme + - name: indicator.file.created level: extended - type: keyword - ignore_above: 1024 - description: 'Scheme of the request, such as "https". + type: date + description: 'File creation time. - Note: The `:` is not part of the scheme.' - example: https + Note that not all filesystems store the creation time.' 
default_field: false - - name: enrichments.indicator.url.subdomain + - name: indicator.file.ctime level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. + type: date + description: 'Last time the file attributes or metadata changed. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' default_field: false - - name: enrichments.indicator.url.top_level_domain + - name: indicator.file.device level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk + description: Device that is the source of the file. + example: sda default_field: false - - name: enrichments.indicator.url.username + - name: indicator.file.directory level: extended type: keyword ignore_above: 1024 - description: Username of the request. + description: Directory where the file is located. It should include the drive + letter, when appropriate. 
+ example: /home/alice default_field: false - - name: enrichments.indicator.x509.alternative_names + - name: indicator.file.drive_letter level: extended type: keyword - ignore_above: 1024 - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C default_field: false - - name: enrichments.indicator.x509.issuer.common_name + - name: indicator.file.elf.architecture level: extended type: keyword ignore_above: 1024 - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA + description: Machine architecture of the ELF file. + example: x86-64 default_field: false - - name: enrichments.indicator.x509.issuer.country + - name: indicator.file.elf.byte_order level: extended type: keyword ignore_above: 1024 - description: List of country \(C) codes - example: US + description: Byte sequence of ELF file. + example: Little Endian default_field: false - - name: enrichments.indicator.x509.issuer.distinguished_name + - name: indicator.file.elf.cpu_type level: extended type: keyword ignore_above: 1024 - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA + description: CPU type of the ELF file. + example: Intel default_field: false - - name: enrichments.indicator.x509.issuer.locality + - name: indicator.file.elf.creation_date level: extended - type: keyword - ignore_above: 1024 - description: List of locality names (L) - example: Mountain View + type: date + description: Extracted when possible from the file's metadata. 
Indicates when + it was built or compiled. It can also be faked by malware creators. default_field: false - - name: enrichments.indicator.x509.issuer.organization + - name: indicator.file.elf.exports level: extended - type: keyword - ignore_above: 1024 - description: List of organizations (O) of issuing certificate authority. - example: Example Inc + type: flattened + description: List of exported element names and types. default_field: false - - name: enrichments.indicator.x509.issuer.organizational_unit + - name: indicator.file.elf.go_import_hash level: extended type: keyword ignore_above: 1024 - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: enrichments.indicator.x509.issuer.state_or_province + - name: indicator.file.elf.go_imports level: extended - type: keyword - ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California + type: flattened + description: List of imported Go language element names and types. default_field: false - - name: enrichments.indicator.x509.not_after + - name: indicator.file.elf.go_imports_names_entropy level: extended - type: date - description: Time at which the certificate is no longer considered valid. - example: '2020-07-16T03:15:39Z' + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. 
default_field: false - - name: enrichments.indicator.x509.not_before + - name: indicator.file.elf.go_imports_names_var_entropy level: extended - type: date - description: Time at which the certificate is first considered valid. - example: '2019-08-16T01:40:25Z' + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: enrichments.indicator.x509.public_key_algorithm + - name: indicator.file.elf.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + default_field: false + - name: indicator.file.elf.header.abi_version level: extended type: keyword ignore_above: 1024 - description: Algorithm used to generate the public key. - example: RSA + description: Version of the ELF Application Binary Interface (ABI). default_field: false - - name: enrichments.indicator.x509.public_key_curve + - name: indicator.file.elf.header.class level: extended type: keyword ignore_above: 1024 - description: The curve used by the elliptic curve public key algorithm. This - is algorithm specific. - example: nistp521 + description: Header class of the ELF file. default_field: false - - name: enrichments.indicator.x509.public_key_exponent + - name: indicator.file.elf.header.data level: extended - type: long - description: Exponent used to derive the public key. This is algorithm specific. - example: 65537 - index: false - doc_values: false + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. default_field: false - - name: enrichments.indicator.x509.public_key_size + - name: indicator.file.elf.header.entrypoint level: extended type: long - description: The size of the public key space in bits. - example: 2048 + format: string + description: Header entrypoint of the ELF file. 
default_field: false - - name: enrichments.indicator.x509.serial_number + - name: indicator.file.elf.header.object_version level: extended type: keyword ignore_above: 1024 - description: Unique serial number issued by the certificate authority. For consistency, - this must be encoded in base 16 and formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA + description: '"0x1" for original ELF files.' default_field: false - - name: enrichments.indicator.x509.signature_algorithm + - name: indicator.file.elf.header.os_abi level: extended type: keyword ignore_above: 1024 - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA + description: Application Binary Interface (ABI) of the Linux OS. default_field: false - - name: enrichments.indicator.x509.subject.common_name + - name: indicator.file.elf.header.type level: extended type: keyword ignore_above: 1024 - description: List of common names (CN) of subject. - example: shared.global.example.net + description: Header type of the ELF file. default_field: false - - name: enrichments.indicator.x509.subject.country + - name: indicator.file.elf.header.version level: extended type: keyword ignore_above: 1024 - description: List of country \(C) code - example: US + description: Version of the ELF header. default_field: false - - name: enrichments.indicator.x509.subject.distinguished_name + - name: indicator.file.elf.import_hash level: extended type: keyword ignore_above: 1024 - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + description: 'A hash of the imports in an ELF file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: enrichments.indicator.x509.subject.locality + - name: indicator.file.elf.imports level: extended - type: keyword - ignore_above: 1024 - description: List of locality names (L) - example: San Francisco + type: flattened + description: List of imported element names and types. default_field: false - - name: enrichments.indicator.x509.subject.organization + - name: indicator.file.elf.imports_names_entropy level: extended - type: keyword - ignore_above: 1024 - description: List of organizations (O) of subject. - example: Example, Inc. + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. default_field: false - - name: enrichments.indicator.x509.subject.organizational_unit + - name: indicator.file.elf.imports_names_var_entropy level: extended - type: keyword - ignore_above: 1024 - description: List of organizational units (OU) of subject. + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. default_field: false - - name: enrichments.indicator.x509.subject.state_or_province + - name: indicator.file.elf.sections level: extended - type: keyword - ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' 
default_field: false - - name: enrichments.indicator.x509.version_number + - name: indicator.file.elf.sections.chi2 level: extended - type: keyword - ignore_above: 1024 - description: Version of x509 format. - example: 3 + type: long + format: number + description: Chi-square probability distribution of the section. default_field: false - - name: enrichments.matched.atomic + - name: indicator.file.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: indicator.file.elf.sections.flags level: extended type: keyword ignore_above: 1024 - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com + description: ELF Section List flags. default_field: false - - name: enrichments.matched.field + - name: indicator.file.elf.sections.name level: extended type: keyword ignore_above: 1024 - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 + description: ELF Section List name. default_field: false - - name: enrichments.matched.id + - name: indicator.file.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + description: ELF Section List offset. default_field: false - - name: enrichments.matched.index + - name: indicator.file.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: indicator.file.elf.sections.type level: extended type: keyword ignore_above: 1024 - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 + description: ELF Section List type. 
default_field: false - - name: enrichments.matched.occurred + - name: indicator.file.elf.sections.var_entropy level: extended - type: date - description: Indicates when the indicator match was generated - example: '2021-10-05T17:00:58.326Z' + type: long + format: number + description: Variance for Shannon entropy calculation from the section. default_field: false - - name: enrichments.matched.type + - name: indicator.file.elf.sections.virtual_address level: extended - type: keyword - ignore_above: 1024 - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule + type: long + format: string + description: ELF Section List virtual address. default_field: false - - name: feed.dashboard_id + - name: indicator.file.elf.sections.virtual_size level: extended - type: keyword - ignore_above: 1024 - description: The saved object ID of the dashboard belonging to the threat feed - for displaying dashboard links to threat feeds in Kibana. - example: 5ba16340-72e6-11eb-a3e3-b3cc7c78a70f + type: long + format: string + description: ELF Section List virtual size. default_field: false - - name: feed.description + - name: indicator.file.elf.segments level: extended - type: keyword - ignore_above: 1024 - description: Description of the threat feed in a UI friendly format. - example: Threat feed from the AlienVault Open Threat eXchange network. + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' default_field: false - - name: feed.name + - name: indicator.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 - description: The name of the threat feed in UI friendly format. - example: AlienVault OTX + description: ELF object segment sections. 
default_field: false - - name: feed.reference + - name: indicator.file.elf.segments.type level: extended type: keyword ignore_above: 1024 - description: Reference information for the threat feed in a UI friendly format. - example: https://otx.alienvault.com + description: ELF object segment type. default_field: false - - name: framework + - name: indicator.file.elf.shared_libraries level: extended type: keyword ignore_above: 1024 - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - - name: group.alias + description: List of shared libraries used by this ELF object. + default_field: false + - name: indicator.file.elf.telfhash level: extended type: keyword ignore_above: 1024 - description: 'The alias(es) of the group for a set of related intrusion activity - that are tracked by a common name in the security community. - - While not required, you can use a MITRE ATT&CK® group alias(es).' - example: '[ "Magecart Group 6" ]' + description: telfhash symbol hash for ELF file. default_field: false - - name: group.id + - name: indicator.file.extension level: extended type: keyword ignore_above: 1024 - description: 'The id of the group for a set of related intrusion activity that - are tracked by a common name in the security community. + description: 'File extension, excluding the leading dot. - While not required, you can use a MITRE ATT&CK® group id.' - example: G0037 + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' 
+ example: png default_field: false - - name: group.name + - name: indicator.file.fork_name level: extended type: keyword ignore_above: 1024 - description: 'The name of the group for a set of related intrusion activity - that are tracked by a common name in the security community. + description: 'A fork is additional data associated with a filesystem object. - While not required, you can use a MITRE ATT&CK® group name.' - example: FIN6 + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer default_field: false - - name: group.reference + - name: indicator.file.gid level: extended type: keyword ignore_above: 1024 - description: 'The reference URL of the group for a set of related intrusion - activity that are tracked by a common name in the security community. - - While not required, you can use a MITRE ATT&CK® group reference URL.' - example: https://attack.mitre.org/groups/G0037/ - default_field: false - - name: indicator.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 + description: Primary group ID (GID) of the file. 
+ example: '1001' default_field: false - - name: indicator.as.organization.name + - name: indicator.file.group level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC + description: Primary group name of the file. + example: alice default_field: false - - name: indicator.confidence + - name: indicator.file.hash.cdhash level: extended type: keyword ignore_above: 1024 - description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High - scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence - scales may be added as custom fields. - example: Medium + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 default_field: false - - name: indicator.description + - name: indicator.file.hash.md5 level: extended type: keyword ignore_above: 1024 - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. + description: MD5 hash. default_field: false - - name: indicator.email.address + - name: indicator.file.hash.sha1 level: extended type: keyword ignore_above: 1024 - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com - default_field: false - - name: indicator.file.accessed - level: extended - type: date - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' + description: SHA1 hash. default_field: false - - name: indicator.file.attributes + - name: indicator.file.hash.sha256 level: extended type: keyword ignore_above: 1024 - description: 'Array of file attributes. - - Attributes names will vary by platform. 
Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, - execute, hidden, read, readonly, system, write.' - example: '["readonly", "system"]' + description: SHA256 hash. default_field: false - - name: indicator.file.code_signature.digest_algorithm + - name: indicator.file.hash.sha384 level: extended type: keyword ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: indicator.file.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' + description: SHA384 hash. default_field: false - - name: indicator.file.code_signature.flags + - name: indicator.file.hash.sha512 level: extended type: keyword ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 + description: SHA512 hash. default_field: false - - name: indicator.file.code_signature.signing_id + - name: indicator.file.hash.ssdeep level: extended type: keyword ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy + description: SSDEEP hash. default_field: false - - name: indicator.file.code_signature.status + - name: indicator.file.hash.tlsh level: extended type: keyword ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT + description: TLSH hash. 
default_field: false - - name: indicator.file.code_signature.subject_name - level: core + - name: indicator.file.inode + level: extended type: keyword ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation + description: Inode representing the file in the filesystem. + example: '256383' default_field: false - - name: indicator.file.code_signature.team_id + - name: indicator.file.mime_type level: extended type: keyword ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV + description: 'MIME type should identify the format of the file or stream of + bytes using IANA official types: https://www.iana.org/assignments/media-types/media-types.xhtml, + where possible. When more than one type is applicable, the most specific type + should be used.' default_field: false - - name: indicator.file.code_signature.thumbprint_sha256 + - name: indicator.file.mode level: extended type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: indicator.file.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: indicator.file.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' 
- example: 'true' - default_field: false - - name: indicator.file.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' + ignore_above: 1024 + description: Mode of the file in octal representation. + example: '0640' default_field: false - - name: indicator.file.created + - name: indicator.file.mtime level: extended type: date - description: 'File creation time. - - Note that not all filesystems store the creation time.' + description: Last time the file content was modified. default_field: false - - name: indicator.file.ctime + - name: indicator.file.name level: extended - type: date - description: 'Last time the file attributes or metadata changed. - - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png default_field: false - - name: indicator.file.device + - name: indicator.file.origin_referrer_url level: extended type: keyword - ignore_above: 1024 - description: Device that is the source of the file. - example: sda + ignore_above: 8192 + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html default_field: false - - name: indicator.file.directory + - name: indicator.file.origin_url level: extended type: keyword - ignore_above: 1024 - description: Directory where the file is located. It should include the drive - letter, when appropriate. - example: /home/alice + ignore_above: 8192 + description: The URL where the file is hosted. 
+ example: http://example.com/imgs/article1_img1.jpg default_field: false - - name: indicator.file.drive_letter + - name: indicator.file.owner level: extended type: keyword - ignore_above: 1 - description: 'Drive letter where the file is located. This field is only relevant - on Windows. - - The value should be uppercase, and not include the colon.' - example: C + ignore_above: 1024 + description: File owner's username. + example: alice default_field: false - - name: indicator.file.elf.architecture + - name: indicator.file.path level: extended type: keyword ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 + multi_fields: + - name: text + type: match_only_text + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png default_field: false - - name: indicator.file.elf.byte_order + - name: indicator.file.pe.architecture level: extended type: keyword ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian + description: CPU architecture target for the file. + example: x64 default_field: false - - name: indicator.file.elf.cpu_type + - name: indicator.file.pe.company level: extended type: keyword ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation default_field: false - - name: indicator.file.elf.creation_date + - name: indicator.file.pe.description level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. 
+ example: Paint default_field: false - - name: indicator.file.elf.exports + - name: indicator.file.pe.file_version level: extended - type: flattened - description: List of exported element names and types. + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: indicator.file.elf.go_import_hash + - name: indicator.file.pe.go_import_hash level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard + description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
@@ -11605,567 +38084,734 @@ are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: indicator.file.elf.go_imports + - name: indicator.file.pe.go_imports level: extended type: flattened description: List of imported Go language element names and types. default_field: false - - name: indicator.file.elf.go_imports_names_entropy + - name: indicator.file.pe.go_imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: indicator.file.elf.go_imports_names_var_entropy + - name: indicator.file.pe.go_imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: indicator.file.elf.go_stripped + - name: indicator.file.pe.go_stripped level: extended type: boolean description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: indicator.file.elf.header.abi_version + - name: indicator.file.pe.imphash level: extended type: keyword ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: indicator.file.elf.header.class + - name: indicator.file.pe.import_hash level: extended type: keyword ignore_above: 1024 - description: Header class of the ELF file. + description: 'A hash of the imports in a PE file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: indicator.file.elf.header.data + - name: indicator.file.pe.imports level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. + type: flattened + description: List of imported element names and types. default_field: false - - name: indicator.file.elf.header.entrypoint + - name: indicator.file.pe.imports_names_entropy level: extended type: long - format: string - description: Header entrypoint of the ELF file. + format: number + description: Shannon entropy calculation from the list of imported element names + and types. default_field: false - - name: indicator.file.elf.header.object_version + - name: indicator.file.pe.imports_names_var_entropy level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. default_field: false - - name: indicator.file.elf.header.os_abi + - name: indicator.file.pe.original_file_name level: extended type: keyword ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE default_field: false - - name: indicator.file.elf.header.type + - name: indicator.file.pe.pehash level: extended type: keyword ignore_above: 1024 - description: Header type of the ELF file. + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. 
+ + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 default_field: false - - name: indicator.file.elf.header.version + - name: indicator.file.pe.product level: extended type: keyword ignore_above: 1024 - description: Version of the ELF header. + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System default_field: false - - name: indicator.file.elf.import_hash + - name: indicator.file.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + default_field: false + - name: indicator.file.pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: indicator.file.pe.sections.name level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e + description: PE Section List name. default_field: false - - name: indicator.file.elf.imports + - name: indicator.file.pe.sections.physical_size level: extended - type: flattened - description: List of imported element names and types. + type: long + format: bytes + description: PE Section List physical size. 
default_field: false - - name: indicator.file.elf.imports_names_entropy + - name: indicator.file.pe.sections.var_entropy level: extended type: long format: number - description: Shannon entropy calculation from the list of imported element names - and types. + description: Variance for Shannon entropy calculation from the section. default_field: false - - name: indicator.file.elf.imports_names_var_entropy + - name: indicator.file.pe.sections.virtual_size level: extended type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: indicator.file.elf.sections + - name: indicator.file.size level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. + type: long + description: 'File size in bytes. - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' + Only relevant when `file.type` is "file".' + example: 16384 + default_field: false + - name: indicator.file.target_path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Target path for symlinks. + default_field: false + - name: indicator.file.type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + default_field: false + - name: indicator.file.uid + level: extended + type: keyword + ignore_above: 1024 + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + default_field: false + - name: indicator.file.x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). 
Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: indicator.file.x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + default_field: false + - name: indicator.file.x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country \(C) codes + example: US default_field: false - - name: indicator.file.elf.sections.chi2 + - name: indicator.file.x509.issuer.distinguished_name level: extended - type: long - format: number - description: Chi-square probability distribution of the section. + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA default_field: false - - name: indicator.file.elf.sections.entropy + - name: indicator.file.x509.issuer.locality level: extended - type: long - format: number - description: Shannon entropy calculation from the section. + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View default_field: false - - name: indicator.file.elf.sections.flags + - name: indicator.file.x509.issuer.organization level: extended type: keyword ignore_above: 1024 - description: ELF Section List flags. + description: List of organizations (O) of issuing certificate authority. + example: Example Inc default_field: false - - name: indicator.file.elf.sections.name + - name: indicator.file.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 - description: ELF Section List name. + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.example.com default_field: false - - name: indicator.file.elf.sections.physical_offset + - name: indicator.file.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 - description: ELF Section List offset. + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: indicator.file.elf.sections.physical_size + - name: indicator.file.x509.not_after level: extended - type: long - format: bytes - description: ELF Section List physical size. + type: date + description: Time at which the certificate is no longer considered valid. + example: '2020-07-16T03:15:39Z' default_field: false - - name: indicator.file.elf.sections.type + - name: indicator.file.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: '2019-08-16T01:40:25Z' + default_field: false + - name: indicator.file.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 - description: ELF Section List type. + description: Algorithm used to generate the public key. + example: RSA default_field: false - - name: indicator.file.elf.sections.var_entropy + - name: indicator.file.x509.public_key_curve level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 default_field: false - - name: indicator.file.elf.sections.virtual_address + - name: indicator.file.x509.public_key_exponent level: extended type: long - format: string - description: ELF Section List virtual address. + description: Exponent used to derive the public key. This is algorithm specific. 
+ example: 65537 + index: false + doc_values: false default_field: false - - name: indicator.file.elf.sections.virtual_size + - name: indicator.file.x509.public_key_size level: extended type: long - format: string - description: ELF Section List virtual size. + description: The size of the public key space in bits. + example: 2048 default_field: false - - name: indicator.file.elf.segments + - name: indicator.file.x509.serial_number level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + this must be encoded in base 16 and formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: indicator.file.elf.segments.sections + - name: indicator.file.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 - description: ELF object segment sections. + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA default_field: false - - name: indicator.file.elf.segments.type + - name: indicator.file.x509.subject.common_name level: extended type: keyword ignore_above: 1024 - description: ELF object segment type. + description: List of common names (CN) of subject. + example: shared.global.example.net default_field: false - - name: indicator.file.elf.shared_libraries + - name: indicator.file.x509.subject.country level: extended type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object. 
+ description: List of country \(C) code + example: US default_field: false - - name: indicator.file.elf.telfhash + - name: indicator.file.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 - description: telfhash symbol hash for ELF file. + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: indicator.file.extension + - name: indicator.file.x509.subject.locality level: extended type: keyword ignore_above: 1024 - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png + description: List of locality names (L) + example: San Francisco default_field: false - - name: indicator.file.fork_name + - name: indicator.file.x509.subject.organization level: extended type: keyword ignore_above: 1024 - description: 'A fork is additional data associated with a filesystem object. - - On Linux, a resource fork is used to store additional data with a filesystem - object. A file always has at least one fork for the data portion, and additional - forks may exist. - - On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default - data stream for a file is just called $DATA. Zone.Identifier is commonly used - by Windows to track contents downloaded from the Internet. An ADS is typically - of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` - is the value that should populate `fork_name`. `filename.extension` should - populate `file.name`, and `extension` should populate `file.extension`. The - full path, `file.path`, will include the fork name.' - example: Zone.Identifer + description: List of organizations (O) of subject. + example: Example, Inc. 
default_field: false - - name: indicator.file.gid + - name: indicator.file.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 - description: Primary group ID (GID) of the file. - example: '1001' + description: List of organizational units (OU) of subject. default_field: false - - name: indicator.file.group + - name: indicator.file.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 - description: Primary group name of the file. - example: alice + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: indicator.file.hash.cdhash + - name: indicator.file.x509.version_number level: extended type: keyword ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + description: Version of x509 format. + example: 3 default_field: false - - name: indicator.file.hash.md5 + - name: indicator.first_seen level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.geo.city_name + level: core type: keyword ignore_above: 1024 - description: MD5 hash. + description: City name. + example: Montreal default_field: false - - name: indicator.file.hash.sha1 - level: extended + - name: indicator.geo.continent_code + level: core type: keyword ignore_above: 1024 - description: SHA1 hash. + description: Two-letter code representing continent's name. + example: NA default_field: false - - name: indicator.file.hash.sha256 - level: extended + - name: indicator.geo.continent_name + level: core type: keyword ignore_above: 1024 - description: SHA256 hash. + description: Name of the continent. 
+ example: North America default_field: false - - name: indicator.file.hash.sha384 - level: extended + - name: indicator.geo.country_iso_code + level: core type: keyword ignore_above: 1024 - description: SHA384 hash. + description: Country ISO code. + example: CA default_field: false - - name: indicator.file.hash.sha512 + - name: indicator.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: indicator.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: indicator.geo.name level: extended type: keyword ignore_above: 1024 - description: SHA512 hash. + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc default_field: false - - name: indicator.file.hash.ssdeep + - name: indicator.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: indicator.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: indicator.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: indicator.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + default_field: false + - name: indicator.id level: extended type: keyword ignore_above: 1024 - description: SSDEEP hash. + description: 'The ID of the indicator used by this threat to conduct behavior + commonly modeled using MITRE ATT&CK®. This field can have multiple values + to allow for the identification of the same indicator across systems that + use different ID formats. + + While not required, a common approach is to use a STIX 2.x indicator ID.' + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' default_field: false - - name: indicator.file.hash.tlsh + - name: indicator.ip level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 default_field: false - - name: indicator.file.inode + - name: indicator.last_seen level: extended - type: keyword - ignore_above: 1024 - description: Inode representing the file in the filesystem. - example: '256383' + type: date + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: indicator.file.mime_type + - name: indicator.marking.tlp level: extended type: keyword ignore_above: 1024 - description: 'MIME type should identify the format of the file or stream of - bytes using IANA official types: https://www.iana.org/assignments/media-types/media-types.xhtml, - where possible. When more than one type is applicable, the most specific type - should be used.' + description: Traffic Light Protocol sharing markings. + example: CLEAR default_field: false - - name: indicator.file.mode + - name: indicator.marking.tlp_version level: extended type: keyword ignore_above: 1024 - description: Mode of the file in octal representation. - example: '0640' + description: Traffic Light Protocol version. 
+ example: 2.0 default_field: false - - name: indicator.file.mtime + - name: indicator.modified_at level: extended type: date - description: Last time the file content was modified. + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: indicator.file.name + - name: indicator.name level: extended type: keyword ignore_above: 1024 - description: Name of the file including the extension, without the directory. - example: example.png + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' + example: 5.2.75.227 default_field: false - - name: indicator.file.origin_referrer_url + - name: indicator.port level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the file. - example: http://example.com/article1.html + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 default_field: false - - name: indicator.file.origin_url + - name: indicator.provider level: extended type: keyword - ignore_above: 8192 - description: The URL where the file is hosted. - example: http://example.com/imgs/article1_img1.jpg + ignore_above: 1024 + description: The name of the indicator's provider. + example: lrz_urlhaus default_field: false - - name: indicator.file.owner + - name: indicator.reference level: extended type: keyword ignore_above: 1024 - description: File owner's username. - example: alice + description: Reference URL linking to additional information about this indicator. 
+ example: https://system.example.com/indicator/0001234 default_field: false - - name: indicator.file.path + - name: indicator.registry.data.bytes level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Full path to the file, including the file name. It should include - the drive letter, when appropriate. - example: /home/alice/example.png + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: indicator.file.pe.architecture - level: extended + - name: indicator.registry.data.strings + level: core + type: wildcard + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: indicator.registry.data.type + level: core type: keyword ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 + description: Standard registry type for encoding contents + example: REG_SZ default_field: false - - name: indicator.file.pe.company - level: extended + - name: indicator.registry.hive + level: core type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation + description: Abbreviated name for the hive. 
+ example: HKLM default_field: false - - name: indicator.file.pe.description - level: extended + - name: indicator.registry.key + level: core type: keyword ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - - name: indicator.file.pe.file_version - level: extended + - name: indicator.registry.path + level: core type: keyword ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger default_field: false - - name: indicator.file.pe.go_import_hash - level: extended + - name: indicator.registry.value + level: core type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: indicator.file.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. + description: Name of the value written. + example: Debugger default_field: false - - name: indicator.file.pe.go_imports_names_entropy + - name: indicator.scanner_stats level: extended type: long - format: number - description: Shannon entropy calculation from the list of Go imports. 
+ description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 default_field: false - - name: indicator.file.pe.go_imports_names_var_entropy + - name: indicator.sightings level: extended type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. + description: Number of times this indicator was observed conducting threat activity. + example: 20 default_field: false - - name: indicator.file.pe.go_stripped + - name: indicator.type level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. + type: keyword + ignore_above: 1024 + description: Type of indicator as represented by Cyber Observable in STIX 2.0. + example: ipv4-addr default_field: false - - name: indicator.file.pe.imphash + - name: indicator.url.domain level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + description: 'Domain of the url, such as "www.elastic.co". - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co default_field: false - - name: indicator.file.pe.import_hash + - name: indicator.url.extension level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. + description: 'The field contains the file extension from the original request + url, excluding the leading dot. - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: indicator.file.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: indicator.file.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: indicator.file.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: indicator.file.pe.original_file_name + - name: indicator.url.fragment level: extended type: keyword ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' default_field: false - - name: indicator.file.pe.pehash + - name: indicator.url.full level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. 
+ type: wildcard + multi_fields: + - name: text + type: match_only_text + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + default_field: false + - name: indicator.url.original + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Unmodified original url as seen in the event source. - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch default_field: false - - name: indicator.file.pe.product + - name: indicator.url.password level: extended type: keyword ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System + description: Password of the request. default_field: false - - name: indicator.file.pe.sections + - name: indicator.url.path level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' + type: wildcard + description: Path of the request, such as "/search". default_field: false - - name: indicator.file.pe.sections.entropy + - name: indicator.url.port level: extended type: long - format: number - description: Shannon entropy calculation from the section. + format: string + description: Port of the request, such as 443. 
+ example: 443 default_field: false - - name: indicator.file.pe.sections.name + - name: indicator.url.query level: extended type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: indicator.file.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: indicator.file.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. + ignore_above: 2083 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' default_field: false - - name: indicator.file.pe.sections.virtual_size + - name: indicator.url.registered_domain level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com default_field: false - - name: indicator.file.size + - name: indicator.url.scheme level: extended - type: long - description: 'File size in bytes. + type: keyword + ignore_above: 1024 + description: 'Scheme of the request, such as "https". - Only relevant when `file.type` is "file".' - example: 16384 + Note: The `:` is not part of the scheme.' 
+ example: https default_field: false - - name: indicator.file.target_path + - name: indicator.url.subdomain level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Target path for symlinks. + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east default_field: false - - name: indicator.file.type + - name: indicator.url.top_level_domain level: extended type: keyword ignore_above: 1024 - description: File type (file, dir, or symlink). - example: file + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk default_field: false - - name: indicator.file.uid + - name: indicator.url.username level: extended type: keyword ignore_above: 1024 - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' + description: Username of the request. default_field: false - - name: indicator.file.x509.alternative_names + - name: indicator.x509.alternative_names level: extended type: keyword ignore_above: 1024 
@@ -12174,21 +38820,21 @@
 (and wildcards), and email addresses.
 example: '*.elastic.co'
 default_field: false
- - name: indicator.file.x509.issuer.common_name
+ - name: indicator.x509.issuer.common_name
 level: extended
 type: keyword
 ignore_above: 1024
 description: List of common name (CN) of issuing certificate authority.
 example: Example SHA2 High Assurance Server CA
 default_field: false
- - name: indicator.file.x509.issuer.country
+ - name: indicator.x509.issuer.country
 level: extended
 type: keyword
 ignore_above: 1024
 description: List of country \(C) codes
 example: US
 default_field: false
- - name: indicator.file.x509.issuer.distinguished_name
+ - name: indicator.x509.issuer.distinguished_name
 level: extended
 type: keyword
 ignore_above: 1024
@@ -12196,545 +38842,398 @@ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - - name: indicator.file.x509.issuer.locality + - name: indicator.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - - name: indicator.file.x509.issuer.organization + - name: indicator.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - - name: indicator.file.x509.issuer.organizational_unit + - name: indicator.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - - name: indicator.file.x509.issuer.state_or_province + - name: indicator.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: indicator.file.x509.not_after + - name: indicator.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: '2020-07-16T03:15:39Z' default_field: false - - name: indicator.file.x509.not_before + - name: indicator.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: '2019-08-16T01:40:25Z' default_field: false - - name: indicator.file.x509.public_key_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: Algorithm used to generate the public key. - example: RSA - default_field: false - - name: indicator.file.x509.public_key_curve - level: extended - type: keyword - ignore_above: 1024 - description: The curve used by the elliptic curve public key algorithm. 
This - is algorithm specific. - example: nistp521 - default_field: false - - name: indicator.file.x509.public_key_exponent - level: extended - type: long - description: Exponent used to derive the public key. This is algorithm specific. - example: 65537 - index: false - doc_values: false - default_field: false - - name: indicator.file.x509.public_key_size - level: extended - type: long - description: The size of the public key space in bits. - example: 2048 - default_field: false - - name: indicator.file.x509.serial_number - level: extended - type: keyword - ignore_above: 1024 - description: Unique serial number issued by the certificate authority. For consistency, - this must be encoded in base 16 and formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - default_field: false - - name: indicator.file.x509.signature_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA - default_field: false - - name: indicator.file.x509.subject.common_name - level: extended - type: keyword - ignore_above: 1024 - description: List of common names (CN) of subject. - example: shared.global.example.net - default_field: false - - name: indicator.file.x509.subject.country - level: extended - type: keyword - ignore_above: 1024 - description: List of country \(C) code - example: US - default_field: false - - name: indicator.file.x509.subject.distinguished_name - level: extended - type: keyword - ignore_above: 1024 - description: Distinguished name (DN) of the certificate subject entity. 
- example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - default_field: false - - name: indicator.file.x509.subject.locality - level: extended - type: keyword - ignore_above: 1024 - description: List of locality names (L) - example: San Francisco - default_field: false - - name: indicator.file.x509.subject.organization - level: extended - type: keyword - ignore_above: 1024 - description: List of organizations (O) of subject. - example: Example, Inc. - default_field: false - - name: indicator.file.x509.subject.organizational_unit - level: extended - type: keyword - ignore_above: 1024 - description: List of organizational units (OU) of subject. - default_field: false - - name: indicator.file.x509.subject.state_or_province - level: extended - type: keyword - ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California - default_field: false - - name: indicator.file.x509.version_number - level: extended - type: keyword - ignore_above: 1024 - description: Version of x509 format. - example: 3 - default_field: false - - name: indicator.first_seen - level: extended - type: date - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: indicator.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: indicator.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: indicator.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. 
- example: North America - default_field: false - - name: indicator.geo.country_iso_code - level: core + - name: indicator.x509.public_key_algorithm + level: extended type: keyword ignore_above: 1024 - description: Country ISO code. - example: CA + description: Algorithm used to generate the public key. + example: RSA default_field: false - - name: indicator.geo.country_name - level: core + - name: indicator.x509.public_key_curve + level: extended type: keyword ignore_above: 1024 - description: Country name. - example: Canada + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 default_field: false - - name: indicator.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: indicator.x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + doc_values: false default_field: false - - name: indicator.geo.name + - name: indicator.x509.public_key_size level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc + type: long + description: The size of the public key space in bits. + example: 2048 default_field: false - - name: indicator.geo.postal_code - level: core + - name: indicator.x509.serial_number + level: extended type: keyword ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 + description: Unique serial number issued by the certificate authority. For consistency, + this must be encoded in base 16 and formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: indicator.geo.region_iso_code - level: core + - name: indicator.x509.signature_algorithm + level: extended type: keyword ignore_above: 1024 - description: Region ISO code. - example: CA-QC + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA default_field: false - - name: indicator.geo.region_name - level: core + - name: indicator.x509.subject.common_name + level: extended type: keyword ignore_above: 1024 - description: Region name. - example: Quebec + description: List of common names (CN) of subject. + example: shared.global.example.net default_field: false - - name: indicator.geo.timezone - level: core + - name: indicator.x509.subject.country + level: extended type: keyword ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires + description: List of country \(C) code + example: US default_field: false - - name: indicator.id + - name: indicator.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 - description: 'The ID of the indicator used by this threat to conduct behavior - commonly modeled using MITRE ATT&CK®. This field can have multiple values - to allow for the identification of the same indicator across systems that - use different ID formats. - - While not required, a common approach is to use a STIX 2.x indicator ID.' - example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + description: Distinguished name (DN) of the certificate subject entity. 
+ example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: indicator.ip + - name: indicator.x509.subject.locality level: extended - type: ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco default_field: false - - name: indicator.last_seen + - name: indicator.x509.subject.organization level: extended - type: date - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. default_field: false - - name: indicator.marking.tlp + - name: indicator.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 - description: Traffic Light Protocol sharing markings. - example: CLEAR + description: List of organizational units (OU) of subject. default_field: false - - name: indicator.marking.tlp_version + - name: indicator.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 - description: Traffic Light Protocol version. - example: 2.0 + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: indicator.modified_at + - name: indicator.x509.version_number level: extended - type: date - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' + type: keyword + ignore_above: 1024 + description: Version of x509 format. 
+ example: 3 default_field: false - - name: indicator.name + - name: software.alias level: extended type: keyword ignore_above: 1024 - description: 'The display name indicator in an UI friendly format + description: 'The alias(es) of the software for a set of related intrusion activity + that are tracked by a common name in the security community. - URL, IP address, email address, registry key, port number, hash value, or - other relevant name can serve as the display name.' - example: 5.2.75.227 - default_field: false - - name: indicator.port - level: extended - type: long - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 + While not required, you can use a MITRE ATT&CK® associated software description.' + example: '[ "X-Agent" ]' default_field: false - - name: indicator.provider + - name: software.id level: extended type: keyword ignore_above: 1024 - description: The name of the indicator's provider. - example: lrz_urlhaus + description: 'The id of the software used by this threat to conduct behavior + commonly modeled using MITRE ATT&CK®. + + While not required, you can use a MITRE ATT&CK® software id.' + example: S0552 default_field: false - - name: indicator.reference + - name: software.name level: extended type: keyword ignore_above: 1024 - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 + description: 'The name of the software used by this threat to conduct behavior + commonly modeled using MITRE ATT&CK®. + + While not required, you can use a MITRE ATT&CK® software name.' + example: AdFind default_field: false - - name: indicator.registry.data.bytes + - name: software.platforms level: extended type: keyword ignore_above: 1024 - description: 'Original bytes written with base64 encoding. 
- - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - default_field: false - - name: indicator.registry.data.strings - level: core - type: wildcard - description: 'Content when writing string types. + description: 'The platforms of the software used by this threat to conduct behavior + commonly modeled using MITRE ATT&CK®. - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' + While not required, you can use MITRE ATT&CK® software platform values.' + example: '[ "Windows" ]' default_field: false - - name: indicator.registry.data.type - level: core + - name: software.reference + level: extended type: keyword ignore_above: 1024 - description: Standard registry type for encoding contents - example: REG_SZ + description: 'The reference URL of the software used by this threat to conduct + behavior commonly modeled using MITRE ATT&CK®. + + While not required, you can use a MITRE ATT&CK® software reference URL.' + example: https://attack.mitre.org/software/S0552/ default_field: false - - name: indicator.registry.hive - level: core + - name: software.type + level: extended type: keyword ignore_above: 1024 - description: Abbreviated name for the hive. - example: HKLM + description: 'The type of software used by this threat to conduct behavior commonly + modeled using MITRE ATT&CK®. + + While not required, you can use a MITRE ATT&CK® software type.' 
+ example: Tool default_field: false - - name: indicator.registry.key - level: core + - name: tactic.id + level: extended type: keyword ignore_above: 1024 - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - default_field: false - - name: indicator.registry.path - level: core + description: The id of tactic used by this threat. You can use a MITRE ATT&CK® + tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + example: TA0002 + - name: tactic.name + level: extended type: keyword ignore_above: 1024 - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - default_field: false - - name: indicator.registry.value - level: core + description: Name of the type of tactic used by this threat. You can use a MITRE + ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) + example: Execution + - name: tactic.reference + level: extended type: keyword ignore_above: 1024 - description: Name of the value written. - example: Debugger - default_field: false - - name: indicator.scanner_stats - level: extended - type: long - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 - default_field: false - - name: indicator.sightings - level: extended - type: long - description: Number of times this indicator was observed conducting threat activity. - example: 20 - default_field: false - - name: indicator.type + description: The reference url of tactic used by this threat. You can use a + MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ + ) + example: https://attack.mitre.org/tactics/TA0002/ + - name: technique.id level: extended type: keyword ignore_above: 1024 - description: Type of indicator as represented by Cyber Observable in STIX 2.0. 
- example: ipv4-addr - default_field: false - - name: indicator.url.domain + description: The id of technique used by this threat. You can use a MITRE ATT&CK® + technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + example: T1059 + - name: technique.name level: extended type: keyword ignore_above: 1024 - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC - 2732), the `[` and `]` characters should also be captured in the `domain` - field.' - example: www.elastic.co - default_field: false - - name: indicator.url.extension + multi_fields: + - name: text + type: match_only_text + default_field: false + description: The name of technique used by this threat. You can use a MITRE + ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + example: Command and Scripting Interpreter + - name: technique.reference level: extended type: keyword ignore_above: 1024 - description: 'The field contains the file extension from the original request - url, excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png - default_field: false - - name: indicator.url.fragment + description: The reference url of technique used by this threat. You can use + a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/) + example: https://attack.mitre.org/techniques/T1059/ + - name: technique.subtechnique.id level: extended type: keyword ignore_above: 1024 - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' + description: The full id of subtechnique used by this threat. You can use a + MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + example: T1059.001 default_field: false - - name: indicator.url.full + - name: technique.subtechnique.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - example: https://www.elastic.co:443/search?q=elasticsearch#top + description: The name of subtechnique used by this threat. You can use a MITRE + ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + example: PowerShell default_field: false - - name: indicator.url.original + - name: technique.subtechnique.reference level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + type: keyword + ignore_above: 1024 + description: The reference url of subtechnique used by this threat. You can + use a MITRE ATT&CK® subtechnique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/001/) + example: https://attack.mitre.org/techniques/T1059/001/ default_field: false - - name: indicator.url.password + - name: tls + title: TLS + group: 2 + description: Fields related to a TLS connection. These fields focus on the TLS + protocol itself and intentionally avoids in-depth analysis of the related x.509 + certificate files. + type: group + default_field: true + fields: + - name: cipher level: extended type: keyword ignore_above: 1024 - description: Password of the request. + description: String indicating the cipher used during the current connection. + example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 default_field: false - - name: indicator.url.path + - name: client.certificate level: extended - type: wildcard - description: Path of the request, such as "/search". + type: keyword + ignore_above: 1024 + description: PEM-encoded stand-alone certificate offered by the client. This + is usually mutually-exclusive of `client.certificate_chain` since this value + also exists in that list. + example: MII... default_field: false - - name: indicator.url.port + - name: client.certificate_chain level: extended - type: long - format: string - description: Port of the request, such as 443. - example: 443 + type: keyword + ignore_above: 1024 + description: Array of PEM-encoded certificates that make up the certificate + chain offered by the client. This is usually mutually-exclusive of `client.certificate` + since that value should be the first certificate in the chain. + example: '["MII...", "MII..."]' default_field: false - - name: indicator.url.query + - name: client.hash.md5 level: extended type: keyword - ignore_above: 2083 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". - - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. 
The `exists` query can be used to differentiate between - the two cases.' + ignore_above: 1024 + description: Certificate fingerprint using the MD5 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - - name: indicator.url.registered_domain + - name: client.hash.sha1 level: extended type: keyword ignore_above: 1024 - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com + description: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the client. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - - name: indicator.url.scheme + - name: client.hash.sha256 level: extended type: keyword ignore_above: 1024 - description: 'Scheme of the request, such as "https". - - Note: The `:` is not part of the scheme.' - example: https + description: Certificate fingerprint using the SHA256 digest of DER-encoded + version of certificate offered by the client. For consistency with other hash + values, this value should be formatted as an uppercase hash. + example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - - name: indicator.url.subdomain + - name: client.issuer level: extended type: keyword ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east + description: Distinguished name of subject of the issuer of the x.509 certificate + presented by the client. + example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - - name: indicator.url.top_level_domain + - name: client.ja3 level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk + description: A hash that identifies clients based on how they perform an SSL/TLS + handshake. + example: d4e5b18d6b55c71272893221c96ba240 default_field: false - - name: indicator.url.username + - name: client.not_after + level: extended + type: date + description: Date/Time indicating when client certificate is no longer considered + valid. + example: '2021-01-01T00:00:00.000Z' + default_field: false + - name: client.not_before + level: extended + type: date + description: Date/Time indicating when client certificate is first considered + valid. + example: '1970-01-01T00:00:00.000Z' + default_field: false + - name: client.server_name level: extended type: keyword ignore_above: 1024 - description: Username of the request. 
+ description: Also called an SNI, this tells the server which hostname to which
+ the client is attempting to connect to. When this value is available, it should
+ get copied to `destination.domain`.
+ example: www.elastic.co
 default_field: false
- - name: indicator.x509.alternative_names
+ - name: client.subject
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Distinguished name of subject of the x.509 certificate presented
+ by the client.
+ example: CN=myclient, OU=Documentation Team, DC=example, DC=com
+ default_field: false
+ - name: client.supported_ciphers
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Array of ciphers offered by the client during the client hello.
+ example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "..."]'
+ default_field: false
+ - name: client.x509.alternative_names
 level: extended
 type: keyword
 ignore_above: 1024
@@ -12743,21 +39242,21 @@
 (and wildcards), and email addresses.
 example: '*.elastic.co'
 default_field: false
- - name: indicator.x509.issuer.common_name
+ - name: client.x509.issuer.common_name
 level: extended
 type: keyword
 ignore_above: 1024
 description: List of common name (CN) of issuing certificate authority.
 example: Example SHA2 High Assurance Server CA
 default_field: false
- - name: indicator.x509.issuer.country
+ - name: client.x509.issuer.country
 level: extended
 type: keyword
 ignore_above: 1024
 description: List of country \(C) codes
 example: US
 default_field: false
- - name: indicator.x509.issuer.distinguished_name
+ - name: client.x509.issuer.distinguished_name
 level: extended
 type: keyword
 ignore_above: 1024
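Review bot: The new side of this hunk removes the whole `indicator.*` threat-intel field set (`indicator.ip`, `indicator.marking.tlp`, `indicator.sightings`, `indicator.registry.*`, `indicator.geo.*`, `indicator.first_seen`/`last_seen`, …) and rewrites the `software.*`, `tactic.*`, `technique.*` and `tls` entries, none of which relates to the gen_ai fields this series introduces; the hunk header (`-12196,545 +38842,398`) also shows the new file is roughly three times the old one, which looks like the artifact was regenerated from a different base or generator configuration rather than a deliberate schema change, so it is worth regenerating from a clean checkout and confirming the `indicator.*` mappings are not actually lost. Separately, the added `tactic.id`, `tactic.name`, `tactic.reference`, `technique.id`, `technique.name` and `technique.reference` entries carry no `default_field: false`, while the sibling `technique.subtechnique.*` entries and every `tls` field set it explicitly; if this file feeds index settings, that silently changes which fields are searched by default, so each of those six entries should gain `default_field: false`. The `tls` group description says `intentionally avoids in-depth analysis` and should read `intentionally avoid in-depth analysis`. The `tls` group opened in this hunk continues past the hunk's end.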
@@ -12765,54 +39264,54 @@ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - - name: indicator.x509.issuer.locality + - name: client.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - - name: indicator.x509.issuer.organization + - name: client.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - - name: indicator.x509.issuer.organizational_unit + - name: client.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - - name: indicator.x509.issuer.state_or_province + - name: client.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: indicator.x509.not_after + - name: client.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: '2020-07-16T03:15:39Z' default_field: false - - name: indicator.x509.not_before + - name: client.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: '2019-08-16T01:40:25Z' default_field: false - - name: indicator.x509.public_key_algorithm + - name: client.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - - name: indicator.x509.public_key_curve + - name: client.x509.public_key_curve level: extended type: keyword ignore_above: 1024 
@@ -12820,7 +39319,7 @@ is algorithm specific. example: nistp521 default_field: false - - name: indicator.x509.public_key_exponent + - name: client.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. @@ -12828,13 +39327,13 @@ index: false doc_values: false default_field: false - - name: indicator.x509.public_key_size + - name: client.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - - name: indicator.x509.serial_number + - name: client.x509.serial_number level: extended type: keyword ignore_above: 1024 @@ -12843,7 +39342,7 @@ characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: indicator.x509.signature_algorithm + - name: client.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 
@@ -12851,312 +39350,172 @@ names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - - name: indicator.x509.subject.common_name + - name: client.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - - name: indicator.x509.subject.country + - name: client.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) code example: US default_field: false - - name: indicator.x509.subject.distinguished_name + - name: client.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: indicator.x509.subject.locality + - name: client.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - - name: indicator.x509.subject.organization + - name: client.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - - name: indicator.x509.subject.organizational_unit + - name: client.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. 
default_field: false - - name: indicator.x509.subject.state_or_province + - name: client.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: indicator.x509.version_number + - name: client.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - - name: software.alias - level: extended - type: keyword - ignore_above: 1024 - description: 'The alias(es) of the software for a set of related intrusion activity - that are tracked by a common name in the security community. - - While not required, you can use a MITRE ATT&CK® associated software description.' - example: '[ "X-Agent" ]' - default_field: false - - name: software.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The id of the software used by this threat to conduct behavior - commonly modeled using MITRE ATT&CK®. - - While not required, you can use a MITRE ATT&CK® software id.' - example: S0552 - default_field: false - - name: software.name - level: extended - type: keyword - ignore_above: 1024 - description: 'The name of the software used by this threat to conduct behavior - commonly modeled using MITRE ATT&CK®. - - While not required, you can use a MITRE ATT&CK® software name.' - example: AdFind - default_field: false - - name: software.platforms - level: extended - type: keyword - ignore_above: 1024 - description: 'The platforms of the software used by this threat to conduct behavior - commonly modeled using MITRE ATT&CK®. - - While not required, you can use MITRE ATT&CK® software platform values.' - example: '[ "Windows" ]' - default_field: false - - name: software.reference - level: extended - type: keyword - ignore_above: 1024 - description: 'The reference URL of the software used by this threat to conduct - behavior commonly modeled using MITRE ATT&CK®. 
- - While not required, you can use a MITRE ATT&CK® software reference URL.' - example: https://attack.mitre.org/software/S0552/ - default_field: false - - name: software.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of software used by this threat to conduct behavior commonly - modeled using MITRE ATT&CK®. - - While not required, you can use a MITRE ATT&CK® software type.' - example: Tool - default_field: false - - name: tactic.id - level: extended - type: keyword - ignore_above: 1024 - description: The id of tactic used by this threat. You can use a MITRE ATT&CK® - tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - example: TA0002 - - name: tactic.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the type of tactic used by this threat. You can use a MITRE - ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - example: Execution - - name: tactic.reference - level: extended - type: keyword - ignore_above: 1024 - description: The reference url of tactic used by this threat. You can use a - MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ - ) - example: https://attack.mitre.org/tactics/TA0002/ - - name: technique.id - level: extended - type: keyword - ignore_above: 1024 - description: The id of technique used by this threat. You can use a MITRE ATT&CK® - technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - example: T1059 - - name: technique.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: The name of technique used by this threat. You can use a MITRE - ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/) - example: Command and Scripting Interpreter - - name: technique.reference - level: extended - type: keyword - ignore_above: 1024 - description: The reference url of technique used by this threat. You can use - a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - example: https://attack.mitre.org/techniques/T1059/ - - name: technique.subtechnique.id + - name: curve level: extended type: keyword ignore_above: 1024 - description: The full id of subtechnique used by this threat. You can use a - MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) - example: T1059.001 + description: String indicating the curve used for the given cipher, when applicable. + example: secp256r1 default_field: false - - name: technique.subtechnique.name + - name: established level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The name of subtechnique used by this threat. You can use a MITRE - ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) - example: PowerShell + type: boolean + description: Boolean flag indicating if the TLS negotiation was successful and + transitioned to an encrypted tunnel. default_field: false - - name: technique.subtechnique.reference + - name: next_protocol level: extended type: keyword ignore_above: 1024 - description: The reference url of subtechnique used by this threat. You can - use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) - example: https://attack.mitre.org/techniques/T1059/001/ + description: String indicating the protocol being tunneled. Per the values in + the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), + this string should be lower case. 
+ example: http/1.1 default_field: false - - name: tls - title: TLS - group: 2 - description: Fields related to a TLS connection. These fields focus on the TLS - protocol itself and intentionally avoids in-depth analysis of the related x.509 - certificate files. - type: group - default_field: true - fields: - - name: cipher + - name: resumed level: extended - type: keyword - ignore_above: 1024 - description: String indicating the cipher used during the current connection. - example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + type: boolean + description: Boolean flag indicating if this TLS connection was resumed from + an existing TLS negotiation. default_field: false - - name: client.certificate + - name: server.certificate level: extended type: keyword ignore_above: 1024 - description: PEM-encoded stand-alone certificate offered by the client. This - is usually mutually-exclusive of `client.certificate_chain` since this value + description: PEM-encoded stand-alone certificate offered by the server. This + is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. example: MII... default_field: false - - name: client.certificate_chain + - name: server.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate - chain offered by the client. This is usually mutually-exclusive of `client.certificate` + chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - - name: client.hash.md5 + - name: server.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version - of certificate offered by the client. For consistency with other hash values, + of certificate offered by the server. 
For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - - name: client.hash.sha1 + - name: server.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version - of certificate offered by the client. For consistency with other hash values, + of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - - name: client.hash.sha256 + - name: server.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded - version of certificate offered by the client. For consistency with other hash + version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - - name: client.issuer + - name: server.issuer level: extended type: keyword ignore_above: 1024 - description: Distinguished name of subject of the issuer of the x.509 certificate - presented by the client. + description: Subject of the issuer of the x.509 certificate presented by the + server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - - name: client.ja3 + - name: server.ja3s level: extended type: keyword ignore_above: 1024 - description: A hash that identifies clients based on how they perform an SSL/TLS + description: A hash that identifies servers based on how they perform an SSL/TLS handshake. 
- example: d4e5b18d6b55c71272893221c96ba240 + example: 394441ab65754e2207b1e1b457b3641d default_field: false - - name: client.not_after + - name: server.not_after level: extended type: date - description: Date/Time indicating when client certificate is no longer considered + description: Timestamp indicating when server certificate is no longer considered valid. example: '2021-01-01T00:00:00.000Z' default_field: false - - name: client.not_before + - name: server.not_before level: extended type: date - description: Date/Time indicating when client certificate is first considered + description: Timestamp indicating when server certificate is first considered valid. example: '1970-01-01T00:00:00.000Z' default_field: false - - name: client.server_name - level: extended - type: keyword - ignore_above: 1024 - description: Also called an SNI, this tells the server which hostname to which - the client is attempting to connect to. When this value is available, it should - get copied to `destination.domain`. - example: www.elastic.co - default_field: false - - name: client.subject - level: extended - type: keyword - ignore_above: 1024 - description: Distinguished name of subject of the x.509 certificate presented - by the client. - example: CN=myclient, OU=Documentation Team, DC=example, DC=com - default_field: false - - name: client.supported_ciphers + - name: server.subject level: extended type: keyword ignore_above: 1024 - description: Array of ciphers offered by the client during the client hello. - example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "..."]' + description: Subject of the x.509 certificate presented by the server. + example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com default_field: false - - name: client.x509.alternative_names + - name: server.x509.alternative_names level: extended type: keyword ignore_above: 1024 
@@ -13165,21 +39524,21 @@ (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - - name: client.x509.issuer.common_name + - name: server.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - - name: client.x509.issuer.country + - name: server.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) codes example: US default_field: false - - name: client.x509.issuer.distinguished_name + - name: server.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 
@@ -13187,54 +39546,54 @@ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - - name: client.x509.issuer.locality + - name: server.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - - name: client.x509.issuer.organization + - name: server.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - - name: client.x509.issuer.organizational_unit + - name: server.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - - name: client.x509.issuer.state_or_province + - name: server.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: client.x509.not_after + - name: server.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: '2020-07-16T03:15:39Z' default_field: false - - name: client.x509.not_before + - name: server.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: '2019-08-16T01:40:25Z' default_field: false - - name: client.x509.public_key_algorithm + - name: server.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - - name: client.x509.public_key_curve + - name: server.x509.public_key_curve level: extended type: keyword ignore_above: 1024 
@@ -13242,7 +39601,7 @@ is algorithm specific. example: nistp521 default_field: false - - name: client.x509.public_key_exponent + - name: server.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. @@ -13250,13 +39609,13 @@ index: false doc_values: false default_field: false - - name: client.x509.public_key_size + - name: server.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - - name: client.x509.serial_number + - name: server.x509.serial_number level: extended type: keyword ignore_above: 1024 @@ -13265,7 +39624,7 @@ characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: client.x509.signature_algorithm + - name: server.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 
@@ -13273,557 +39632,646 @@ names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - - name: client.x509.subject.common_name + - name: server.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - - name: client.x509.subject.country + - name: server.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) code example: US default_field: false - - name: client.x509.subject.distinguished_name + - name: server.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: client.x509.subject.locality + - name: server.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - - name: client.x509.subject.organization + - name: server.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - - name: client.x509.subject.organizational_unit + - name: server.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. 
default_field: false - - name: client.x509.subject.state_or_province + - name: server.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: client.x509.version_number + - name: server.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - - name: curve - level: extended - type: keyword - ignore_above: 1024 - description: String indicating the curve used for the given cipher, when applicable. - example: secp256r1 - default_field: false - - name: established - level: extended - type: boolean - description: Boolean flag indicating if the TLS negotiation was successful and - transitioned to an encrypted tunnel. - default_field: false - - name: next_protocol - level: extended - type: keyword - ignore_above: 1024 - description: String indicating the protocol being tunneled. Per the values in - the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), - this string should be lower case. - example: http/1.1 - default_field: false - - name: resumed - level: extended - type: boolean - description: Boolean flag indicating if this TLS connection was resumed from - an existing TLS negotiation. - default_field: false - - name: server.certificate - level: extended - type: keyword - ignore_above: 1024 - description: PEM-encoded stand-alone certificate offered by the server. This - is usually mutually-exclusive of `server.certificate_chain` since this value - also exists in that list. - example: MII... - default_field: false - - name: server.certificate_chain - level: extended - type: keyword - ignore_above: 1024 - description: Array of PEM-encoded certificates that make up the certificate - chain offered by the server. 
This is usually mutually-exclusive of `server.certificate` - since that value should be the first certificate in the chain. - example: '["MII...", "MII..."]' - default_field: false - - name: server.hash.md5 + - name: version level: extended type: keyword ignore_above: 1024 - description: Certificate fingerprint using the MD5 digest of DER-encoded version - of certificate offered by the server. For consistency with other hash values, - this value should be formatted as an uppercase hash. - example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + description: Numeric part of the version parsed from the original string. + example: '1.2' default_field: false - - name: server.hash.sha1 + - name: version_protocol level: extended type: keyword ignore_above: 1024 - description: Certificate fingerprint using the SHA1 digest of DER-encoded version - of certificate offered by the server. For consistency with other hash values, - this value should be formatted as an uppercase hash. - example: 9E393D93138888D288266C2D915214D1D1CCEB2A + description: Normalized lowercase protocol name parsed from original string. + example: tls default_field: false - - name: server.hash.sha256 + - name: span.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the span within the scope of its trace. + + A span represents an operation within a transaction, such as a request to another + service, or a database query.' + example: 3ff9a8981b7ccd5a + - name: trace.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the trace. + + A trace groups multiple events like transactions that belong together. For example, + a user request handled by multiple inter-connected services.' + example: 4bf92f3577b34da6a3ce929d0e0e4736 + default_field: true + - name: transaction.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the transaction within the scope of its trace. 
+ + A transaction is the highest level of work measured within a service, such as + a request to a server.' + example: 00f067aa0ba902b7 + default_field: true + - name: url + title: URL + group: 2 + description: URL fields provide support for complete or partial URLs, and supports + the breaking down into scheme, domain, path, and so on. + type: group + default_field: true + fields: + - name: domain level: extended type: keyword ignore_above: 1024 - description: Certificate fingerprint using the SHA256 digest of DER-encoded - version of certificate offered by the server. For consistency with other hash - values, this value should be formatted as an uppercase hash. - example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 - default_field: false - - name: server.issuer + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + - name: extension level: extended type: keyword ignore_above: 1024 - description: Subject of the issuer of the x.509 certificate presented by the - server. - example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com - default_field: false - - name: server.ja3s + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' 
+ example: png + - name: fragment level: extended type: keyword ignore_above: 1024 - description: A hash that identifies servers based on how they perform an SSL/TLS - handshake. - example: 394441ab65754e2207b1e1b457b3641d - default_field: false - - name: server.not_after + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + - name: full level: extended - type: date - description: Timestamp indicating when server certificate is no longer considered - valid. - example: '2021-01-01T00:00:00.000Z' - default_field: false - - name: server.not_before + type: wildcard + multi_fields: + - name: text + type: match_only_text + default_field: false + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + - name: original level: extended - type: date - description: Timestamp indicating when server certificate is first considered - valid. - example: '1970-01-01T00:00:00.000Z' - default_field: false - - name: server.subject + type: wildcard + multi_fields: + - name: text + type: match_only_text + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: password level: extended type: keyword ignore_above: 1024 - description: Subject of the x.509 certificate presented by the server. - example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com - default_field: false - - name: server.x509.alternative_names + description: Password of the request. 
+ - name: path level: extended - type: keyword - ignore_above: 1024 - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' - default_field: false - - name: server.x509.issuer.common_name + type: wildcard + description: Path of the request, such as "/search". + - name: port level: extended - type: keyword - ignore_above: 1024 - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA - default_field: false - - name: server.x509.issuer.country + type: long + format: string + description: Port of the request, such as 443. + example: 443 + - name: query level: extended type: keyword - ignore_above: 1024 - description: List of country \(C) codes - example: US - default_field: false - - name: server.x509.issuer.distinguished_name + ignore_above: 2083 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' + - name: registered_domain level: extended type: keyword ignore_above: 1024 - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - default_field: false - - name: server.x509.issuer.locality + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). 
Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + - name: scheme level: extended type: keyword ignore_above: 1024 - description: List of locality names (L) - example: Mountain View - default_field: false - - name: server.x509.issuer.organization + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + - name: subdomain level: extended type: keyword ignore_above: 1024 - description: List of organizations (O) of issuing certificate authority. - example: Example Inc + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east default_field: false - - name: server.x509.issuer.organizational_unit + - name: top_level_domain level: extended type: keyword ignore_above: 1024 - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com - default_field: false - - name: server.x509.issuer.state_or_province + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + - name: username level: extended type: keyword ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California - default_field: false - - name: server.x509.not_after - level: extended - type: date - description: Time at which the certificate is no longer considered valid. - example: '2020-07-16T03:15:39Z' - default_field: false - - name: server.x509.not_before - level: extended - type: date - description: Time at which the certificate is first considered valid. - example: '2019-08-16T01:40:25Z' - default_field: false - - name: server.x509.public_key_algorithm + description: Username of the request. + - name: user + title: User + group: 2 + description: 'The user fields describe information about the user that is relevant + to the event. + + Fields can have one entry or multiple entries. If a user has more than one id, + provide an array that includes all of them.' + type: group + default_field: true + fields: + - name: changes.domain level: extended type: keyword ignore_above: 1024 - description: Algorithm used to generate the public key. - example: RSA + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' default_field: false - - name: server.x509.public_key_curve + - name: changes.email level: extended type: keyword ignore_above: 1024 - description: The curve used by the elliptic curve public key algorithm. This - is algorithm specific. - example: nistp521 + description: User email address. default_field: false - - name: server.x509.public_key_exponent + - name: changes.entity.attributes level: extended - type: long - description: Exponent used to derive the public key. This is algorithm specific. - example: 65537 - index: false - doc_values: false + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. default_field: false - - name: server.x509.public_key_size + - name: changes.entity.behavior level: extended - type: long - description: The size of the public key space in bits. - example: 2048 + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. default_field: false - - name: server.x509.serial_number + - name: changes.entity.display_name level: extended type: keyword ignore_above: 1024 - description: Unique serial number issued by the certificate authority. For consistency, - this must be encoded in base 16 and formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). default_field: false - - name: server.x509.signature_algorithm - level: extended + - name: changes.entity.id + level: core type: keyword ignore_above: 1024 - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' default_field: false - - name: server.x509.subject.common_name + - name: changes.entity.last_seen_timestamp level: extended - type: keyword - ignore_above: 1024 - description: List of common names (CN) of subject. - example: shared.global.example.net + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. default_field: false - - name: server.x509.subject.country + - name: changes.entity.lifecycle level: extended - type: keyword - ignore_above: 1024 - description: List of country \(C) code - example: US + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. default_field: false - - name: server.x509.subject.distinguished_name + - name: changes.entity.metrics level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: changes.entity.name + level: core type: keyword ignore_above: 1024 - description: Distinguished name (DN) of the certificate subject entity. 
- example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. default_field: false - - name: server.x509.subject.locality + - name: changes.entity.raw level: extended - type: keyword - ignore_above: 1024 - description: List of locality names (L) - example: San Francisco + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. default_field: false - - name: server.x509.subject.organization + - name: changes.entity.reference level: extended type: keyword ignore_above: 1024 - description: List of organizations (O) of subject. - example: Example, Inc. + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. default_field: false - - name: server.x509.subject.organizational_unit - level: extended + - name: changes.entity.source + level: core type: keyword ignore_above: 1024 - description: List of organizational units (OU) of subject. + description: The module or integration that provided this entity data (similar + to event.module). 
default_field: false - - name: server.x509.subject.state_or_province + - name: changes.entity.sub_type level: extended type: keyword ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket default_field: false - - name: server.x509.version_number - level: extended + - name: changes.entity.type + level: core type: keyword ignore_above: 1024 - description: Version of x509 format. - example: 3 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host default_field: false - - name: version + - name: changes.full_name level: extended type: keyword ignore_above: 1024 - description: Numeric part of the version parsed from the original string. - example: '1.2' + multi_fields: + - name: text + type: match_only_text + description: User's full name, if available. + example: Albert Einstein default_field: false - - name: version_protocol + - name: changes.group.domain level: extended type: keyword ignore_above: 1024 - description: Normalized lowercase protocol name parsed from original string. - example: tls - default_field: false - - name: span.id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the span within the scope of its trace. 
- - A span represents an operation within a transaction, such as a request to another - service, or a database query.' - example: 3ff9a8981b7ccd5a - - name: trace.id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the trace. - - A trace groups multiple events like transactions that belong together. For example, - a user request handled by multiple inter-connected services.' - example: 4bf92f3577b34da6a3ce929d0e0e4736 - default_field: true - - name: transaction.id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the transaction within the scope of its trace. + description: 'Name of the directory the group is a member of. - A transaction is the highest level of work measured within a service, such as - a request to a server.' - example: 00f067aa0ba902b7 - default_field: true - - name: url - title: URL - group: 2 - description: URL fields provide support for complete or partial URLs, and supports - the breaking down into scheme, domain, path, and so on. - type: group - default_field: true - fields: - - name: domain + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: changes.group.id level: extended type: keyword ignore_above: 1024 - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC - 2732), the `[` and `]` characters should also be captured in the `domain` - field.' - example: www.elastic.co - - name: extension + description: Unique identifier for the group on the system/platform. + default_field: false + - name: changes.group.name level: extended type: keyword ignore_above: 1024 - description: 'The field contains the file extension from the original request - url, excluding the leading dot. 
- - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png - - name: fragment + description: Name of the group. + default_field: false + - name: changes.hash level: extended type: keyword ignore_above: 1024 - description: 'Portion of the url after the `#`, such as "top". + description: 'Unique user hash to correlate information for a user in anonymized + form. - The `#` is not part of the fragment.' - - name: full - level: extended - type: wildcard + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: changes.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: changes.name + level: core + type: keyword + ignore_above: 1024 multi_fields: - name: text type: match_only_text - default_field: false - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - example: https://www.elastic.co:443/search?q=elasticsearch#top - - name: original + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: changes.risk.calculated_level level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - default_field: false - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' 
- example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - - name: password + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: changes.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: changes.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: changes.risk.static_level level: extended type: keyword ignore_above: 1024 - description: Password of the request. - - name: path + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: changes.risk.static_score level: extended - type: wildcard - description: Path of the request, such as "/search". - - name: port + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: changes.risk.static_score_norm level: extended - type: long - format: string - description: Port of the request, such as 443. - example: 443 - - name: query + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + default_field: false + - name: changes.roles level: extended type: keyword - ignore_above: 2083 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". - - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases.' - - name: registered_domain + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false + - name: domain level: extended type: keyword ignore_above: 1024 - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". + description: 'Name of the directory the user is a member of. - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - - name: scheme + For example, an LDAP or Active Directory domain name.' + - name: effective.domain level: extended type: keyword ignore_above: 1024 - description: 'Scheme of the request, such as "https". + description: 'Name of the directory the user is a member of. - Note: The `:` is not part of the scheme.' - example: https - - name: subdomain + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: effective.email level: extended type: keyword ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east + description: User email address. default_field: false - - name: top_level_domain + - name: effective.entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: effective.entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: effective.entity.display_name level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - - name: username + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: effective.entity.id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: effective.entity.last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: effective.entity.lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: effective.entity.metrics level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: effective.entity.name + level: core type: keyword ignore_above: 1024 - description: Username of the request. 
- - name: user - title: User - group: 2 - description: 'The user fields describe information about the user that is relevant - to the event. - - Fields can have one entry or multiple entries. If a user has more than one id, - provide an array that includes all of them.' - type: group - default_field: true - fields: - - name: changes.domain + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: effective.entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: effective.entity.reference level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: effective.entity.source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). default_field: false - - name: changes.email + - name: effective.entity.sub_type level: extended type: keyword ignore_above: 1024 - description: User email address. + description: 'The specific type designation for the entity as defined by its + provider or system. 
This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket default_field: false - - name: changes.full_name + - name: effective.entity.type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false + - name: effective.full_name level: extended type: keyword ignore_above: 1024 @@ -13833,7 +40281,7 @@ description: User's full name, if available. example: Albert Einstein default_field: false - - name: changes.group.domain + - name: effective.group.domain level: extended type: keyword ignore_above: 1024 @@ -13841,19 +40289,19 @@ For example, an LDAP or Active Directory domain name.' default_field: false - - name: changes.group.id + - name: effective.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - - name: changes.group.name + - name: effective.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: changes.hash + - name: effective.hash level: extended type: keyword ignore_above: 1024 
@@ -13863,14 +40311,14 @@ Useful if `user.id` or `user.name` contain confidential information and cannot be used.' default_field: false - - name: changes.id + - name: effective.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: changes.name + - name: effective.name level: core type: keyword ignore_above: 1024 
@@ -13880,103 +40328,184 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: changes.roles + - name: effective.risk.calculated_level level: extended type: keyword ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High default_field: false - - name: domain + - name: effective.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: effective.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: effective.risk.static_level level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - - name: effective.domain + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: effective.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: effective.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + default_field: false + - name: effective.roles level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' default_field: false - - name: effective.email + - name: email level: extended type: keyword ignore_above: 1024 description: User email address. + - name: entity.attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. default_field: false - - name: effective.full_name + - name: entity.behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: entity.display_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
default_field: false - - name: effective.group.domain - level: extended + - name: entity.id + level: core type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' default_field: false - - name: effective.group.id + - name: entity.last_seen_timestamp level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. default_field: false - - name: effective.group.name + - name: entity.lifecycle level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. default_field: false - - name: effective.hash + - name: entity.metrics level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ default_field: false + - name: entity.name + level: core type: keyword ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. default_field: false - - name: effective.id - level: core + - name: entity.raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: entity.reference + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. default_field: false - - name: effective.name + - name: entity.source level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: The module or integration that provided this entity data (similar + to event.module). default_field: false - - name: effective.roles + - name: entity.sub_type level: extended type: keyword ignore_above: 1024 - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket default_field: false - - name: email - level: extended + - name: entity.type + level: core type: keyword ignore_above: 1024 - description: User email address. + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false - name: full_name level: extended type: keyword 
@@ -14273,6 +40802,52 @@ description: Short name or login of the user. example: a.einstein default_field: false + - name: target.risk.calculated_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + default_field: false + - name: target.risk.calculated_score + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + default_field: false + - name: target.risk.calculated_score_norm + level: extended + type: float + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + default_field: false + - name: target.risk.static_level + level: extended + type: keyword + ignore_above: 1024 + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + default_field: false + - name: target.risk.static_score + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + default_field: false + - name: target.risk.static_score_norm + level: extended + type: float + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + default_field: false - name: target.roles level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 3871df200a..28d7a14325 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -37,6 +37,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 9.3.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. 9.3.0-dev,true,client,client.user.email,keyword,extended,,,User email address. +9.3.0-dev,true,client,client.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,client,client.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,client,client.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,client,client.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,client,client.user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,client,client.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,client,client.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,client,client.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,client,client.user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,client,client.user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,client,client.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,client,client.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
+9.3.0-dev,true,client,client.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,client,client.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,client,client.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
@@ -46,16 +61,52 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,client,client.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,client,client.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,client,client.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,client,client.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,client,client.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,client,client.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 9.3.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. 9.3.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. 9.3.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." 
+9.3.0-dev,true,cloud,cloud.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,cloud,cloud.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,cloud,cloud.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,cloud,cloud.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,cloud,cloud.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,cloud,cloud.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,cloud,cloud.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,cloud,cloud.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,cloud,cloud.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,cloud,cloud.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,cloud,cloud.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,cloud,cloud.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,cloud,cloud.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,cloud,cloud.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,cloud,cloud.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 
9.3.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. 9.3.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. 9.3.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. 9.3.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. 9.3.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." +9.3.0-dev,true,cloud,cloud.origin.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,cloud,cloud.origin.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,cloud,cloud.origin.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,cloud,cloud.origin.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,cloud,cloud.origin.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,cloud,cloud.origin.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,cloud,cloud.origin.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,cloud,cloud.origin.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,cloud,cloud.origin.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,cloud,cloud.origin.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,cloud,cloud.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 
+9.3.0-dev,true,cloud,cloud.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,cloud,cloud.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,cloud,cloud.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,cloud,cloud.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 9.3.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. 9.3.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. 
@@ -140,6 +191,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 9.3.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. 9.3.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. +9.3.0-dev,true,destination,destination.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,destination,destination.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,destination,destination.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,destination,destination.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,destination,destination.user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,destination,destination.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,destination,destination.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,destination,destination.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,destination,destination.user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,destination,destination.user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,destination,destination.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 
+9.3.0-dev,true,destination,destination.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,destination,destination.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,destination,destination.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,destination,destination.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
@@ -149,6 +215,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,destination,destination.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,destination,destination.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,destination,destination.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,destination,destination.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,destination,destination.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,destination,destination.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 9.3.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. 9.3.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. 
@@ -253,6 +325,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. 9.3.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient 9.3.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.3.0-dev,true,entity,entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,entity,entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,entity,entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,entity,entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,entity,entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,entity,entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,entity,entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,entity,entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,entity,entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,entity,entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data. 
+9.3.0-dev,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. 9.3.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. 9.3.0-dev,true,error,error.message,match_only_text,core,,,Error message. 
@@ -651,6 +738,42 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version 9.3.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 9.3.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +9.3.0-dev,true,process,process.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.attested_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.attested_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. 
+9.3.0-dev,true,process,process.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.attested_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.attested_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.attested_user.group.name,keyword,extended,,,Name of the group. 
+9.3.0-dev,true,process,process.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 
9.3.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 9.3.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 
@@ -703,96 +826,1295 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 9.3.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 9.3.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.3.0-dev,true,process,process.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 9.3.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 9.3.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 9.3.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +9.3.0-dev,true,process,process.entry_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.entry_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.entry_leader.attested_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.entry_leader.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.entry_leader.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 
+9.3.0-dev,true,process,process.entry_leader.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.entry_leader.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.entry_leader.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.entry_leader.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.entry_leader.attested_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.attested_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.entry_leader.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.entry_leader.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.entry_leader.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.entry_leader.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
+9.3.0-dev,true,process,process.entry_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.entry_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.attested_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 9.3.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.3.0-dev,true,process,process.entry_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.entry_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.entry_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.3.0-dev,true,process,process.entry_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.3.0-dev,true,process,process.entry_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.3.0-dev,true,process,process.entry_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.3.0-dev,true,process,process.entry_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.3.0-dev,true,process,process.entry_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.3.0-dev,true,process,process.entry_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.3.0-dev,true,process,process.entry_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. 
+9.3.0-dev,true,process,process.entry_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.3.0-dev,true,process,process.entry_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.3.0-dev,true,process,process.entry_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 9.3.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 9.3.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.entry_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.3.0-dev,true,process,process.entry_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.3.0-dev,true,process,process.entry_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.3.0-dev,true,process,process.entry_leader.elf.creation_date,date,extended,,,Build or compile date. +9.3.0-dev,true,process,process.entry_leader.elf.exports,flattened,extended,array,,List of exported element names and types. +9.3.0-dev,true,process,process.entry_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.3.0-dev,true,process,process.entry_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.entry_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.entry_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+9.3.0-dev,true,process,process.entry_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.entry_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.3.0-dev,true,process,process.entry_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.3.0-dev,true,process,process.entry_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.3.0-dev,true,process,process.entry_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.3.0-dev,true,process,process.entry_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.3.0-dev,true,process,process.entry_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.3.0-dev,true,process,process.entry_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.3.0-dev,true,process,process.entry_leader.elf.header.version,keyword,extended,,,Version of the ELF header. +9.3.0-dev,true,process,process.entry_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.3.0-dev,true,process,process.entry_leader.elf.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.elf.sections,nested,extended,array,,Section information of the ELF file. +9.3.0-dev,true,process,process.entry_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
+9.3.0-dev,true,process,process.entry_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.entry_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.3.0-dev,true,process,process.entry_leader.elf.sections.name,keyword,extended,,,ELF Section List name. +9.3.0-dev,true,process,process.entry_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.3.0-dev,true,process,process.entry_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.3.0-dev,true,process,process.entry_leader.elf.sections.type,keyword,extended,,,ELF Section List type. +9.3.0-dev,true,process,process.entry_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.entry_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.3.0-dev,true,process,process.entry_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.3.0-dev,true,process,process.entry_leader.elf.segments,nested,extended,array,,ELF object segment list. +9.3.0-dev,true,process,process.entry_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.3.0-dev,true,process,process.entry_leader.elf.segments.type,keyword,extended,,,ELF object segment type. +9.3.0-dev,true,process,process.entry_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.3.0-dev,true,process,process.entry_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.3.0-dev,true,process,process.entry_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.3.0-dev,true,process,process.entry_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 
9.3.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.address,keyword,extended,,,Source network address. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. 
+9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. 9.3.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.port,long,core,,,Port of the source. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.3.0-dev,true,process,process.entry_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 9.3.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.3.0-dev,true,process,process.entry_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 9.3.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
9.3.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.entry_leader.exit_code,long,extended,,137,The exit code of the process. +9.3.0-dev,true,process,process.entry_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.3.0-dev,true,process,process.entry_leader.hash.md5,keyword,extended,,,MD5 hash. +9.3.0-dev,true,process,process.entry_leader.hash.sha1,keyword,extended,,,SHA1 hash. +9.3.0-dev,true,process,process.entry_leader.hash.sha256,keyword,extended,,,SHA256 hash. +9.3.0-dev,true,process,process.entry_leader.hash.sha384,keyword,extended,,,SHA384 hash. +9.3.0-dev,true,process,process.entry_leader.hash.sha512,keyword,extended,,,SHA512 hash. +9.3.0-dev,true,process,process.entry_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.3.0-dev,true,process,process.entry_leader.hash.tlsh,keyword,extended,,,TLSH hash. 9.3.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.3.0-dev,true,process,process.entry_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.3.0-dev,true,process,process.entry_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.3.0-dev,true,process,process.entry_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. 
+9.3.0-dev,true,process,process.entry_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.3.0-dev,true,process,process.entry_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.3.0-dev,true,process,process.entry_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.3.0-dev,true,process,process.entry_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.3.0-dev,true,process,process.entry_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.3.0-dev,true,process,process.entry_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.3.0-dev,true,process,process.entry_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.3.0-dev,true,process,process.entry_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.entry_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.entry_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.entry_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.entry_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. 
+9.3.0-dev,true,process,process.entry_leader.macho.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.3.0-dev,true,process,process.entry_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.entry_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.3.0-dev,true,process,process.entry_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.3.0-dev,true,process,process.entry_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.entry_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.3.0-dev,true,process,process.entry_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 9.3.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. 9.3.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name. +9.3.0-dev,true,process,process.entry_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.3.0-dev,true,process,process.entry_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. 
+9.3.0-dev,true,process,process.entry_leader.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.3.0-dev,true,process,process.entry_leader.parent.args_count,long,extended,,4,Length of the process.args array. +9.3.0-dev,true,process,process.entry_leader.parent.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.entry_leader.parent.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.parent.attested_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. 
+9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.3.0-dev,true,process,process.entry_leader.parent.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.3.0-dev,true,process,process.entry_leader.parent.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.entry_leader.parent.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.entry_leader.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.3.0-dev,true,process,process.entry_leader.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.3.0-dev,true,process,process.entry_leader.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.3.0-dev,true,process,process.entry_leader.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.3.0-dev,true,process,process.entry_leader.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.3.0-dev,true,process,process.entry_leader.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.3.0-dev,true,process,process.entry_leader.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.3.0-dev,true,process,process.entry_leader.parent.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.3.0-dev,true,process,process.entry_leader.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.3.0-dev,true,process,process.entry_leader.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+9.3.0-dev,true,process,process.entry_leader.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.3.0-dev,true,process,process.entry_leader.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.entry_leader.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.entry_leader.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.3.0-dev,true,process,process.entry_leader.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.3.0-dev,true,process,process.entry_leader.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.3.0-dev,true,process,process.entry_leader.parent.elf.creation_date,date,extended,,,Build or compile date. +9.3.0-dev,true,process,process.entry_leader.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +9.3.0-dev,true,process,process.entry_leader.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.3.0-dev,true,process,process.entry_leader.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.entry_leader.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.entry_leader.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.entry_leader.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.3.0-dev,true,process,process.entry_leader.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.3.0-dev,true,process,process.entry_leader.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.3.0-dev,true,process,process.entry_leader.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.3.0-dev,true,process,process.entry_leader.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.3.0-dev,true,process,process.entry_leader.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.3.0-dev,true,process,process.entry_leader.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.3.0-dev,true,process,process.entry_leader.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.3.0-dev,true,process,process.entry_leader.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +9.3.0-dev,true,process,process.entry_leader.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.3.0-dev,true,process,process.entry_leader.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
+9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.3.0-dev,true,process,process.entry_leader.parent.elf.segments,nested,extended,array,,ELF object segment list. +9.3.0-dev,true,process,process.entry_leader.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.3.0-dev,true,process,process.entry_leader.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +9.3.0-dev,true,process,process.entry_leader.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.3.0-dev,true,process,process.entry_leader.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.3.0-dev,true,process,process.entry_leader.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. 
+9.3.0-dev,true,process,process.entry_leader.parent.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 9.3.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.address,keyword,extended,,,Source network address. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.ip,ip,core,,,IP address of the source. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.port,long,core,,,Port of the source. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 
+9.3.0-dev,true,process,process.entry_leader.parent.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings.
+9.3.0-dev,true,process,process.entry_leader.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
+9.3.0-dev,true,process,process.entry_leader.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
+9.3.0-dev,true,process,process.entry_leader.parent.exit_code,long,extended,,137,The exit code of the process.
+9.3.0-dev,true,process,process.entry_leader.parent.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.entry_leader.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.entry_leader.parent.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.entry_leader.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
+9.3.0-dev,true,process,process.entry_leader.parent.hash.md5,keyword,extended,,,MD5 hash.
+9.3.0-dev,true,process,process.entry_leader.parent.hash.sha1,keyword,extended,,,SHA1 hash.
+9.3.0-dev,true,process,process.entry_leader.parent.hash.sha256,keyword,extended,,,SHA256 hash.
+9.3.0-dev,true,process,process.entry_leader.parent.hash.sha384,keyword,extended,,,SHA384 hash.
+9.3.0-dev,true,process,process.entry_leader.parent.hash.sha512,keyword,extended,,,SHA512 hash.
+9.3.0-dev,true,process,process.entry_leader.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+9.3.0-dev,true,process,process.entry_leader.parent.hash.tlsh,keyword,extended,,,TLSH hash.
+9.3.0-dev,true,process,process.entry_leader.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
+9.3.0-dev,true,process,process.entry_leader.parent.io,object,extended,,,A chunk of input or output (IO) from a single process.
+9.3.0-dev,true,process,process.entry_leader.parent.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped.
+9.3.0-dev,true,process,process.entry_leader.parent.io.bytes_skipped.length,long,extended,,,The length of bytes skipped.
+9.3.0-dev,true,process,process.entry_leader.parent.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.
+9.3.0-dev,true,process,process.entry_leader.parent.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting."
+9.3.0-dev,true,process,process.entry_leader.parent.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8.
+9.3.0-dev,true,process,process.entry_leader.parent.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event.
+9.3.0-dev,true,process,process.entry_leader.parent.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits.
+9.3.0-dev,true,process,process.entry_leader.parent.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.imports,flattened,extended,array,,List of imported element names and types.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`.
+9.3.0-dev,true,process,process.entry_leader.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
+9.3.0-dev,true,process,process.entry_leader.parent.name,keyword,extended,,ssh,Process name.
+9.3.0-dev,true,process,process.entry_leader.parent.name.text,match_only_text,extended,,ssh,Process name.
+9.3.0-dev,true,process,process.entry_leader.parent.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file.
+9.3.0-dev,true,process,process.entry_leader.parent.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+9.3.0-dev,true,process,process.entry_leader.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+9.3.0-dev,true,process,process.entry_leader.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.imports,flattened,extended,array,,List of imported element names and types.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+9.3.0-dev,true,process,process.entry_leader.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+9.3.0-dev,true,process,process.entry_leader.parent.pe.sections,nested,extended,array,,Section information of the PE file.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.sections.name,keyword,extended,,,PE Section List name.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
+9.3.0-dev,true,process,process.entry_leader.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
 9.3.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id.
+9.3.0-dev,true,process,process.entry_leader.parent.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system.
+9.3.0-dev,true,process,process.entry_leader.parent.real_group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.entry_leader.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.entry_leader.parent.real_group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.3.0-dev,true,process,process.entry_leader.parent.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+9.3.0-dev,true,process,process.entry_leader.parent.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.3.0-dev,true,process,process.entry_leader.parent.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.args_count,long,extended,,4,Length of the process.args array.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_groups.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.creation_date,date,extended,,,Build or compile date.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.exports,flattened,extended,array,,List of exported element names and types.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.class,keyword,extended,,,Header class of the ELF file.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.data,keyword,extended,,,Data table of the ELF header.
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.version,keyword,extended,,,Version of the ELF header. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections,nested,extended,array,,Section information of the ELF file. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.name,keyword,extended,,,ELF Section List name. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.type,keyword,extended,,,ELF Section List type. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.segments,nested,extended,array,,ELF object segment list. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.segments.type,keyword,extended,,,ELF object segment type. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 
9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.address,keyword,extended,,,Source network address. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.port,long,core,,,Port of the source. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.exit_code,long,extended,,137,The exit code of the process. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.md5,keyword,extended,,,MD5 hash. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha1,keyword,extended,,,SHA1 hash. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha256,keyword,extended,,,SHA256 hash. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha384,keyword,extended,,,SHA384 hash. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha512,keyword,extended,,,SHA512 hash. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.tlsh,keyword,extended,,,TLSH hash. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.name,keyword,extended,,ssh,Process name. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.name.text,match_only_text,extended,,ssh,Process name. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections,nested,extended,array,,Section information of the PE file. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.name,keyword,extended,,,PE Section List name. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.thread.id,long,extended,,4242,Thread ID. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.thread.name,keyword,extended,,thread-0,Thread name. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.title,keyword,extended,,,Process title. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.title.text,match_only_text,extended,,,Process title. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.tty,object,extended,,,Information about the controlling TTY device. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.uptime,long,extended,,1325,Seconds the process has been up. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.email,keyword,extended,,,User email address. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.3.0-dev,true,process,process.entry_leader.parent.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
9.3.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.3.0-dev,true,process,process.entry_leader.parent.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.entry_leader.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.3.0-dev,true,process,process.entry_leader.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.3.0-dev,true,process,process.entry_leader.parent.thread.id,long,extended,,4242,Thread ID. +9.3.0-dev,true,process,process.entry_leader.parent.thread.name,keyword,extended,,thread-0,Thread name. +9.3.0-dev,true,process,process.entry_leader.parent.title,keyword,extended,,,Process title. +9.3.0-dev,true,process,process.entry_leader.parent.title.text,match_only_text,extended,,,Process title. +9.3.0-dev,true,process,process.entry_leader.parent.tty,object,extended,,,Information about the controlling TTY device. +9.3.0-dev,true,process,process.entry_leader.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.3.0-dev,true,process,process.entry_leader.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.3.0-dev,true,process,process.entry_leader.parent.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.3.0-dev,true,process,process.entry_leader.parent.tty.rows,long,extended,,24,The number of character rows in the terminal. 
e.g terminal height +9.3.0-dev,true,process,process.entry_leader.parent.uptime,long,extended,,1325,Seconds the process has been up. +9.3.0-dev,true,process,process.entry_leader.parent.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.entry_leader.parent.user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.entry_leader.parent.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.entry_leader.parent.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.parent.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.parent.user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.entry_leader.parent.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.entry_leader.parent.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.entry_leader.parent.user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.user.entity.name.text,text,core,,,The name of the entity. 
+9.3.0-dev,true,process,process.entry_leader.parent.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.entry_leader.parent.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.entry_leader.parent.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.entry_leader.parent.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.entry_leader.parent.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.entry_leader.parent.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.parent.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.parent.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.entry_leader.parent.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.parent.user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.parent.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.entry_leader.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.entry_leader.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.3.0-dev,true,process,process.entry_leader.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.parent.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.parent.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.parent.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.entry_leader.parent.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.parent.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.parent.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.entry_leader.parent.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. +9.3.0-dev,true,process,process.entry_leader.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.3.0-dev,true,process,process.entry_leader.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.3.0-dev,true,process,process.entry_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+9.3.0-dev,true,process,process.entry_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.3.0-dev,true,process,process.entry_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.3.0-dev,true,process,process.entry_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.3.0-dev,true,process,process.entry_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.3.0-dev,true,process,process.entry_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.entry_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.entry_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.entry_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.entry_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.entry_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.entry_leader.pe.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.entry_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
+9.3.0-dev,true,process,process.entry_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.3.0-dev,true,process,process.entry_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.3.0-dev,true,process,process.entry_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.3.0-dev,true,process,process.entry_leader.pe.sections,nested,extended,array,,Section information of the PE file. +9.3.0-dev,true,process,process.entry_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.entry_leader.pe.sections.name,keyword,extended,,,PE Section List name. +9.3.0-dev,true,process,process.entry_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.3.0-dev,true,process,process.entry_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.entry_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 9.3.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id. +9.3.0-dev,true,process,process.entry_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.3.0-dev,true,process,process.entry_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. 
+9.3.0-dev,true,process,process.entry_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.entry_leader.real_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.entry_leader.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.entry_leader.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.entry_leader.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.real_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.entry_leader.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.entry_leader.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.entry_leader.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.entry_leader.real_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.real_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 
+9.3.0-dev,true,process,process.entry_leader.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.entry_leader.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.entry_leader.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.entry_leader.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.entry_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.entry_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.real_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 9.3.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.3.0-dev,true,process,process.entry_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.entry_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.entry_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.3.0-dev,true,process,process.entry_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. 
+9.3.0-dev,true,process,process.entry_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.entry_leader.saved_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.entry_leader.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.entry_leader.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.entry_leader.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.saved_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.entry_leader.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.entry_leader.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.entry_leader.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.entry_leader.saved_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.saved_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 
+9.3.0-dev,true,process,process.entry_leader.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.entry_leader.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.entry_leader.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.entry_leader.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.entry_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.entry_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.saved_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 9.3.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.3.0-dev,true,process,process.entry_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.entry_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.entry_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.3.0-dev,true,process,process.entry_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 
+9.3.0-dev,true,process,process.entry_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.3.0-dev,true,process,process.entry_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.3.0-dev,true,process,process.entry_leader.thread.id,long,extended,,4242,Thread ID. +9.3.0-dev,true,process,process.entry_leader.thread.name,keyword,extended,,thread-0,Thread name. +9.3.0-dev,true,process,process.entry_leader.title,keyword,extended,,,Process title. +9.3.0-dev,true,process,process.entry_leader.title.text,match_only_text,extended,,,Process title. 9.3.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. 9.3.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. 9.3.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.3.0-dev,true,process,process.entry_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.3.0-dev,true,process,process.entry_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.3.0-dev,true,process,process.entry_leader.uptime,long,extended,,1325,Seconds the process has been up. +9.3.0-dev,true,process,process.entry_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.entry_leader.user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.entry_leader.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 
+9.3.0-dev,true,process,process.entry_leader.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.entry_leader.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.entry_leader.user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.entry_leader.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.entry_leader.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.entry_leader.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.entry_leader.user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.entry_leader.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.entry_leader.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.entry_leader.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.entry_leader.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 
+9.3.0-dev,true,process,process.entry_leader.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.entry_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.entry_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.entry_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.entry_leader.user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.entry_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 9.3.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.entry_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.entry_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.3.0-dev,true,process,process.entry_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.entry_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.entry_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. 9.3.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 9.3.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.3.0-dev,true,process,process.entry_meta.source.address,keyword,extended,,,Source network address. +9.3.0-dev,true,process,process.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.3.0-dev,true,process,process.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.3.0-dev,true,process,process.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.3.0-dev,true,process,process.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. 
+9.3.0-dev,true,process,process.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,process,process.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,process,process.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,process,process.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,process,process.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,process,process.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,process,process.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,process,process.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,process,process.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,process,process.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,process,process.entry_meta.source.ip,ip,core,,,IP address of the source. +9.3.0-dev,true,process,process.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.3.0-dev,true,process,process.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.3.0-dev,true,process,process.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.3.0-dev,true,process,process.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.3.0-dev,true,process,process.entry_meta.source.port,long,core,,,Port of the source. +9.3.0-dev,true,process,process.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.3.0-dev,true,process,process.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. 
+9.3.0-dev,true,process,process.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.3.0-dev,true,process,process.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 9.3.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 9.3.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 9.3.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 9.3.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. +9.3.0-dev,true,process,process.group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.group.name,keyword,extended,,,Name of the group. 9.3.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 9.3.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +9.3.0-dev,true,process,process.group_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.group_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.group_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.group_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.group_leader.attested_user.email,keyword,extended,,,User email address. 
+9.3.0-dev,true,process,process.group_leader.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.group_leader.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.group_leader.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.group_leader.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.group_leader.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.group_leader.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.group_leader.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.group_leader.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.group_leader.attested_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.group_leader.attested_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.group_leader.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.group_leader.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.group_leader.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
+9.3.0-dev,true,process,process.group_leader.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.group_leader.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.group_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.group_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.group_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.group_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.group_leader.attested_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.group_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.group_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.group_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.group_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.group_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.3.0-dev,true,process,process.group_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.group_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.group_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.group_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.group_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.group_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.group_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.3.0-dev,true,process,process.group_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.3.0-dev,true,process,process.group_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.3.0-dev,true,process,process.group_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.3.0-dev,true,process,process.group_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+9.3.0-dev,true,process,process.group_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.3.0-dev,true,process,process.group_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.3.0-dev,true,process,process.group_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.3.0-dev,true,process,process.group_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.3.0-dev,true,process,process.group_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.3.0-dev,true,process,process.group_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 9.3.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 9.3.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.group_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.3.0-dev,true,process,process.group_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.3.0-dev,true,process,process.group_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.3.0-dev,true,process,process.group_leader.elf.creation_date,date,extended,,,Build or compile date. +9.3.0-dev,true,process,process.group_leader.elf.exports,flattened,extended,array,,List of exported element names and types. +9.3.0-dev,true,process,process.group_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. 
+9.3.0-dev,true,process,process.group_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.group_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.group_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.group_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.group_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.3.0-dev,true,process,process.group_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.3.0-dev,true,process,process.group_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.3.0-dev,true,process,process.group_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.3.0-dev,true,process,process.group_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.3.0-dev,true,process,process.group_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.3.0-dev,true,process,process.group_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.3.0-dev,true,process,process.group_leader.elf.header.version,keyword,extended,,,Version of the ELF header. +9.3.0-dev,true,process,process.group_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.3.0-dev,true,process,process.group_leader.elf.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.group_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+9.3.0-dev,true,process,process.group_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.group_leader.elf.sections,nested,extended,array,,Section information of the ELF file. +9.3.0-dev,true,process,process.group_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.3.0-dev,true,process,process.group_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.group_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.3.0-dev,true,process,process.group_leader.elf.sections.name,keyword,extended,,,ELF Section List name. +9.3.0-dev,true,process,process.group_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.3.0-dev,true,process,process.group_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.3.0-dev,true,process,process.group_leader.elf.sections.type,keyword,extended,,,ELF Section List type. +9.3.0-dev,true,process,process.group_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.group_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.3.0-dev,true,process,process.group_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.3.0-dev,true,process,process.group_leader.elf.segments,nested,extended,array,,ELF object segment list. +9.3.0-dev,true,process,process.group_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.3.0-dev,true,process,process.group_leader.elf.segments.type,keyword,extended,,,ELF object segment type. +9.3.0-dev,true,process,process.group_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 
+9.3.0-dev,true,process,process.group_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.3.0-dev,true,process,process.group_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.3.0-dev,true,process,process.group_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 9.3.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.address,keyword,extended,,,Source network address. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. 
+9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.3.0-dev,true,process,process.group_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.3.0-dev,true,process,process.group_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.port,long,core,,,Port of the source. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.3.0-dev,true,process,process.group_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.3.0-dev,true,process,process.group_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
+9.3.0-dev,true,process,process.group_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.3.0-dev,true,process,process.group_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 9.3.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 9.3.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.group_leader.exit_code,long,extended,,137,The exit code of the process. +9.3.0-dev,true,process,process.group_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.group_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.3.0-dev,true,process,process.group_leader.hash.md5,keyword,extended,,,MD5 hash. +9.3.0-dev,true,process,process.group_leader.hash.sha1,keyword,extended,,,SHA1 hash. +9.3.0-dev,true,process,process.group_leader.hash.sha256,keyword,extended,,,SHA256 hash. +9.3.0-dev,true,process,process.group_leader.hash.sha384,keyword,extended,,,SHA384 hash. +9.3.0-dev,true,process,process.group_leader.hash.sha512,keyword,extended,,,SHA512 hash. +9.3.0-dev,true,process,process.group_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.3.0-dev,true,process,process.group_leader.hash.tlsh,keyword,extended,,,TLSH hash. 9.3.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
+9.3.0-dev,true,process,process.group_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.3.0-dev,true,process,process.group_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.3.0-dev,true,process,process.group_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.3.0-dev,true,process,process.group_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.3.0-dev,true,process,process.group_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.3.0-dev,true,process,process.group_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.3.0-dev,true,process,process.group_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.3.0-dev,true,process,process.group_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.3.0-dev,true,process,process.group_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.3.0-dev,true,process,process.group_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.3.0-dev,true,process,process.group_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.group_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.3.0-dev,true,process,process.group_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.group_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.group_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.group_leader.macho.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.group_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.group_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.group_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.3.0-dev,true,process,process.group_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.group_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.3.0-dev,true,process,process.group_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.3.0-dev,true,process,process.group_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.group_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.3.0-dev,true,process,process.group_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 9.3.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. 
9.3.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name. +9.3.0-dev,true,process,process.group_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.3.0-dev,true,process,process.group_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.3.0-dev,true,process,process.group_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.3.0-dev,true,process,process.group_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.3.0-dev,true,process,process.group_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.3.0-dev,true,process,process.group_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.3.0-dev,true,process,process.group_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.3.0-dev,true,process,process.group_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.group_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.group_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.group_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.group_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+9.3.0-dev,true,process,process.group_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.group_leader.pe.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.group_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.group_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.group_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.3.0-dev,true,process,process.group_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.3.0-dev,true,process,process.group_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.3.0-dev,true,process,process.group_leader.pe.sections,nested,extended,array,,Section information of the PE file. +9.3.0-dev,true,process,process.group_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.group_leader.pe.sections.name,keyword,extended,,,PE Section List name. +9.3.0-dev,true,process,process.group_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.3.0-dev,true,process,process.group_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.group_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 9.3.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id. 
+9.3.0-dev,true,process,process.group_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.3.0-dev,true,process,process.group_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.group_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.group_leader.real_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.group_leader.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.group_leader.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.group_leader.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.group_leader.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.group_leader.real_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.group_leader.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.group_leader.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 
+9.3.0-dev,true,process,process.group_leader.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.group_leader.real_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.group_leader.real_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.group_leader.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.group_leader.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.group_leader.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.group_leader.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.group_leader.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.group_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.group_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.group_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.group_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.group_leader.real_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.group_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
9.3.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.group_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.group_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.group_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.group_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.group_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.group_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.group_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. 
+9.3.0-dev,true,process,process.group_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.group_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.group_leader.saved_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.group_leader.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.group_leader.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.group_leader.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.group_leader.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.group_leader.saved_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.group_leader.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.group_leader.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.group_leader.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.group_leader.saved_user.entity.name,keyword,core,,,The name of the entity. 
+9.3.0-dev,true,process,process.group_leader.saved_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.group_leader.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.group_leader.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.group_leader.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.group_leader.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.group_leader.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.group_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.group_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.group_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.group_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.group_leader.saved_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.group_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 9.3.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 
9.3.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.group_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.group_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.group_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.group_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.group_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.group_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.group_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.3.0-dev,true,process,process.group_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. 
+9.3.0-dev,true,process,process.group_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.3.0-dev,true,process,process.group_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.3.0-dev,true,process,process.group_leader.thread.id,long,extended,,4242,Thread ID. +9.3.0-dev,true,process,process.group_leader.thread.name,keyword,extended,,thread-0,Thread name. +9.3.0-dev,true,process,process.group_leader.title,keyword,extended,,,Process title. +9.3.0-dev,true,process,process.group_leader.title.text,match_only_text,extended,,,Process title. 9.3.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. 9.3.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. 9.3.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.3.0-dev,true,process,process.group_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.3.0-dev,true,process,process.group_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.3.0-dev,true,process,process.group_leader.uptime,long,extended,,1325,Seconds the process has been up. +9.3.0-dev,true,process,process.group_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.group_leader.user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.group_leader.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 
+9.3.0-dev,true,process,process.group_leader.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.group_leader.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.group_leader.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.group_leader.user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.group_leader.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.group_leader.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.group_leader.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.group_leader.user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.group_leader.user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.group_leader.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.group_leader.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.group_leader.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.group_leader.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 
+9.3.0-dev,true,process,process.group_leader.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.group_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.group_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.group_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.group_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.group_leader.user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.group_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 9.3.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.group_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.group_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.group_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.3.0-dev,true,process,process.group_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.group_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.group_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.group_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. 9.3.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 9.3.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
@@ -832,8 +2154,46 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 9.3.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. 9.3.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. +9.3.0-dev,true,process,process.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.3.0-dev,true,process,process.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. 9.3.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 9.3.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +9.3.0-dev,true,process,process.parent.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.parent.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.parent.attested_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.parent.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.parent.attested_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.parent.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.parent.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 
+9.3.0-dev,true,process,process.parent.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.parent.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.parent.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.parent.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.parent.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.parent.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.parent.attested_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.parent.attested_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.parent.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.parent.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.parent.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.parent.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.parent.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
+9.3.0-dev,true,process,process.parent.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.parent.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.parent.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.parent.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.parent.attested_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.parent.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.parent.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.parent.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.parent.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.parent.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.parent.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.parent.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.parent.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.3.0-dev,true,process,process.parent.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.parent.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.parent.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 9.3.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 9.3.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 
@@ -886,16 +2246,356 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 9.3.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 9.3.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.3.0-dev,true,process,process.parent.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 9.3.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.3.0-dev,true,process,process.parent.entry_meta.source.address,keyword,extended,,,Source network address. +9.3.0-dev,true,process,process.parent.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.3.0-dev,true,process,process.parent.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.parent.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.parent.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.3.0-dev,true,process,process.parent.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.3.0-dev,true,process,process.parent.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,process,process.parent.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,process,process.parent.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,process,process.parent.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
+9.3.0-dev,true,process,process.parent.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,process,process.parent.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,process,process.parent.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,process,process.parent.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,process,process.parent.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,process,process.parent.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,process,process.parent.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,process,process.parent.entry_meta.source.ip,ip,core,,,IP address of the source. +9.3.0-dev,true,process,process.parent.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.3.0-dev,true,process,process.parent.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.3.0-dev,true,process,process.parent.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.3.0-dev,true,process,process.parent.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.3.0-dev,true,process,process.parent.entry_meta.source.port,long,core,,,Port of the source. +9.3.0-dev,true,process,process.parent.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.3.0-dev,true,process,process.parent.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.3.0-dev,true,process,process.parent.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
+9.3.0-dev,true,process,process.parent.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.3.0-dev,true,process,process.parent.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 9.3.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 9.3.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 9.3.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +9.3.0-dev,true,process,process.parent.group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.parent.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.3.0-dev,true,process,process.parent.group_leader.args_count,long,extended,,4,Length of the process.args array. +9.3.0-dev,true,process,process.parent.group_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.parent.group_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.parent.group_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.email,keyword,extended,,,User email address. 
+9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
+9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.parent.group_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.parent.group_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.3.0-dev,true,process,process.parent.group_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.parent.group_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.parent.group_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.parent.group_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.parent.group_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.3.0-dev,true,process,process.parent.group_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
+9.3.0-dev,true,process,process.parent.group_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.3.0-dev,true,process,process.parent.group_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.3.0-dev,true,process,process.parent.group_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.3.0-dev,true,process,process.parent.group_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.3.0-dev,true,process,process.parent.group_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.3.0-dev,true,process,process.parent.group_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.3.0-dev,true,process,process.parent.group_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.3.0-dev,true,process,process.parent.group_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.3.0-dev,true,process,process.parent.group_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.3.0-dev,true,process,process.parent.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.parent.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.parent.group_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. 
+9.3.0-dev,true,process,process.parent.group_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.3.0-dev,true,process,process.parent.group_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.3.0-dev,true,process,process.parent.group_leader.elf.creation_date,date,extended,,,Build or compile date. +9.3.0-dev,true,process,process.parent.group_leader.elf.exports,flattened,extended,array,,List of exported element names and types. +9.3.0-dev,true,process,process.parent.group_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.3.0-dev,true,process,process.parent.group_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.parent.group_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.parent.group_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.parent.group_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.parent.group_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.3.0-dev,true,process,process.parent.group_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.3.0-dev,true,process,process.parent.group_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.3.0-dev,true,process,process.parent.group_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.3.0-dev,true,process,process.parent.group_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
+9.3.0-dev,true,process,process.parent.group_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.3.0-dev,true,process,process.parent.group_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.3.0-dev,true,process,process.parent.group_leader.elf.header.version,keyword,extended,,,Version of the ELF header. +9.3.0-dev,true,process,process.parent.group_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.3.0-dev,true,process,process.parent.group_leader.elf.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.parent.group_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.parent.group_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.parent.group_leader.elf.sections,nested,extended,array,,Section information of the ELF file. +9.3.0-dev,true,process,process.parent.group_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.3.0-dev,true,process,process.parent.group_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.parent.group_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.3.0-dev,true,process,process.parent.group_leader.elf.sections.name,keyword,extended,,,ELF Section List name. +9.3.0-dev,true,process,process.parent.group_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.3.0-dev,true,process,process.parent.group_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 
+9.3.0-dev,true,process,process.parent.group_leader.elf.sections.type,keyword,extended,,,ELF Section List type. +9.3.0-dev,true,process,process.parent.group_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.parent.group_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.3.0-dev,true,process,process.parent.group_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.3.0-dev,true,process,process.parent.group_leader.elf.segments,nested,extended,array,,ELF object segment list. +9.3.0-dev,true,process,process.parent.group_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.3.0-dev,true,process,process.parent.group_leader.elf.segments.type,keyword,extended,,,ELF object segment type. +9.3.0-dev,true,process,process.parent.group_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.3.0-dev,true,process,process.parent.group_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.3.0-dev,true,process,process.parent.group_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.3.0-dev,true,process,process.parent.group_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 9.3.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.address,keyword,extended,,,Source network address. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.ip,ip,core,,,IP address of the source. 
+9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.port,long,core,,,Port of the source. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.3.0-dev,true,process,process.parent.group_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.3.0-dev,true,process,process.parent.group_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.3.0-dev,true,process,process.parent.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.parent.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.parent.group_leader.exit_code,long,extended,,137,The exit code of the process. +9.3.0-dev,true,process,process.parent.group_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.3.0-dev,true,process,process.parent.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.parent.group_leader.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.parent.group_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.3.0-dev,true,process,process.parent.group_leader.hash.md5,keyword,extended,,,MD5 hash. +9.3.0-dev,true,process,process.parent.group_leader.hash.sha1,keyword,extended,,,SHA1 hash. +9.3.0-dev,true,process,process.parent.group_leader.hash.sha256,keyword,extended,,,SHA256 hash. +9.3.0-dev,true,process,process.parent.group_leader.hash.sha384,keyword,extended,,,SHA384 hash. +9.3.0-dev,true,process,process.parent.group_leader.hash.sha512,keyword,extended,,,SHA512 hash. +9.3.0-dev,true,process,process.parent.group_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.3.0-dev,true,process,process.parent.group_leader.hash.tlsh,keyword,extended,,,TLSH hash. +9.3.0-dev,true,process,process.parent.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.3.0-dev,true,process,process.parent.group_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.3.0-dev,true,process,process.parent.group_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.3.0-dev,true,process,process.parent.group_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.3.0-dev,true,process,process.parent.group_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 
+9.3.0-dev,true,process,process.parent.group_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.3.0-dev,true,process,process.parent.group_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.3.0-dev,true,process,process.parent.group_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.3.0-dev,true,process,process.parent.group_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.3.0-dev,true,process,process.parent.group_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.3.0-dev,true,process,process.parent.group_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.3.0-dev,true,process,process.parent.group_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.parent.group_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.parent.group_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.parent.group_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.parent.group_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.parent.group_leader.macho.imports,flattened,extended,array,,List of imported element names and types. 
+9.3.0-dev,true,process,process.parent.group_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.parent.group_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.parent.group_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.3.0-dev,true,process,process.parent.group_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.parent.group_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.3.0-dev,true,process,process.parent.group_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.3.0-dev,true,process,process.parent.group_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.parent.group_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.3.0-dev,true,process,process.parent.group_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.parent.group_leader.name,keyword,extended,,ssh,Process name. +9.3.0-dev,true,process,process.parent.group_leader.name.text,match_only_text,extended,,ssh,Process name. +9.3.0-dev,true,process,process.parent.group_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.3.0-dev,true,process,process.parent.group_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. 
+9.3.0-dev,true,process,process.parent.group_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.3.0-dev,true,process,process.parent.group_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.3.0-dev,true,process,process.parent.group_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.3.0-dev,true,process,process.parent.group_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.3.0-dev,true,process,process.parent.group_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.3.0-dev,true,process,process.parent.group_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.parent.group_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.parent.group_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.parent.group_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.parent.group_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.parent.group_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.parent.group_leader.pe.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.parent.group_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+9.3.0-dev,true,process,process.parent.group_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.parent.group_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.3.0-dev,true,process,process.parent.group_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.3.0-dev,true,process,process.parent.group_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.3.0-dev,true,process,process.parent.group_leader.pe.sections,nested,extended,array,,Section information of the PE file. +9.3.0-dev,true,process,process.parent.group_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.parent.group_leader.pe.sections.name,keyword,extended,,,PE Section List name. +9.3.0-dev,true,process,process.parent.group_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.3.0-dev,true,process,process.parent.group_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.parent.group_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 9.3.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +9.3.0-dev,true,process,process.parent.group_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.3.0-dev,true,process,process.parent.group_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.3.0-dev,true,process,process.parent.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.parent.group_leader.real_group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.parent.group_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.parent.group_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.parent.group_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.parent.group_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.3.0-dev,true,process,process.parent.group_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+9.3.0-dev,true,process,process.parent.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process.
+9.3.0-dev,true,process,process.parent.group_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.parent.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.parent.group_leader.saved_group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.3.0-dev,true,process,process.parent.group_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+9.3.0-dev,true,process,process.parent.group_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.parent.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.parent.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.parent.group_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
+9.3.0-dev,true,process,process.parent.group_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
+9.3.0-dev,true,process,process.parent.group_leader.thread.id,long,extended,,4242,Thread ID.
+9.3.0-dev,true,process,process.parent.group_leader.thread.name,keyword,extended,,thread-0,Thread name.
+9.3.0-dev,true,process,process.parent.group_leader.title,keyword,extended,,,Process title.
+9.3.0-dev,true,process,process.parent.group_leader.title.text,match_only_text,extended,,,Process title.
+9.3.0-dev,true,process,process.parent.group_leader.tty,object,extended,,,Information about the controlling TTY device.
+9.3.0-dev,true,process,process.parent.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number.
+9.3.0-dev,true,process,process.parent.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
+9.3.0-dev,true,process,process.parent.group_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width
+9.3.0-dev,true,process,process.parent.group_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height
+9.3.0-dev,true,process,process.parent.group_leader.uptime,long,extended,,1325,Seconds the process has been up.
+9.3.0-dev,true,process,process.parent.group_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,process,process.parent.group_leader.user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,process,process.parent.group_leader.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,process,process.parent.group_leader.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,process,process.parent.group_leader.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.parent.group_leader.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.parent.group_leader.user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,process,process.parent.group_leader.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,process,process.parent.group_leader.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,process,process.parent.group_leader.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,process,process.parent.group_leader.user.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,process,process.parent.group_leader.user.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,process,process.parent.group_leader.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,process,process.parent.group_leader.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,process,process.parent.group_leader.user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,process,process.parent.group_leader.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,process,process.parent.group_leader.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev,true,process,process.parent.group_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.parent.group_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.parent.group_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.parent.group_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.parent.group_leader.user.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.parent.group_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+9.3.0-dev,true,process,process.parent.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+9.3.0-dev,true,process,process.parent.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.parent.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.parent.group_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.parent.group_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.parent.group_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,process,process.parent.group_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.parent.group_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.parent.group_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.3.0-dev,true,process,process.parent.group_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id.
+9.3.0-dev,true,process,process.parent.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process.
+9.3.0-dev,true,process,process.parent.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
 9.3.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
 9.3.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
 9.3.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
@@ -905,6 +2605,15 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
 9.3.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash.
 9.3.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
+9.3.0-dev,true,process,process.parent.io,object,extended,,,A chunk of input or output (IO) from a single process.
+9.3.0-dev,true,process,process.parent.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped.
+9.3.0-dev,true,process,process.parent.io.bytes_skipped.length,long,extended,,,The length of bytes skipped.
+9.3.0-dev,true,process,process.parent.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.
+9.3.0-dev,true,process,process.parent.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting."
+9.3.0-dev,true,process,process.parent.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8.
+9.3.0-dev,true,process,process.parent.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event.
+9.3.0-dev,true,process,process.parent.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits.
+9.3.0-dev,true,process,process.parent.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken.
 9.3.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file.
 9.3.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types.
 9.3.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
@@ -923,6 +2632,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
 9.3.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name.
 9.3.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name.
+9.3.0-dev,true,process,process.parent.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file.
+9.3.0-dev,true,process,process.parent.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted.
 9.3.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 9.3.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 9.3.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
@@ -947,17 +2658,82 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
 9.3.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
 9.3.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
+9.3.0-dev,true,process,process.parent.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system.
+9.3.0-dev,true,process,process.parent.real_group.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.parent.real_user.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,process,process.parent.real_user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,process,process.parent.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,process,process.parent.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,process,process.parent.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.parent.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.parent.real_user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,process,process.parent.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,process,process.parent.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,process,process.parent.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,process,process.parent.real_user.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,process,process.parent.real_user.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,process,process.parent.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,process,process.parent.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,process,process.parent.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,process,process.parent.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,process,process.parent.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev,true,process,process.parent.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.parent.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.parent.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.parent.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.parent.real_user.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.parent.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.parent.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.parent.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.parent.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,process,process.parent.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.parent.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.parent.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.3.0-dev,true,process,process.parent.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+9.3.0-dev,true,process,process.parent.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process.
+9.3.0-dev,true,process,process.parent.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.parent.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,process,process.parent.saved_user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,process,process.parent.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,process,process.parent.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,process,process.parent.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.parent.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.parent.saved_user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,process,process.parent.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,process,process.parent.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,process,process.parent.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,process,process.parent.saved_user.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,process,process.parent.saved_user.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,process,process.parent.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,process,process.parent.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,process,process.parent.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,process,process.parent.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,process,process.parent.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev,true,process,process.parent.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.parent.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.parent.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.parent.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.parent.saved_user.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.parent.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.parent.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.parent.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.parent.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,process,process.parent.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.parent.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.parent.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.3.0-dev,true,process,process.parent.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+9.3.0-dev,true,process,process.parent.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group.
9.3.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. 
@@ -969,10 +2745,42 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. 9.3.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. 9.3.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.3.0-dev,true,process,process.parent.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.3.0-dev,true,process,process.parent.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height 9.3.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +9.3.0-dev,true,process,process.parent.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.parent.user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.parent.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.parent.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.parent.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.parent.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.parent.user.entity.id,keyword,core,,,Unique identifier for the entity. 
+9.3.0-dev,true,process,process.parent.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.parent.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.parent.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.parent.user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.parent.user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.parent.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.parent.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.parent.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.parent.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.parent.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.parent.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.parent.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.parent.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.parent.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.parent.user.group.name,keyword,extended,,,Name of the group. 
+9.3.0-dev,true,process,process.parent.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 9.3.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.parent.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.parent.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.parent.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.parent.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.parent.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.parent.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.parent.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id. 9.3.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. 
9.3.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
@@ -1000,65 +2808,1652 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 9.3.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 9.3.0-dev,true,process,process.pid,long,core,,4242,Process id. +9.3.0-dev,true,process,process.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. 9.3.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 9.3.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +9.3.0-dev,true,process,process.previous.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.previous.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.previous.attested_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.previous.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.previous.attested_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.previous.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.previous.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.previous.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
+9.3.0-dev,true,process,process.previous.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.previous.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.previous.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.previous.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.previous.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.previous.attested_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.previous.attested_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.previous.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.previous.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.previous.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.previous.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.previous.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.previous.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+9.3.0-dev,true,process,process.previous.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.previous.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.previous.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.previous.attested_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.previous.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.previous.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.previous.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.previous.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.previous.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.previous.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.previous.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.previous.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.3.0-dev,true,process,process.previous.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.previous.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.previous.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.previous.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.3.0-dev,true,process,process.previous.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.3.0-dev,true,process,process.previous.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.3.0-dev,true,process,process.previous.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.3.0-dev,true,process,process.previous.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.3.0-dev,true,process,process.previous.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.3.0-dev,true,process,process.previous.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.3.0-dev,true,process,process.previous.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.3.0-dev,true,process,process.previous.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.3.0-dev,true,process,process.previous.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
+9.3.0-dev,true,process,process.previous.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.3.0-dev,true,process,process.previous.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.previous.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.previous.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.3.0-dev,true,process,process.previous.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.3.0-dev,true,process,process.previous.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.3.0-dev,true,process,process.previous.elf.creation_date,date,extended,,,Build or compile date. +9.3.0-dev,true,process,process.previous.elf.exports,flattened,extended,array,,List of exported element names and types. +9.3.0-dev,true,process,process.previous.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.3.0-dev,true,process,process.previous.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.previous.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.previous.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.previous.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.previous.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 
+9.3.0-dev,true,process,process.previous.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.3.0-dev,true,process,process.previous.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.3.0-dev,true,process,process.previous.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.3.0-dev,true,process,process.previous.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.3.0-dev,true,process,process.previous.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.3.0-dev,true,process,process.previous.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.3.0-dev,true,process,process.previous.elf.header.version,keyword,extended,,,Version of the ELF header. +9.3.0-dev,true,process,process.previous.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.3.0-dev,true,process,process.previous.elf.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.previous.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.previous.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.previous.elf.sections,nested,extended,array,,Section information of the ELF file. +9.3.0-dev,true,process,process.previous.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.3.0-dev,true,process,process.previous.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.previous.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.3.0-dev,true,process,process.previous.elf.sections.name,keyword,extended,,,ELF Section List name. 
+9.3.0-dev,true,process,process.previous.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.3.0-dev,true,process,process.previous.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.3.0-dev,true,process,process.previous.elf.sections.type,keyword,extended,,,ELF Section List type. +9.3.0-dev,true,process,process.previous.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.previous.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.3.0-dev,true,process,process.previous.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.3.0-dev,true,process,process.previous.elf.segments,nested,extended,array,,ELF object segment list. +9.3.0-dev,true,process,process.previous.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.3.0-dev,true,process,process.previous.elf.segments.type,keyword,extended,,,ELF object segment type. +9.3.0-dev,true,process,process.previous.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.3.0-dev,true,process,process.previous.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.3.0-dev,true,process,process.previous.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.3.0-dev,true,process,process.previous.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. +9.3.0-dev,true,process,process.previous.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.3.0-dev,true,process,process.previous.entry_meta.source.address,keyword,extended,,,Source network address. +9.3.0-dev,true,process,process.previous.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
+9.3.0-dev,true,process,process.previous.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.previous.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.previous.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.3.0-dev,true,process,process.previous.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.3.0-dev,true,process,process.previous.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,process,process.previous.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,process,process.previous.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,process,process.previous.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,process,process.previous.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,process,process.previous.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,process,process.previous.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,process,process.previous.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,process,process.previous.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,process,process.previous.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,process,process.previous.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,process,process.previous.entry_meta.source.ip,ip,core,,,IP address of the source. 
+9.3.0-dev,true,process,process.previous.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.3.0-dev,true,process,process.previous.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.3.0-dev,true,process,process.previous.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.3.0-dev,true,process,process.previous.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.3.0-dev,true,process,process.previous.entry_meta.source.port,long,core,,,Port of the source. +9.3.0-dev,true,process,process.previous.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.3.0-dev,true,process,process.previous.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.3.0-dev,true,process,process.previous.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.3.0-dev,true,process,process.previous.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.3.0-dev,true,process,process.previous.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 9.3.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 9.3.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.previous.exit_code,long,extended,,137,The exit code of the process. +9.3.0-dev,true,process,process.previous.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.previous.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.previous.group.name,keyword,extended,,,Name of the group. 
+9.3.0-dev,true,process,process.previous.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.3.0-dev,true,process,process.previous.hash.md5,keyword,extended,,,MD5 hash. +9.3.0-dev,true,process,process.previous.hash.sha1,keyword,extended,,,SHA1 hash. +9.3.0-dev,true,process,process.previous.hash.sha256,keyword,extended,,,SHA256 hash. +9.3.0-dev,true,process,process.previous.hash.sha384,keyword,extended,,,SHA384 hash. +9.3.0-dev,true,process,process.previous.hash.sha512,keyword,extended,,,SHA512 hash. +9.3.0-dev,true,process,process.previous.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.3.0-dev,true,process,process.previous.hash.tlsh,keyword,extended,,,TLSH hash. +9.3.0-dev,true,process,process.previous.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.3.0-dev,true,process,process.previous.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.3.0-dev,true,process,process.previous.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.3.0-dev,true,process,process.previous.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.3.0-dev,true,process,process.previous.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.3.0-dev,true,process,process.previous.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.3.0-dev,true,process,process.previous.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.3.0-dev,true,process,process.previous.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. 
+9.3.0-dev,true,process,process.previous.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.3.0-dev,true,process,process.previous.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.3.0-dev,true,process,process.previous.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.3.0-dev,true,process,process.previous.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.previous.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.previous.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.previous.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.previous.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.previous.macho.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.previous.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.previous.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.previous.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.3.0-dev,true,process,process.previous.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
+9.3.0-dev,true,process,process.previous.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.3.0-dev,true,process,process.previous.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.3.0-dev,true,process,process.previous.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.previous.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.3.0-dev,true,process,process.previous.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.previous.name,keyword,extended,,ssh,Process name. +9.3.0-dev,true,process,process.previous.name.text,match_only_text,extended,,ssh,Process name. +9.3.0-dev,true,process,process.previous.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.3.0-dev,true,process,process.previous.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.3.0-dev,true,process,process.previous.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.3.0-dev,true,process,process.previous.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.3.0-dev,true,process,process.previous.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.3.0-dev,true,process,process.previous.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.3.0-dev,true,process,process.previous.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 
+9.3.0-dev,true,process,process.previous.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.previous.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.previous.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.previous.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.previous.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.previous.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.previous.pe.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.previous.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.previous.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.previous.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.3.0-dev,true,process,process.previous.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.3.0-dev,true,process,process.previous.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.3.0-dev,true,process,process.previous.pe.sections,nested,extended,array,,Section information of the PE file. 
+9.3.0-dev,true,process,process.previous.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.previous.pe.sections.name,keyword,extended,,,PE Section List name. +9.3.0-dev,true,process,process.previous.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.3.0-dev,true,process,process.previous.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.previous.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.3.0-dev,true,process,process.previous.pid,long,core,,4242,Process id. +9.3.0-dev,true,process,process.previous.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.3.0-dev,true,process,process.previous.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.previous.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.previous.real_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.previous.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.previous.real_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.previous.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.previous.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.previous.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
+9.3.0-dev,true,process,process.previous.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.previous.real_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.previous.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.previous.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.previous.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.previous.real_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.previous.real_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.previous.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.previous.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.previous.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.previous.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.previous.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.previous.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.previous.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+9.3.0-dev,true,process,process.previous.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.previous.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.previous.real_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.previous.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.previous.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.previous.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.previous.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.previous.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.previous.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.previous.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.previous.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.previous.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.3.0-dev,true,process,process.previous.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.previous.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.previous.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.3.0-dev,true,process,process.previous.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.previous.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.previous.saved_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.previous.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.previous.saved_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.previous.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.previous.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.previous.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.previous.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.previous.saved_user.entity.id,keyword,core,,,Unique identifier for the entity. 
+9.3.0-dev,true,process,process.previous.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.previous.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.previous.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.previous.saved_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.previous.saved_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.previous.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.previous.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.previous.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.previous.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.previous.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.previous.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.previous.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.previous.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.previous.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+9.3.0-dev,true,process,process.previous.saved_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.previous.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.previous.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.previous.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.previous.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.previous.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.previous.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.previous.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.previous.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.previous.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.previous.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.previous.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+9.3.0-dev,true,process,process.previous.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.3.0-dev,true,process,process.previous.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.previous.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.previous.supplemental_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.previous.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.3.0-dev,true,process,process.previous.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.3.0-dev,true,process,process.previous.thread.id,long,extended,,4242,Thread ID. +9.3.0-dev,true,process,process.previous.thread.name,keyword,extended,,thread-0,Thread name. +9.3.0-dev,true,process,process.previous.title,keyword,extended,,,Process title. +9.3.0-dev,true,process,process.previous.title.text,match_only_text,extended,,,Process title. +9.3.0-dev,true,process,process.previous.tty,object,extended,,,Information about the controlling TTY device. +9.3.0-dev,true,process,process.previous.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.3.0-dev,true,process,process.previous.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.3.0-dev,true,process,process.previous.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.3.0-dev,true,process,process.previous.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.3.0-dev,true,process,process.previous.uptime,long,extended,,1325,Seconds the process has been up. 
+9.3.0-dev,true,process,process.previous.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.previous.user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.previous.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.previous.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.previous.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.previous.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.previous.user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.previous.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.previous.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.previous.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.previous.user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.previous.user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.previous.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.previous.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
+9.3.0-dev,true,process,process.previous.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.previous.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.previous.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.previous.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.previous.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.previous.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.previous.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.previous.user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.previous.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.previous.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.previous.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.previous.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.previous.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.previous.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.3.0-dev,true,process,process.previous.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.previous.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.previous.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.previous.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.previous.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.previous.vpid,long,core,,4242,Virtual process id. +9.3.0-dev,true,process,process.previous.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.3.0-dev,true,process,process.previous.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.3.0-dev,true,process,process.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.real_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 
+9.3.0-dev,true,process,process.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.real_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.real_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.real_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
+9.3.0-dev,true,process,process.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.real_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 9.3.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.3.0-dev,true,process,process.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.responsible.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.3.0-dev,true,process,process.responsible.args_count,long,extended,,4,Length of the process.args array. +9.3.0-dev,true,process,process.responsible.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.responsible.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.responsible.attested_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.responsible.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.responsible.attested_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.responsible.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.responsible.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.responsible.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
+9.3.0-dev,true,process,process.responsible.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.responsible.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.responsible.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.responsible.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.responsible.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.responsible.attested_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.responsible.attested_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.responsible.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.responsible.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.responsible.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.responsible.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.responsible.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.responsible.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+9.3.0-dev,true,process,process.responsible.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.responsible.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.responsible.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.responsible.attested_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.responsible.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.responsible.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.responsible.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.responsible.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.responsible.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.responsible.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.responsible.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.responsible.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.3.0-dev,true,process,process.responsible.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.responsible.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.responsible.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.responsible.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.3.0-dev,true,process,process.responsible.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.3.0-dev,true,process,process.responsible.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.3.0-dev,true,process,process.responsible.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.3.0-dev,true,process,process.responsible.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.3.0-dev,true,process,process.responsible.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.3.0-dev,true,process,process.responsible.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.3.0-dev,true,process,process.responsible.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.3.0-dev,true,process,process.responsible.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+9.3.0-dev,true,process,process.responsible.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.3.0-dev,true,process,process.responsible.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.3.0-dev,true,process,process.responsible.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.responsible.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.responsible.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.3.0-dev,true,process,process.responsible.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.3.0-dev,true,process,process.responsible.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.3.0-dev,true,process,process.responsible.elf.creation_date,date,extended,,,Build or compile date. +9.3.0-dev,true,process,process.responsible.elf.exports,flattened,extended,array,,List of exported element names and types. +9.3.0-dev,true,process,process.responsible.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.3.0-dev,true,process,process.responsible.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.responsible.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.responsible.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.responsible.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.3.0-dev,true,process,process.responsible.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.3.0-dev,true,process,process.responsible.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.3.0-dev,true,process,process.responsible.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.3.0-dev,true,process,process.responsible.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.3.0-dev,true,process,process.responsible.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.3.0-dev,true,process,process.responsible.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.3.0-dev,true,process,process.responsible.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.3.0-dev,true,process,process.responsible.elf.header.version,keyword,extended,,,Version of the ELF header. +9.3.0-dev,true,process,process.responsible.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.3.0-dev,true,process,process.responsible.elf.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.responsible.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.responsible.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.responsible.elf.sections,nested,extended,array,,Section information of the ELF file. +9.3.0-dev,true,process,process.responsible.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.3.0-dev,true,process,process.responsible.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
+9.3.0-dev,true,process,process.responsible.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.3.0-dev,true,process,process.responsible.elf.sections.name,keyword,extended,,,ELF Section List name. +9.3.0-dev,true,process,process.responsible.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.3.0-dev,true,process,process.responsible.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.3.0-dev,true,process,process.responsible.elf.sections.type,keyword,extended,,,ELF Section List type. +9.3.0-dev,true,process,process.responsible.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.responsible.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.3.0-dev,true,process,process.responsible.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.3.0-dev,true,process,process.responsible.elf.segments,nested,extended,array,,ELF object segment list. +9.3.0-dev,true,process,process.responsible.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.3.0-dev,true,process,process.responsible.elf.segments.type,keyword,extended,,,ELF object segment type. +9.3.0-dev,true,process,process.responsible.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.3.0-dev,true,process,process.responsible.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.3.0-dev,true,process,process.responsible.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.3.0-dev,true,process,process.responsible.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. +9.3.0-dev,true,process,process.responsible.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
+9.3.0-dev,true,process,process.responsible.entry_meta.source.address,keyword,extended,,,Source network address. +9.3.0-dev,true,process,process.responsible.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.3.0-dev,true,process,process.responsible.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.responsible.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.responsible.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.3.0-dev,true,process,process.responsible.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
+9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,process,process.responsible.entry_meta.source.ip,ip,core,,,IP address of the source. +9.3.0-dev,true,process,process.responsible.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.3.0-dev,true,process,process.responsible.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.3.0-dev,true,process,process.responsible.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.3.0-dev,true,process,process.responsible.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.3.0-dev,true,process,process.responsible.entry_meta.source.port,long,core,,,Port of the source. +9.3.0-dev,true,process,process.responsible.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.3.0-dev,true,process,process.responsible.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.3.0-dev,true,process,process.responsible.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.3.0-dev,true,process,process.responsible.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.3.0-dev,true,process,process.responsible.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.3.0-dev,true,process,process.responsible.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.responsible.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+9.3.0-dev,true,process,process.responsible.exit_code,long,extended,,137,The exit code of the process. +9.3.0-dev,true,process,process.responsible.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.responsible.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.responsible.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.responsible.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.3.0-dev,true,process,process.responsible.hash.md5,keyword,extended,,,MD5 hash. +9.3.0-dev,true,process,process.responsible.hash.sha1,keyword,extended,,,SHA1 hash. +9.3.0-dev,true,process,process.responsible.hash.sha256,keyword,extended,,,SHA256 hash. +9.3.0-dev,true,process,process.responsible.hash.sha384,keyword,extended,,,SHA384 hash. +9.3.0-dev,true,process,process.responsible.hash.sha512,keyword,extended,,,SHA512 hash. +9.3.0-dev,true,process,process.responsible.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.3.0-dev,true,process,process.responsible.hash.tlsh,keyword,extended,,,TLSH hash. +9.3.0-dev,true,process,process.responsible.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.3.0-dev,true,process,process.responsible.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.3.0-dev,true,process,process.responsible.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.3.0-dev,true,process,process.responsible.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.3.0-dev,true,process,process.responsible.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 
+9.3.0-dev,true,process,process.responsible.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.3.0-dev,true,process,process.responsible.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.3.0-dev,true,process,process.responsible.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.3.0-dev,true,process,process.responsible.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.3.0-dev,true,process,process.responsible.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.3.0-dev,true,process,process.responsible.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.3.0-dev,true,process,process.responsible.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.responsible.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.responsible.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.responsible.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.responsible.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.responsible.macho.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.responsible.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+9.3.0-dev,true,process,process.responsible.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.responsible.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.3.0-dev,true,process,process.responsible.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.responsible.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.3.0-dev,true,process,process.responsible.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.3.0-dev,true,process,process.responsible.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.responsible.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.3.0-dev,true,process,process.responsible.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.responsible.name,keyword,extended,,ssh,Process name. +9.3.0-dev,true,process,process.responsible.name.text,match_only_text,extended,,ssh,Process name. +9.3.0-dev,true,process,process.responsible.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.3.0-dev,true,process,process.responsible.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.3.0-dev,true,process,process.responsible.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.3.0-dev,true,process,process.responsible.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
+9.3.0-dev,true,process,process.responsible.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.3.0-dev,true,process,process.responsible.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.3.0-dev,true,process,process.responsible.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.3.0-dev,true,process,process.responsible.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.responsible.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.responsible.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.responsible.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.responsible.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.responsible.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.responsible.pe.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.responsible.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.responsible.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.responsible.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
+9.3.0-dev,true,process,process.responsible.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.3.0-dev,true,process,process.responsible.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.3.0-dev,true,process,process.responsible.pe.sections,nested,extended,array,,Section information of the PE file. +9.3.0-dev,true,process,process.responsible.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.responsible.pe.sections.name,keyword,extended,,,PE Section List name. +9.3.0-dev,true,process,process.responsible.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.3.0-dev,true,process,process.responsible.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.responsible.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +9.3.0-dev,true,process,process.responsible.pid,long,core,,4242,Process id. +9.3.0-dev,true,process,process.responsible.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.3.0-dev,true,process,process.responsible.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.responsible.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.responsible.real_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.responsible.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.responsible.real_user.email,keyword,extended,,,User email address. 
+9.3.0-dev,true,process,process.responsible.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.responsible.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.responsible.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.responsible.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.responsible.real_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.responsible.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.responsible.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.responsible.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.responsible.real_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.responsible.real_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.responsible.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.responsible.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.responsible.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
+9.3.0-dev,true,process,process.responsible.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.responsible.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.responsible.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.responsible.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.responsible.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.responsible.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.responsible.real_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.responsible.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.responsible.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.responsible.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.responsible.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.responsible.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.responsible.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
+9.3.0-dev,true,process,process.responsible.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.responsible.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.responsible.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.responsible.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.responsible.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.responsible.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.3.0-dev,true,process,process.responsible.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.responsible.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.responsible.saved_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.responsible.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.responsible.saved_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.responsible.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 
+9.3.0-dev,true,process,process.responsible.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.responsible.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.responsible.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.responsible.saved_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.responsible.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.responsible.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.responsible.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.responsible.saved_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.responsible.saved_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.responsible.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.responsible.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.responsible.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.responsible.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. 
+9.3.0-dev,true,process,process.responsible.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.responsible.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.responsible.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.responsible.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.responsible.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.responsible.saved_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.responsible.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.responsible.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.responsible.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.responsible.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.responsible.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.responsible.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.responsible.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 
+9.3.0-dev,true,process,process.responsible.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.responsible.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.responsible.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.responsible.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.responsible.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.3.0-dev,true,process,process.responsible.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.responsible.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.responsible.supplemental_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.responsible.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.3.0-dev,true,process,process.responsible.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.3.0-dev,true,process,process.responsible.thread.id,long,extended,,4242,Thread ID. +9.3.0-dev,true,process,process.responsible.thread.name,keyword,extended,,thread-0,Thread name. +9.3.0-dev,true,process,process.responsible.title,keyword,extended,,,Process title. +9.3.0-dev,true,process,process.responsible.title.text,match_only_text,extended,,,Process title. 
+9.3.0-dev,true,process,process.responsible.tty,object,extended,,,Information about the controlling TTY device. +9.3.0-dev,true,process,process.responsible.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.3.0-dev,true,process,process.responsible.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.3.0-dev,true,process,process.responsible.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.3.0-dev,true,process,process.responsible.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.3.0-dev,true,process,process.responsible.uptime,long,extended,,1325,Seconds the process has been up. +9.3.0-dev,true,process,process.responsible.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.responsible.user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.responsible.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.responsible.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.responsible.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.responsible.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.responsible.user.entity.id,keyword,core,,,Unique identifier for the entity. 
+9.3.0-dev,true,process,process.responsible.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.responsible.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.responsible.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.responsible.user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.responsible.user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.responsible.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.responsible.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.responsible.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.responsible.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.responsible.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.responsible.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.responsible.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.responsible.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.responsible.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+9.3.0-dev,true,process,process.responsible.user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.responsible.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.responsible.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.responsible.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.responsible.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.responsible.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.responsible.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.responsible.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.responsible.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.responsible.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.responsible.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.responsible.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+9.3.0-dev,true,process,process.responsible.vpid,long,core,,4242,Virtual process id. +9.3.0-dev,true,process,process.responsible.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.3.0-dev,true,process,process.responsible.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.3.0-dev,true,process,process.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.3.0-dev,true,process,process.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.saved_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.saved_user.entity.id,keyword,core,,,Unique identifier for the entity. 
+9.3.0-dev,true,process,process.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.saved_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.saved_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.saved_user.group.name,keyword,extended,,,Name of the group. 
+9.3.0-dev,true,process,process.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 9.3.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
9.3.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +9.3.0-dev,true,process,process.session_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.session_leader.attested_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.session_leader.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.session_leader.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.session_leader.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.session_leader.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.session_leader.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 
+9.3.0-dev,true,process,process.session_leader.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.session_leader.attested_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.attested_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.session_leader.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.session_leader.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.session_leader.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.session_leader.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.session_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.session_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.session_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.attested_user.group.name,keyword,extended,,,Name of the group. 
+9.3.0-dev,true,process,process.session_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.session_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.session_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.session_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.session_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.session_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.session_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+9.3.0-dev,true,process,process.session_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +9.3.0-dev,true,process,process.session_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.3.0-dev,true,process,process.session_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.3.0-dev,true,process,process.session_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.3.0-dev,true,process,process.session_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.3.0-dev,true,process,process.session_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.3.0-dev,true,process,process.session_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.3.0-dev,true,process,process.session_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.3.0-dev,true,process,process.session_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.3.0-dev,true,process,process.session_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.3.0-dev,true,process,process.session_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 9.3.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 9.3.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+9.3.0-dev,true,process,process.session_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.3.0-dev,true,process,process.session_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.3.0-dev,true,process,process.session_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.3.0-dev,true,process,process.session_leader.elf.creation_date,date,extended,,,Build or compile date. +9.3.0-dev,true,process,process.session_leader.elf.exports,flattened,extended,array,,List of exported element names and types. +9.3.0-dev,true,process,process.session_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.3.0-dev,true,process,process.session_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.session_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.session_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.session_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.session_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.3.0-dev,true,process,process.session_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.3.0-dev,true,process,process.session_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.3.0-dev,true,process,process.session_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.3.0-dev,true,process,process.session_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
+9.3.0-dev,true,process,process.session_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.3.0-dev,true,process,process.session_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.3.0-dev,true,process,process.session_leader.elf.header.version,keyword,extended,,,Version of the ELF header. +9.3.0-dev,true,process,process.session_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.3.0-dev,true,process,process.session_leader.elf.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.session_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.elf.sections,nested,extended,array,,Section information of the ELF file. +9.3.0-dev,true,process,process.session_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.3.0-dev,true,process,process.session_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.3.0-dev,true,process,process.session_leader.elf.sections.name,keyword,extended,,,ELF Section List name. +9.3.0-dev,true,process,process.session_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.3.0-dev,true,process,process.session_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.3.0-dev,true,process,process.session_leader.elf.sections.type,keyword,extended,,,ELF Section List type. 
+9.3.0-dev,true,process,process.session_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.3.0-dev,true,process,process.session_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.3.0-dev,true,process,process.session_leader.elf.segments,nested,extended,array,,ELF object segment list. +9.3.0-dev,true,process,process.session_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.3.0-dev,true,process,process.session_leader.elf.segments.type,keyword,extended,,,ELF object segment type. +9.3.0-dev,true,process,process.session_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.3.0-dev,true,process,process.session_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.3.0-dev,true,process,process.session_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.3.0-dev,true,process,process.session_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 9.3.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.address,keyword,extended,,,Source network address. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. 
+9.3.0-dev,true,process,process.session_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. 
+9.3.0-dev,true,process,process.session_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.3.0-dev,true,process,process.session_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.3.0-dev,true,process,process.session_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.port,long,core,,,Port of the source. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.3.0-dev,true,process,process.session_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.3.0-dev,true,process,process.session_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.3.0-dev,true,process,process.session_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.3.0-dev,true,process,process.session_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 9.3.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 9.3.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.session_leader.exit_code,long,extended,,137,The exit code of the process. +9.3.0-dev,true,process,process.session_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. 
+9.3.0-dev,true,process,process.session_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.3.0-dev,true,process,process.session_leader.hash.md5,keyword,extended,,,MD5 hash. +9.3.0-dev,true,process,process.session_leader.hash.sha1,keyword,extended,,,SHA1 hash. +9.3.0-dev,true,process,process.session_leader.hash.sha256,keyword,extended,,,SHA256 hash. +9.3.0-dev,true,process,process.session_leader.hash.sha384,keyword,extended,,,SHA384 hash. +9.3.0-dev,true,process,process.session_leader.hash.sha512,keyword,extended,,,SHA512 hash. +9.3.0-dev,true,process,process.session_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.3.0-dev,true,process,process.session_leader.hash.tlsh,keyword,extended,,,TLSH hash. 9.3.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.3.0-dev,true,process,process.session_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.3.0-dev,true,process,process.session_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.3.0-dev,true,process,process.session_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.3.0-dev,true,process,process.session_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.3.0-dev,true,process,process.session_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.3.0-dev,true,process,process.session_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.3.0-dev,true,process,process.session_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. 
+9.3.0-dev,true,process,process.session_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.3.0-dev,true,process,process.session_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.3.0-dev,true,process,process.session_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.3.0-dev,true,process,process.session_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.session_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.session_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.session_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.session_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.session_leader.macho.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.session_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
+9.3.0-dev,true,process,process.session_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.3.0-dev,true,process,process.session_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.3.0-dev,true,process,process.session_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.3.0-dev,true,process,process.session_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 9.3.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. 9.3.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. +9.3.0-dev,true,process,process.session_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.3.0-dev,true,process,process.session_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.3.0-dev,true,process,process.session_leader.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.3.0-dev,true,process,process.session_leader.parent.args_count,long,extended,,4,Length of the process.args array. +9.3.0-dev,true,process,process.session_leader.parent.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+9.3.0-dev,true,process,process.session_leader.parent.attested_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.name.text,text,core,,,The name of the entity. 
+9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.session_leader.parent.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.session_leader.parent.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+9.3.0-dev,true,process,process.session_leader.parent.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.session_leader.parent.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.session_leader.parent.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.session_leader.parent.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.session_leader.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 
+9.3.0-dev,true,process,process.session_leader.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.3.0-dev,true,process,process.session_leader.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.3.0-dev,true,process,process.session_leader.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.3.0-dev,true,process,process.session_leader.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.3.0-dev,true,process,process.session_leader.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.3.0-dev,true,process,process.session_leader.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.3.0-dev,true,process,process.session_leader.parent.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.3.0-dev,true,process,process.session_leader.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.3.0-dev,true,process,process.session_leader.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.3.0-dev,true,process,process.session_leader.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.3.0-dev,true,process,process.session_leader.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.session_leader.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+9.3.0-dev,true,process,process.session_leader.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.3.0-dev,true,process,process.session_leader.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.3.0-dev,true,process,process.session_leader.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.3.0-dev,true,process,process.session_leader.parent.elf.creation_date,date,extended,,,Build or compile date. +9.3.0-dev,true,process,process.session_leader.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.3.0-dev,true,process,process.session_leader.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.session_leader.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.session_leader.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.session_leader.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.session_leader.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +9.3.0-dev,true,process,process.session_leader.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.3.0-dev,true,process,process.session_leader.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.3.0-dev,true,process,process.session_leader.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. 
+9.3.0-dev,true,process,process.session_leader.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.3.0-dev,true,process,process.session_leader.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.3.0-dev,true,process,process.session_leader.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.3.0-dev,true,process,process.session_leader.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +9.3.0-dev,true,process,process.session_leader.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.3.0-dev,true,process,process.session_leader.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +9.3.0-dev,true,process,process.session_leader.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.3.0-dev,true,process,process.session_leader.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.3.0-dev,true,process,process.session_leader.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +9.3.0-dev,true,process,process.session_leader.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 
+9.3.0-dev,true,process,process.session_leader.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.3.0-dev,true,process,process.session_leader.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +9.3.0-dev,true,process,process.session_leader.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.3.0-dev,true,process,process.session_leader.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.3.0-dev,true,process,process.session_leader.parent.elf.segments,nested,extended,array,,ELF object segment list. +9.3.0-dev,true,process,process.session_leader.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.3.0-dev,true,process,process.session_leader.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +9.3.0-dev,true,process,process.session_leader.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.3.0-dev,true,process,process.session_leader.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.3.0-dev,true,process,process.session_leader.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.3.0-dev,true,process,process.session_leader.parent.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 9.3.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.address,keyword,extended,,,Source network address. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
+9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. 
+9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.ip,ip,core,,,IP address of the source. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.port,long,core,,,Port of the source. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.3.0-dev,true,process,process.session_leader.parent.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.3.0-dev,true,process,process.session_leader.parent.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.3.0-dev,true,process,process.session_leader.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.session_leader.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+9.3.0-dev,true,process,process.session_leader.parent.exit_code,long,extended,,137,The exit code of the process. +9.3.0-dev,true,process,process.session_leader.parent.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.3.0-dev,true,process,process.session_leader.parent.hash.md5,keyword,extended,,,MD5 hash. +9.3.0-dev,true,process,process.session_leader.parent.hash.sha1,keyword,extended,,,SHA1 hash. +9.3.0-dev,true,process,process.session_leader.parent.hash.sha256,keyword,extended,,,SHA256 hash. +9.3.0-dev,true,process,process.session_leader.parent.hash.sha384,keyword,extended,,,SHA384 hash. +9.3.0-dev,true,process,process.session_leader.parent.hash.sha512,keyword,extended,,,SHA512 hash. +9.3.0-dev,true,process,process.session_leader.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.3.0-dev,true,process,process.session_leader.parent.hash.tlsh,keyword,extended,,,TLSH hash. +9.3.0-dev,true,process,process.session_leader.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.3.0-dev,true,process,process.session_leader.parent.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.3.0-dev,true,process,process.session_leader.parent.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +9.3.0-dev,true,process,process.session_leader.parent.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. 
+9.3.0-dev,true,process,process.session_leader.parent.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.3.0-dev,true,process,process.session_leader.parent.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.3.0-dev,true,process,process.session_leader.parent.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.3.0-dev,true,process,process.session_leader.parent.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.3.0-dev,true,process,process.session_leader.parent.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.3.0-dev,true,process,process.session_leader.parent.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.3.0-dev,true,process,process.session_leader.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.3.0-dev,true,process,process.session_leader.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.session_leader.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.session_leader.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.session_leader.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
+9.3.0-dev,true,process,process.session_leader.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.session_leader.parent.macho.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.3.0-dev,true,process,process.session_leader.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.3.0-dev,true,process,process.session_leader.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.3.0-dev,true,process,process.session_leader.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +9.3.0-dev,true,process,process.session_leader.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.session_leader.parent.name,keyword,extended,,ssh,Process name. +9.3.0-dev,true,process,process.session_leader.parent.name.text,match_only_text,extended,,ssh,Process name. 
+9.3.0-dev,true,process,process.session_leader.parent.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.3.0-dev,true,process,process.session_leader.parent.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.3.0-dev,true,process,process.session_leader.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.3.0-dev,true,process,process.session_leader.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.3.0-dev,true,process,process.session_leader.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.3.0-dev,true,process,process.session_leader.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.3.0-dev,true,process,process.session_leader.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.3.0-dev,true,process,process.session_leader.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.session_leader.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.session_leader.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.session_leader.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.session_leader.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+9.3.0-dev,true,process,process.session_leader.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.session_leader.parent.pe.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.3.0-dev,true,process,process.session_leader.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.3.0-dev,true,process,process.session_leader.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.3.0-dev,true,process,process.session_leader.parent.pe.sections,nested,extended,array,,Section information of the PE file. +9.3.0-dev,true,process,process.session_leader.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.parent.pe.sections.name,keyword,extended,,,PE Section List name. +9.3.0-dev,true,process,process.session_leader.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.3.0-dev,true,process,process.session_leader.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. 
This is always the same as `physical_size`. 9.3.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. +9.3.0-dev,true,process,process.session_leader.parent.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.3.0-dev,true,process,process.session_leader.parent.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.real_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.session_leader.parent.real_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.id,keyword,core,,,Unique identifier for the entity. 
+9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.session_leader.parent.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.session_leader.parent.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.session_leader.parent.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.3.0-dev,true,process,process.session_leader.parent.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.real_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.session_leader.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.session_leader.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.parent.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.session_leader.parent.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.session_leader.parent.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.3.0-dev,true,process,process.session_leader.parent.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.session_leader.parent.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.session_leader.parent.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.3.0-dev,true,process,process.session_leader.parent.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.saved_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
+9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.session_leader.parent.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+9.3.0-dev,true,process,process.session_leader.parent.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.3.0-dev,true,process,process.session_leader.parent.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.session_leader.parent.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.session_leader.parent.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.args_count,long,extended,,4,Length of the process.args array. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process +9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.creation_date,date,extended,,,Build or compile date. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.exports,flattened,extended,array,,List of exported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.version,keyword,extended,,,Version of the ELF header. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections,nested,extended,array,,Section information of the ELF file. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.name,keyword,extended,,,ELF Section List name. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.type,keyword,extended,,,ELF Section List type. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.segments,nested,extended,array,,ELF object segment list. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.segments.type,keyword,extended,,,ELF object segment type. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 9.3.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.address,keyword,extended,,,Source network address. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.port,long,core,,,Port of the source. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.exit_code,long,extended,,137,The exit code of the process. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.md5,keyword,extended,,,MD5 hash. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha1,keyword,extended,,,SHA1 hash. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha256,keyword,extended,,,SHA256 hash. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha384,keyword,extended,,,SHA384 hash. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha512,keyword,extended,,,SHA512 hash. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.tlsh,keyword,extended,,,TLSH hash. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.name,keyword,extended,,ssh,Process name. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.name.text,match_only_text,extended,,ssh,Process name. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections,nested,extended,array,,Section information of the PE file. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.name,keyword,extended,,,PE Section List name. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 9.3.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.thread.id,long,extended,,4242,Thread ID. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.thread.name,keyword,extended,,thread-0,Thread name. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.title,keyword,extended,,,Process title. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.title.text,match_only_text,extended,,,Process title. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.tty,object,extended,,,Information about the controlling TTY device. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.3.0-dev,true,process,process.session_leader.parent.session_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.3.0-dev,true,process,process.session_leader.parent.session_leader.uptime,long,extended,,1325,Seconds the process has been up. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.id,keyword,core,,,Unique identifier for the entity. 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.3.0-dev,true,process,process.session_leader.parent.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 9.3.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +9.3.0-dev,true,process,process.session_leader.parent.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +9.3.0-dev,true,process,process.session_leader.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. 
+9.3.0-dev,true,process,process.session_leader.parent.thread.id,long,extended,,4242,Thread ID. +9.3.0-dev,true,process,process.session_leader.parent.thread.name,keyword,extended,,thread-0,Thread name. +9.3.0-dev,true,process,process.session_leader.parent.title,keyword,extended,,,Process title. +9.3.0-dev,true,process,process.session_leader.parent.title.text,match_only_text,extended,,,Process title. +9.3.0-dev,true,process,process.session_leader.parent.tty,object,extended,,,Information about the controlling TTY device. +9.3.0-dev,true,process,process.session_leader.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +9.3.0-dev,true,process,process.session_leader.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +9.3.0-dev,true,process,process.session_leader.parent.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +9.3.0-dev,true,process,process.session_leader.parent.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +9.3.0-dev,true,process,process.session_leader.parent.uptime,long,extended,,1325,Seconds the process has been up. +9.3.0-dev,true,process,process.session_leader.parent.user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.session_leader.parent.user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.session_leader.parent.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.session_leader.parent.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.session_leader.parent.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
+9.3.0-dev,true,process,process.session_leader.parent.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,process,process.session_leader.parent.user.entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,process,process.session_leader.parent.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,process,process.session_leader.parent.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,process,process.session_leader.parent.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,process,process.session_leader.parent.user.entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.parent.user.entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,process,process.session_leader.parent.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,process,process.session_leader.parent.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,process,process.session_leader.parent.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev,true,process,process.session_leader.parent.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,process,process.session_leader.parent.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. +9.3.0-dev,true,process,process.session_leader.parent.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+9.3.0-dev,true,process,process.session_leader.parent.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." +9.3.0-dev,true,process,process.session_leader.parent.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +9.3.0-dev,true,process,process.session_leader.parent.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +9.3.0-dev,true,process,process.session_leader.parent.user.group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.parent.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +9.3.0-dev,true,process,process.session_leader.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +9.3.0-dev,true,process,process.session_leader.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. +9.3.0-dev,true,process,process.session_leader.parent.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +9.3.0-dev,true,process,process.session_leader.parent.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +9.3.0-dev,true,process,process.session_leader.parent.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
+9.3.0-dev,true,process,process.session_leader.parent.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +9.3.0-dev,true,process,process.session_leader.parent.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +9.3.0-dev,true,process,process.session_leader.parent.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. +9.3.0-dev,true,process,process.session_leader.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +9.3.0-dev,true,process,process.session_leader.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +9.3.0-dev,true,process,process.session_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +9.3.0-dev,true,process,process.session_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +9.3.0-dev,true,process,process.session_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +9.3.0-dev,true,process,process.session_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +9.3.0-dev,true,process,process.session_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +9.3.0-dev,true,process,process.session_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. +9.3.0-dev,true,process,process.session_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+9.3.0-dev,true,process,process.session_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +9.3.0-dev,true,process,process.session_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +9.3.0-dev,true,process,process.session_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.session_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +9.3.0-dev,true,process,process.session_leader.pe.imports,flattened,extended,array,,List of imported element names and types. +9.3.0-dev,true,process,process.session_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +9.3.0-dev,true,process,process.session_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +9.3.0-dev,true,process,process.session_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +9.3.0-dev,true,process,process.session_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +9.3.0-dev,true,process,process.session_leader.pe.sections,nested,extended,array,,Section information of the PE file. +9.3.0-dev,true,process,process.session_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.pe.sections.name,keyword,extended,,,PE Section List name. 
+9.3.0-dev,true,process,process.session_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. +9.3.0-dev,true,process,process.session_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +9.3.0-dev,true,process,process.session_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 9.3.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. +9.3.0-dev,true,process,process.session_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. +9.3.0-dev,true,process,process.session_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +9.3.0-dev,true,process,process.session_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. +9.3.0-dev,true,process,process.session_leader.real_user.email,keyword,extended,,,User email address. +9.3.0-dev,true,process,process.session_leader.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,process,process.session_leader.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,process,process.session_leader.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
+9.3.0-dev,true,process,process.session_leader.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.session_leader.real_user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,process,process.session_leader.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,process,process.session_leader.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,process,process.session_leader.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,process,process.session_leader.real_user.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,process,process.session_leader.real_user.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,process,process.session_leader.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,process,process.session_leader.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,process,process.session_leader.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,process,process.session_leader.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,process,process.session_leader.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev,true,process,process.session_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.session_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.session_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.session_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.session_leader.real_user.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.session_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.session_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.session_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.session_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,process,process.session_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.session_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.session_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.3.0-dev,true,process,process.session_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process.
+9.3.0-dev,true,process,process.session_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.session_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,process,process.session_leader.saved_user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,process,process.session_leader.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,process,process.session_leader.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,process,process.session_leader.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.session_leader.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.session_leader.saved_user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,process,process.session_leader.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,process,process.session_leader.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,process,process.session_leader.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,process,process.session_leader.saved_user.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,process,process.session_leader.saved_user.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,process,process.session_leader.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,process,process.session_leader.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,process,process.session_leader.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,process,process.session_leader.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,process,process.session_leader.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev,true,process,process.session_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.session_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.session_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.session_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.session_leader.saved_user.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.session_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.session_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.session_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.session_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,process,process.session_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.session_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.session_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.3.0-dev,true,process,process.session_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+9.3.0-dev,true,process,process.session_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.session_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
+9.3.0-dev,true,process,process.session_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
+9.3.0-dev,true,process,process.session_leader.thread.id,long,extended,,4242,Thread ID.
+9.3.0-dev,true,process,process.session_leader.thread.name,keyword,extended,,thread-0,Thread name.
+9.3.0-dev,true,process,process.session_leader.title,keyword,extended,,,Process title.
+9.3.0-dev,true,process,process.session_leader.title.text,match_only_text,extended,,,Process title.
 9.3.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device.
 9.3.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number.
 9.3.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
+9.3.0-dev,true,process,process.session_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width
+9.3.0-dev,true,process,process.session_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height
+9.3.0-dev,true,process,process.session_leader.uptime,long,extended,,1325,Seconds the process has been up.
+9.3.0-dev,true,process,process.session_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,process,process.session_leader.user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,process,process.session_leader.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,process,process.session_leader.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,process,process.session_leader.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.session_leader.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.session_leader.user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,process,process.session_leader.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,process,process.session_leader.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,process,process.session_leader.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,process,process.session_leader.user.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,process,process.session_leader.user.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,process,process.session_leader.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,process,process.session_leader.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,process,process.session_leader.user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,process,process.session_leader.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,process,process.session_leader.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev,true,process,process.session_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.session_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.session_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.session_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.session_leader.user.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.session_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.session_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.session_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.session_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,process,process.session_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.session_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.session_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.3.0-dev,true,process,process.session_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id.
 9.3.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process.
 9.3.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
 9.3.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
+9.3.0-dev,true,process,process.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group.
 9.3.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
@@ -1073,9 +4468,39 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width
 9.3.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height
 9.3.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
+9.3.0-dev,true,process,process.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+9.3.0-dev,true,process,process.user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,process,process.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,process,process.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,process,process.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,process,process.user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,process,process.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,process,process.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,process,process.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,process,process.user.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,process,process.user.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,process,process.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,process,process.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,process,process.user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,process,process.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,process,process.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev,true,process,process.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
+9.3.0-dev,true,process,process.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+9.3.0-dev,true,process,process.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+9.3.0-dev,true,process,process.user.group.name,keyword,extended,,,Name of the group.
+9.3.0-dev,true,process,process.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,process,process.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,process,process.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,process,process.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,process,process.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.3.0-dev,true,process,process.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id.
 9.3.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
 9.3.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
@@ -1128,6 +4553,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 9.3.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
 9.3.0-dev,true,server,server.user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,server,server.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,server,server.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,server,server.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,server,server.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,server,server.user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,server,server.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,server,server.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,server,server.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,server,server.user.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,server,server.user.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,server,server.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,server,server.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,server,server.user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,server,server.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,server,server.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
 9.3.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 9.3.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
 9.3.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
@@ -1137,8 +4577,29 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,server,server.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,server,server.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,server,server.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,server,server.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,server,server.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,server,server.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
 9.3.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service.
+9.3.0-dev,true,service,service.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,service,service.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,service,service.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,service,service.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,service,service.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,service,service.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,service,service.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,service,service.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,service,service.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,service,service.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,service,service.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,service,service.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,service,service.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,service,service.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,service,service.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
 9.3.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service.
 9.3.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
9.3.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 
@@ -1147,6 +4608,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node.
 9.3.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node.
 9.3.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service.
+9.3.0-dev,true,service,service.origin.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,service,service.origin.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,service,service.origin.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,service,service.origin.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,service,service.origin.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,service,service.origin.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,service,service.origin.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,service,service.origin.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,service,service.origin.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,service,service.origin.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,service,service.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,service,service.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,service,service.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,service,service.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,service,service.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
 9.3.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service.
 9.3.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
 9.3.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
@@ -1214,6 +4690,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 9.3.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of.
 9.3.0-dev,true,source,source.user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,source,source.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,source,source.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,source,source.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,source,source.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,source,source.user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,source,source.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,source,source.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,source,source.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,source,source.user.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,source,source.user.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,source,source.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,source,source.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,source,source.user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,source,source.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,source,source.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
 9.3.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 9.3.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
 9.3.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
@@ -1223,6 +4714,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,source,source.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,source,source.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,source,source.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,source,source.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,source,source.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,source,source.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
 9.3.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
 9.3.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event.
@@ -1771,6 +5268,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
 9.3.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
 9.3.0-dev,true,user,user.changes.email,keyword,extended,,,User email address.
+9.3.0-dev,true,user,user.changes.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,user,user.changes.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,user,user.changes.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,user,user.changes.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,user,user.changes.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,user,user.changes.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,user,user.changes.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,user,user.changes.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,user,user.changes.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,user,user.changes.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,user,user.changes.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,user,user.changes.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,user,user.changes.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,user,user.changes.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,user,user.changes.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
 9.3.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 9.3.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
 9.3.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
@@ -1780,10 +5292,31 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
 9.3.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
 9.3.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
 9.3.0-dev,true,user,user.effective.email,keyword,extended,,,User email address.
+9.3.0-dev,true,user,user.effective.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,user,user.effective.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,user,user.effective.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,user,user.effective.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,user,user.effective.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,user,user.effective.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,user,user.effective.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,user,user.effective.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,user,user.effective.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,user,user.effective.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,user,user.effective.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,user,user.effective.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,user,user.effective.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,user,user.effective.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,user,user.effective.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.3.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 9.3.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
 9.3.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
@@ -1793,8 +5326,29 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
 9.3.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,user,user.email,keyword,extended,,,User email address.
+9.3.0-dev,true,user,user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,user,user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,user,user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,user,user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,user,user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,user,user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,user,user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,user,user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,user,user.entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,user,user.entity.name.text,text,core,,,The name of the entity.
+9.3.0-dev,true,user,user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,user,user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,user,user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,user,user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,user,user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
 9.3.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 9.3.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
9.3.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
@@ -1837,6 +5391,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.3.0-dev,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.3.0-dev,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.3.0-dev,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.3.0-dev,true,user,user.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
 9.3.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
 9.3.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 68c3dd6471..b17eb8a496 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -475,6 +475,256 @@ client.user.email: original_fieldset: user short: User email address. type: keyword +client.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: client.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +client.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: client.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +client.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: client.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: client.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +client.user.entity.id: + dashed_name: client-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: client.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +client.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: client.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +client.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: client.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +client.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: client.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +client.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: client.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: client.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +client.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: client.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +client.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: client.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +client.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: client.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +client.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: client.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +client.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: client-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: client.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword client.user.full_name: dashed_name: client-user-full-name description: User's full name, if available. 
@@ -569,6 +819,86 @@ client.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +client.user.risk.calculated_level: + dashed_name: client-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: client.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +client.user.risk.calculated_score: + dashed_name: client-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: client.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +client.user.risk.calculated_score_norm: + dashed_name: client-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: client.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +client.user.risk.static_level: + dashed_name: client-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: client.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +client.user.risk.static_score: + dashed_name: client-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: client.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +client.user.risk.static_score_norm: + dashed_name: client-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: client.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -628,6 +958,256 @@ cloud.availability_zone: stability: development short: Availability zone in which this host, resource, or service is located. type: keyword +cloud.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: cloud.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +cloud.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: cloud.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +cloud.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: cloud.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: cloud.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +cloud.entity.id: + dashed_name: cloud-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: cloud.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +cloud.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: cloud.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +cloud.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: cloud.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +cloud.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: cloud.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +cloud.entity.name: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: cloud.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: cloud.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +cloud.entity.raw: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: cloud.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object +cloud.entity.reference: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: cloud.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +cloud.entity.source: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: cloud.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +cloud.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: cloud.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +cloud.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. 
Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. 
This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: cloud-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: cloud.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword cloud.instance.id: dashed_name: cloud-instance-id description: Instance ID of the host machine. 
@@ -702,25 +1282,275 @@ cloud.origin.availability_zone: original_fieldset: cloud short: Availability zone in which this host, resource, or service is located. type: keyword -cloud.origin.instance.id: - dashed_name: cloud-origin-instance-id - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - flat_name: cloud.origin.instance.id - ignore_above: 1024 +cloud.origin.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: cloud.origin.entity.attributes level: extended - name: instance.id + name: attributes normalize: [] - original_fieldset: cloud - short: Instance ID of the host machine. - type: keyword -cloud.origin.instance.name: - dashed_name: cloud-origin-instance-name - description: Instance name of the host machine. - flat_name: cloud.origin.instance.name - ignore_above: 1024 + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +cloud.origin.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: cloud.origin.entity.behavior level: extended - name: instance.name + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +cloud.origin.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: cloud.origin.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: cloud.origin.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +cloud.origin.entity.id: + dashed_name: cloud-origin-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: cloud.origin.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +cloud.origin.entity.last_seen_timestamp: + beta: This field is beta and subject to change. 
+ dashed_name: cloud-origin-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: cloud.origin.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +cloud.origin.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: cloud.origin.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +cloud.origin.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: cloud.origin.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +cloud.origin.entity.name: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: cloud.origin.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: cloud.origin.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +cloud.origin.entity.raw: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: cloud.origin.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +cloud.origin.entity.reference: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: cloud.origin.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +cloud.origin.entity.source: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: cloud.origin.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +cloud.origin.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: cloud-origin-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: cloud.origin.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +cloud.origin.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. 
Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. 
+ name: session + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: cloud.origin.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +cloud.origin.instance.id: + dashed_name: cloud-origin-instance-id + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + flat_name: cloud.origin.instance.id + ignore_above: 1024 + level: extended + name: instance.id + normalize: [] + original_fieldset: cloud + short: Instance ID of the host machine. + type: keyword +cloud.origin.instance.name: + dashed_name: cloud-origin-instance-name + description: Instance name of the host machine. + flat_name: cloud.origin.instance.name + ignore_above: 1024 + level: extended + name: instance.name normalize: [] original_fieldset: cloud short: Instance name of the host machine. 
@@ -1867,6 +2697,256 @@ destination.user.email: original_fieldset: user short: User email address. type: keyword +destination.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: destination.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +destination.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: destination.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +destination.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: destination.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: destination.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +destination.user.entity.id: + dashed_name: destination-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: destination.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +destination.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: destination.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +destination.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: destination.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +destination.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: destination.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +destination.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: destination.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: destination.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +destination.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: destination.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +destination.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: destination.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +destination.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: destination.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +destination.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: destination.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +destination.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: destination-user-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: destination.user.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
 destination.user.full_name:
 dashed_name: destination-user-full-name
 description: User's full name, if available.
@@ -1961,6 +3041,86 @@ destination.user.name:
 original_fieldset: user
 short: Short name or login of the user.
 type: keyword
+destination.user.risk.calculated_level:
+ dashed_name: destination-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: destination.user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+destination.user.risk.calculated_score:
+ dashed_name: destination-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: destination.user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+destination.user.risk.calculated_score_norm:
+ dashed_name: destination-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: destination.user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+destination.user.risk.static_level:
+ dashed_name: destination-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: destination.user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+destination.user.risk.static_score:
+ dashed_name: destination-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: destination.user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+destination.user.risk.static_score_norm:
+ dashed_name: destination-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: destination.user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
 destination.user.roles:
 dashed_name: destination-user-roles
 description: Array of user roles at the time of the event.
@@ -3334,6 +4494,243 @@ email.x_mailer:
 normalize: []
 short: Application that drafted email.
 type: keyword
+entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: entity.display_name.text
+ name: text
+ norms: false
+ type: text
+ name: display_name
+ normalize: []
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+entity.id:
+ dashed_name: entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ short: Unique identifier for the entity.
+ type: keyword
+entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ short: A set of temporal characteristics of the entity.
+ type: object
+entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: entity.name.text
+ name: text
+ norms: false
+ type: text
+ name: name
+ normalize: []
+ short: The name of the entity.
+ type: keyword
+entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ short: Original, unmodified fields from the source system.
+ type: object
+entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ short: Source module or integration that provided the entity data.
+ type: keyword
+entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ short: Standardized high-level classification of the entity.
+ type: keyword
 error.code:
 dashed_name: error-code
 description: Error code describing the error.
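Review bot: The `entity.name` description says "this field should mirrors the corresponding *.name value" — it should read `this field should mirror the corresponding *.name value`; the same sentence is repeated verbatim in `process.attested_user.entity.name` in the next hunk and in `destination.user.entity.name` above, so one upstream fix covers all of them. In the same hunk, `entity.type`'s description ends its example list with "etc." while `allowed_values` enumerates a closed list of ten values; dropping "etc." (or stating that the list is the complete set of allowed values) would stop readers treating the field as free-form. `entity.id`'s "ARNs values in AWS" also reads better as `ARN values in AWS`. Every entry here carries `flat_name`/`dashed_name`/`original_fieldset`, which looks like a generated flat view of the schema, so the wording fixes presumably belong in the source field definitions followed by a regeneration rather than a hand edit of this file.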
@@ -9086,6 +10483,503 @@ process.args_count:
 stability: development
 short: Length of the process.args array.
 type: long
+process.attested_groups.domain:
+ dashed_name: process-attested-groups-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.attested_groups.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.attested_groups.id:
+ dashed_name: process-attested-groups-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.attested_groups.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.attested_groups.name:
+ dashed_name: process-attested-groups-name
+ description: Name of the group.
+ flat_name: process.attested_groups.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.attested_user.domain:
+ dashed_name: process-attested-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.attested_user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+process.attested_user.email:
+ dashed_name: process-attested-user-email
+ description: User email address.
+ flat_name: process.attested_user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+process.attested_user.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: process-attested-user-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: process.attested_user.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+process.attested_user.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: process-attested-user-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: process.attested_user.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+process.attested_user.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: process-attested-user-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: process.attested_user.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.attested_user.entity.display_name.text
+ name: text
+ norms: false
+ type: text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+process.attested_user.entity.id:
+ dashed_name: process-attested-user-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: process.attested_user.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+process.attested_user.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: process-attested-user-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: process.attested_user.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+process.attested_user.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: process-attested-user-entity-lifecycle
+ description: A set of temporal characteristics of the entity.
Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: process.attested_user.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+process.attested_user.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: process-attested-user-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: process.attested_user.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+process.attested_user.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: process-attested-user-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: process.attested_user.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.attested_user.entity.name.text
+ name: text
+ norms: false
+ type: text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+process.attested_user.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: process-attested-user-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type.
While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: process.attested_user.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+process.attested_user.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: process-attested-user-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: process.attested_user.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+process.attested_user.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: process-attested-user-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: process.attested_user.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+process.attested_user.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: process-attested-user-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`.
`hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: process.attested_user.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+process.attested_user.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus.
Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: process-attested-user-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: process.attested_user.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+process.attested_user.full_name:
+ dashed_name: process-attested-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.attested_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.attested_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+process.attested_user.group.domain:
+ dashed_name: process-attested-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.attested_user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.attested_user.group.id:
+ dashed_name: process-attested-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.attested_user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.attested_user.group.name:
+ dashed_name: process-attested-user-group-name
+ description: Name of the group.
+ flat_name: process.attested_user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.attested_user.hash:
+ dashed_name: process-attested-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.attested_user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+process.attested_user.id:
+ dashed_name: process-attested-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.attested_user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+process.attested_user.name:
+ dashed_name: process-attested-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.attested_user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.attested_user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+process.attested_user.risk.calculated_level:
+ dashed_name: process-attested-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.attested_user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword +process.attested_user.risk.calculated_score: + dashed_name: process-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.attested_user.risk.calculated_score_norm: + dashed_name: process-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.attested_user.risk.static_level: + dashed_name: process-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.attested_user.risk.static_score: + dashed_name: process-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.attested_user.risk.static_score_norm: + dashed_name: process-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.attested_user.roles: + dashed_name: process-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.code_signature.digest_algorithm: dashed_name: process-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. 
@@ -9709,6 +11603,17 @@ process.end: normalize: [] short: The time the process ended. type: date +process.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. @@ -9759,6 +11664,30 @@ process.entry_leader.args_count: original_fieldset: process short: Length of the process.args array. type: long +process.entry_leader.attested_groups.domain: + dashed_name: process-entry-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.attested_groups.id: + dashed_name: process-entry-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword process.entry_leader.attested_groups.name: dashed_name: process-entry-leader-attested-groups-name description: Name of the group. 
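Review bot: The description of the new `process.endpoint_security_client` field reads as a fragment — "must have the com.apple.endpointsecurity entitlement and the value is set to true in the message" does not say what "the message" is or who sets the value — while the `short` text states the actual semantics clearly. A wording such as `description: Indicates whether the process executable is an Endpoint Security client, i.e. holds the com.apple.endpointsecurity entitlement. The value is true only when the entitlement is present.` would make the field self-explanatory, and an `example: true` line would match the other boolean fields in this file. This looks like the generated flat listing, so the change presumably belongs in the schema definition it is rendered from rather than in this hunk.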
@@ -9770,387 +11699,313 @@ process.entry_leader.attested_groups.name: original_fieldset: group short: Name of the group. type: keyword -process.entry_leader.attested_user.id: - dashed_name: process-entry-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.attested_user.id +process.entry_leader.attested_user.domain: + dashed_name: process-entry-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_user.domain ignore_above: 1024 - level: core - name: id + level: extended + name: domain normalize: [] original_fieldset: user - short: Unique identifier of the user. + short: Name of the directory the user is a member of. type: keyword -process.entry_leader.attested_user.name: - dashed_name: process-entry-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.attested_user.name +process.entry_leader.attested_user.email: + dashed_name: process-entry-leader-attested-user-email + description: User email address. + flat_name: process.entry_leader.attested_user.email ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.attested_user.name.text - name: text - type: match_only_text - name: name + level: extended + name: email normalize: [] original_fieldset: user - short: Short name or login of the user. + short: User email address. type: keyword -process.entry_leader.command_line: - dashed_name: process-entry-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.command_line +process.entry_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.attested_user.entity.attributes level: extended - multi_fields: - - flat_name: process.entry_leader.command_line.text - name: text - type: match_only_text - name: command_line + name: attributes normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.entry_leader.entity_id: - dashed_name: process-entry-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.entity_id + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.attested_user.entity.display_name ignore_above: 1024 level: extended - name: entity_id + multi_fields: + - flat_name: process.entry_leader.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.entry_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.entry_leader.entry_meta.type: - dashed_name: process-entry-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' 
- flat_name: process.entry_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. type: keyword -process.entry_leader.executable: - dashed_name: process-entry-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.executable +process.entry_leader.attested_user.entity.id: + dashed_name: process-entry-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.attested_user.entity.id ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.executable.text - name: text - type: match_only_text - name: executable + level: core + name: id normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: entity + short: Unique identifier for the entity. type: keyword -process.entry_leader.group.id: - dashed_name: process-entry-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.group.id - ignore_above: 1024 +process.entry_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.attested_user.entity.last_seen_timestamp level: extended - name: id + name: last_seen_timestamp normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.group.name: - dashed_name: process-entry-leader-group-name - description: Name of the group. - flat_name: process.entry_leader.group.name - ignore_above: 1024 + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.attested_user.entity.lifecycle level: extended - name: name + name: lifecycle normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.interactive: - dashed_name: process-entry-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.entry_leader.interactive + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.attested_user.entity.metrics level: extended - name: interactive + name: metrics normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.entry_leader.name: - dashed_name: process-entry-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.entry_leader.name + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.entry_leader.attested_user.entity.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.entry_leader.name.text + - flat_name: process.entry_leader.attested_user.entity.name.text name: text - type: match_only_text + norms: false + type: text name: name normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: entity + short: The name of the entity. type: keyword -process.entry_leader.parent.entity_id: - dashed_name: process-entry-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.entity_id - ignore_above: 1024 +process.entry_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.attested_user.entity.raw level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.entry_leader.parent.pid: - dashed_name: process-entry-leader-parent-pid - description: Process id. 
- example: 4242 - flat_name: process.entry_leader.parent.pid - format: string - level: core - name: pid + name: raw normalize: [] - original_fieldset: process - short: Process id. - type: long -process.entry_leader.parent.session_leader.entity_id: - dashed_name: process-entry-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.session_leader.entity_id + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.attested_user.entity.reference ignore_above: 1024 level: extended - name: entity_id + name: reference normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. type: keyword -process.entry_leader.parent.session_leader.pid: - dashed_name: process-entry-leader-parent-session-leader-pid - description: Process id. 
- example: 4242 - flat_name: process.entry_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.entry_leader.parent.session_leader.start: - dashed_name: process-entry-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.entry_leader.parent.session_leader.vpid: - dashed_name: process-entry-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.parent.session_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.entry_leader.parent.start: - dashed_name: process-entry-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.entry_leader.parent.vpid: - dashed_name: process-entry-leader-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. 
- type: long -process.entry_leader.pid: - dashed_name: process-entry-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.entry_leader.real_group.id: - dashed_name: process-entry-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_group.id +process.entry_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.attested_user.entity.source ignore_above: 1024 - level: extended - name: id + level: core + name: source normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: entity + short: Source module or integration that provided the entity data. type: keyword -process.entry_leader.real_group.name: - dashed_name: process-entry-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.real_group.name +process.entry_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.entry_leader.attested_user.entity.sub_type ignore_above: 1024 level: extended - name: name + name: sub_type normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. type: keyword -process.entry_leader.real_user.id: - dashed_name: process-entry-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.real_user.id +process.entry_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. 
+ name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.attested_user.entity.type ignore_above: 1024 level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. type: keyword -process.entry_leader.real_user.name: - dashed_name: process-entry-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.real_user.name +process.entry_leader.attested_user.full_name: + dashed_name: process-entry-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.attested_user.full_name ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.entry_leader.real_user.name.text + - flat_name: process.entry_leader.attested_user.full_name.text name: text type: match_only_text - name: name + name: full_name normalize: [] original_fieldset: user - short: Short name or login of the user. + short: User's full name, if available. type: keyword -process.entry_leader.same_as_process: - dashed_name: process-entry-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. 
Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` +process.entry_leader.attested_user.group.domain: + dashed_name: process-entry-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.same_as_process + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_user.group.domain + ignore_above: 1024 level: extended - name: same_as_process + name: domain normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.entry_leader.saved_group.id: - dashed_name: process-entry-leader-saved-group-id + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.attested_user.group.id: + dashed_name: process-entry-leader-attested-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_group.id + flat_name: process.entry_leader.attested_user.group.id ignore_above: 1024 level: extended name: id 
@@ -10158,10 +12013,10 @@ process.entry_leader.saved_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.saved_group.name: - dashed_name: process-entry-leader-saved-group-name +process.entry_leader.attested_user.group.name: + dashed_name: process-entry-leader-attested-user-group-name description: Name of the group. - flat_name: process.entry_leader.saved_group.name + flat_name: process.entry_leader.attested_user.group.name ignore_above: 1024 level: extended name: name @@ -10169,11 +12024,26 @@ process.entry_leader.saved_group.name: original_fieldset: group short: Name of the group. type: keyword -process.entry_leader.saved_user.id: - dashed_name: process-entry-leader-saved-user-id +process.entry_leader.attested_user.hash: + dashed_name: process-entry-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.attested_user.id: + dashed_name: process-entry-leader-attested-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.saved_user.id + flat_name: process.entry_leader.attested_user.id ignore_above: 1024 level: core name: id 
@@ -10181,15 +12051,15 @@ process.entry_leader.saved_user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.entry_leader.saved_user.name: - dashed_name: process-entry-leader-saved-user-name +process.entry_leader.attested_user.name: + dashed_name: process-entry-leader-attested-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.entry_leader.saved_user.name + flat_name: process.entry_leader.attested_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.entry_leader.saved_user.name.text + - flat_name: process.entry_leader.attested_user.name.text name: text type: match_only_text name: name 
@@ -10197,250 +12067,262 @@ process.entry_leader.saved_user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.entry_leader.start: - dashed_name: process-entry-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.entry_leader.supplemental_groups.id: - dashed_name: process-entry-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.supplemental_groups.id +process.entry_leader.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.attested_user.risk.calculated_level ignore_above: 1024 level: extended - name: id + name: calculated_level normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. type: keyword -process.entry_leader.supplemental_groups.name: - dashed_name: process-entry-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.supplemental_groups.name - ignore_above: 1024 +process.entry_leader.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.entry_leader.attested_user.risk.calculated_score level: extended - name: name + name: calculated_score normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.tty: - dashed_name: process-entry-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.entry_leader.tty + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.attested_user.risk.calculated_score_norm level: extended - name: tty + name: calculated_score_norm normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.entry_leader.tty.char_device.major: - dashed_name: process-entry-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.tty.char_device.major + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.entry_leader.attested_user.risk.static_level: + dashed_name: process-entry-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.attested_user.risk.static_level + ignore_above: 1024 level: extended - name: tty.char_device.major + name: static_level normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.entry_leader.tty.char_device.minor: - dashed_name: process-entry-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.tty.char_device.minor + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.attested_user.risk.static_score: + dashed_name: process-entry-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.attested_user.risk.static_score level: extended - name: tty.char_device.minor + name: static_score normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.entry_leader.user.id: - dashed_name: process-entry-leader-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.user.id - ignore_above: 1024 - level: core - name: id + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.attested_user.roles: + dashed_name: process-entry-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array original_fieldset: user - short: Unique identifier of the user. + short: Array of user roles at the time of the event. + synthetic_source_keep: none type: keyword -process.entry_leader.user.name: - dashed_name: process-entry-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.user.name +process.entry_leader.code_signature.digest_algorithm: + dashed_name: process-entry-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' 
+ example: sha256 + flat_name: process.entry_leader.code_signature.digest_algorithm ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.name.text - name: text - type: match_only_text - name: name + level: extended + name: digest_algorithm normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. type: keyword -process.entry_leader.vpid: - dashed_name: process-entry-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.vpid - format: string +process.entry_leader.code_signature.exists: + dashed_name: process-entry-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.entry_leader.code_signature.exists level: core - name: vpid + name: exists normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.entry_leader.working_directory: - dashed_name: process-entry-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.working_directory + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.entry_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-code-signature-flags + description: The flags used to sign the process. 
+ example: 570522385 + flat_name: process.entry_leader.code_signature.flags ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.working_directory.text - name: text - type: match_only_text - name: working_directory + name: flags normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: code_signature + short: Code signing flags of the process type: keyword -process.env_vars: - dashed_name: process-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. +process.entry_leader.code_signature.signing_id: + dashed_name: process-entry-leader-code-signature-signing-id + description: 'The identifier used to sign the process. - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.env_vars + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.entry_leader.code_signature.signing_id ignore_above: 1024 level: extended - name: env_vars - normalize: - - array - short: Array of environment variable bindings. - synthetic_source_keep: none + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. type: keyword -process.executable: - dashed_name: process-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.executable +process.entry_leader.code_signature.status: + dashed_name: process-entry-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.code_signature.status ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.executable.text - name: text - type: match_only_text - name: executable + name: status normalize: [] - otel: - - attribute: process.executable.path - relation: equivalent - stability: development - short: Absolute path to the process executable. + original_fieldset: code_signature + short: Additional information about the certificate status. type: keyword -process.exit_code: - dashed_name: process-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.exit_code - level: extended - name: exit_code +process.entry_leader.code_signature.subject_name: + dashed_name: process-entry-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name normalize: [] - short: The exit code of the process. - type: long -process.group.id: - dashed_name: process-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group.id + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.entry_leader.code_signature.team_id: + dashed_name: process-entry-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.entry_leader.code_signature.team_id ignore_above: 1024 level: extended - name: id + name: team_id normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
+ original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword -process.group.name: - dashed_name: process-group-name - description: Name of the group. - flat_name: process.group.name - ignore_above: 1024 +process.entry_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.entry_leader.code_signature.thumbprint_sha256 + ignore_above: 64 level: extended - name: name + name: thumbprint_sha256 normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. type: keyword -process.group_leader.args: - dashed_name: process-group-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. +process.entry_leader.code_signature.timestamp: + dashed_name: process-entry-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.entry_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.entry_leader.code_signature.trusted: + dashed_name: process-entry-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.group_leader.args - ignore_above: 1024 + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.entry_leader.code_signature.trusted level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.group_leader.args_count: - dashed_name: process-group-leader-args-count - description: 'Length of the process.args array. + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.entry_leader.code_signature.valid: + dashed_name: process-entry-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.group_leader.args_count + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.entry_leader.code_signature.valid level: extended - name: args_count + name: valid normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.group_leader.command_line: - dashed_name: process-group-leader-command-line + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.entry_leader.command_line: + dashed_name: process-entry-leader-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' 
example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.group_leader.command_line + flat_name: process.entry_leader.command_line level: extended multi_fields: - - flat_name: process.group_leader.command_line.text + - flat_name: process.entry_leader.command_line.text name: text type: match_only_text name: command_line 
@@ -10448,474 +12330,1023 @@ process.group_leader.command_line: original_fieldset: process short: Full command line that started the process. type: wildcard -process.group_leader.entity_id: - dashed_name: process-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.group_leader.entity_id +process.entry_leader.elf.architecture: + dashed_name: process-entry-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.entry_leader.elf.architecture ignore_above: 1024 level: extended - name: entity_id + name: architecture normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: elf + short: Machine architecture of the ELF file. type: keyword -process.group_leader.executable: - dashed_name: process-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.group_leader.executable +process.entry_leader.elf.byte_order: + dashed_name: process-entry-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.entry_leader.elf.byte_order ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.group_leader.executable.text - name: text - type: match_only_text - name: executable + name: byte_order normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: elf + short: Byte sequence of ELF file. 
type: keyword -process.group_leader.group.id: - dashed_name: process-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.group.id +process.entry_leader.elf.cpu_type: + dashed_name: process-entry-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.entry_leader.elf.cpu_type ignore_above: 1024 level: extended - name: id + name: cpu_type normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: elf + short: CPU type of the ELF file. type: keyword -process.group_leader.group.name: - dashed_name: process-group-leader-group-name - description: Name of the group. - flat_name: process.group_leader.group.name +process.entry_leader.elf.creation_date: + dashed_name: process-entry-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.entry_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.entry_leader.elf.exports: + dashed_name: process-entry-leader-elf-exports + description: List of exported element names and types. + flat_name: process.entry_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.entry_leader.elf.go_import_hash: + dashed_name: process-entry-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.elf.go_import_hash ignore_above: 1024 level: extended - name: name + name: go_import_hash normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. type: keyword -process.group_leader.interactive: - dashed_name: process-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.group_leader.interactive +process.entry_leader.elf.go_imports: + dashed_name: process-entry-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.elf.go_imports level: extended - name: interactive + name: go_imports normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.entry_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.elf.go_stripped: + dashed_name: process-entry-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.group_leader.name: - dashed_name: process-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.group_leader.name +process.entry_leader.elf.header.abi_version: + dashed_name: process-entry-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.entry_leader.elf.header.abi_version ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.group_leader.name.text - name: text - type: match_only_text - name: name + name: header.abi_version normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). 
type: keyword -process.group_leader.pid: - dashed_name: process-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.group_leader.pid +process.entry_leader.elf.header.class: + dashed_name: process-entry-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.entry_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.entry_leader.elf.header.data: + dashed_name: process-entry-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.entry_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.entry_leader.elf.header.entrypoint: + dashed_name: process-entry-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.entry_leader.elf.header.entrypoint format: string - level: core - name: pid + level: extended + name: header.entrypoint normalize: [] - original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. + original_fieldset: elf + short: Header entrypoint of the ELF file. type: long -process.group_leader.real_group.id: - dashed_name: process-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.real_group.id +process.entry_leader.elf.header.object_version: + dashed_name: process-entry-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.entry_leader.elf.header.object_version ignore_above: 1024 level: extended - name: id + name: header.object_version normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
+ original_fieldset: elf + short: '"0x1" for original ELF files.' type: keyword -process.group_leader.real_group.name: - dashed_name: process-group-leader-real-group-name - description: Name of the group. - flat_name: process.group_leader.real_group.name +process.entry_leader.elf.header.os_abi: + dashed_name: process-entry-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.entry_leader.elf.header.os_abi ignore_above: 1024 level: extended - name: name + name: header.os_abi normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. type: keyword -process.group_leader.real_user.id: - dashed_name: process-group-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.real_user.id +process.entry_leader.elf.header.type: + dashed_name: process-entry-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.entry_leader.elf.header.type ignore_above: 1024 - level: core - name: id + level: extended + name: header.type normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: elf + short: Header type of the ELF file. type: keyword -process.group_leader.real_user.name: - dashed_name: process-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.real_user.name +process.entry_leader.elf.header.version: + dashed_name: process-entry-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.entry_leader.elf.header.version ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.real_user.name.text - name: text - type: match_only_text - name: name + level: extended + name: header.version normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: elf + short: Version of the ELF header. type: keyword -process.group_leader.same_as_process: - dashed_name: process-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) +process.entry_leader.elf.import_hash: + dashed_name: process-entry-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` + This is an ELF implementation of the Windows PE imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.entry_leader.elf.imports: + dashed_name: process-entry-leader-elf-imports + description: List of imported element names and types. + flat_name: process.entry_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.entry_leader.elf.imports_names_entropy: + dashed_name: process-entry-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.elf.sections: + dashed_name: process-entry-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' 
- example: true - flat_name: process.group_leader.same_as_process + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.entry_leader.elf.sections level: extended - name: same_as_process + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.entry_leader.elf.sections.chi2: + dashed_name: process-entry-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.entry_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.group_leader.saved_group.id: - dashed_name: process-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.saved_group.id + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.entry_leader.elf.sections.entropy: + dashed_name: process-entry-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.elf.sections.flags: + dashed_name: process-entry-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.entry_leader.elf.sections.flags ignore_above: 1024 level: extended - name: id + name: sections.flags normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: elf + short: ELF Section List flags. 
type: keyword -process.group_leader.saved_group.name: - dashed_name: process-group-leader-saved-group-name - description: Name of the group. - flat_name: process.group_leader.saved_group.name +process.entry_leader.elf.sections.name: + dashed_name: process-entry-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.entry_leader.elf.sections.name ignore_above: 1024 level: extended - name: name + name: sections.name normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: elf + short: ELF Section List name. type: keyword -process.group_leader.saved_user.id: - dashed_name: process-group-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.saved_user.id +process.entry_leader.elf.sections.physical_offset: + dashed_name: process-entry-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.entry_leader.elf.sections.physical_offset ignore_above: 1024 - level: core - name: id + level: extended + name: sections.physical_offset normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: elf + short: ELF Section List offset. type: keyword -process.group_leader.saved_user.name: - dashed_name: process-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.saved_user.name +process.entry_leader.elf.sections.physical_size: + dashed_name: process-entry-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.entry_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. 
+ type: long +process.entry_leader.elf.sections.type: + dashed_name: process-entry-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.entry_leader.elf.sections.type ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name + level: extended + name: sections.type normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: elf + short: ELF Section List type. type: keyword -process.group_leader.start: - dashed_name: process-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.start +process.entry_leader.elf.sections.var_entropy: + dashed_name: process-entry-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.elf.sections.var_entropy + format: number level: extended - name: start + name: sections.var_entropy normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.group_leader.supplemental_groups.id: - dashed_name: process-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.supplemental_groups.id + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.elf.sections.virtual_address: + dashed_name: process-entry-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.entry_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. 
+ type: long +process.entry_leader.elf.sections.virtual_size: + dashed_name: process-entry-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.entry_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.entry_leader.elf.segments: + dashed_name: process-entry-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.entry_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.entry_leader.elf.segments.sections: + dashed_name: process-entry-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.entry_leader.elf.segments.sections ignore_above: 1024 level: extended - name: id + name: segments.sections normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: elf + short: ELF object segment sections. type: keyword -process.group_leader.supplemental_groups.name: - dashed_name: process-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.group_leader.supplemental_groups.name +process.entry_leader.elf.segments.type: + dashed_name: process-entry-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.entry_leader.elf.segments.type ignore_above: 1024 level: extended - name: name + name: segments.type normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: elf + short: ELF object segment type. 
type: keyword -process.group_leader.tty: - dashed_name: process-group-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.group_leader.tty +process.entry_leader.elf.shared_libraries: + dashed_name: process-entry-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.entry_leader.elf.shared_libraries + ignore_above: 1024 level: extended - name: tty + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.entry_leader.elf.telfhash: + dashed_name: process-entry-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.entry_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.entry_leader.end: + dashed_name: process-entry-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.end + level: extended + name: end normalize: [] original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.group_leader.tty.char_device.major: - dashed_name: process-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.group_leader.tty.char_device.major + short: The time the process ended. + type: date +process.entry_leader.endpoint_security_client: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.endpoint_security_client level: extended - name: tty.char_device.major + name: endpoint_security_client normalize: [] original_fieldset: process - short: The TTY character device's major number. - type: long -process.group_leader.tty.char_device.minor: - dashed_name: process-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.group_leader.tty.char_device.minor + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.entry_leader.entity_id: + dashed_name: process-entry-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.entity_id + ignore_above: 1024 level: extended - name: tty.char_device.minor + name: entity_id normalize: [] original_fieldset: process - short: The TTY character device's minor number. - type: long -process.group_leader.user.id: - dashed_name: process-group-leader-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.user.id + short: Unique identifier for the process. + type: keyword +process.entry_leader.entry_meta.source.address: + dashed_name: process-entry-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.entry_leader.entry_meta.source.address ignore_above: 1024 - level: core - name: id + level: extended + name: address normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: source + short: Source network address. type: keyword -process.group_leader.user.name: - dashed_name: process-group-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.user.name +process.entry_leader.entry_meta.source.as.number: + dashed_name: process-entry-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.entry_leader.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.entry_leader.entry_meta.source.as.organization.name ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.group_leader.user.name.text + - flat_name: process.entry_leader.entry_meta.source.as.organization.name.text name: text type: match_only_text - name: name + name: organization.name normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: as + short: Organization name. type: keyword -process.group_leader.vpid: - dashed_name: process-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.group_leader.vpid - format: string +process.entry_leader.entry_meta.source.bytes: + dashed_name: process-entry-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.entry_meta.source.bytes + format: bytes level: core - name: vpid + name: bytes normalize: [] - original_fieldset: process - short: Virtual process id. + original_fieldset: source + short: Bytes sent from the source to the destination. type: long -process.group_leader.working_directory: - dashed_name: process-group-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.group_leader.working_directory +process.entry_leader.entry_meta.source.domain: + dashed_name: process-entry-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' 
+ example: foo.example.com + flat_name: process.entry_leader.entry_meta.source.domain ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory + level: core + name: domain normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: source + short: The domain name of the source. type: keyword -process.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.hash.cdhash +process.entry_leader.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.entry_meta.source.geo.city_name ignore_above: 1024 - level: extended - name: cdhash + level: core + name: city_name normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. + original_fieldset: geo + short: City name. type: keyword -process.hash.md5: - dashed_name: process-hash-md5 - description: MD5 hash. - flat_name: process.hash.md5 +process.entry_leader.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.entry_meta.source.geo.continent_code ignore_above: 1024 - level: extended - name: md5 + level: core + name: continent_code normalize: [] - original_fieldset: hash - short: MD5 hash. + original_fieldset: geo + short: Continent code. type: keyword -process.hash.sha1: - dashed_name: process-hash-sha1 - description: SHA1 hash. 
- flat_name: process.hash.sha1 +process.entry_leader.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.entry_meta.source.geo.continent_name ignore_above: 1024 - level: extended - name: sha1 + level: core + name: continent_name normalize: [] - original_fieldset: hash - short: SHA1 hash. + original_fieldset: geo + short: Name of the continent. type: keyword -process.hash.sha256: - dashed_name: process-hash-sha256 - description: SHA256 hash. - flat_name: process.hash.sha256 +process.entry_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.entry_meta.source.geo.country_iso_code ignore_above: 1024 - level: extended - name: sha256 + level: core + name: country_iso_code normalize: [] - original_fieldset: hash - short: SHA256 hash. + original_fieldset: geo + short: Country ISO code. type: keyword -process.hash.sha384: - dashed_name: process-hash-sha384 - description: SHA384 hash. - flat_name: process.hash.sha384 +process.entry_leader.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.entry_meta.source.geo.country_name ignore_above: 1024 - level: extended - name: sha384 + level: core + name: country_name normalize: [] - original_fieldset: hash - short: SHA384 hash. + original_fieldset: geo + short: Country name. type: keyword -process.hash.sha512: - dashed_name: process-hash-sha512 - description: SHA512 hash. - flat_name: process.hash.sha512 +process.entry_leader.entry_meta.source.geo.location: + dashed_name: process-entry-leader-entry-meta-source-geo-location + description: Longitude and latitude. 
+ example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.entry_leader.entry_meta.source.geo.name: + dashed_name: process-entry-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.entry_meta.source.geo.name ignore_above: 1024 level: extended - name: sha512 + name: name normalize: [] - original_fieldset: hash - short: SHA512 hash. + original_fieldset: geo + short: User-defined description of a location. type: keyword -process.hash.ssdeep: - dashed_name: process-hash-ssdeep - description: SSDEEP hash. - flat_name: process.hash.ssdeep +process.entry_leader.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_leader.entry_meta.source.geo.postal_code ignore_above: 1024 - level: extended - name: ssdeep + level: core + name: postal_code normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: geo + short: Postal code. type: keyword -process.hash.tlsh: - dashed_name: process-hash-tlsh - description: TLSH hash. - flat_name: process.hash.tlsh +process.entry_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. 
+ example: CA-QC + flat_name: process.entry_leader.entry_meta.source.geo.region_iso_code ignore_above: 1024 - level: extended - name: tlsh + level: core + name: region_iso_code normalize: [] - original_fieldset: hash - short: TLSH hash. + original_fieldset: geo + short: Region ISO code. type: keyword -process.interactive: - dashed_name: process-interactive - description: 'Whether the process is connected to an interactive shell. +process.entry_leader.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.entry_leader.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.entry_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.entry_leader.entry_meta.source.mac: + dashed_name: process-entry-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' 
+ example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.entry_leader.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.entry_leader.entry_meta.source.nat.port: + dashed_name: process-entry-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.entry_leader.entry_meta.source.packets: + dashed_name: process-entry-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.entry_leader.entry_meta.source.port: + dashed_name: process-entry-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. 
+ type: long +process.entry_leader.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.entry_leader.entry_meta.source.subdomain: + dashed_name: process-entry-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.entry_leader.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. 
For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.entry_leader.entry_meta.type: + dashed_name: process-entry-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.entry_leader.env_vars: + dashed_name: process-entry-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.entry_leader.executable: + dashed_name: process-entry-leader-executable + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + flat_name: process.entry_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.entry_leader.exit_code: + dashed_name: process-entry-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.entry_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.entry_leader.group.domain: + dashed_name: process-entry-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.group.id: + dashed_name: process-entry-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.group.name: + dashed_name: process-entry-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.hash.cdhash: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.entry_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.entry_leader.hash.md5: + dashed_name: process-entry-leader-hash-md5 + description: MD5 hash. + flat_name: process.entry_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.entry_leader.hash.sha1: + dashed_name: process-entry-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.entry_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.entry_leader.hash.sha256: + dashed_name: process-entry-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.entry_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.entry_leader.hash.sha384: + dashed_name: process-entry-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.entry_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.entry_leader.hash.sha512: + dashed_name: process-entry-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.entry_leader.hash.ssdeep: + dashed_name: process-entry-leader-hash-ssdeep + description: SSDEEP hash. 
+ flat_name: process.entry_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.entry_leader.hash.tlsh: + dashed_name: process-entry-leader-hash-tlsh + description: TLSH hash. + flat_name: process.entry_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.entry_leader.interactive: + dashed_name: process-entry-leader-interactive + description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the 
@@ -10927,119 +13358,126 @@ process.interactive: is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true - flat_name: process.interactive + flat_name: process.entry_leader.interactive level: extended name: interactive normalize: [] - otel: - - relation: match - stability: development + original_fieldset: process short: Whether the process is connected to an interactive shell. type: boolean -process.io: - dashed_name: process-io +process.entry_leader.io: + dashed_name: process-entry-leader-io description: 'A chunk of input or output (IO) from a single process. This field only appears on the top level process object, which is the process that wrote the output or read the input.' - flat_name: process.io + flat_name: process.entry_leader.io level: extended name: io normalize: [] + original_fieldset: process short: A chunk of input or output (IO) from a single process. type: object -process.io.bytes_skipped: - dashed_name: process-io-bytes-skipped +process.entry_leader.io.bytes_skipped: + dashed_name: process-entry-leader-io-bytes-skipped description: An array of byte offsets and lengths denoting where IO data has been skipped. - flat_name: process.io.bytes_skipped + flat_name: process.entry_leader.io.bytes_skipped level: extended name: io.bytes_skipped normalize: - array + original_fieldset: process short: An array of byte offsets and lengths denoting where IO data has been skipped. type: object -process.io.bytes_skipped.length: - dashed_name: process-io-bytes-skipped-length +process.entry_leader.io.bytes_skipped.length: + dashed_name: process-entry-leader-io-bytes-skipped-length description: The length of bytes skipped. - flat_name: process.io.bytes_skipped.length + flat_name: process.entry_leader.io.bytes_skipped.length level: extended name: io.bytes_skipped.length normalize: [] + original_fieldset: process short: The length of bytes skipped. 
type: long -process.io.bytes_skipped.offset: - dashed_name: process-io-bytes-skipped-offset +process.entry_leader.io.bytes_skipped.offset: + dashed_name: process-entry-leader-io-bytes-skipped-offset description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. - flat_name: process.io.bytes_skipped.offset + flat_name: process.entry_leader.io.bytes_skipped.offset level: extended name: io.bytes_skipped.offset normalize: [] + original_fieldset: process short: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. type: long -process.io.max_bytes_per_process_exceeded: - dashed_name: process-io-max-bytes-per-process-exceeded +process.entry_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-io-max-bytes-per-process-exceeded description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. - flat_name: process.io.max_bytes_per_process_exceeded + flat_name: process.entry_leader.io.max_bytes_per_process_exceeded level: extended name: io.max_bytes_per_process_exceeded normalize: [] + original_fieldset: process short: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. type: boolean -process.io.text: - dashed_name: process-io-text +process.entry_leader.io.text: + dashed_name: process-entry-leader-io-text description: 'A chunk of output or input sanitized to UTF-8. Best efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.' 
- flat_name: process.io.text + flat_name: process.entry_leader.io.text level: extended name: io.text normalize: [] + original_fieldset: process short: A chunk of output or input sanitized to UTF-8. type: wildcard -process.io.total_bytes_captured: - dashed_name: process-io-total-bytes-captured +process.entry_leader.io.total_bytes_captured: + dashed_name: process-entry-leader-io-total-bytes-captured description: The total number of bytes captured in this event. - flat_name: process.io.total_bytes_captured + flat_name: process.entry_leader.io.total_bytes_captured level: extended name: io.total_bytes_captured normalize: [] + original_fieldset: process short: The total number of bytes captured in this event. type: long -process.io.total_bytes_skipped: - dashed_name: process-io-total-bytes-skipped +process.entry_leader.io.total_bytes_skipped: + dashed_name: process-entry-leader-io-total-bytes-skipped description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero - flat_name: process.io.total_bytes_skipped + flat_name: process.entry_leader.io.total_bytes_skipped level: extended name: io.total_bytes_skipped normalize: [] + original_fieldset: process short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. type: long -process.io.type: - dashed_name: process-io-type +process.entry_leader.io.type: + dashed_name: process-entry-leader-io-type description: 'The type of object on which the IO action (read or write) was taken. Currently only ''tty'' is supported. Other types may be added in the future for ''file'' and ''socket'' support.' - flat_name: process.io.type + flat_name: process.entry_leader.io.type ignore_above: 1024 level: extended name: io.type normalize: [] + original_fieldset: process short: The type of object on which the IO action (read or write) was taken. 
type: keyword -process.macho.go_import_hash: - dashed_name: process-macho-go-import-hash +process.entry_leader.macho.go_import_hash: + dashed_name: process-entry-leader-macho-go-import-hash description: 'A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change @@ -11048,7 +13486,7 @@ process.macho.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.macho.go_import_hash + flat_name: process.entry_leader.macho.go_import_hash ignore_above: 1024 level: extended name: go_import_hash @@ -11056,20 +13494,20 @@ process.macho.go_import_hash: original_fieldset: macho short: A hash of the Go language imports in a Mach-O file. type: keyword -process.macho.go_imports: - dashed_name: process-macho-go-imports +process.entry_leader.macho.go_imports: + dashed_name: process-entry-leader-macho-go-imports description: List of imported Go language element names and types. - flat_name: process.macho.go_imports + flat_name: process.entry_leader.macho.go_imports level: extended name: go_imports normalize: [] original_fieldset: macho short: List of imported Go language element names and types. type: flattened -process.macho.go_imports_names_entropy: - dashed_name: process-macho-go-imports-names-entropy +process.entry_leader.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-macho-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_entropy + flat_name: process.entry_leader.macho.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy 
@@ -11077,10 +13515,10 @@ process.macho.go_imports_names_entropy: original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. type: long -process.macho.go_imports_names_var_entropy: - dashed_name: process-macho-go-imports-names-var-entropy +process.entry_leader.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_var_entropy + flat_name: process.entry_leader.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -11088,26 +13526,26 @@ process.macho.go_imports_names_var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.macho.go_stripped: - dashed_name: process-macho-go-stripped +process.entry_leader.macho.go_stripped: + dashed_name: process-entry-leader-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.macho.go_stripped + flat_name: process.entry_leader.macho.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.macho.import_hash: - dashed_name: process-macho-import-hash +process.entry_leader.macho.import_hash: + dashed_name: process-entry-leader-macho-import-hash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.macho.import_hash + flat_name: process.entry_leader.macho.import_hash ignore_above: 1024 level: extended name: import_hash @@ -11115,10 +13553,10 @@ process.macho.import_hash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.macho.imports: - dashed_name: process-macho-imports +process.entry_leader.macho.imports: + dashed_name: process-entry-leader-macho-imports description: List of imported element names and types. - flat_name: process.macho.imports + flat_name: process.entry_leader.macho.imports level: extended name: imports normalize: 
@@ -11126,11 +13564,11 @@ process.macho.imports: original_fieldset: macho short: List of imported element names and types. type: flattened -process.macho.imports_names_entropy: - dashed_name: process-macho-imports-names-entropy +process.entry_leader.macho.imports_names_entropy: + dashed_name: process-entry-leader-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.macho.imports_names_entropy + flat_name: process.entry_leader.macho.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -11138,11 +13576,11 @@ process.macho.imports_names_entropy: original_fieldset: macho short: Shannon entropy calculation from the list of imported element names and types. type: long -process.macho.imports_names_var_entropy: - dashed_name: process-macho-imports-names-var-entropy +process.entry_leader.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.macho.imports_names_var_entropy + flat_name: process.entry_leader.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -11151,13 +13589,13 @@ process.macho.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.macho.sections: - dashed_name: process-macho-sections +process.entry_leader.macho.sections: + dashed_name: process-entry-leader-macho-sections description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' - flat_name: process.macho.sections + flat_name: process.entry_leader.macho.sections level: extended name: sections normalize: 
@@ -11165,10 +13603,10 @@ process.macho.sections: original_fieldset: macho short: Section information of the Mach-O file. type: nested -process.macho.sections.entropy: - dashed_name: process-macho-sections-entropy +process.entry_leader.macho.sections.entropy: + dashed_name: process-entry-leader-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.macho.sections.entropy + flat_name: process.entry_leader.macho.sections.entropy format: number level: extended name: sections.entropy @@ -11176,10 +13614,10 @@ process.macho.sections.entropy: original_fieldset: macho short: Shannon entropy calculation from the section. type: long -process.macho.sections.name: - dashed_name: process-macho-sections-name +process.entry_leader.macho.sections.name: + dashed_name: process-entry-leader-macho-sections-name description: Mach-O Section List name. - flat_name: process.macho.sections.name + flat_name: process.entry_leader.macho.sections.name ignore_above: 1024 level: extended name: sections.name @@ -11187,10 +13625,10 @@ process.macho.sections.name: original_fieldset: macho short: Mach-O Section List name. type: keyword -process.macho.sections.physical_size: - dashed_name: process-macho-sections-physical-size +process.entry_leader.macho.sections.physical_size: + dashed_name: process-entry-leader-macho-sections-physical-size description: Mach-O Section List physical size. - flat_name: process.macho.sections.physical_size + flat_name: process.entry_leader.macho.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -11198,10 +13636,10 @@ process.macho.sections.physical_size: original_fieldset: macho short: Mach-O Section List physical size. type: long -process.macho.sections.var_entropy: - dashed_name: process-macho-sections-var-entropy +process.entry_leader.macho.sections.var_entropy: + dashed_name: process-entry-leader-macho-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.macho.sections.var_entropy + flat_name: process.entry_leader.macho.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -11209,10 +13647,10 @@ process.macho.sections.var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the section. type: long -process.macho.sections.virtual_size: - dashed_name: process-macho-sections-virtual-size +process.entry_leader.macho.sections.virtual_size: + dashed_name: process-entry-leader-macho-sections-virtual-size description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.macho.sections.virtual_size + flat_name: process.entry_leader.macho.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -11220,15 +13658,15 @@ process.macho.sections.virtual_size: original_fieldset: macho short: Mach-O Section List virtual size. This is always the same as `physical_size`. type: long -process.macho.symhash: - dashed_name: process-macho-symhash +process.entry_leader.macho.symhash: + dashed_name: process-entry-leader-macho-symhash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.macho.symhash + flat_name: process.entry_leader.macho.symhash ignore_above: 1024 level: extended name: symhash 
@@ -11236,31 +13674,58 @@ process.macho.symhash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.name: - dashed_name: process-name +process.entry_leader.name: + dashed_name: process-entry-leader-name description: 'Process name. Sometimes called program name or similar.' example: ssh - flat_name: process.name + flat_name: process.entry_leader.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.name.text + - flat_name: process.entry_leader.name.text name: text type: match_only_text name: name normalize: [] + original_fieldset: process short: Process name. type: keyword -process.parent.args: - dashed_name: process-parent-args +process.entry_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.entry_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.entry_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.entry_leader.parent.args: + dashed_name: process-entry-leader-parent-args description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' 
example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.args + flat_name: process.entry_leader.parent.args ignore_above: 1024 level: extended name: args 
@@ -11269,165 +13734,662 @@ process.parent.args: original_fieldset: process short: Array of process arguments. type: keyword -process.parent.args_count: - dashed_name: process-parent-args-count +process.entry_leader.parent.args_count: + dashed_name: process-entry-leader-parent-args-count description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 - flat_name: process.parent.args_count + flat_name: process.entry_leader.parent.args_count level: extended name: args_count normalize: [] original_fieldset: process short: Length of the process.args array. type: long -process.parent.code_signature.digest_algorithm: - dashed_name: process-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. +process.entry_leader.parent.attested_groups.domain: + dashed_name: process-entry-leader-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.parent.code_signature.digest_algorithm + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.attested_groups.domain ignore_above: 1024 level: extended - name: digest_algorithm + name: domain normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword -process.parent.code_signature.exists: - dashed_name: process-parent-code-signature-exists - description: Boolean to capture if a signature is present. 
- example: 'true' - flat_name: process.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.parent.code_signature.flags +process.entry_leader.parent.attested_groups.id: + dashed_name: process-entry-leader-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.attested_groups.id ignore_above: 1024 level: extended - name: flags + name: id normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.parent.code_signature.signing_id: - dashed_name: process-parent-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.parent.code_signature.signing_id +process.entry_leader.parent.attested_groups.name: + dashed_name: process-entry-leader-parent-attested-groups-name + description: Name of the group. + flat_name: process.entry_leader.parent.attested_groups.name ignore_above: 1024 level: extended - name: signing_id + name: name normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + original_fieldset: group + short: Name of the group. type: keyword -process.parent.code_signature.status: - dashed_name: process-parent-code-signature-status - description: 'Additional information about the certificate status. 
+process.entry_leader.parent.attested_user.domain: + dashed_name: process-entry-leader-parent-attested-user-domain + description: 'Name of the directory the user is a member of. - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.code_signature.status + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.attested_user.domain ignore_above: 1024 level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.parent.code_signature.subject_name: - dashed_name: process-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name + name: domain normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer + original_fieldset: user + short: Name of the directory the user is a member of. type: keyword -process.parent.code_signature.team_id: - dashed_name: process-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.parent.code_signature.team_id +process.entry_leader.parent.attested_user.email: + dashed_name: process-entry-leader-parent-attested-user-email + description: User email address. + flat_name: process.entry_leader.parent.attested_user.email ignore_above: 1024 level: extended - name: team_id + name: email normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. 
+ original_fieldset: user + short: User email address. type: keyword -process.parent.code_signature.thumbprint_sha256: +process.entry_leader.parent.attested_user.entity.attributes: beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.code_signature.thumbprint_sha256 - ignore_above: 64 + dashed_name: process-entry-leader-parent-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.parent.attested_user.entity.attributes level: extended - name: thumbprint_sha256 + name: attributes normalize: [] - original_fieldset: code_signature + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.parent.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.entry_leader.parent.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.parent.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.parent.attested_user.entity.id: + dashed_name: process-entry-leader-parent-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
+ flat_name: process.entry_leader.parent.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.parent.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.parent.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.parent.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. 
+ flat_name: process.entry_leader.parent.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.parent.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.parent.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.parent.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.parent.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.parent.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. 
This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.parent.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.parent.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.parent.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.parent.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. 
Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. 
This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.parent.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. 
+ type: keyword +process.entry_leader.parent.attested_user.full_name: + dashed_name: process-entry-leader-parent-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.attested_user.group.domain: + dashed_name: process-entry-leader-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.attested_user.group.id: + dashed_name: process-entry-leader-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.attested_user.group.name: + dashed_name: process-entry-leader-parent-attested-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.entry_leader.parent.attested_user.hash: + dashed_name: process-entry-leader-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.attested_user.id: + dashed_name: process-entry-leader-parent-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.attested_user.name: + dashed_name: process-entry-leader-parent-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.entry_leader.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.attested_user.risk.static_level: + dashed_name: process-entry-leader-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.entry_leader.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.attested_user.risk.static_score: + dashed_name: process-entry-leader-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.parent.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.attested_user.roles: + dashed_name: process-entry-leader-parent-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.entry_leader.parent.code_signature.digest_algorithm: + dashed_name: process-entry-leader-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.entry_leader.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.entry_leader.parent.code_signature.exists: + dashed_name: process-entry-leader-parent-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.entry_leader.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.entry_leader.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.entry_leader.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.entry_leader.parent.code_signature.signing_id: + dashed_name: process-entry-leader-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' 
+ example: com.apple.xpc.proxy + flat_name: process.entry_leader.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.entry_leader.parent.code_signature.status: + dashed_name: process-entry-leader-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.entry_leader.parent.code_signature.subject_name: + dashed_name: process-entry-leader-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.entry_leader.parent.code_signature.team_id: + dashed_name: process-entry-leader-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.entry_leader.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. 
+ type: keyword +process.entry_leader.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.entry_leader.parent.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature pattern: ^[0-9a-f]{64}$ short: SHA256 hash of the certificate. type: keyword -process.parent.code_signature.timestamp: - dashed_name: process-parent-code-signature-timestamp +process.entry_leader.parent.code_signature.timestamp: + dashed_name: process-entry-leader-parent-code-signature-timestamp description: Date and time when the code signature was generated and signed. example: '2021-01-01T12:10:30Z' - flat_name: process.parent.code_signature.timestamp + flat_name: process.entry_leader.parent.code_signature.timestamp level: extended name: timestamp normalize: [] original_fieldset: code_signature short: When the signature was generated and signed. type: date -process.parent.code_signature.trusted: - dashed_name: process-parent-code-signature-trusted +process.entry_leader.parent.code_signature.trusted: + dashed_name: process-entry-leader-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' - flat_name: process.parent.code_signature.trusted + flat_name: process.entry_leader.parent.code_signature.trusted level: extended name: trusted normalize: [] original_fieldset: code_signature short: Stores the trust status of the certificate chain. 
type: boolean -process.parent.code_signature.valid: - dashed_name: process-parent-code-signature-valid +process.entry_leader.parent.code_signature.valid: + dashed_name: process-entry-leader-parent-code-signature-valid description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' - flat_name: process.parent.code_signature.valid + flat_name: process.entry_leader.parent.code_signature.valid level: extended name: valid normalize: [] @@ -11435,17 +14397,17 @@ process.parent.code_signature.valid: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean -process.parent.command_line: - dashed_name: process-parent-command-line +process.entry_leader.parent.command_line: + dashed_name: process-entry-leader-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.command_line + flat_name: process.entry_leader.parent.command_line level: extended multi_fields: - - flat_name: process.parent.command_line.text + - flat_name: process.entry_leader.parent.command_line.text name: text type: match_only_text name: command_line @@ -11453,11 +14415,11 @@ process.parent.command_line: original_fieldset: process short: Full command line that started the process. type: wildcard -process.parent.elf.architecture: - dashed_name: process-parent-elf-architecture +process.entry_leader.parent.elf.architecture: + dashed_name: process-entry-leader-parent-elf-architecture description: Machine architecture of the ELF file. example: x86-64 - flat_name: process.parent.elf.architecture + flat_name: process.entry_leader.parent.elf.architecture ignore_above: 1024 level: extended name: architecture 
@@ -11465,11 +14427,11 @@ process.parent.elf.architecture: original_fieldset: elf short: Machine architecture of the ELF file. type: keyword -process.parent.elf.byte_order: - dashed_name: process-parent-elf-byte-order +process.entry_leader.parent.elf.byte_order: + dashed_name: process-entry-leader-parent-elf-byte-order description: Byte sequence of ELF file. example: Little Endian - flat_name: process.parent.elf.byte_order + flat_name: process.entry_leader.parent.elf.byte_order ignore_above: 1024 level: extended name: byte_order @@ -11477,11 +14439,11 @@ process.parent.elf.byte_order: original_fieldset: elf short: Byte sequence of ELF file. type: keyword -process.parent.elf.cpu_type: - dashed_name: process-parent-elf-cpu-type +process.entry_leader.parent.elf.cpu_type: + dashed_name: process-entry-leader-parent-elf-cpu-type description: CPU type of the ELF file. example: Intel - flat_name: process.parent.elf.cpu_type + flat_name: process.entry_leader.parent.elf.cpu_type ignore_above: 1024 level: extended name: cpu_type 
@@ -11489,21 +14451,21 @@ process.parent.elf.cpu_type: original_fieldset: elf short: CPU type of the ELF file. type: keyword -process.parent.elf.creation_date: - dashed_name: process-parent-elf-creation-date +process.entry_leader.parent.elf.creation_date: + dashed_name: process-entry-leader-parent-elf-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.elf.creation_date + flat_name: process.entry_leader.parent.elf.creation_date level: extended name: creation_date normalize: [] original_fieldset: elf short: Build or compile date. type: date -process.parent.elf.exports: - dashed_name: process-parent-elf-exports +process.entry_leader.parent.elf.exports: + dashed_name: process-entry-leader-parent-elf-exports description: List of exported element names and types. - flat_name: process.parent.elf.exports + flat_name: process.entry_leader.parent.elf.exports level: extended name: exports normalize: @@ -11511,8 +14473,8 @@ process.parent.elf.exports: original_fieldset: elf short: List of exported element names and types. type: flattened -process.parent.elf.go_import_hash: - dashed_name: process-parent-elf-go-import-hash +process.entry_leader.parent.elf.go_import_hash: + dashed_name: process-entry-leader-parent-elf-go-import-hash description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change 
@@ -11521,7 +14483,7 @@ process.parent.elf.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.elf.go_import_hash + flat_name: process.entry_leader.parent.elf.go_import_hash ignore_above: 1024 level: extended name: go_import_hash @@ -11529,20 +14491,20 @@ process.parent.elf.go_import_hash: original_fieldset: elf short: A hash of the Go language imports in an ELF file. type: keyword -process.parent.elf.go_imports: - dashed_name: process-parent-elf-go-imports +process.entry_leader.parent.elf.go_imports: + dashed_name: process-entry-leader-parent-elf-go-imports description: List of imported Go language element names and types. - flat_name: process.parent.elf.go_imports + flat_name: process.entry_leader.parent.elf.go_imports level: extended name: go_imports normalize: [] original_fieldset: elf short: List of imported Go language element names and types. type: flattened -process.parent.elf.go_imports_names_entropy: - dashed_name: process-parent-elf-go-imports-names-entropy +process.entry_leader.parent.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-elf-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_entropy + flat_name: process.entry_leader.parent.elf.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy 
@@ -11550,10 +14512,10 @@ process.parent.elf.go_imports_names_entropy: original_fieldset: elf short: Shannon entropy calculation from the list of Go imports. type: long -process.parent.elf.go_imports_names_var_entropy: - dashed_name: process-parent-elf-go-imports-names-var-entropy +process.entry_leader.parent.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-elf-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_var_entropy + flat_name: process.entry_leader.parent.elf.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy @@ -11561,21 +14523,21 @@ process.parent.elf.go_imports_names_var_entropy: original_fieldset: elf short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.parent.elf.go_stripped: - dashed_name: process-parent-elf-go-stripped +process.entry_leader.parent.elf.go_stripped: + dashed_name: process-entry-leader-parent-elf-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.elf.go_stripped + flat_name: process.entry_leader.parent.elf.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: elf short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.parent.elf.header.abi_version: - dashed_name: process-parent-elf-header-abi-version +process.entry_leader.parent.elf.header.abi_version: + dashed_name: process-entry-leader-parent-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.elf.header.abi_version + flat_name: process.entry_leader.parent.elf.header.abi_version ignore_above: 1024 level: extended name: header.abi_version 
@@ -11583,10 +14545,10 @@ process.parent.elf.header.abi_version: original_fieldset: elf short: Version of the ELF Application Binary Interface (ABI). type: keyword -process.parent.elf.header.class: - dashed_name: process-parent-elf-header-class +process.entry_leader.parent.elf.header.class: + dashed_name: process-entry-leader-parent-elf-header-class description: Header class of the ELF file. - flat_name: process.parent.elf.header.class + flat_name: process.entry_leader.parent.elf.header.class ignore_above: 1024 level: extended name: header.class @@ -11594,10 +14556,10 @@ process.parent.elf.header.class: original_fieldset: elf short: Header class of the ELF file. type: keyword -process.parent.elf.header.data: - dashed_name: process-parent-elf-header-data +process.entry_leader.parent.elf.header.data: + dashed_name: process-entry-leader-parent-elf-header-data description: Data table of the ELF header. - flat_name: process.parent.elf.header.data + flat_name: process.entry_leader.parent.elf.header.data ignore_above: 1024 level: extended name: header.data @@ -11605,10 +14567,10 @@ process.parent.elf.header.data: original_fieldset: elf short: Data table of the ELF header. type: keyword -process.parent.elf.header.entrypoint: - dashed_name: process-parent-elf-header-entrypoint +process.entry_leader.parent.elf.header.entrypoint: + dashed_name: process-entry-leader-parent-elf-header-entrypoint description: Header entrypoint of the ELF file. - flat_name: process.parent.elf.header.entrypoint + flat_name: process.entry_leader.parent.elf.header.entrypoint format: string level: extended name: header.entrypoint 
@@ -11616,10 +14578,10 @@ process.parent.elf.header.entrypoint: original_fieldset: elf short: Header entrypoint of the ELF file. type: long -process.parent.elf.header.object_version: - dashed_name: process-parent-elf-header-object-version +process.entry_leader.parent.elf.header.object_version: + dashed_name: process-entry-leader-parent-elf-header-object-version description: '"0x1" for original ELF files.' - flat_name: process.parent.elf.header.object_version + flat_name: process.entry_leader.parent.elf.header.object_version ignore_above: 1024 level: extended name: header.object_version @@ -11627,10 +14589,10 @@ process.parent.elf.header.object_version: original_fieldset: elf short: '"0x1" for original ELF files.' type: keyword -process.parent.elf.header.os_abi: - dashed_name: process-parent-elf-header-os-abi +process.entry_leader.parent.elf.header.os_abi: + dashed_name: process-entry-leader-parent-elf-header-os-abi description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.elf.header.os_abi + flat_name: process.entry_leader.parent.elf.header.os_abi ignore_above: 1024 level: extended name: header.os_abi @@ -11638,10 +14600,10 @@ process.parent.elf.header.os_abi: original_fieldset: elf short: Application Binary Interface (ABI) of the Linux OS. type: keyword -process.parent.elf.header.type: - dashed_name: process-parent-elf-header-type +process.entry_leader.parent.elf.header.type: + dashed_name: process-entry-leader-parent-elf-header-type description: Header type of the ELF file. - flat_name: process.parent.elf.header.type + flat_name: process.entry_leader.parent.elf.header.type ignore_above: 1024 level: extended name: header.type 
@@ -11649,10 +14611,10 @@ process.parent.elf.header.type: original_fieldset: elf short: Header type of the ELF file. type: keyword -process.parent.elf.header.version: - dashed_name: process-parent-elf-header-version +process.entry_leader.parent.elf.header.version: + dashed_name: process-entry-leader-parent-elf-header-version description: Version of the ELF header. - flat_name: process.parent.elf.header.version + flat_name: process.entry_leader.parent.elf.header.version ignore_above: 1024 level: extended name: header.version @@ -11660,15 +14622,15 @@ process.parent.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword -process.parent.elf.import_hash: - dashed_name: process-parent-elf-import-hash +process.entry_leader.parent.elf.import_hash: + dashed_name: process-entry-leader-parent-elf-import-hash description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.elf.import_hash + flat_name: process.entry_leader.parent.elf.import_hash ignore_above: 1024 level: extended name: import_hash @@ -11676,10 +14638,10 @@ process.parent.elf.import_hash: original_fieldset: elf short: A hash of the imports in an ELF file. type: keyword -process.parent.elf.imports: - dashed_name: process-parent-elf-imports +process.entry_leader.parent.elf.imports: + dashed_name: process-entry-leader-parent-elf-imports description: List of imported element names and types. - flat_name: process.parent.elf.imports + flat_name: process.entry_leader.parent.elf.imports level: extended name: imports normalize: 
@@ -11687,11 +14649,11 @@ process.parent.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened -process.parent.elf.imports_names_entropy: - dashed_name: process-parent-elf-imports-names-entropy +process.entry_leader.parent.elf.imports_names_entropy: + dashed_name: process-entry-leader-parent-elf-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.elf.imports_names_entropy + flat_name: process.entry_leader.parent.elf.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -11699,11 +14661,11 @@ process.parent.elf.imports_names_entropy: original_fieldset: elf short: Shannon entropy calculation from the list of imported element names and types. type: long -process.parent.elf.imports_names_var_entropy: - dashed_name: process-parent-elf-imports-names-var-entropy +process.entry_leader.parent.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-elf-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.elf.imports_names_var_entropy + flat_name: process.entry_leader.parent.elf.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy 
@@ -11712,13 +14674,13 @@ process.parent.elf.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.parent.elf.sections: - dashed_name: process-parent-elf-sections +process.entry_leader.parent.elf.sections: + dashed_name: process-entry-leader-parent-elf-sections description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' - flat_name: process.parent.elf.sections + flat_name: process.entry_leader.parent.elf.sections level: extended name: sections normalize: @@ -11726,10 +14688,10 @@ process.parent.elf.sections: original_fieldset: elf short: Section information of the ELF file. type: nested -process.parent.elf.sections.chi2: - dashed_name: process-parent-elf-sections-chi2 +process.entry_leader.parent.elf.sections.chi2: + dashed_name: process-entry-leader-parent-elf-sections-chi2 description: Chi-square probability distribution of the section. - flat_name: process.parent.elf.sections.chi2 + flat_name: process.entry_leader.parent.elf.sections.chi2 format: number level: extended name: sections.chi2 @@ -11737,10 +14699,10 @@ process.parent.elf.sections.chi2: original_fieldset: elf short: Chi-square probability distribution of the section. type: long -process.parent.elf.sections.entropy: - dashed_name: process-parent-elf-sections-entropy +process.entry_leader.parent.elf.sections.entropy: + dashed_name: process-entry-leader-parent-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.entropy + flat_name: process.entry_leader.parent.elf.sections.entropy format: number level: extended name: sections.entropy 
@@ -11748,10 +14710,10 @@ process.parent.elf.sections.entropy: original_fieldset: elf short: Shannon entropy calculation from the section. type: long -process.parent.elf.sections.flags: - dashed_name: process-parent-elf-sections-flags +process.entry_leader.parent.elf.sections.flags: + dashed_name: process-entry-leader-parent-elf-sections-flags description: ELF Section List flags. - flat_name: process.parent.elf.sections.flags + flat_name: process.entry_leader.parent.elf.sections.flags ignore_above: 1024 level: extended name: sections.flags @@ -11759,10 +14721,10 @@ process.parent.elf.sections.flags: original_fieldset: elf short: ELF Section List flags. type: keyword -process.parent.elf.sections.name: - dashed_name: process-parent-elf-sections-name +process.entry_leader.parent.elf.sections.name: + dashed_name: process-entry-leader-parent-elf-sections-name description: ELF Section List name. - flat_name: process.parent.elf.sections.name + flat_name: process.entry_leader.parent.elf.sections.name ignore_above: 1024 level: extended name: sections.name @@ -11770,10 +14732,10 @@ process.parent.elf.sections.name: original_fieldset: elf short: ELF Section List name. type: keyword -process.parent.elf.sections.physical_offset: - dashed_name: process-parent-elf-sections-physical-offset +process.entry_leader.parent.elf.sections.physical_offset: + dashed_name: process-entry-leader-parent-elf-sections-physical-offset description: ELF Section List offset. - flat_name: process.parent.elf.sections.physical_offset + flat_name: process.entry_leader.parent.elf.sections.physical_offset ignore_above: 1024 level: extended name: sections.physical_offset 
@@ -11781,10 +14743,10 @@ process.parent.elf.sections.physical_offset: original_fieldset: elf short: ELF Section List offset. type: keyword -process.parent.elf.sections.physical_size: - dashed_name: process-parent-elf-sections-physical-size +process.entry_leader.parent.elf.sections.physical_size: + dashed_name: process-entry-leader-parent-elf-sections-physical-size description: ELF Section List physical size. - flat_name: process.parent.elf.sections.physical_size + flat_name: process.entry_leader.parent.elf.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -11792,10 +14754,10 @@ process.parent.elf.sections.physical_size: original_fieldset: elf short: ELF Section List physical size. type: long -process.parent.elf.sections.type: - dashed_name: process-parent-elf-sections-type +process.entry_leader.parent.elf.sections.type: + dashed_name: process-entry-leader-parent-elf-sections-type description: ELF Section List type. - flat_name: process.parent.elf.sections.type + flat_name: process.entry_leader.parent.elf.sections.type ignore_above: 1024 level: extended name: sections.type @@ -11803,10 +14765,10 @@ process.parent.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword -process.parent.elf.sections.var_entropy: - dashed_name: process-parent-elf-sections-var-entropy +process.entry_leader.parent.elf.sections.var_entropy: + dashed_name: process-entry-leader-parent-elf-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.var_entropy + flat_name: process.entry_leader.parent.elf.sections.var_entropy format: number level: extended name: sections.var_entropy 
@@ -11814,10 +14776,10 @@ process.parent.elf.sections.var_entropy: original_fieldset: elf short: Variance for Shannon entropy calculation from the section. type: long -process.parent.elf.sections.virtual_address: - dashed_name: process-parent-elf-sections-virtual-address +process.entry_leader.parent.elf.sections.virtual_address: + dashed_name: process-entry-leader-parent-elf-sections-virtual-address description: ELF Section List virtual address. - flat_name: process.parent.elf.sections.virtual_address + flat_name: process.entry_leader.parent.elf.sections.virtual_address format: string level: extended name: sections.virtual_address @@ -11825,10 +14787,10 @@ process.parent.elf.sections.virtual_address: original_fieldset: elf short: ELF Section List virtual address. type: long -process.parent.elf.sections.virtual_size: - dashed_name: process-parent-elf-sections-virtual-size +process.entry_leader.parent.elf.sections.virtual_size: + dashed_name: process-entry-leader-parent-elf-sections-virtual-size description: ELF Section List virtual size. - flat_name: process.parent.elf.sections.virtual_size + flat_name: process.entry_leader.parent.elf.sections.virtual_size format: string level: extended name: sections.virtual_size @@ -11836,13 +14798,13 @@ process.parent.elf.sections.virtual_size: original_fieldset: elf short: ELF Section List virtual size. type: long -process.parent.elf.segments: - dashed_name: process-parent-elf-segments +process.entry_leader.parent.elf.segments: + dashed_name: process-entry-leader-parent-elf-segments description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' - flat_name: process.parent.elf.segments + flat_name: process.entry_leader.parent.elf.segments level: extended name: segments normalize: 
@@ -11850,10 +14812,10 @@ process.parent.elf.segments: original_fieldset: elf short: ELF object segment list. type: nested -process.parent.elf.segments.sections: - dashed_name: process-parent-elf-segments-sections +process.entry_leader.parent.elf.segments.sections: + dashed_name: process-entry-leader-parent-elf-segments-sections description: ELF object segment sections. - flat_name: process.parent.elf.segments.sections + flat_name: process.entry_leader.parent.elf.segments.sections ignore_above: 1024 level: extended name: segments.sections @@ -11861,10 +14823,10 @@ process.parent.elf.segments.sections: original_fieldset: elf short: ELF object segment sections. type: keyword -process.parent.elf.segments.type: - dashed_name: process-parent-elf-segments-type +process.entry_leader.parent.elf.segments.type: + dashed_name: process-entry-leader-parent-elf-segments-type description: ELF object segment type. - flat_name: process.parent.elf.segments.type + flat_name: process.entry_leader.parent.elf.segments.type ignore_above: 1024 level: extended name: segments.type @@ -11872,10 +14834,10 @@ process.parent.elf.segments.type: original_fieldset: elf short: ELF object segment type. type: keyword -process.parent.elf.shared_libraries: - dashed_name: process-parent-elf-shared-libraries +process.entry_leader.parent.elf.shared_libraries: + dashed_name: process-entry-leader-parent-elf-shared-libraries description: List of shared libraries used by this ELF object. - flat_name: process.parent.elf.shared_libraries + flat_name: process.entry_leader.parent.elf.shared_libraries ignore_above: 1024 level: extended name: shared_libraries 
@@ -11884,10 +14846,10 @@ process.parent.elf.shared_libraries: original_fieldset: elf short: List of shared libraries used by this ELF object. type: keyword -process.parent.elf.telfhash: - dashed_name: process-parent-elf-telfhash +process.entry_leader.parent.elf.telfhash: + dashed_name: process-entry-leader-parent-elf-telfhash description: telfhash symbol hash for ELF file. - flat_name: process.parent.elf.telfhash + flat_name: process.entry_leader.parent.elf.telfhash ignore_above: 1024 level: extended name: telfhash @@ -11895,19 +14857,31 @@ process.parent.elf.telfhash: original_fieldset: elf short: telfhash hash for ELF file. type: keyword -process.parent.end: - dashed_name: process-parent-end +process.entry_leader.parent.end: + dashed_name: process-entry-leader-parent-end description: The time the process ended. example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.end + flat_name: process.entry_leader.parent.end level: extended name: end normalize: [] original_fieldset: process short: The time the process ended. type: date -process.parent.entity_id: - dashed_name: process-parent-entity-id +process.entry_leader.parent.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.entry_leader.parent.entity_id: + dashed_name: process-entry-leader-parent-entity-id description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples 
@@ -11918,7 +14892,7 @@ process.parent.entity_id: reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d - flat_name: process.parent.entity_id + flat_name: process.entry_leader.parent.entity_id ignore_above: 1024 level: extended name: entity_id 
@@ -11926,15 +14900,388 @@ process.parent.entity_id: original_fieldset: process short: Unique identifier for the process. type: keyword -process.parent.executable: - dashed_name: process-parent-executable +process.entry_leader.parent.entry_meta.source.address: + dashed_name: process-entry-leader-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.entry_leader.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.entry_leader.parent.entry_meta.source.as.number: + dashed_name: process-entry-leader-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.entry_leader.parent.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. 
+ type: keyword +process.entry_leader.parent.entry_meta.source.bytes: + dashed_name: process-entry-leader-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.entry_leader.parent.entry_meta.source.domain: + dashed_name: process-entry-leader-parent-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.entry_leader.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. 
+ type: keyword +process.entry_leader.parent.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.location: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.entry_leader.parent.entry_meta.source.geo.name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. 
+ + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_leader.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_leader.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.entry_leader.parent.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.entry_leader.parent.entry_meta.source.ip: + dashed_name: process-entry-leader-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.entry_leader.parent.entry_meta.source.mac: + dashed_name: process-entry-leader-parent-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.entry_leader.parent.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.entry_leader.parent.entry_meta.source.nat.port: + dashed_name: process-entry-leader-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. 
internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.entry_leader.parent.entry_meta.source.packets: + dashed_name: process-entry-leader-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.entry_leader.parent.entry_meta.source.port: + dashed_name: process-entry-leader-parent-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.entry_leader.parent.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_leader.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. 
+ type: keyword +process.entry_leader.parent.entry_meta.source.subdomain: + dashed_name: process-entry-leader-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.entry_leader.parent.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_leader.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.entry_leader.parent.entry_meta.type: + dashed_name: process-entry-leader-parent-entry-meta-type + description: 'The entry type for the entry session leader. 
Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.entry_leader.parent.env_vars: + dashed_name: process-entry-leader-parent-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.executable: + dashed_name: process-entry-leader-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh - flat_name: process.parent.executable + flat_name: process.entry_leader.parent.executable ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.executable.text + - flat_name: process.entry_leader.parent.executable.text name: text type: match_only_text name: executable 
@@ -11942,24 +15289,37 @@ process.parent.executable: original_fieldset: process short: Absolute path to the process executable. type: keyword -process.parent.exit_code: - dashed_name: process-parent-exit-code +process.entry_leader.parent.exit_code: + dashed_name: process-entry-leader-parent-exit-code description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 - flat_name: process.parent.exit_code + flat_name: process.entry_leader.parent.exit_code level: extended name: exit_code normalize: [] original_fieldset: process short: The exit code of the process. type: long -process.parent.group.id: - dashed_name: process-parent-group-id +process.entry_leader.parent.group.domain: + dashed_name: process-entry-leader-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.group.id: + dashed_name: process-entry-leader-parent-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group.id + flat_name: process.entry_leader.parent.group.id ignore_above: 1024 level: extended name: id @@ -11967,10 +15327,10 @@ process.parent.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.parent.group.name: - dashed_name: process-parent-group-name +process.entry_leader.parent.group.name: + dashed_name: process-entry-leader-parent-group-name description: Name of the group. - flat_name: process.parent.group.name + flat_name: process.entry_leader.parent.group.name ignore_above: 1024 level: extended name: name 
@@ -11978,72 +15338,13 @@ process.parent.group.name: original_fieldset: group short: Name of the group. type: keyword -process.parent.group_leader.entity_id: - dashed_name: process-parent-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.parent.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.parent.group_leader.pid: - dashed_name: process-parent-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.parent.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.parent.group_leader.start: - dashed_name: process-parent-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.parent.group_leader.vpid: - dashed_name: process-parent-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' 
- example: 4242 - flat_name: process.parent.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.parent.hash.cdhash: +process.entry_leader.parent.hash.cdhash: beta: This field is beta and subject to change. - dashed_name: process-parent-hash-cdhash + dashed_name: process-entry-leader-parent-hash-cdhash description: Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code. example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.hash.cdhash + flat_name: process.entry_leader.parent.hash.cdhash ignore_above: 1024 level: extended name: cdhash @@ -12051,10 +15352,10 @@ process.parent.hash.cdhash: original_fieldset: hash short: The Code Directory (CD) hash of an executable. type: keyword -process.parent.hash.md5: - dashed_name: process-parent-hash-md5 +process.entry_leader.parent.hash.md5: + dashed_name: process-entry-leader-parent-hash-md5 description: MD5 hash. - flat_name: process.parent.hash.md5 + flat_name: process.entry_leader.parent.hash.md5 ignore_above: 1024 level: extended name: md5 @@ -12062,10 +15363,10 @@ process.parent.hash.md5: original_fieldset: hash short: MD5 hash. type: keyword -process.parent.hash.sha1: - dashed_name: process-parent-hash-sha1 +process.entry_leader.parent.hash.sha1: + dashed_name: process-entry-leader-parent-hash-sha1 description: SHA1 hash. - flat_name: process.parent.hash.sha1 + flat_name: process.entry_leader.parent.hash.sha1 ignore_above: 1024 level: extended name: sha1 
@@ -12073,10 +15374,10 @@ process.parent.hash.sha1: original_fieldset: hash short: SHA1 hash. type: keyword -process.parent.hash.sha256: - dashed_name: process-parent-hash-sha256 +process.entry_leader.parent.hash.sha256: + dashed_name: process-entry-leader-parent-hash-sha256 description: SHA256 hash. - flat_name: process.parent.hash.sha256 + flat_name: process.entry_leader.parent.hash.sha256 ignore_above: 1024 level: extended name: sha256 @@ -12084,10 +15385,10 @@ process.parent.hash.sha256: original_fieldset: hash short: SHA256 hash. type: keyword -process.parent.hash.sha384: - dashed_name: process-parent-hash-sha384 +process.entry_leader.parent.hash.sha384: + dashed_name: process-entry-leader-parent-hash-sha384 description: SHA384 hash. - flat_name: process.parent.hash.sha384 + flat_name: process.entry_leader.parent.hash.sha384 ignore_above: 1024 level: extended name: sha384 @@ -12095,10 +15396,10 @@ process.parent.hash.sha384: original_fieldset: hash short: SHA384 hash. type: keyword -process.parent.hash.sha512: - dashed_name: process-parent-hash-sha512 +process.entry_leader.parent.hash.sha512: + dashed_name: process-entry-leader-parent-hash-sha512 description: SHA512 hash. - flat_name: process.parent.hash.sha512 + flat_name: process.entry_leader.parent.hash.sha512 ignore_above: 1024 level: extended name: sha512 @@ -12106,10 +15407,10 @@ process.parent.hash.sha512: original_fieldset: hash short: SHA512 hash. type: keyword -process.parent.hash.ssdeep: - dashed_name: process-parent-hash-ssdeep +process.entry_leader.parent.hash.ssdeep: + dashed_name: process-entry-leader-parent-hash-ssdeep description: SSDEEP hash. - flat_name: process.parent.hash.ssdeep + flat_name: process.entry_leader.parent.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep 
@@ -12117,10 +15418,10 @@ process.parent.hash.ssdeep: original_fieldset: hash short: SSDEEP hash. type: keyword -process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh +process.entry_leader.parent.hash.tlsh: + dashed_name: process-entry-leader-parent-hash-tlsh description: TLSH hash. - flat_name: process.parent.hash.tlsh + flat_name: process.entry_leader.parent.hash.tlsh ignore_above: 1024 level: extended name: tlsh @@ -12128,8 +15429,8 @@ process.parent.hash.tlsh: original_fieldset: hash short: TLSH hash. type: keyword -process.parent.interactive: - dashed_name: process-parent-interactive +process.entry_leader.parent.interactive: + dashed_name: process-entry-leader-parent-interactive description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the 
@@ -12142,56 +15443,167 @@ process.parent.interactive: is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true - flat_name: process.parent.interactive + flat_name: process.entry_leader.parent.interactive level: extended name: interactive normalize: [] original_fieldset: process short: Whether the process is connected to an interactive shell. type: boolean -process.parent.macho.go_import_hash: - dashed_name: process-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. +process.entry_leader.parent.io: + dashed_name: process-entry-leader-parent-io + description: 'A chunk of input or output (IO) from a single process. - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.macho.go_import_hash - ignore_above: 1024 + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.entry_leader.parent.io level: extended - name: go_import_hash + name: io normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.parent.macho.go_imports: - dashed_name: process-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.macho.go_imports + original_fieldset: process + short: A chunk of input or output (IO) from a single process. 
+ type: object +process.entry_leader.parent.io.bytes_skipped: + dashed_name: process-entry-leader-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.parent.macho.go_imports_names_entropy: - dashed_name: process-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_entropy - format: number + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.entry_leader.parent.io.bytes_skipped.length: + dashed_name: process-entry-leader-parent-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped.length level: extended - name: go_imports_names_entropy + name: io.bytes_skipped.length normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. + original_fieldset: process + short: The length of bytes skipped. type: long -process.parent.macho.go_imports_names_var_entropy: - dashed_name: process-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_var_entropy +process.entry_leader.parent.io.bytes_skipped.offset: + dashed_name: process-entry-leader-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.entry_leader.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.entry_leader.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.entry_leader.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.entry_leader.parent.io.text: + dashed_name: process-entry-leader-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.entry_leader.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.entry_leader.parent.io.total_bytes_captured: + dashed_name: process-entry-leader-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.entry_leader.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. 
+ type: long +process.entry_leader.parent.io.total_bytes_skipped: + dashed_name: process-entry-leader-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.entry_leader.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.entry_leader.parent.io.type: + dashed_name: process-entry-leader-parent-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.entry_leader.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.entry_leader.parent.macho.go_import_hash: + dashed_name: process-entry-leader-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. 
+ type: keyword +process.entry_leader.parent.macho.go_imports: + dashed_name: process-entry-leader-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.parent.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
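Review bot: The added `description` for `process.entry_leader.parent.io.total_bytes_skipped` ends without terminal punctuation (`…this value is always zero`) while its `short` and every sibling description in this hunk end with a period; the line should read `this value is always zero.`. The keys on every entry (`dashed_name`, `flat_name`, `original_fieldset`) suggest this file is generated output, so the wording should presumably be corrected in the process schema source and regenerated rather than edited here, which would also fix the other `io.total_bytes_skipped` reuses. A related documentation gap in the same hunk: `io.text` is described as input or output "sanitized to UTF-8", which covers encoding but not content, and since the field captures what was typed at the TTY a short caveat such as `Captured input may include sensitive data typed at the terminal; consumers should apply appropriate access controls and redaction.` would help implementors and users of the field. This hunk belongs to a file whose header is outside this chunk.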
@@ -12199,26 +15611,26 @@ process.parent.macho.go_imports_names_var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.parent.macho.go_stripped: - dashed_name: process-parent-macho-go-stripped +process.entry_leader.parent.macho.go_stripped: + dashed_name: process-entry-leader-parent-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.macho.go_stripped + flat_name: process.entry_leader.parent.macho.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.parent.macho.import_hash: - dashed_name: process-parent-macho-import-hash +process.entry_leader.parent.macho.import_hash: + dashed_name: process-entry-leader-parent-macho-import-hash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.macho.import_hash + flat_name: process.entry_leader.parent.macho.import_hash ignore_above: 1024 level: extended name: import_hash @@ -12226,10 +15638,10 @@ process.parent.macho.import_hash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.parent.macho.imports: - dashed_name: process-parent-macho-imports +process.entry_leader.parent.macho.imports: + dashed_name: process-entry-leader-parent-macho-imports description: List of imported element names and types. - flat_name: process.parent.macho.imports + flat_name: process.entry_leader.parent.macho.imports level: extended name: imports normalize: 
@@ -12237,11 +15649,11 @@ process.parent.macho.imports: original_fieldset: macho short: List of imported element names and types. type: flattened -process.parent.macho.imports_names_entropy: - dashed_name: process-parent-macho-imports-names-entropy +process.entry_leader.parent.macho.imports_names_entropy: + dashed_name: process-entry-leader-parent-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.macho.imports_names_entropy + flat_name: process.entry_leader.parent.macho.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -12249,11 +15661,11 @@ process.parent.macho.imports_names_entropy: original_fieldset: macho short: Shannon entropy calculation from the list of imported element names and types. type: long -process.parent.macho.imports_names_var_entropy: - dashed_name: process-parent-macho-imports-names-var-entropy +process.entry_leader.parent.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.macho.imports_names_var_entropy + flat_name: process.entry_leader.parent.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy 
@@ -12262,13 +15674,13 @@ process.parent.macho.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.parent.macho.sections: - dashed_name: process-parent-macho-sections +process.entry_leader.parent.macho.sections: + dashed_name: process-entry-leader-parent-macho-sections description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' - flat_name: process.parent.macho.sections + flat_name: process.entry_leader.parent.macho.sections level: extended name: sections normalize: @@ -12276,10 +15688,10 @@ process.parent.macho.sections: original_fieldset: macho short: Section information of the Mach-O file. type: nested -process.parent.macho.sections.entropy: - dashed_name: process-parent-macho-sections-entropy +process.entry_leader.parent.macho.sections.entropy: + dashed_name: process-entry-leader-parent-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.entropy + flat_name: process.entry_leader.parent.macho.sections.entropy format: number level: extended name: sections.entropy @@ -12287,10 +15699,10 @@ process.parent.macho.sections.entropy: original_fieldset: macho short: Shannon entropy calculation from the section. type: long -process.parent.macho.sections.name: - dashed_name: process-parent-macho-sections-name +process.entry_leader.parent.macho.sections.name: + dashed_name: process-entry-leader-parent-macho-sections-name description: Mach-O Section List name. - flat_name: process.parent.macho.sections.name + flat_name: process.entry_leader.parent.macho.sections.name ignore_above: 1024 level: extended name: sections.name 
@@ -12298,10 +15710,10 @@ process.parent.macho.sections.name: original_fieldset: macho short: Mach-O Section List name. type: keyword -process.parent.macho.sections.physical_size: - dashed_name: process-parent-macho-sections-physical-size +process.entry_leader.parent.macho.sections.physical_size: + dashed_name: process-entry-leader-parent-macho-sections-physical-size description: Mach-O Section List physical size. - flat_name: process.parent.macho.sections.physical_size + flat_name: process.entry_leader.parent.macho.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -12309,10 +15721,10 @@ process.parent.macho.sections.physical_size: original_fieldset: macho short: Mach-O Section List physical size. type: long -process.parent.macho.sections.var_entropy: - dashed_name: process-parent-macho-sections-var-entropy +process.entry_leader.parent.macho.sections.var_entropy: + dashed_name: process-entry-leader-parent-macho-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.var_entropy + flat_name: process.entry_leader.parent.macho.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -12320,10 +15732,10 @@ process.parent.macho.sections.var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the section. type: long -process.parent.macho.sections.virtual_size: - dashed_name: process-parent-macho-sections-virtual-size +process.entry_leader.parent.macho.sections.virtual_size: + dashed_name: process-entry-leader-parent-macho-sections-virtual-size description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.macho.sections.virtual_size + flat_name: process.entry_leader.parent.macho.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -12331,15 +15743,15 @@ process.parent.macho.sections.virtual_size: original_fieldset: macho short: Mach-O Section List virtual size. This is always the same as `physical_size`. type: long -process.parent.macho.symhash: - dashed_name: process-parent-macho-symhash +process.entry_leader.parent.macho.symhash: + dashed_name: process-entry-leader-parent-macho-symhash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.macho.symhash + flat_name: process.entry_leader.parent.macho.symhash ignore_above: 1024 level: extended name: symhash @@ -12347,17 +15759,17 @@ process.parent.macho.symhash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.parent.name: - dashed_name: process-parent-name +process.entry_leader.parent.name: + dashed_name: process-entry-leader-parent-name description: 'Process name. Sometimes called program name or similar.' example: ssh - flat_name: process.parent.name + flat_name: process.entry_leader.parent.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.name.text + - flat_name: process.entry_leader.parent.name.text name: text type: match_only_text name: name 
@@ -12365,11 +15777,37 @@ process.parent.name: original_fieldset: process short: Process name. type: keyword -process.parent.pe.architecture: - dashed_name: process-parent-pe-architecture +process.entry_leader.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.entry_leader.parent.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.entry_leader.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.parent.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.entry_leader.parent.pe.architecture: + dashed_name: process-entry-leader-parent-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: process.parent.pe.architecture + flat_name: process.entry_leader.parent.pe.architecture ignore_above: 1024 level: extended name: architecture 
@@ -12377,11 +15815,11 @@ process.parent.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword -process.parent.pe.company: - dashed_name: process-parent-pe-company +process.entry_leader.parent.pe.company: + dashed_name: process-entry-leader-parent-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: process.parent.pe.company + flat_name: process.entry_leader.parent.pe.company ignore_above: 1024 level: extended name: company @@ -12389,11 +15827,11 @@ process.parent.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword -process.parent.pe.description: - dashed_name: process-parent-pe-description +process.entry_leader.parent.pe.description: + dashed_name: process-entry-leader-parent-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: process.parent.pe.description + flat_name: process.entry_leader.parent.pe.description ignore_above: 1024 level: extended name: description @@ -12401,11 +15839,11 @@ process.parent.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword -process.parent.pe.file_version: - dashed_name: process-parent-pe-file-version +process.entry_leader.parent.pe.file_version: + dashed_name: process-entry-leader-parent-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: process.parent.pe.file_version + flat_name: process.entry_leader.parent.pe.file_version ignore_above: 1024 level: extended name: file_version 
@@ -12413,8 +15851,8 @@ process.parent.pe.file_version: original_fieldset: pe short: Process name. type: keyword -process.parent.pe.go_import_hash: - dashed_name: process-parent-pe-go-import-hash +process.entry_leader.parent.pe.go_import_hash: + dashed_name: process-entry-leader-parent-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change @@ -12423,7 +15861,7 @@ process.parent.pe.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.pe.go_import_hash + flat_name: process.entry_leader.parent.pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
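Review bot: The `short` for `process.entry_leader.parent.pe.file_version` in the first hunk on this line reads `Process name.`, which does not describe the field; its own `description` is `Internal version of the file, provided at compile-time.`, so the short should be `short: Internal version of the file, provided at compile-time.`. It is a context line, so the mismatch predates this change, and because the file looks generated (`dashed_name`/`flat_name`/`original_fieldset` keys throughout) the fix most likely belongs in the `pe` schema source, after which every `pe.file_version` reuse in this file would be regenerated consistently.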
@@ -12431,20 +15869,20 @@ process.parent.pe.go_import_hash: original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword -process.parent.pe.go_imports: - dashed_name: process-parent-pe-go-imports +process.entry_leader.parent.pe.go_imports: + dashed_name: process-entry-leader-parent-pe-go-imports description: List of imported Go language element names and types. - flat_name: process.parent.pe.go_imports + flat_name: process.entry_leader.parent.pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened -process.parent.pe.go_imports_names_entropy: - dashed_name: process-parent-pe-go-imports-names-entropy +process.entry_leader.parent.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_entropy + flat_name: process.entry_leader.parent.pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -12452,10 +15890,10 @@ process.parent.pe.go_imports_names_entropy: original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long -process.parent.pe.go_imports_names_var_entropy: - dashed_name: process-parent-pe-go-imports-names-var-entropy +process.entry_leader.parent.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_var_entropy + flat_name: process.entry_leader.parent.pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -12463,26 +15901,26 @@ process.parent.pe.go_imports_names_var_entropy: original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.parent.pe.go_stripped: - dashed_name: process-parent-pe-go-stripped +process.entry_leader.parent.pe.go_stripped: + dashed_name: process-entry-leader-parent-pe-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.pe.go_stripped + flat_name: process.entry_leader.parent.pe.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: pe short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.parent.pe.imphash: - dashed_name: process-parent-pe-imphash +process.entry_leader.parent.pe.imphash: + dashed_name: process-entry-leader-parent-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.pe.imphash + flat_name: process.entry_leader.parent.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -12490,15 +15928,15 @@ process.parent.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -process.parent.pe.import_hash: - dashed_name: process-parent-pe-import-hash +process.entry_leader.parent.pe.import_hash: + dashed_name: process-entry-leader-parent-pe-import-hash description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.pe.import_hash + flat_name: process.entry_leader.parent.pe.import_hash ignore_above: 1024 level: extended name: import_hash @@ -12506,10 +15944,10 @@ process.parent.pe.import_hash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -process.parent.pe.imports: - dashed_name: process-parent-pe-imports +process.entry_leader.parent.pe.imports: + dashed_name: process-entry-leader-parent-pe-imports description: List of imported element names and types. - flat_name: process.parent.pe.imports + flat_name: process.entry_leader.parent.pe.imports level: extended name: imports normalize: @@ -12517,11 +15955,11 @@ process.parent.pe.imports: original_fieldset: pe short: List of imported element names and types. type: flattened -process.parent.pe.imports_names_entropy: - dashed_name: process-parent-pe-imports-names-entropy +process.entry_leader.parent.pe.imports_names_entropy: + dashed_name: process-entry-leader-parent-pe-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.pe.imports_names_entropy + flat_name: process.entry_leader.parent.pe.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -12529,11 +15967,11 @@ process.parent.pe.imports_names_entropy: original_fieldset: pe short: Shannon entropy calculation from the list of imported element names and types. type: long -process.parent.pe.imports_names_var_entropy: - dashed_name: process-parent-pe-imports-names-var-entropy +process.entry_leader.parent.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-pe-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.pe.imports_names_var_entropy + flat_name: process.entry_leader.parent.pe.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -12542,11 +15980,11 @@ process.parent.pe.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.parent.pe.original_file_name: - dashed_name: process-parent-pe-original-file-name +process.entry_leader.parent.pe.original_file_name: + dashed_name: process-entry-leader-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: process.parent.pe.original_file_name + flat_name: process.entry_leader.parent.pe.original_file_name ignore_above: 1024 level: extended name: original_file_name 
@@ -12554,15 +15992,15 @@ process.parent.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword -process.parent.pe.pehash: - dashed_name: process-parent-pe-pehash +process.entry_leader.parent.pe.pehash: + dashed_name: process-entry-leader-parent-pe-pehash description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.pe.pehash + flat_name: process.entry_leader.parent.pe.pehash ignore_above: 1024 level: extended name: pehash @@ -12570,11 +16008,11 @@ process.parent.pe.pehash: original_fieldset: pe short: A hash of the PE header and data from one or more PE sections. type: keyword -process.parent.pe.product: - dashed_name: process-parent-pe-product +process.entry_leader.parent.pe.product: + dashed_name: process-entry-leader-parent-pe-product description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System - flat_name: process.parent.pe.product + flat_name: process.entry_leader.parent.pe.product ignore_above: 1024 level: extended name: product 
@@ -12582,13 +16020,13 @@ process.parent.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword -process.parent.pe.sections: - dashed_name: process-parent-pe-sections +process.entry_leader.parent.pe.sections: + dashed_name: process-entry-leader-parent-pe-sections description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' - flat_name: process.parent.pe.sections + flat_name: process.entry_leader.parent.pe.sections level: extended name: sections normalize: @@ -12596,10 +16034,10 @@ process.parent.pe.sections: original_fieldset: pe short: Section information of the PE file. type: nested -process.parent.pe.sections.entropy: - dashed_name: process-parent-pe-sections-entropy +process.entry_leader.parent.pe.sections.entropy: + dashed_name: process-entry-leader-parent-pe-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.entropy + flat_name: process.entry_leader.parent.pe.sections.entropy format: number level: extended name: sections.entropy @@ -12607,10 +16045,10 @@ process.parent.pe.sections.entropy: original_fieldset: pe short: Shannon entropy calculation from the section. type: long -process.parent.pe.sections.name: - dashed_name: process-parent-pe-sections-name +process.entry_leader.parent.pe.sections.name: + dashed_name: process-entry-leader-parent-pe-sections-name description: PE Section List name. - flat_name: process.parent.pe.sections.name + flat_name: process.entry_leader.parent.pe.sections.name ignore_above: 1024 level: extended name: sections.name 
@@ -12618,10 +16056,10 @@ process.parent.pe.sections.name: original_fieldset: pe short: PE Section List name. type: keyword -process.parent.pe.sections.physical_size: - dashed_name: process-parent-pe-sections-physical-size +process.entry_leader.parent.pe.sections.physical_size: + dashed_name: process-entry-leader-parent-pe-sections-physical-size description: PE Section List physical size. - flat_name: process.parent.pe.sections.physical_size + flat_name: process.entry_leader.parent.pe.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -12629,10 +16067,10 @@ process.parent.pe.sections.physical_size: original_fieldset: pe short: PE Section List physical size. type: long -process.parent.pe.sections.var_entropy: - dashed_name: process-parent-pe-sections-var-entropy +process.entry_leader.parent.pe.sections.var_entropy: + dashed_name: process-entry-leader-parent-pe-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.var_entropy + flat_name: process.entry_leader.parent.pe.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -12640,10 +16078,10 @@ process.parent.pe.sections.var_entropy: original_fieldset: pe short: Variance for Shannon entropy calculation from the section. type: long -process.parent.pe.sections.virtual_size: - dashed_name: process-parent-pe-sections-virtual-size +process.entry_leader.parent.pe.sections.virtual_size: + dashed_name: process-entry-leader-parent-pe-sections-virtual-size description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.pe.sections.virtual_size + flat_name: process.entry_leader.parent.pe.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -12651,11 +16089,11 @@ process.parent.pe.sections.virtual_size: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long -process.parent.pid: - dashed_name: process-parent-pid +process.entry_leader.parent.pid: + dashed_name: process-entry-leader-parent-pid description: Process id. example: 4242 - flat_name: process.parent.pid + flat_name: process.entry_leader.parent.pid format: string level: core name: pid 
@@ -12663,60 +16101,36 @@ process.parent.pid: original_fieldset: process short: Process id. type: long -process.parent.real_group.id: - dashed_name: process-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_group.id - ignore_above: 1024 +process.entry_leader.parent.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.entry_leader.parent.platform_binary level: extended - name: id + name: platform_binary normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.real_group.name: - dashed_name: process-parent-real-group-name - description: Name of the group. - flat_name: process.parent.real_group.name + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.entry_leader.parent.real_group.domain: + dashed_name: process-entry-leader-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.real_group.domain ignore_above: 1024 level: extended - name: name + name: domain normalize: [] original_fieldset: group - short: Name of the group. - type: keyword -process.parent.real_user.id: - dashed_name: process-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword -process.parent.real_user.name: - dashed_name: process-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. + short: Name of the directory the group is a member of. type: keyword -process.parent.saved_group.id: - dashed_name: process-parent-saved-group-id +process.entry_leader.parent.real_group.id: + dashed_name: process-entry-leader-parent-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_group.id + flat_name: process.entry_leader.parent.real_group.id ignore_above: 1024 level: extended name: id @@ -12724,10 +16138,10 @@ process.parent.saved_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.parent.saved_group.name: - dashed_name: process-parent-saved-group-name +process.entry_leader.parent.real_group.name: + dashed_name: process-entry-leader-parent-real-group-name description: Name of the group. - flat_name: process.parent.saved_group.name + flat_name: process.entry_leader.parent.real_group.name ignore_above: 1024 level: extended name: name 
@@ -12735,196 +16149,351 @@ process.parent.saved_group.name: original_fieldset: group short: Name of the group. type: keyword -process.parent.saved_user.id: - dashed_name: process-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.saved_user.id +process.entry_leader.parent.real_user.domain: + dashed_name: process-entry-leader-parent-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.real_user.domain ignore_above: 1024 - level: core - name: id + level: extended + name: domain normalize: [] original_fieldset: user - short: Unique identifier of the user. + short: Name of the directory the user is a member of. type: keyword -process.parent.saved_user.name: - dashed_name: process-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.saved_user.name +process.entry_leader.parent.real_user.email: + dashed_name: process-entry-leader-parent-real-user-email + description: User email address. + flat_name: process.entry_leader.parent.real_user.email ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.saved_user.name.text - name: text - type: match_only_text - name: name + level: extended + name: email normalize: [] original_fieldset: user - short: Short name or login of the user. + short: User email address. type: keyword -process.parent.start: - dashed_name: process-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.start +process.entry_leader.parent.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. 
Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.parent.real_user.entity.attributes level: extended - name: start + name: attributes normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.parent.supplemental_groups.id: - dashed_name: process-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.supplemental_groups.id - ignore_above: 1024 + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.parent.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.parent.real_user.entity.behavior level: extended - name: id + name: behavior normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.supplemental_groups.name: - dashed_name: process-parent-supplemental-groups-name - description: Name of the group. - flat_name: process.parent.supplemental_groups.name + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. 
+ type: object +process.entry_leader.parent.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.real_user.entity.display_name ignore_above: 1024 level: extended - name: name + multi_fields: + - flat_name: process.entry_leader.parent.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. type: keyword -process.parent.thread.capabilities.effective: - dashed_name: process-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.effective +process.entry_leader.parent.real_user.entity.id: + dashed_name: process-entry-leader-parent-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
+ flat_name: process.entry_leader.parent.real_user.entity.id ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. type: keyword -process.parent.thread.capabilities.permitted: - dashed_name: process-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.permitted - ignore_above: 1024 +process.entry_leader.parent.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.real_user.entity.last_seen_timestamp level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.parent.thread.id: - dashed_name: process-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.parent.thread.id - format: string + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.parent.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. 
Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.real_user.entity.lifecycle level: extended - name: thread.id + name: lifecycle normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.parent.thread.name: - dashed_name: process-parent-thread-name - description: Thread name. - example: thread-0 - flat_name: process.parent.thread.name - ignore_above: 1024 + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.parent.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.parent.real_user.entity.metrics level: extended - name: thread.name + name: metrics normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.parent.title: - dashed_name: process-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.parent.title + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.parent.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. 
For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.parent.real_user.entity.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.parent.title.text + - flat_name: process.entry_leader.parent.real_user.entity.name.text name: text - type: match_only_text - name: title + norms: false + type: text + name: name normalize: [] - original_fieldset: process - short: Process title. + original_fieldset: entity + short: The name of the entity. type: keyword -process.parent.tty: - dashed_name: process-parent-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.parent.tty +process.entry_leader.parent.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.parent.real_user.entity.raw level: extended - name: tty + name: raw normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. + original_fieldset: entity + short: Original, unmodified fields from the source system. type: object -process.parent.tty.char_device.major: - dashed_name: process-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. 
- example: 4 - flat_name: process.parent.tty.char_device.major +process.entry_leader.parent.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.real_user.entity.reference + ignore_above: 1024 level: extended - name: tty.char_device.major + name: reference normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.parent.tty.char_device.minor: - dashed_name: process-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.parent.tty.char_device.minor + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.parent.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.parent.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.parent.real_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.real_user.entity.sub_type + ignore_above: 1024 level: extended - name: tty.char_device.minor + name: sub_type normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.parent.uptime: - dashed_name: process-parent-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.parent.uptime + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.parent.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. 
+ Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. 
Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.parent.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.parent.real_user.full_name: + dashed_name: process-entry-leader-parent-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.real_user.full_name + ignore_above: 1024 level: extended - name: uptime + multi_fields: + - flat_name: process.entry_leader.parent.real_user.full_name.text + name: text + type: match_only_text + name: full_name normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.parent.user.id: - dashed_name: process-parent-user-id + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.real_user.group.domain: + dashed_name: process-entry-leader-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.real_user.group.id: + dashed_name: process-entry-leader-parent-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.real_user.group.name: + dashed_name: process-entry-leader-parent-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.real_user.hash: + dashed_name: process-entry-leader-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.real_user.id: + dashed_name: process-entry-leader-parent-real-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.user.id + flat_name: process.entry_leader.parent.real_user.id ignore_above: 1024 level: core name: id 
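Review bot: `process.entry_leader.parent.real_user.entity.id` is the only `entity.*` field in this hunk with no `beta:` line, while every sibling from `entity.attributes` through `entity.type` carries `beta: This field is beta and subject to change.`; either add that same line to `entity.id` or drop it from the siblings, and since this file looks like generated output the fix belongs in the entity schema source rather than here. The examples inherited by the nested copy also mislead for a user entity: `entity.type` shows `example: host` and `entity.sub_type` shows `example: aws_s3_bucket` under `real_user`, where `user` and a user-oriented sub-type would be expected. Separately, `entity.attributes`, `entity.behavior`, `entity.lifecycle`, `entity.metrics` and `entity.raw` are all `type: object` whose descriptions say the keys come from the source system ("Original, unmodified fields from the source system", "dynamic field data type mapping"). Replicated under every reused user set at this depth, source-controlled keys can drive dynamic mapping growth in the index, so it is worth confirming whether the generated template maps these objects with `dynamic: false` or as `flattened`; that setting is not visible in this hunk.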
@@ -12932,15 +16501,15 @@ process.parent.user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.parent.user.name: - dashed_name: process-parent-user-name +process.entry_leader.parent.real_user.name: + dashed_name: process-entry-leader-parent-real-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.parent.user.name + flat_name: process.entry_leader.parent.real_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.parent.user.name.text + - flat_name: process.entry_leader.parent.real_user.name.text name: text type: match_only_text name: name 
@@ -12948,445 +16517,41753 @@ process.parent.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.parent.vpid: - dashed_name: process-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.parent.working_directory: - dashed_name: process-parent-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.parent.working_directory +process.entry_leader.parent.real_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.real_user.risk.calculated_level ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.parent.working_directory.text - name: text - type: match_only_text - name: working_directory + name: calculated_level normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. type: keyword -process.pe.architecture: - dashed_name: process-pe-architecture - description: CPU architecture target for the file. 
- example: x64 - flat_name: process.pe.architecture +process.entry_leader.parent.real_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.parent.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.real_user.risk.static_level: + dashed_name: process-entry-leader-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.real_user.risk.static_level ignore_above: 1024 level: extended - name: architecture + name: static_level normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
type: keyword -process.pe.company: - dashed_name: process-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.pe.company - ignore_above: 1024 +process.entry_leader.parent.real_user.risk.static_score: + dashed_name: process-entry-leader-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.real_user.risk.static_score level: extended - name: company + name: static_score normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.parent.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.real_user.roles: + dashed_name: process-entry-leader-parent-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none type: keyword -process.pe.description: - dashed_name: process-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.pe.description +process.entry_leader.parent.same_as_process: + dashed_name: process-entry-leader-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.parent.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.entry_leader.parent.saved_group.domain: + dashed_name: process-entry-leader-parent-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.saved_group.domain ignore_above: 1024 level: extended - name: description + name: domain normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword -process.pe.file_version: - dashed_name: process-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.pe.file_version +process.entry_leader.parent.saved_group.id: + dashed_name: process-entry-leader-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.saved_group.id ignore_above: 1024 level: extended - name: file_version + name: id normalize: [] - original_fieldset: pe - short: Process name. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.pe.go_import_hash: - dashed_name: process-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.pe.go_import_hash +process.entry_leader.parent.saved_group.name: + dashed_name: process-entry-leader-parent-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.saved_group.name ignore_above: 1024 level: extended - name: go_import_hash + name: name normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. + original_fieldset: group + short: Name of the group. 
type: keyword -process.pe.go_imports: - dashed_name: process-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.pe.go_imports +process.entry_leader.parent.saved_user.domain: + dashed_name: process-entry-leader-parent-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.saved_user.domain + ignore_above: 1024 level: extended - name: go_imports + name: domain normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.pe.go_imports_names_entropy: - dashed_name: process-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_entropy - format: number + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.saved_user.email: + dashed_name: process-entry-leader-parent-saved-user-email + description: User email address. + flat_name: process.entry_leader.parent.saved_user.email + ignore_above: 1024 level: extended - name: go_imports_names_entropy + name: email normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.pe.go_imports_names_var_entropy: - dashed_name: process-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_var_entropy - format: number + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. 
Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.parent.saved_user.entity.attributes level: extended - name: go_imports_names_var_entropy + name: attributes normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.pe.go_stripped: - dashed_name: process-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.pe.go_stripped + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.parent.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.parent.saved_user.entity.behavior level: extended - name: go_stripped + name: behavior normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.pe.imphash: - dashed_name: process-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.pe.imphash + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.parent.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.saved_user.entity.display_name ignore_above: 1024 level: extended - name: imphash + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. type: keyword -process.pe.import_hash: - dashed_name: process-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.pe.import_hash +process.entry_leader.parent.saved_user.entity.id: + dashed_name: process-entry-leader-parent-saved-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.parent.saved_user.entity.id ignore_above: 1024 - level: extended - name: import_hash + level: core + name: id normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: entity + short: Unique identifier for the entity. type: keyword -process.pe.imports: - dashed_name: process-pe-imports - description: List of imported element names and types. - flat_name: process.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.pe.imports_names_entropy: - dashed_name: process-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.pe.imports_names_entropy - format: number +process.entry_leader.parent.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.saved_user.entity.last_seen_timestamp level: extended - name: imports_names_entropy + name: last_seen_timestamp normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. 
- type: long -process.pe.imports_names_var_entropy: - dashed_name: process-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.pe.imports_names_var_entropy - format: number + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.parent.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.saved_user.entity.lifecycle level: extended - name: imports_names_var_entropy + name: lifecycle normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.pe.original_file_name: - dashed_name: process-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.pe.original_file_name - ignore_above: 1024 + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.parent.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. 
+ flat_name: process.entry_leader.parent.saved_user.entity.metrics level: extended - name: original_file_name + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.parent.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.parent.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.parent.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.parent.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.parent.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. 
This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.parent.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.parent.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.parent.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.parent.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. 
Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. 
This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.parent.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. 
+ type: keyword +process.entry_leader.parent.saved_user.full_name: + dashed_name: process-entry-leader-parent-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.saved_user.group.domain: + dashed_name: process-entry-leader-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.saved_user.group.id: + dashed_name: process-entry-leader-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.saved_user.group.name: + dashed_name: process-entry-leader-parent-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.saved_user.hash: + dashed_name: process-entry-leader-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.saved_user.id: + dashed_name: process-entry-leader-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.saved_user.name: + dashed_name: process-entry-leader-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.entry_leader.parent.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.saved_user.risk.static_level: + dashed_name: process-entry-leader-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +process.entry_leader.parent.saved_user.risk.static_score: + dashed_name: process-entry-leader-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.parent.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.saved_user.roles: + dashed_name: process-entry-leader-parent-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.args: + dashed_name: process-entry-leader-parent-session-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.entry_leader.parent.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.entry_leader.parent.session_leader.args_count: + dashed_name: process-entry-leader-parent-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.entry_leader.parent.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.entry_leader.parent.session_leader.attested_groups.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.attested_groups.id: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.entry_leader.parent.session_leader.attested_groups.name: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.attested_user.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.session_leader.attested_user.email: + dashed_name: process-entry-leader-parent-session-leader-attested-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.session_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. 
+ flat_name: process.entry_leader.parent.session_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.parent.session_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.parent.session_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.parent.session_leader.attested_user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. 
+ flat_name: process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.parent.session_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.parent.session_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.parent.session_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. 
For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.parent.session_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.parent.session_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. 
+ type: keyword +process.entry_leader.parent.session_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.parent.session_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.parent.session_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.parent.session_leader.attested_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.session_leader.attested_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.attested_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.attested_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.entry_leader.parent.session_leader.attested_user.hash: + dashed_name: process-entry-leader-parent-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.session_leader.attested_user.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.session_leader.attested_user.name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.session_leader.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.session_leader.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.session_leader.attested_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.session_leader.attested_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.session_leader.attested_user.roles: + dashed_name: process-entry-leader-parent-session-leader-attested-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.code_signature.digest_algorithm: + dashed_name: process-entry-leader-parent-session-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.entry_leader.parent.session_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.entry_leader.parent.session_leader.code_signature.exists: + dashed_name: process-entry-leader-parent-session-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.entry_leader.parent.session_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-code-signature-flags + description: The flags used to sign the process. 
+ example: 570522385 + flat_name: process.entry_leader.parent.session_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.entry_leader.parent.session_leader.code_signature.signing_id: + dashed_name: process-entry-leader-parent-session-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.entry_leader.parent.session_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.entry_leader.parent.session_leader.code_signature.status: + dashed_name: process-entry-leader-parent-session-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.parent.session_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword +process.entry_leader.parent.session_leader.code_signature.subject_name: + dashed_name: process-entry-leader-parent-session-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.parent.session_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.entry_leader.parent.session_leader.code_signature.team_id: + dashed_name: process-entry-leader-parent-session-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.entry_leader.parent.session_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. 
+ type: keyword +process.entry_leader.parent.session_leader.code_signature.timestamp: + dashed_name: process-entry-leader-parent-session-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.entry_leader.parent.session_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.entry_leader.parent.session_leader.code_signature.trusted: + dashed_name: process-entry-leader-parent-session-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.entry_leader.parent.session_leader.code_signature.valid: + dashed_name: process-entry-leader-parent-session-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.entry_leader.parent.session_leader.command_line: + dashed_name: process-entry-leader-parent-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. 
+ + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.parent.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.entry_leader.parent.session_leader.elf.architecture: + dashed_name: process-entry-leader-parent-session-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.entry_leader.parent.session_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.byte_order: + dashed_name: process-entry-leader-parent-session-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.entry_leader.parent.session_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.cpu_type: + dashed_name: process-entry-leader-parent-session-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.entry_leader.parent.session_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.creation_date: + dashed_name: process-entry-leader-parent-session-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. 
It can also be faked by malware creators. + flat_name: process.entry_leader.parent.session_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.entry_leader.parent.session_leader.elf.exports: + dashed_name: process-entry-leader-parent-session-leader-elf-exports + description: List of exported element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.entry_leader.parent.session_leader.elf.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.go_imports: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. 
+ type: flattened +process.entry_leader.parent.session_leader.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.session_leader.elf.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.parent.session_leader.elf.header.abi_version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). 
+ flat_name: process.entry_leader.parent.session_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.entry_leader.parent.session_leader.elf.header.class: + dashed_name: process-entry-leader-parent-session-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.header.data: + dashed_name: process-entry-leader-parent-session-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.entry_leader.parent.session_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.entry_leader.parent.session_leader.elf.header.entrypoint: + dashed_name: process-entry-leader-parent-session-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.entry_leader.parent.session_leader.elf.header.object_version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.entry_leader.parent.session_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' 
+ type: keyword +process.entry_leader.parent.session_leader.elf.header.os_abi: + dashed_name: process-entry-leader-parent-session-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.entry_leader.parent.session_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.entry_leader.parent.session_leader.elf.header.type: + dashed_name: process-entry-leader-parent-session-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.entry_leader.parent.session_leader.elf.header.version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.entry_leader.parent.session_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.entry_leader.parent.session_leader.elf.import_hash: + dashed_name: process-entry-leader-parent-session-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. 
+ type: keyword +process.entry_leader.parent.session_leader.elf.imports: + dashed_name: process-entry-leader-parent-session-leader-elf-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.entry_leader.parent.session_leader.elf.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.parent.session_leader.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.parent.session_leader.elf.sections: + dashed_name: process-entry-leader-parent-session-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' 
+ flat_name: process.entry_leader.parent.session_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.entry_leader.parent.session_leader.elf.sections.chi2: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.entry_leader.parent.session_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.entry_leader.parent.session_leader.elf.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.session_leader.elf.sections.flags: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.entry_leader.parent.session_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.entry_leader.parent.session_leader.elf.sections.name: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.entry_leader.parent.session_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. 
+ type: keyword +process.entry_leader.parent.session_leader.elf.sections.physical_offset: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.entry_leader.parent.session_leader.elf.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.entry_leader.parent.session_leader.elf.sections.type: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.entry_leader.parent.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.entry_leader.parent.session_leader.elf.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.entry_leader.parent.session_leader.elf.sections.virtual_address: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.entry_leader.parent.session_leader.elf.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.entry_leader.parent.session_leader.elf.segments: + dashed_name: process-entry-leader-parent-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.entry_leader.parent.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.entry_leader.parent.session_leader.elf.segments.sections: + dashed_name: process-entry-leader-parent-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.entry_leader.parent.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. 
+ type: keyword +process.entry_leader.parent.session_leader.elf.segments.type: + dashed_name: process-entry-leader-parent-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.entry_leader.parent.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.entry_leader.parent.session_leader.elf.shared_libraries: + dashed_name: process-entry-leader-parent-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.entry_leader.parent.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.entry_leader.parent.session_leader.elf.telfhash: + dashed_name: process-entry-leader-parent-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.entry_leader.parent.session_leader.end: + dashed_name: process-entry-leader-parent-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.entry_leader.parent.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.parent.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.entry_leader.parent.session_leader.entity_id: + dashed_name: process-entry-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.address: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' 
+ flat_name: process.entry_leader.parent.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.as.number: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.bytes: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. 
+ type: long +process.entry_leader.parent.session_leader.entry_meta.source.domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.location: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.entry_leader.parent.session_leader.entry_meta.source.geo.name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. 
+ + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.entry_leader.parent.session_leader.entry_meta.source.mac: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.entry_leader.parent.session_leader.entry_meta.source.nat.port: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.entry_leader.parent.session_leader.entry_meta.source.packets: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.entry_leader.parent.session_leader.entry_meta.source.port: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.entry_leader.parent.session_leader.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". 
+ + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.subdomain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.entry_leader.parent.session_leader.entry_meta.type: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.entry_leader.parent.session_leader.env_vars: + dashed_name: process-entry-leader-parent-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.parent.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.executable: + dashed_name: process-entry-leader-parent-session-leader-executable + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + flat_name: process.entry_leader.parent.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.entry_leader.parent.session_leader.exit_code: + dashed_name: process-entry-leader-parent-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.entry_leader.parent.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.entry_leader.parent.session_leader.group.domain: + dashed_name: process-entry-leader-parent-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.group.id: + dashed_name: process-entry-leader-parent-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.group.name: + dashed_name: process-entry-leader-parent-session-leader-group-name + description: Name of the group. 
+ flat_name: process.entry_leader.parent.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.entry_leader.parent.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.entry_leader.parent.session_leader.hash.md5: + dashed_name: process-entry-leader-parent-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.entry_leader.parent.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.entry_leader.parent.session_leader.hash.sha1: + dashed_name: process-entry-leader-parent-session-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.entry_leader.parent.session_leader.hash.sha256: + dashed_name: process-entry-leader-parent-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.entry_leader.parent.session_leader.hash.sha384: + dashed_name: process-entry-leader-parent-session-leader-hash-sha384 + description: SHA384 hash. 
+ flat_name: process.entry_leader.parent.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.entry_leader.parent.session_leader.hash.sha512: + dashed_name: process-entry-leader-parent-session-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.entry_leader.parent.session_leader.hash.ssdeep: + dashed_name: process-entry-leader-parent-session-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.entry_leader.parent.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.entry_leader.parent.session_leader.hash.tlsh: + dashed_name: process-entry-leader-parent-session-leader-hash-tlsh + description: TLSH hash. + flat_name: process.entry_leader.parent.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.entry_leader.parent.session_leader.interactive: + dashed_name: process-entry-leader-parent-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.entry_leader.parent.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.entry_leader.parent.session_leader.io: + dashed_name: process-entry-leader-parent-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.entry_leader.parent.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.entry_leader.parent.session_leader.io.bytes_skipped: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.entry_leader.parent.session_leader.io.bytes_skipped.length: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long +process.entry_leader.parent.session_leader.io.bytes_skipped.offset: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-parent-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.entry_leader.parent.session_leader.io.text: + dashed_name: process-entry-leader-parent-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.entry_leader.parent.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard +process.entry_leader.parent.session_leader.io.total_bytes_captured: + dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.entry_leader.parent.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.entry_leader.parent.session_leader.io.total_bytes_skipped: + dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.entry_leader.parent.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.entry_leader.parent.session_leader.io.type: + dashed_name: process-entry-leader-parent-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.entry_leader.parent.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.entry_leader.parent.session_leader.macho.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.entry_leader.parent.session_leader.macho.go_imports: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.entry_leader.parent.session_leader.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.session_leader.macho.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.parent.session_leader.macho.import_hash: + dashed_name: process-entry-leader-parent-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.entry_leader.parent.session_leader.macho.imports: + dashed_name: process-entry-leader-parent-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. 
+ type: flattened +process.entry_leader.parent.session_leader.macho.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.entry_leader.parent.session_leader.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.parent.session_leader.macho.sections: + dashed_name: process-entry-leader-parent-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.entry_leader.parent.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.entry_leader.parent.session_leader.macho.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.entry_leader.parent.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.session_leader.macho.sections.name: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.entry_leader.parent.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.entry_leader.parent.session_leader.macho.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.entry_leader.parent.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.entry_leader.parent.session_leader.macho.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.session_leader.macho.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ flat_name: process.entry_leader.parent.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.entry_leader.parent.session_leader.macho.symhash: + dashed_name: process-entry-leader-parent-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.entry_leader.parent.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.entry_leader.parent.session_leader.name: + dashed_name: process-entry-leader-parent-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.entry_leader.parent.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.entry_leader.parent.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. 
+ example: http://example.com/article1.html + flat_name: process.entry_leader.parent.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.entry_leader.parent.session_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.parent.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.entry_leader.parent.session_leader.pe.architecture: + dashed_name: process-entry-leader-parent-session-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.entry_leader.parent.session_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.entry_leader.parent.session_leader.pe.company: + dashed_name: process-entry-leader-parent-session-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.entry_leader.parent.session_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.session_leader.pe.description: + dashed_name: process-entry-leader-parent-session-leader-pe-description + description: Internal description of the file, provided at compile-time. 
+ example: Paint + flat_name: process.entry_leader.parent.session_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.session_leader.pe.file_version: + dashed_name: process-entry-leader-parent-session-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.entry_leader.parent.session_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.entry_leader.parent.session_leader.pe.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.entry_leader.parent.session_leader.pe.go_imports: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. 
+ type: flattened +process.entry_leader.parent.session_leader.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.entry_leader.parent.session_leader.pe.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.entry_leader.parent.session_leader.pe.imphash: + dashed_name: process-entry-leader-parent-session-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.entry_leader.parent.session_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.entry_leader.parent.session_leader.pe.import_hash: + dashed_name: process-entry-leader-parent-session-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.entry_leader.parent.session_leader.pe.imports: + dashed_name: process-entry-leader-parent-session-leader-pe-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.entry_leader.parent.session_leader.pe.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. 
+ type: long +process.entry_leader.parent.session_leader.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.entry_leader.parent.session_leader.pe.original_file_name: + dashed_name: process-entry-leader-parent-session-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.entry_leader.parent.session_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.session_leader.pe.pehash: + dashed_name: process-entry-leader-parent-session-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.entry_leader.parent.session_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. 
+ type: keyword +process.entry_leader.parent.session_leader.pe.product: + dashed_name: process-entry-leader-parent-session-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.entry_leader.parent.session_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.entry_leader.parent.session_leader.pe.sections: + dashed_name: process-entry-leader-parent-session-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.entry_leader.parent.session_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.entry_leader.parent.session_leader.pe.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.session_leader.pe.sections.name: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-name + description: PE Section List name. + flat_name: process.entry_leader.parent.session_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword +process.entry_leader.parent.session_leader.pe.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.entry_leader.parent.session_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.entry_leader.parent.session_leader.pe.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.entry_leader.parent.session_leader.pe.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.session_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.entry_leader.parent.session_leader.pid: + dashed_name: process-entry-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.entry_leader.parent.session_leader.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.entry_leader.parent.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.entry_leader.parent.session_leader.real_group.domain: + dashed_name: process-entry-leader-parent-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.real_group.id: + dashed_name: process-entry-leader-parent-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.real_group.name: + dashed_name: process-entry-leader-parent-session-leader-real-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.entry_leader.parent.session_leader.real_user.domain: + dashed_name: process-entry-leader-parent-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.session_leader.real_user.email: + dashed_name: process-entry-leader-parent-session-leader-real-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.session_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.parent.session_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.parent.session_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.parent.session_leader.real_user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.parent.session_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.parent.session_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.entry_leader.parent.session_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.parent.session_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.parent.session_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.parent.session_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.parent.session_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.parent.session_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.parent.session_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.parent.session_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. 
This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.parent.session_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. 
+ name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.parent.session_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.parent.session_leader.real_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.session_leader.real_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.real_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.entry_leader.parent.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.real_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.real_user.hash: + dashed_name: process-entry-leader-parent-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.session_leader.real_user.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.session_leader.real_user.name: + dashed_name: process-entry-leader-parent-session-leader-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.entry_leader.parent.session_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.parent.session_leader.real_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.session_leader.real_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.parent.session_leader.real_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.session_leader.real_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.parent.session_leader.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.parent.session_leader.real_user.roles: + dashed_name: process-entry-leader-parent-session-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.same_as_process: + dashed_name: process-entry-leader-parent-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' 
+ example: true + flat_name: process.entry_leader.parent.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.entry_leader.parent.session_leader.saved_group.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.saved_group.id: + dashed_name: process-entry-leader-parent-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.parent.session_leader.saved_group.name: + dashed_name: process-entry-leader-parent-session-leader-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.saved_user.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.session_leader.saved_user.email: + dashed_name: process-entry-leader-parent-session-leader-saved-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.session_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.parent.session_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.parent.session_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.parent.session_leader.saved_user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.parent.session_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.parent.session_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.parent.session_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.parent.session_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.parent.session_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.parent.session_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.parent.session_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.parent.session_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.parent.session_leader.saved_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.parent.session_leader.saved_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.saved_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.entry_leader.parent.session_leader.saved_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.saved_user.hash: + dashed_name: process-entry-leader-parent-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.parent.session_leader.saved_user.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.parent.session_leader.saved_user.name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.entry_leader.parent.session_leader.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.parent.session_leader.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.entry_leader.parent.session_leader.saved_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.parent.session_leader.saved_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float +process.entry_leader.parent.session_leader.saved_user.roles: + dashed_name: process-entry-leader-parent-session-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.start: + dashed_name: process-entry-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.entry_leader.parent.session_leader.supplemental_groups.domain: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.parent.session_leader.supplemental_groups.id: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.entry_leader.parent.session_leader.supplemental_groups.name: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.parent.session_leader.thread.capabilities.effective: + dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.session_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.thread.capabilities.permitted: + dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.session_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.entry_leader.parent.session_leader.thread.id: + dashed_name: process-entry-leader-parent-session-leader-thread-id + description: Thread ID. 
+ example: 4242 + flat_name: process.entry_leader.parent.session_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.entry_leader.parent.session_leader.thread.name: + dashed_name: process-entry-leader-parent-session-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.entry_leader.parent.session_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.entry_leader.parent.session_leader.title: + dashed_name: process-entry-leader-parent-session-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.entry_leader.parent.session_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.entry_leader.parent.session_leader.tty: + dashed_name: process-entry-leader-parent-session-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.entry_leader.parent.session_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.entry_leader.parent.session_leader.tty.char_device.major: + dashed_name: process-entry-leader-parent-session-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. 
+ The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.parent.session_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.entry_leader.parent.session_leader.tty.char_device.minor: + dashed_name: process-entry-leader-parent-session-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.parent.session_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.entry_leader.parent.session_leader.tty.columns: + dashed_name: process-entry-leader-parent-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.parent.session_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.entry_leader.parent.session_leader.tty.rows: + dashed_name: process-entry-leader-parent-session-leader-tty-rows + description: 'The number of character rows in the terminal. 
e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.parent.session_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.entry_leader.parent.session_leader.uptime: + dashed_name: process-entry-leader-parent-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.entry_leader.parent.session_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.entry_leader.parent.session_leader.user.domain: + dashed_name: process-entry-leader-parent-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.parent.session_leader.user.email: + dashed_name: process-entry-leader-parent-session-leader-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.parent.session_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. 
Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.parent.session_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.parent.session_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.entry_leader.parent.session_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.parent.session_leader.user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.parent.session_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date +process.entry_leader.parent.session_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.parent.session_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.parent.session_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.parent.session_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.entry_leader.parent.session_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.parent.session_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.parent.session_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.parent.session_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.session_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.parent.session_leader.user.entity.source: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.parent.session_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.parent.session_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.parent.session_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. 
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-parent-session-leader-user-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: process.entry_leader.parent.session_leader.user.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+process.entry_leader.parent.session_leader.user.full_name:
+ dashed_name: process-entry-leader-parent-session-leader-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.entry_leader.parent.session_leader.user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.entry_leader.parent.session_leader.user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+process.entry_leader.parent.session_leader.user.group.domain:
+ dashed_name: process-entry-leader-parent-session-leader-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.entry_leader.parent.session_leader.user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.entry_leader.parent.session_leader.user.group.id:
+ dashed_name: process-entry-leader-parent-session-leader-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.entry_leader.parent.session_leader.user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.entry_leader.parent.session_leader.user.group.name:
+ dashed_name: process-entry-leader-parent-session-leader-user-group-name
+ description: Name of the group.
+ flat_name: process.entry_leader.parent.session_leader.user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.entry_leader.parent.session_leader.user.hash:
+ dashed_name: process-entry-leader-parent-session-leader-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.entry_leader.parent.session_leader.user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+process.entry_leader.parent.session_leader.user.id:
+ dashed_name: process-entry-leader-parent-session-leader-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.entry_leader.parent.session_leader.user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+process.entry_leader.parent.session_leader.user.name:
+ dashed_name: process-entry-leader-parent-session-leader-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.entry_leader.parent.session_leader.user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.entry_leader.parent.session_leader.user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+process.entry_leader.parent.session_leader.user.risk.calculated_level:
+ dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+process.entry_leader.parent.session_leader.user.risk.calculated_score:
+ dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+process.entry_leader.parent.session_leader.user.risk.calculated_score_norm:
+ dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+process.entry_leader.parent.session_leader.user.risk.static_level:
+ dashed_name: process-entry-leader-parent-session-leader-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.entry_leader.parent.session_leader.user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+process.entry_leader.parent.session_leader.user.risk.static_score:
+ dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.entry_leader.parent.session_leader.user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+process.entry_leader.parent.session_leader.user.risk.static_score_norm:
+ dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.entry_leader.parent.session_leader.user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+process.entry_leader.parent.session_leader.user.roles:
+ dashed_name: process-entry-leader-parent-session-leader-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.entry_leader.parent.session_leader.user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+process.entry_leader.parent.session_leader.vpid:
+ dashed_name: process-entry-leader-parent-session-leader-vpid
+ description: 'Virtual process id.
+
+ The process id within a pid namespace. This is not necessarily unique across all
+ processes on the host but it is unique within the process namespace that the process
+ exists within.'
+ example: 4242
+ flat_name: process.entry_leader.parent.session_leader.vpid
+ format: string
+ level: core
+ name: vpid
+ normalize: []
+ original_fieldset: process
+ short: Virtual process id.
+ type: long
+process.entry_leader.parent.session_leader.working_directory:
+ dashed_name: process-entry-leader-parent-session-leader-working-directory
+ description: The working directory of the process.
+ example: /home/alice
+ flat_name: process.entry_leader.parent.session_leader.working_directory
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.entry_leader.parent.session_leader.working_directory.text
+ name: text
+ type: match_only_text
+ name: working_directory
+ normalize: []
+ original_fieldset: process
+ short: The working directory of the process.
+ type: keyword
+process.entry_leader.parent.start:
+ dashed_name: process-entry-leader-parent-start
+ description: The time the process started.
+ example: '2016-05-23T08:05:34.853Z'
+ flat_name: process.entry_leader.parent.start
+ level: extended
+ name: start
+ normalize: []
+ original_fieldset: process
+ short: The time the process started.
+ type: date
+process.entry_leader.parent.supplemental_groups.domain:
+ dashed_name: process-entry-leader-parent-supplemental-groups-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.entry_leader.parent.supplemental_groups.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.entry_leader.parent.supplemental_groups.id:
+ dashed_name: process-entry-leader-parent-supplemental-groups-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.entry_leader.parent.supplemental_groups.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.entry_leader.parent.supplemental_groups.name:
+ dashed_name: process-entry-leader-parent-supplemental-groups-name
+ description: Name of the group.
+ flat_name: process.entry_leader.parent.supplemental_groups.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.entry_leader.parent.thread.capabilities.effective:
+ dashed_name: process-entry-leader-parent-thread-capabilities-effective
+ description: This is the set of capabilities used by the kernel to perform permission
+ checks for the thread.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ flat_name: process.entry_leader.parent.thread.capabilities.effective
+ ignore_above: 1024
+ level: extended
+ name: thread.capabilities.effective
+ normalize:
+ - array
+ original_fieldset: process
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ short: Array of capabilities used for permission checks.
+ synthetic_source_keep: none
+ type: keyword
+process.entry_leader.parent.thread.capabilities.permitted:
+ dashed_name: process-entry-leader-parent-thread-capabilities-permitted
+ description: This is a limiting superset for the effective capabilities that the
+ thread may assume.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ flat_name: process.entry_leader.parent.thread.capabilities.permitted
+ ignore_above: 1024
+ level: extended
+ name: thread.capabilities.permitted
+ normalize:
+ - array
+ original_fieldset: process
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ short: Array of capabilities a thread could assume.
+ synthetic_source_keep: none
+ type: keyword
+process.entry_leader.parent.thread.id:
+ dashed_name: process-entry-leader-parent-thread-id
+ description: Thread ID.
+ example: 4242
+ flat_name: process.entry_leader.parent.thread.id
+ format: string
+ level: extended
+ name: thread.id
+ normalize: []
+ original_fieldset: process
+ short: Thread ID.
+ type: long
+process.entry_leader.parent.thread.name:
+ dashed_name: process-entry-leader-parent-thread-name
+ description: Thread name.
+ example: thread-0
+ flat_name: process.entry_leader.parent.thread.name
+ ignore_above: 1024
+ level: extended
+ name: thread.name
+ normalize: []
+ original_fieldset: process
+ short: Thread name.
+ type: keyword
+process.entry_leader.parent.title:
+ dashed_name: process-entry-leader-parent-title
+ description: 'Process title.
+
+ The proctitle, some times the same as process name. Can also be different: for
+ example a browser setting its title to the web page currently opened.'
+ flat_name: process.entry_leader.parent.title
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.entry_leader.parent.title.text
+ name: text
+ type: match_only_text
+ name: title
+ normalize: []
+ original_fieldset: process
+ short: Process title.
+ type: keyword
+process.entry_leader.parent.tty:
+ dashed_name: process-entry-leader-parent-tty
+ description: Information about the controlling TTY device. If set, the process belongs
+ to an interactive session.
+ flat_name: process.entry_leader.parent.tty
+ level: extended
+ name: tty
+ normalize: []
+ original_fieldset: process
+ short: Information about the controlling TTY device.
+ type: object
+process.entry_leader.parent.tty.char_device.major:
+ dashed_name: process-entry-leader-parent-tty-char-device-major
+ description: The major number identifies the driver associated with the device.
+ The character device's major and minor numbers can be algorithmically combined
+ to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
+ For more details, please refer to the Linux kernel documentation.
+ example: 4
+ flat_name: process.entry_leader.parent.tty.char_device.major
+ level: extended
+ name: tty.char_device.major
+ normalize: []
+ original_fieldset: process
+ short: The TTY character device's major number.
+ type: long
+process.entry_leader.parent.tty.char_device.minor:
+ dashed_name: process-entry-leader-parent-tty-char-device-minor
+ description: The minor number is used only by the driver specified by the major
+ number; other parts of the kernel don’t use it, and merely pass it along to the
+ driver. It is common for a driver to control several devices; the minor number
+ provides a way for the driver to differentiate among them.
+ example: 1
+ flat_name: process.entry_leader.parent.tty.char_device.minor
+ level: extended
+ name: tty.char_device.minor
+ normalize: []
+ original_fieldset: process
+ short: The TTY character device's minor number.
+ type: long
+process.entry_leader.parent.tty.columns:
+ dashed_name: process-entry-leader-parent-tty-columns
+ description: 'The number of character columns per line. e.g terminal width
+
+ Terminal sizes can change, so this value reflects the maximum value for a given
+ IO event. i.e. where event.action = ''text_output'''
+ example: 80
+ flat_name: process.entry_leader.parent.tty.columns
+ level: extended
+ name: tty.columns
+ normalize: []
+ original_fieldset: process
+ short: The number of character columns per line. e.g terminal width
+ type: long
+process.entry_leader.parent.tty.rows:
+ dashed_name: process-entry-leader-parent-tty-rows
+ description: 'The number of character rows in the terminal. e.g terminal height
+
+ Terminal sizes can change, so this value reflects the maximum value for a given
+ IO event. i.e. where event.action = ''text_output'''
+ example: 24
+ flat_name: process.entry_leader.parent.tty.rows
+ level: extended
+ name: tty.rows
+ normalize: []
+ original_fieldset: process
+ short: The number of character rows in the terminal. e.g terminal height
+ type: long
+process.entry_leader.parent.uptime:
+ dashed_name: process-entry-leader-parent-uptime
+ description: Seconds the process has been up.
+ example: 1325
+ flat_name: process.entry_leader.parent.uptime
+ level: extended
+ name: uptime
+ normalize: []
+ original_fieldset: process
+ short: Seconds the process has been up.
+ type: long
+process.entry_leader.parent.user.domain:
+ dashed_name: process-entry-leader-parent-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.entry_leader.parent.user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+process.entry_leader.parent.user.email:
+ dashed_name: process-entry-leader-parent-user-email
+ description: User email address.
+ flat_name: process.entry_leader.parent.user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+process.entry_leader.parent.user.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-parent-user-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: process.entry_leader.parent.user.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+process.entry_leader.parent.user.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-parent-user-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: process.entry_leader.parent.user.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+process.entry_leader.parent.user.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-parent-user-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: process.entry_leader.parent.user.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.entry_leader.parent.user.entity.display_name.text
+ name: text
+ norms: false
+ type: text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+process.entry_leader.parent.user.entity.id:
+ dashed_name: process-entry-leader-parent-user-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: process.entry_leader.parent.user.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+process.entry_leader.parent.user.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-parent-user-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: process.entry_leader.parent.user.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+process.entry_leader.parent.user.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-parent-user-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: process.entry_leader.parent.user.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+process.entry_leader.parent.user.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-parent-user-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: process.entry_leader.parent.user.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+process.entry_leader.parent.user.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-parent-user-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: process.entry_leader.parent.user.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.entry_leader.parent.user.entity.name.text
+ name: text
+ norms: false
+ type: text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+process.entry_leader.parent.user.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-parent-user-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: process.entry_leader.parent.user.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+process.entry_leader.parent.user.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-parent-user-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: process.entry_leader.parent.user.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+process.entry_leader.parent.user.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-parent-user-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: process.entry_leader.parent.user.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+process.entry_leader.parent.user.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-parent-user-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: process.entry_leader.parent.user.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+process.entry_leader.parent.user.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-parent-user-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: process.entry_leader.parent.user.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+process.entry_leader.parent.user.full_name:
+ dashed_name: process-entry-leader-parent-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.entry_leader.parent.user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.entry_leader.parent.user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+process.entry_leader.parent.user.group.domain:
+ dashed_name: process-entry-leader-parent-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.entry_leader.parent.user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.entry_leader.parent.user.group.id:
+ dashed_name: process-entry-leader-parent-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.entry_leader.parent.user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.entry_leader.parent.user.group.name:
+ dashed_name: process-entry-leader-parent-user-group-name
+ description: Name of the group.
+ flat_name: process.entry_leader.parent.user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.entry_leader.parent.user.hash:
+ dashed_name: process-entry-leader-parent-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.entry_leader.parent.user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+process.entry_leader.parent.user.id:
+ dashed_name: process-entry-leader-parent-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.entry_leader.parent.user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+process.entry_leader.parent.user.name:
+ dashed_name: process-entry-leader-parent-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.entry_leader.parent.user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.entry_leader.parent.user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+process.entry_leader.parent.user.risk.calculated_level:
+ dashed_name: process-entry-leader-parent-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.entry_leader.parent.user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+process.entry_leader.parent.user.risk.calculated_score:
+ dashed_name: process-entry-leader-parent-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.entry_leader.parent.user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+process.entry_leader.parent.user.risk.calculated_score_norm:
+ dashed_name: process-entry-leader-parent-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: process.entry_leader.parent.user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+process.entry_leader.parent.user.risk.static_level:
+ dashed_name: process-entry-leader-parent-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.entry_leader.parent.user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+process.entry_leader.parent.user.risk.static_score:
+ dashed_name: process-entry-leader-parent-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.entry_leader.parent.user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+process.entry_leader.parent.user.risk.static_score_norm:
+ dashed_name: process-entry-leader-parent-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.entry_leader.parent.user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+process.entry_leader.parent.user.roles:
+ dashed_name: process-entry-leader-parent-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.entry_leader.parent.user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+process.entry_leader.parent.vpid:
+ dashed_name: process-entry-leader-parent-vpid
+ description: 'Virtual process id.
+
+ The process id within a pid namespace. This is not necessarily unique across all
+ processes on the host but it is unique within the process namespace that the process
+ exists within.'
+ example: 4242
+ flat_name: process.entry_leader.parent.vpid
+ format: string
+ level: core
+ name: vpid
+ normalize: []
+ original_fieldset: process
+ short: Virtual process id.
+ type: long
+process.entry_leader.parent.working_directory:
+ dashed_name: process-entry-leader-parent-working-directory
+ description: The working directory of the process.
+ example: /home/alice
+ flat_name: process.entry_leader.parent.working_directory
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.entry_leader.parent.working_directory.text
+ name: text
+ type: match_only_text
+ name: working_directory
+ normalize: []
+ original_fieldset: process
+ short: The working directory of the process.
+ type: keyword
+process.entry_leader.pe.architecture:
+ dashed_name: process-entry-leader-pe-architecture
+ description: CPU architecture target for the file.
+ example: x64
+ flat_name: process.entry_leader.pe.architecture
+ ignore_above: 1024
+ level: extended
+ name: architecture
+ normalize: []
+ original_fieldset: pe
+ short: CPU architecture target for the file.
+ type: keyword
+process.entry_leader.pe.company:
+ dashed_name: process-entry-leader-pe-company
+ description: Internal company name of the file, provided at compile-time.
+ example: Microsoft Corporation
+ flat_name: process.entry_leader.pe.company
+ ignore_above: 1024
+ level: extended
+ name: company
+ normalize: []
+ original_fieldset: pe
+ short: Internal company name of the file, provided at compile-time.
+ type: keyword
+process.entry_leader.pe.description:
+ dashed_name: process-entry-leader-pe-description
+ description: Internal description of the file, provided at compile-time.
+ example: Paint
+ flat_name: process.entry_leader.pe.description
+ ignore_above: 1024
+ level: extended
+ name: description
+ normalize: []
+ original_fieldset: pe
+ short: Internal description of the file, provided at compile-time.
+ type: keyword
+process.entry_leader.pe.file_version:
+ dashed_name: process-entry-leader-pe-file-version
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ flat_name: process.entry_leader.pe.file_version
+ ignore_above: 1024
+ level: extended
+ name: file_version
+ normalize: []
+ original_fieldset: pe
+ short: Process name.
+ type: keyword
+process.entry_leader.pe.go_import_hash:
+ dashed_name: process-entry-leader-pe-go-import-hash
+ description: 'A hash of the Go language imports in a PE file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would change
+ more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ flat_name: process.entry_leader.pe.go_import_hash
+ ignore_above: 1024
+ level: extended
+ name: go_import_hash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the Go language imports in a PE file.
+ type: keyword
+process.entry_leader.pe.go_imports:
+ dashed_name: process-entry-leader-pe-go-imports
+ description: List of imported Go language element names and types.
+ flat_name: process.entry_leader.pe.go_imports
+ level: extended
+ name: go_imports
+ normalize: []
+ original_fieldset: pe
+ short: List of imported Go language element names and types.
+ type: flattened
+process.entry_leader.pe.go_imports_names_entropy:
+ dashed_name: process-entry-leader-pe-go-imports-names-entropy
+ description: Shannon entropy calculation from the list of Go imports.
+ flat_name: process.entry_leader.pe.go_imports_names_entropy
+ format: number
+ level: extended
+ name: go_imports_names_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the list of Go imports.
+ type: long
+process.entry_leader.pe.go_imports_names_var_entropy:
+ dashed_name: process-entry-leader-pe-go-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ flat_name: process.entry_leader.pe.go_imports_names_var_entropy
+ format: number
+ level: extended
+ name: go_imports_names_var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the list of Go imports.
+ type: long
+process.entry_leader.pe.go_stripped:
+ dashed_name: process-entry-leader-pe-go-stripped
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ flat_name: process.entry_leader.pe.go_stripped
+ level: extended
+ name: go_stripped
+ normalize: []
+ original_fieldset: pe
+ short: Whether the file is a stripped or obfuscated Go executable.
+ type: boolean
+process.entry_leader.pe.imphash:
+ dashed_name: process-entry-leader-pe-imphash
+ description: 'A hash of the imports in a PE file. An imphash -- or import hash --
+ can be used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+ example: 0c6803c4e922103c4dca5963aad36ddf
+ flat_name: process.entry_leader.pe.imphash
+ ignore_above: 1024
+ level: extended
+ name: imphash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the imports in a PE file.
+ type: keyword
+process.entry_leader.pe.import_hash:
+ dashed_name: process-entry-leader-pe-import-hash
+ description: 'A hash of the imports in a PE file. An import hash can be used to
+ fingerprint binaries even after recompilation or other code-level transformations
+ have occurred, which would change more traditional hash values.
+
+ This is a synonym for imphash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ flat_name: process.entry_leader.pe.import_hash
+ ignore_above: 1024
+ level: extended
+ name: import_hash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the imports in a PE file.
+ type: keyword
+process.entry_leader.pe.imports:
+ dashed_name: process-entry-leader-pe-imports
+ description: List of imported element names and types.
+ flat_name: process.entry_leader.pe.imports
+ level: extended
+ name: imports
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of imported element names and types.
+ type: flattened
+process.entry_leader.pe.imports_names_entropy:
+ dashed_name: process-entry-leader-pe-imports-names-entropy
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ flat_name: process.entry_leader.pe.imports_names_entropy
+ format: number
+ level: extended
+ name: imports_names_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the list of imported element names and types.
+ type: long
+process.entry_leader.pe.imports_names_var_entropy:
+ dashed_name: process-entry-leader-pe-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ flat_name: process.entry_leader.pe.imports_names_var_entropy
+ format: number
+ level: extended
+ name: imports_names_var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the list of imported element
+ names and types.
+ type: long
+process.entry_leader.pe.original_file_name:
+ dashed_name: process-entry-leader-pe-original-file-name
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+ flat_name: process.entry_leader.pe.original_file_name
+ ignore_above: 1024
+ level: extended
+ name: original_file_name
+ normalize: []
+ original_fieldset: pe
+ short: Internal name of the file, provided at compile-time.
+ type: keyword
+process.entry_leader.pe.pehash:
+ dashed_name: process-entry-leader-pe-pehash
+ description: 'A hash of the PE header and data from one or more PE sections. An
+ pehash can be used to cluster files by transforming structural information about
+ a file into a hash value.
+
+ Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.'
+ example: 73ff189b63cd6be375a7ff25179a38d347651975
+ flat_name: process.entry_leader.pe.pehash
+ ignore_above: 1024
+ level: extended
+ name: pehash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the PE header and data from one or more PE sections.
+ type: keyword
+process.entry_leader.pe.product:
+ dashed_name: process-entry-leader-pe-product
+ description: Internal product name of the file, provided at compile-time.
+ example: Microsoft® Windows® Operating System
+ flat_name: process.entry_leader.pe.product
+ ignore_above: 1024
+ level: extended
+ name: product
+ normalize: []
+ original_fieldset: pe
+ short: Internal product name of the file, provided at compile-time.
+ type: keyword
+process.entry_leader.pe.sections:
+ dashed_name: process-entry-leader-pe-sections
+ description: 'An array containing an object for each section of the PE file.
+
+ The keys that should be present in these objects are defined by sub-fields underneath
+ `pe.sections.*`.'
+ flat_name: process.entry_leader.pe.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: pe
+ short: Section information of the PE file.
+ type: nested
+process.entry_leader.pe.sections.entropy:
+ dashed_name: process-entry-leader-pe-sections-entropy
+ description: Shannon entropy calculation from the section.
+ flat_name: process.entry_leader.pe.sections.entropy
+ format: number
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the section.
+ type: long
+process.entry_leader.pe.sections.name:
+ dashed_name: process-entry-leader-pe-sections-name
+ description: PE Section List name.
+ flat_name: process.entry_leader.pe.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List name.
+ type: keyword
+process.entry_leader.pe.sections.physical_size:
+ dashed_name: process-entry-leader-pe-sections-physical-size
+ description: PE Section List physical size.
+ flat_name: process.entry_leader.pe.sections.physical_size
+ format: bytes
+ level: extended
+ name: sections.physical_size
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List physical size.
+ type: long
+process.entry_leader.pe.sections.var_entropy:
+ dashed_name: process-entry-leader-pe-sections-var-entropy
+ description: Variance for Shannon entropy calculation from the section.
+ flat_name: process.entry_leader.pe.sections.var_entropy
+ format: number
+ level: extended
+ name: sections.var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the section.
+ type: long
+process.entry_leader.pe.sections.virtual_size:
+ dashed_name: process-entry-leader-pe-sections-virtual-size
+ description: PE Section List virtual size. This is always the same as `physical_size`.
+ flat_name: process.entry_leader.pe.sections.virtual_size
+ format: string
+ level: extended
+ name: sections.virtual_size
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List virtual size. This is always the same as `physical_size`.
+ type: long
+process.entry_leader.pid:
+ dashed_name: process-entry-leader-pid
+ description: Process id.
+ example: 4242
+ flat_name: process.entry_leader.pid
+ format: string
+ level: core
+ name: pid
+ normalize: []
+ original_fieldset: process
+ short: Process id.
+ type: long
+process.entry_leader.platform_binary:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-platform-binary
+ description: Binaries that are shipped by the operating system are defined as platform
+ binaries, this value is then set to true.
+ flat_name: process.entry_leader.platform_binary
+ level: extended
+ name: platform_binary
+ normalize: []
+ original_fieldset: process
+ short: Indicates whether this process executable is a default platform binary shipped
+ with the operating system.
+ type: boolean
+process.entry_leader.real_group.domain:
+ dashed_name: process-entry-leader-real-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.entry_leader.real_group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.entry_leader.real_group.id:
+ dashed_name: process-entry-leader-real-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.entry_leader.real_group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.entry_leader.real_group.name:
+ dashed_name: process-entry-leader-real-group-name
+ description: Name of the group.
+ flat_name: process.entry_leader.real_group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.entry_leader.real_user.domain:
+ dashed_name: process-entry-leader-real-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.entry_leader.real_user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+process.entry_leader.real_user.email:
+ dashed_name: process-entry-leader-real-user-email
+ description: User email address.
+ flat_name: process.entry_leader.real_user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+process.entry_leader.real_user.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-real-user-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: process.entry_leader.real_user.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+process.entry_leader.real_user.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-real-user-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: process.entry_leader.real_user.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+process.entry_leader.real_user.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-real-user-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: process.entry_leader.real_user.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.entry_leader.real_user.entity.display_name.text
+ name: text
+ norms: false
+ type: text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+process.entry_leader.real_user.entity.id:
+ dashed_name: process-entry-leader-real-user-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: process.entry_leader.real_user.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+process.entry_leader.real_user.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-real-user-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: process.entry_leader.real_user.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+process.entry_leader.real_user.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-real-user-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: process.entry_leader.real_user.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+process.entry_leader.real_user.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-real-user-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: process.entry_leader.real_user.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+process.entry_leader.real_user.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-real-user-entity-name
+ description: The name of the entity.
The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: process.entry_leader.real_user.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.entry_leader.real_user.entity.name.text
+ name: text
+ norms: false
+ type: text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+process.entry_leader.real_user.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-real-user-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: process.entry_leader.real_user.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+process.entry_leader.real_user.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-real-user-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: process.entry_leader.real_user.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+process.entry_leader.real_user.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-real-user-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: process.entry_leader.real_user.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+process.entry_leader.real_user.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-real-user-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: process.entry_leader.real_user.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+process.entry_leader.real_user.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: process-entry-leader-real-user-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: process.entry_leader.real_user.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+process.entry_leader.real_user.full_name:
+ dashed_name: process-entry-leader-real-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.entry_leader.real_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.entry_leader.real_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+process.entry_leader.real_user.group.domain:
+ dashed_name: process-entry-leader-real-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.entry_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.real_user.group.id: + dashed_name: process-entry-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.real_user.group.name: + dashed_name: process-entry-leader-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.real_user.hash: + dashed_name: process-entry-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.real_user.id: + dashed_name: process-entry-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.real_user.name: + dashed_name: process-entry-leader-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.entry_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.real_user.risk.calculated_level: + dashed_name: process-entry-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.real_user.risk.calculated_score: + dashed_name: process-entry-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: process.entry_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.real_user.risk.static_level: + dashed_name: process-entry-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.real_user.risk.static_score: + dashed_name: process-entry-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float +process.entry_leader.real_user.roles: + dashed_name: process-entry-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.same_as_process: + dashed_name: process-entry-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. 
+ type: boolean +process.entry_leader.saved_group.domain: + dashed_name: process-entry-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.saved_group.id: + dashed_name: process-entry-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.saved_group.name: + dashed_name: process-entry-leader-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.saved_user.domain: + dashed_name: process-entry-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.saved_user.email: + dashed_name: process-entry-leader-saved-user-email + description: User email address. + flat_name: process.entry_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword +process.entry_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.entry_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.saved_user.entity.id: + dashed_name: process-entry-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.entry_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. 
This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. 
+ name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.saved_user.full_name: + dashed_name: process-entry-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.saved_user.group.domain: + dashed_name: process-entry-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.saved_user.group.id: + dashed_name: process-entry-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.entry_leader.saved_user.group.name: + dashed_name: process-entry-leader-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.saved_user.hash: + dashed_name: process-entry-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.saved_user.id: + dashed_name: process-entry-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.saved_user.name: + dashed_name: process-entry-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.entry_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.saved_user.risk.static_level: + dashed_name: process-entry-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.entry_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.entry_leader.saved_user.risk.static_score: + dashed_name: process-entry-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.saved_user.roles: + dashed_name: process-entry-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.entry_leader.start: + dashed_name: process-entry-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.entry_leader.supplemental_groups.domain: + dashed_name: process-entry-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.supplemental_groups.id: + dashed_name: process-entry-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.supplemental_groups.name: + dashed_name: process-entry-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.thread.capabilities.effective: + dashed_name: process-entry-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.entry_leader.thread.capabilities.permitted: + dashed_name: process-entry-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.entry_leader.thread.id: + dashed_name: process-entry-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.entry_leader.thread.name: + dashed_name: process-entry-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.entry_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.entry_leader.title: + dashed_name: process-entry-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' 
+ flat_name: process.entry_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.entry_leader.tty: + dashed_name: process-entry-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.entry_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.entry_leader.tty.char_device.major: + dashed_name: process-entry-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.entry_leader.tty.char_device.minor: + dashed_name: process-entry-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. 
+ type: long +process.entry_leader.tty.columns: + dashed_name: process-entry-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.entry_leader.tty.rows: + dashed_name: process-entry-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.entry_leader.uptime: + dashed_name: process-entry-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.entry_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.entry_leader.user.domain: + dashed_name: process-entry-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.entry_leader.user.email: + dashed_name: process-entry-leader-user-email + description: User email address. 
+ flat_name: process.entry_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.entry_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.entry_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.entry_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.entry_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.entry_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.entry_leader.user.entity.id: + dashed_name: process-entry-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.entry_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.entry_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date +process.entry_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.entry_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.entry_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.entry_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.entry_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.entry_leader.user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.entry_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.entry_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.entry_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.entry_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.entry_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. 
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.entry_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.entry_leader.user.full_name: + dashed_name: process-entry-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.entry_leader.user.group.domain: + dashed_name: process-entry-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.entry_leader.user.group.id: + dashed_name: process-entry-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.user.group.name: + dashed_name: process-entry-leader-user-group-name + description: Name of the group. 
+ flat_name: process.entry_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.user.hash: + dashed_name: process-entry-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.entry_leader.user.id: + dashed_name: process-entry-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.entry_leader.user.name: + dashed_name: process-entry-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.entry_leader.user.risk.calculated_level: + dashed_name: process-entry-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.entry_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.entry_leader.user.risk.calculated_score: + dashed_name: process-entry-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.entry_leader.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.entry_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.entry_leader.user.risk.static_level: + dashed_name: process-entry-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +process.entry_leader.user.risk.static_score: + dashed_name: process-entry-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.entry_leader.user.risk.static_score_norm: + dashed_name: process-entry-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.entry_leader.user.roles: + dashed_name: process-entry-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. 
+ type: long +process.entry_leader.working_directory: + dashed_name: process-entry-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.entry_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.entry_meta.source.address: + dashed_name: process-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.entry_meta.source.as.number: + dashed_name: process-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.entry_meta.source.as.organization.name: + dashed_name: process-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.entry_meta.source.bytes: + dashed_name: process-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.entry_meta.source.domain: + dashed_name: process-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.entry_meta.source.geo.city_name: + dashed_name: process-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.entry_meta.source.geo.continent_code: + dashed_name: process-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. 
+ type: keyword +process.entry_meta.source.geo.continent_name: + dashed_name: process-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.entry_meta.source.geo.country_name: + dashed_name: process-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.entry_meta.source.geo.location: + dashed_name: process-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.entry_meta.source.geo.name: + dashed_name: process-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + flat_name: process.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.entry_meta.source.geo.postal_code: + dashed_name: process-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.entry_meta.source.geo.region_name: + dashed_name: process-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.entry_meta.source.geo.timezone: + dashed_name: process-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.entry_meta.source.ip: + dashed_name: process-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). 
+ flat_name: process.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.entry_meta.source.mac: + dashed_name: process-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.entry_meta.source.nat.ip: + dashed_name: process-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.entry_meta.source.nat.port: + dashed_name: process-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.entry_meta.source.packets: + dashed_name: process-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. 
+ type: long +process.entry_meta.source.port: + dashed_name: process-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.entry_meta.source.registered_domain: + dashed_name: process-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.entry_meta.source.subdomain: + dashed_name: process-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. 
+ type: keyword +process.entry_meta.source.top_level_domain: + dashed_name: process-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.entry_meta.type: + dashed_name: process-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + short: The entry type for the entry session leader. + type: keyword +process.env_vars: + dashed_name: process-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.executable: + dashed_name: process-executable + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + flat_name: process.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + otel: + - attribute: process.executable.path + relation: equivalent + stability: development + short: Absolute path to the process executable. + type: keyword +process.exit_code: + dashed_name: process-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.exit_code + level: extended + name: exit_code + normalize: [] + short: The exit code of the process. + type: long +process.group.domain: + dashed_name: process-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.args: + dashed_name: process-group-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.group_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.group_leader.args_count: + dashed_name: process-group-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.group_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.group_leader.attested_groups.domain: + dashed_name: process-group-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.attested_groups.id: + dashed_name: process-group-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.attested_groups.name: + dashed_name: process-group-leader-attested-groups-name + description: Name of the group. + flat_name: process.group_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.group_leader.attested_user.domain: + dashed_name: process-group-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.group_leader.attested_user.email: + dashed_name: process-group-leader-attested-user-email + description: User email address. + flat_name: process.group_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.group_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.group_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.group_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.group_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.group_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.group_leader.attested_user.entity.id: + dashed_name: process-group-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
+ flat_name: process.group_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.group_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.group_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.group_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.group_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object +process.group_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.group_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.group_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.group_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.group_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.group_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.group_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.group_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.group_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.group_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.group_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. 
Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. 
Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.group_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.group_leader.attested_user.full_name: + dashed_name: process-group-leader-attested-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.group_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.group_leader.attested_user.group.domain: + dashed_name: process-group-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.attested_user.group.id: + dashed_name: process-group-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.attested_user.group.name: + dashed_name: process-group-leader-attested-user-group-name + description: Name of the group. + flat_name: process.group_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.attested_user.hash: + dashed_name: process-group-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.group_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.group_leader.attested_user.id: + dashed_name: process-group-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.group_leader.attested_user.name: + dashed_name: process-group-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.group_leader.attested_user.risk.calculated_level: + dashed_name: process-group-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.group_leader.attested_user.risk.calculated_score: + dashed_name: process-group-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.group_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.group_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-group-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.group_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.group_leader.attested_user.risk.static_level: + dashed_name: process-group-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.group_leader.attested_user.risk.static_score: + dashed_name: process-group-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.group_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.group_leader.attested_user.risk.static_score_norm: + dashed_name: process-group-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.group_leader.attested_user.roles: + dashed_name: process-group-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.group_leader.code_signature.digest_algorithm: + dashed_name: process-group-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.group_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. 
+ type: keyword +process.group_leader.code_signature.exists: + dashed_name: process-group-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.group_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.group_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.group_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.group_leader.code_signature.signing_id: + dashed_name: process-group-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.group_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.group_leader.code_signature.status: + dashed_name: process-group-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + flat_name: process.group_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.group_leader.code_signature.subject_name: + dashed_name: process-group-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.group_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.group_leader.code_signature.team_id: + dashed_name: process-group-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.group_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.group_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.group_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. 
+ type: keyword +process.group_leader.code_signature.timestamp: + dashed_name: process-group-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.group_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.group_leader.code_signature.trusted: + dashed_name: process-group-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.group_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.group_leader.code_signature.valid: + dashed_name: process-group-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.group_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.group_leader.command_line: + dashed_name: process-group-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.group_leader.command_line + level: extended + multi_fields: + - flat_name: process.group_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.group_leader.elf.architecture: + dashed_name: process-group-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.group_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.group_leader.elf.byte_order: + dashed_name: process-group-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.group_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.group_leader.elf.cpu_type: + dashed_name: process-group-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.group_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.group_leader.elf.creation_date: + dashed_name: process-group-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.group_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.group_leader.elf.exports: + dashed_name: process-group-leader-elf-exports + description: List of exported element names and types. 
+ flat_name: process.group_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.group_leader.elf.go_import_hash: + dashed_name: process-group-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.group_leader.elf.go_imports: + dashed_name: process-group-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.group_leader.elf.go_imports_names_entropy: + dashed_name: process-group-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. 
+ type: long +process.group_leader.elf.go_imports_names_var_entropy: + dashed_name: process-group-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.elf.go_stripped: + dashed_name: process-group-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.group_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.group_leader.elf.header.abi_version: + dashed_name: process-group-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.group_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.group_leader.elf.header.class: + dashed_name: process-group-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.group_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.group_leader.elf.header.data: + dashed_name: process-group-leader-elf-header-data + description: Data table of the ELF header. 
+ flat_name: process.group_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.group_leader.elf.header.entrypoint: + dashed_name: process-group-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.group_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.group_leader.elf.header.object_version: + dashed_name: process-group-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.group_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.group_leader.elf.header.os_abi: + dashed_name: process-group-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.group_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.group_leader.elf.header.type: + dashed_name: process-group-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.group_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.group_leader.elf.header.version: + dashed_name: process-group-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.group_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.group_leader.elf.import_hash: + dashed_name: process-group-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.group_leader.elf.imports: + dashed_name: process-group-leader-elf-imports + description: List of imported element names and types. + flat_name: process.group_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.group_leader.elf.imports_names_entropy: + dashed_name: process-group-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.group_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.group_leader.elf.imports_names_var_entropy: + dashed_name: process-group-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.group_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.group_leader.elf.sections: + dashed_name: process-group-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.group_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.group_leader.elf.sections.chi2: + dashed_name: process-group-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.group_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.group_leader.elf.sections.entropy: + dashed_name: process-group-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.group_leader.elf.sections.flags: + dashed_name: process-group-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.group_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. 
+ type: keyword +process.group_leader.elf.sections.name: + dashed_name: process-group-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.group_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.group_leader.elf.sections.physical_offset: + dashed_name: process-group-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.group_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.group_leader.elf.sections.physical_size: + dashed_name: process-group-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.group_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.group_leader.elf.sections.type: + dashed_name: process-group-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.group_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.group_leader.elf.sections.var_entropy: + dashed_name: process-group-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.group_leader.elf.sections.virtual_address: + dashed_name: process-group-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.group_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.group_leader.elf.sections.virtual_size: + dashed_name: process-group-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.group_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.group_leader.elf.segments: + dashed_name: process-group-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.group_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.group_leader.elf.segments.sections: + dashed_name: process-group-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.group_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.group_leader.elf.segments.type: + dashed_name: process-group-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.group_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword +process.group_leader.elf.shared_libraries: + dashed_name: process-group-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.group_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.group_leader.elf.telfhash: + dashed_name: process-group-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.group_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.group_leader.end: + dashed_name: process-group-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.group_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.group_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.group_leader.entity_id: + dashed_name: process-group-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.group_leader.entry_meta.source.address: + dashed_name: process-group-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.group_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.group_leader.entry_meta.source.as.number: + dashed_name: process-group-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.group_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.group_leader.entry_meta.source.as.organization.name: + dashed_name: process-group-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.group_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.group_leader.entry_meta.source.bytes: + dashed_name: process-group-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.group_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.group_leader.entry_meta.source.domain: + dashed_name: process-group-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.group_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.group_leader.entry_meta.source.geo.city_name: + dashed_name: process-group-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.group_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.group_leader.entry_meta.source.geo.continent_code: + dashed_name: process-group-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. 
+ example: NA + flat_name: process.group_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.group_leader.entry_meta.source.geo.continent_name: + dashed_name: process-group-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.group_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.group_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-group-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.group_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.group_leader.entry_meta.source.geo.country_name: + dashed_name: process-group-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.group_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.group_leader.entry_meta.source.geo.location: + dashed_name: process-group-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.group_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point +process.group_leader.entry_meta.source.geo.name: + dashed_name: process-group-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.group_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.group_leader.entry_meta.source.geo.postal_code: + dashed_name: process-group-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.group_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.group_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-group-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.group_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.group_leader.entry_meta.source.geo.region_name: + dashed_name: process-group-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.group_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword +process.group_leader.entry_meta.source.geo.timezone: + dashed_name: process-group-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.group_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.group_leader.entry_meta.source.ip: + dashed_name: process-group-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.group_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.group_leader.entry_meta.source.mac: + dashed_name: process-group-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.group_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.group_leader.entry_meta.source.nat.ip: + dashed_name: process-group-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.group_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.group_leader.entry_meta.source.nat.port: + dashed_name: process-group-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.group_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.group_leader.entry_meta.source.packets: + dashed_name: process-group-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.group_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.group_leader.entry_meta.source.port: + dashed_name: process-group-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.group_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.group_leader.entry_meta.source.registered_domain: + dashed_name: process-group-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.group_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.group_leader.entry_meta.source.subdomain: + dashed_name: process-group-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.group_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.group_leader.entry_meta.source.top_level_domain: + dashed_name: process-group-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + flat_name: process.group_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.group_leader.entry_meta.type: + dashed_name: process-group-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.group_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.group_leader.env_vars: + dashed_name: process-group-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.group_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.group_leader.executable: + dashed_name: process-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.group_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword +process.group_leader.exit_code: + dashed_name: process-group-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.group_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.group_leader.group.domain: + dashed_name: process-group-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.group.id: + dashed_name: process-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.group.name: + dashed_name: process-group-leader-group-name + description: Name of the group. + flat_name: process.group_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.group_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.group_leader.hash.md5: + dashed_name: process-group-leader-hash-md5 + description: MD5 hash. + flat_name: process.group_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.group_leader.hash.sha1: + dashed_name: process-group-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.group_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.group_leader.hash.sha256: + dashed_name: process-group-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.group_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.group_leader.hash.sha384: + dashed_name: process-group-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.group_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.group_leader.hash.sha512: + dashed_name: process-group-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.group_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.group_leader.hash.ssdeep: + dashed_name: process-group-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.group_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. 
+ type: keyword +process.group_leader.hash.tlsh: + dashed_name: process-group-leader-hash-tlsh + description: TLSH hash. + flat_name: process.group_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.group_leader.interactive: + dashed_name: process-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.group_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.group_leader.io: + dashed_name: process-group-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.group_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.group_leader.io.bytes_skipped: + dashed_name: process-group-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. 
+ flat_name: process.group_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.group_leader.io.bytes_skipped.length: + dashed_name: process-group-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.group_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.group_leader.io.bytes_skipped.offset: + dashed_name: process-group-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.group_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.group_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-group-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.group_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.group_leader.io.text: + dashed_name: process-group-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. 
TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.group_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.group_leader.io.total_bytes_captured: + dashed_name: process-group-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.group_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.group_leader.io.total_bytes_skipped: + dashed_name: process-group-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.group_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.group_leader.io.type: + dashed_name: process-group-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.group_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. 
+ type: keyword +process.group_leader.macho.go_import_hash: + dashed_name: process-group-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.group_leader.macho.go_imports: + dashed_name: process-group-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.group_leader.macho.go_imports_names_entropy: + dashed_name: process-group-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.macho.go_imports_names_var_entropy: + dashed_name: process-group-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.group_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.macho.go_stripped: + dashed_name: process-group-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.group_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.group_leader.macho.import_hash: + dashed_name: process-group-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.group_leader.macho.imports: + dashed_name: process-group-leader-macho-imports + description: List of imported element names and types. + flat_name: process.group_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.group_leader.macho.imports_names_entropy: + dashed_name: process-group-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.group_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.group_leader.macho.imports_names_var_entropy: + dashed_name: process-group-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.group_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.group_leader.macho.sections: + dashed_name: process-group-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.group_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.group_leader.macho.sections.entropy: + dashed_name: process-group-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.group_leader.macho.sections.name: + dashed_name: process-group-leader-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.group_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.group_leader.macho.sections.physical_size: + dashed_name: process-group-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.group_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.group_leader.macho.sections.var_entropy: + dashed_name: process-group-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.group_leader.macho.sections.virtual_size: + dashed_name: process-group-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.group_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.group_leader.macho.symhash: + dashed_name: process-group-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.group_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.group_leader.name: + dashed_name: process-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.group_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.group_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.group_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.group_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.group_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.group_leader.pe.architecture: + dashed_name: process-group-leader-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: process.group_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.group_leader.pe.company: + dashed_name: process-group-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.group_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.group_leader.pe.description: + dashed_name: process-group-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.group_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.group_leader.pe.file_version: + dashed_name: process-group-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.group_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.group_leader.pe.go_import_hash: + dashed_name: process-group-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.group_leader.pe.go_imports: + dashed_name: process-group-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.group_leader.pe.go_imports_names_entropy: + dashed_name: process-group-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.pe.go_imports_names_var_entropy: + dashed_name: process-group-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.group_leader.pe.go_stripped: + dashed_name: process-group-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.group_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.group_leader.pe.imphash: + dashed_name: process-group-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.group_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.group_leader.pe.import_hash: + dashed_name: process-group-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.group_leader.pe.imports: + dashed_name: process-group-leader-pe-imports + description: List of imported element names and types. + flat_name: process.group_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. 
+ type: flattened +process.group_leader.pe.imports_names_entropy: + dashed_name: process-group-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.group_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.group_leader.pe.imports_names_var_entropy: + dashed_name: process-group-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.group_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.group_leader.pe.original_file_name: + dashed_name: process-group-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.group_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.group_leader.pe.pehash: + dashed_name: process-group-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.group_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.group_leader.pe.product: + dashed_name: process-group-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.group_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.group_leader.pe.sections: + dashed_name: process-group-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.group_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.group_leader.pe.sections.entropy: + dashed_name: process-group-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.group_leader.pe.sections.name: + dashed_name: process-group-leader-pe-sections-name + description: PE Section List name. + flat_name: process.group_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword +process.group_leader.pe.sections.physical_size: + dashed_name: process-group-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.group_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.group_leader.pe.sections.var_entropy: + dashed_name: process-group-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.group_leader.pe.sections.virtual_size: + dashed_name: process-group-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.group_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.group_leader.pid: + dashed_name: process-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + otel: + - relation: match + stability: development + short: Process id. + type: long +process.group_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. 
+ flat_name: process.group_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.group_leader.real_group.domain: + dashed_name: process-group-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.real_group.id: + dashed_name: process-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.real_group.name: + dashed_name: process-group-leader-real-group-name + description: Name of the group. + flat_name: process.group_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.real_user.domain: + dashed_name: process-group-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.group_leader.real_user.email: + dashed_name: process-group-leader-real-user-email + description: User email address. 
+ flat_name: process.group_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.group_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.group_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.group_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.group_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.group_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.group_leader.real_user.entity.id: + dashed_name: process-group-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.group_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.group_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date +process.group_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.group_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.group_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.group_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.group_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. 
+ type: keyword +process.group_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.group_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.group_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.group_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.group_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.group_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.group_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-group-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.group_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.group_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.group_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.group_leader.real_user.full_name: + dashed_name: process-group-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.group_leader.real_user.group.domain: + dashed_name: process-group-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.real_user.group.id: + dashed_name: process-group-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.group_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.real_user.group.name: + dashed_name: process-group-leader-real-user-group-name + description: Name of the group. + flat_name: process.group_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.real_user.hash: + dashed_name: process-group-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.group_leader.real_user.id: + dashed_name: process-group-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.group_leader.real_user.name: + dashed_name: process-group-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.group_leader.real_user.risk.calculated_level: + dashed_name: process-group-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.group_leader.real_user.risk.calculated_score: + dashed_name: process-group-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.group_leader.real_user.risk.calculated_score_norm: + dashed_name: process-group-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.group_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.group_leader.real_user.risk.static_level: + dashed_name: process-group-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.group_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.group_leader.real_user.risk.static_score: + dashed_name: process-group-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.group_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.group_leader.real_user.risk.static_score_norm: + dashed_name: process-group-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.group_leader.real_user.roles: + dashed_name: process-group-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.group_leader.same_as_process: + dashed_name: process-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.group_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.group_leader.saved_group.domain: + dashed_name: process-group-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.group_leader.saved_group.id: + dashed_name: process-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.saved_group.name: + dashed_name: process-group-leader-saved-group-name + description: Name of the group. + flat_name: process.group_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.saved_user.domain: + dashed_name: process-group-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.group_leader.saved_user.email: + dashed_name: process-group-leader-saved-user-email + description: User email address. + flat_name: process.group_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.group_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. 
+ flat_name: process.group_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.group_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.group_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.group_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.group_leader.saved_user.entity.id: + dashed_name: process-group-leader-saved-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.group_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.group_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.group_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. 
+ type: object +process.group_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.group_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.group_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.group_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.group_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.group_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object +process.group_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.group_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.group_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.group_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.group_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.group_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.group_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: process.group_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.group_leader.saved_user.full_name: + dashed_name: process-group-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.group_leader.saved_user.group.domain: + dashed_name: process-group-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.saved_user.group.id: + dashed_name: process-group-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.saved_user.group.name: + dashed_name: process-group-leader-saved-user-group-name + description: Name of the group. + flat_name: process.group_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.group_leader.saved_user.hash: + dashed_name: process-group-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.group_leader.saved_user.id: + dashed_name: process-group-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.group_leader.saved_user.name: + dashed_name: process-group-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.group_leader.saved_user.risk.calculated_level: + dashed_name: process-group-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.group_leader.saved_user.risk.calculated_score: + dashed_name: process-group-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.group_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-group-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.group_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.group_leader.saved_user.risk.static_level: + dashed_name: process-group-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.group_leader.saved_user.risk.static_score: + dashed_name: process-group-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.group_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.group_leader.saved_user.risk.static_score_norm: + dashed_name: process-group-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.group_leader.saved_user.roles: + dashed_name: process-group-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.group_leader.start: + dashed_name: process-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.group_leader.supplemental_groups.domain: + dashed_name: process-group-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.group_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.supplemental_groups.id: + dashed_name: process-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.supplemental_groups.name: + dashed_name: process-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.group_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.thread.capabilities.effective: + dashed_name: process-group-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.group_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.group_leader.thread.capabilities.permitted: + dashed_name: process-group-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.group_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.group_leader.thread.id: + dashed_name: process-group-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.group_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.group_leader.thread.name: + dashed_name: process-group-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.group_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.group_leader.title: + dashed_name: process-group-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.group_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.group_leader.tty: + dashed_name: process-group-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.group_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. 
+ type: object +process.group_leader.tty.char_device.major: + dashed_name: process-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.group_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.group_leader.tty.char_device.minor: + dashed_name: process-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.group_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.group_leader.tty.columns: + dashed_name: process-group-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.group_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.group_leader.tty.rows: + dashed_name: process-group-leader-tty-rows + description: 'The number of character rows in the terminal. 
e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.group_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.group_leader.uptime: + dashed_name: process-group-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.group_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.group_leader.user.domain: + dashed_name: process-group-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.group_leader.user.email: + dashed_name: process-group-leader-user-email + description: User email address. + flat_name: process.group_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.group_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. 
+ flat_name: process.group_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.group_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.group_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.group_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.group_leader.user.entity.id: + dashed_name: process-group-leader-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.group_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.group_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.group_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. 
+ type: object +process.group_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.group_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.group_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.group_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.group_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.group_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.group_leader.user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-group-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.group_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.group_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.group_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.group_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.group_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. 
+ type: keyword +process.group_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.group_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. 
+ type: keyword +process.group_leader.user.full_name: + dashed_name: process-group-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.group_leader.user.group.domain: + dashed_name: process-group-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.group_leader.user.group.id: + dashed_name: process-group-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.group_leader.user.group.name: + dashed_name: process-group-leader-user-group-name + description: Name of the group. + flat_name: process.group_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.user.hash: + dashed_name: process-group-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.group_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.group_leader.user.id: + dashed_name: process-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.group_leader.user.name: + dashed_name: process-group-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.group_leader.user.risk.calculated_level: + dashed_name: process-group-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.group_leader.user.risk.calculated_score: + dashed_name: process-group-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.group_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.group_leader.user.risk.calculated_score_norm: + dashed_name: process-group-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.group_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.group_leader.user.risk.static_level: + dashed_name: process-group-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.group_leader.user.risk.static_score: + dashed_name: process-group-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.group_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float
+process.group_leader.user.risk.static_score_norm:
+ dashed_name: process-group-leader-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.group_leader.user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+process.group_leader.user.roles:
+ dashed_name: process-group-leader-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.group_leader.user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+process.group_leader.vpid:
+ dashed_name: process-group-leader-vpid
+ description: 'Virtual process id.
+
+ The process id within a pid namespace. This is not necessarily unique across all
+ processes on the host but it is unique within the process namespace that the process
+ exists within.'
+ example: 4242
+ flat_name: process.group_leader.vpid
+ format: string
+ level: core
+ name: vpid
+ normalize: []
+ original_fieldset: process
+ short: Virtual process id.
+ type: long
+process.group_leader.working_directory:
+ dashed_name: process-group-leader-working-directory
+ description: The working directory of the process.
+ example: /home/alice
+ flat_name: process.group_leader.working_directory
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.group_leader.working_directory.text
+ name: text
+ type: match_only_text
+ name: working_directory
+ normalize: []
+ original_fieldset: process
+ short: The working directory of the process.
+ type: keyword
+process.hash.cdhash:
+ beta: This field is beta and subject to change.
+ dashed_name: process-hash-cdhash
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ flat_name: process.hash.cdhash
+ ignore_above: 1024
+ level: extended
+ name: cdhash
+ normalize: []
+ original_fieldset: hash
+ short: The Code Directory (CD) hash of an executable.
+ type: keyword
+process.hash.md5:
+ dashed_name: process-hash-md5
+ description: MD5 hash.
+ flat_name: process.hash.md5
+ ignore_above: 1024
+ level: extended
+ name: md5
+ normalize: []
+ original_fieldset: hash
+ short: MD5 hash.
+ type: keyword
+process.hash.sha1:
+ dashed_name: process-hash-sha1
+ description: SHA1 hash.
+ flat_name: process.hash.sha1
+ ignore_above: 1024
+ level: extended
+ name: sha1
+ normalize: []
+ original_fieldset: hash
+ short: SHA1 hash.
+ type: keyword
+process.hash.sha256:
+ dashed_name: process-hash-sha256
+ description: SHA256 hash.
+ flat_name: process.hash.sha256
+ ignore_above: 1024
+ level: extended
+ name: sha256
+ normalize: []
+ original_fieldset: hash
+ short: SHA256 hash.
+ type: keyword
+process.hash.sha384:
+ dashed_name: process-hash-sha384
+ description: SHA384 hash.
+ flat_name: process.hash.sha384
+ ignore_above: 1024
+ level: extended
+ name: sha384
+ normalize: []
+ original_fieldset: hash
+ short: SHA384 hash.
+ type: keyword
+process.hash.sha512:
+ dashed_name: process-hash-sha512
+ description: SHA512 hash.
+ flat_name: process.hash.sha512
+ ignore_above: 1024
+ level: extended
+ name: sha512
+ normalize: []
+ original_fieldset: hash
+ short: SHA512 hash.
+ type: keyword
+process.hash.ssdeep:
+ dashed_name: process-hash-ssdeep
+ description: SSDEEP hash.
+ flat_name: process.hash.ssdeep
+ ignore_above: 1024
+ level: extended
+ name: ssdeep
+ normalize: []
+ original_fieldset: hash
+ short: SSDEEP hash.
+ type: keyword
+process.hash.tlsh:
+ dashed_name: process-hash-tlsh
+ description: TLSH hash.
+ flat_name: process.hash.tlsh
+ ignore_above: 1024
+ level: extended
+ name: tlsh
+ normalize: []
+ original_fieldset: hash
+ short: TLSH hash.
+ type: keyword
+process.interactive:
+ dashed_name: process-interactive
+ description: 'Whether the process is connected to an interactive shell.
+
+ Process interactivity is inferred from the processes file descriptors. If the
+ character device for the controlling tty is the same as stdin and stderr for the
+ process, the process is considered interactive.
+
+ Note: A non-interactive process can belong to an interactive session and is simply
+ one that does not have open file descriptors reading the controlling TTY on FD
+ 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process
+ is still considered interactive if stdin and stderr are connected to the controlling
+ TTY.'
+ example: true
+ flat_name: process.interactive
+ level: extended
+ name: interactive
+ normalize: []
+ otel:
+ - relation: match
+ stability: development
+ short: Whether the process is connected to an interactive shell.
+ type: boolean
+process.io:
+ dashed_name: process-io
+ description: 'A chunk of input or output (IO) from a single process.
+
+ This field only appears on the top level process object, which is the process
+ that wrote the output or read the input.'
+ flat_name: process.io
+ level: extended
+ name: io
+ normalize: []
+ short: A chunk of input or output (IO) from a single process.
+ type: object
+process.io.bytes_skipped:
+ dashed_name: process-io-bytes-skipped
+ description: An array of byte offsets and lengths denoting where IO data has been
+ skipped.
+ flat_name: process.io.bytes_skipped
+ level: extended
+ name: io.bytes_skipped
+ normalize:
+ - array
+ short: An array of byte offsets and lengths denoting where IO data has been skipped.
+ type: object
+process.io.bytes_skipped.length:
+ dashed_name: process-io-bytes-skipped-length
+ description: The length of bytes skipped.
+ flat_name: process.io.bytes_skipped.length
+ level: extended
+ name: io.bytes_skipped.length
+ normalize: []
+ short: The length of bytes skipped.
+ type: long
+process.io.bytes_skipped.offset:
+ dashed_name: process-io-bytes-skipped-offset
+ description: The byte offset into this event's io.text (or io.bytes in the future)
+ where length bytes were skipped.
+ flat_name: process.io.bytes_skipped.offset
+ level: extended
+ name: io.bytes_skipped.offset
+ normalize: []
+ short: The byte offset into this event's io.text (or io.bytes in the future) where
+ length bytes were skipped.
+ type: long
+process.io.max_bytes_per_process_exceeded:
+ dashed_name: process-io-max-bytes-per-process-exceeded
+ description: If true, the process producing the output has exceeded the max_kilobytes_per_process
+ configuration setting.
+ flat_name: process.io.max_bytes_per_process_exceeded
+ level: extended
+ name: io.max_bytes_per_process_exceeded
+ normalize: []
+ short: If true, the process producing the output has exceeded the max_kilobytes_per_process
+ configuration setting.
+ type: boolean
+process.io.text:
+ dashed_name: process-io-text
+ description: 'A chunk of output or input sanitized to UTF-8.
+
+ Best efforts are made to ensure complete lines are captured in these events. Assumptions
+ should NOT be made that multiple lines will appear in the same event. TTY output
+ may contain terminal control codes such as for cursor movement, so some string
+ queries may not match due to terminal codes inserted between characters of a word.'
+ flat_name: process.io.text
+ level: extended
+ name: io.text
+ normalize: []
+ short: A chunk of output or input sanitized to UTF-8.
+ type: wildcard
+process.io.total_bytes_captured:
+ dashed_name: process-io-total-bytes-captured
+ description: The total number of bytes captured in this event.
+ flat_name: process.io.total_bytes_captured
+ level: extended
+ name: io.total_bytes_captured
+ normalize: []
+ short: The total number of bytes captured in this event.
+ type: long
+process.io.total_bytes_skipped:
+ dashed_name: process-io-total-bytes-skipped
+ description: The total number of bytes that were not captured due to implementation
+ restrictions such as buffer size limits. Implementors should strive to ensure
+ this value is always zero
+ flat_name: process.io.total_bytes_skipped
+ level: extended
+ name: io.total_bytes_skipped
+ normalize: []
+ short: The total number of bytes that were not captured due to implementation restrictions
+ such as buffer size limits.
+ type: long
+process.io.type:
+ dashed_name: process-io-type
+ description: 'The type of object on which the IO action (read or write) was taken.
+
+ Currently only ''tty'' is supported. Other types may be added in the future for
+ ''file'' and ''socket'' support.'
+ flat_name: process.io.type
+ ignore_above: 1024
+ level: extended
+ name: io.type
+ normalize: []
+ short: The type of object on which the IO action (read or write) was taken.
+ type: keyword
+process.macho.go_import_hash:
+ dashed_name: process-macho-go-import-hash
+ description: 'A hash of the Go language imports in a Mach-O file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would change
+ more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ flat_name: process.macho.go_import_hash
+ ignore_above: 1024
+ level: extended
+ name: go_import_hash
+ normalize: []
+ original_fieldset: macho
+ short: A hash of the Go language imports in a Mach-O file.
+ type: keyword
+process.macho.go_imports:
+ dashed_name: process-macho-go-imports
+ description: List of imported Go language element names and types.
+ flat_name: process.macho.go_imports
+ level: extended
+ name: go_imports
+ normalize: []
+ original_fieldset: macho
+ short: List of imported Go language element names and types.
+ type: flattened
+process.macho.go_imports_names_entropy:
+ dashed_name: process-macho-go-imports-names-entropy
+ description: Shannon entropy calculation from the list of Go imports.
+ flat_name: process.macho.go_imports_names_entropy
+ format: number
+ level: extended
+ name: go_imports_names_entropy
+ normalize: []
+ original_fieldset: macho
+ short: Shannon entropy calculation from the list of Go imports.
+ type: long
+process.macho.go_imports_names_var_entropy:
+ dashed_name: process-macho-go-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ flat_name: process.macho.go_imports_names_var_entropy
+ format: number
+ level: extended
+ name: go_imports_names_var_entropy
+ normalize: []
+ original_fieldset: macho
+ short: Variance for Shannon entropy calculation from the list of Go imports.
+ type: long
+process.macho.go_stripped:
+ dashed_name: process-macho-go-stripped
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ flat_name: process.macho.go_stripped
+ level: extended
+ name: go_stripped
+ normalize: []
+ original_fieldset: macho
+ short: Whether the file is a stripped or obfuscated Go executable.
+ type: boolean
+process.macho.import_hash:
+ dashed_name: process-macho-import-hash
+ description: 'A hash of the imports in a Mach-O file. An import hash can be used
+ to fingerprint binaries even after recompilation or other code-level transformations
+ have occurred, which would change more traditional hash values.
+
+ This is a synonym for symhash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ flat_name: process.macho.import_hash
+ ignore_above: 1024
+ level: extended
+ name: import_hash
+ normalize: []
+ original_fieldset: macho
+ short: A hash of the imports in a Mach-O file.
+ type: keyword
+process.macho.imports:
+ dashed_name: process-macho-imports
+ description: List of imported element names and types.
+ flat_name: process.macho.imports
+ level: extended
+ name: imports
+ normalize:
+ - array
+ original_fieldset: macho
+ short: List of imported element names and types.
+ type: flattened
+process.macho.imports_names_entropy:
+ dashed_name: process-macho-imports-names-entropy
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ flat_name: process.macho.imports_names_entropy
+ format: number
+ level: extended
+ name: imports_names_entropy
+ normalize: []
+ original_fieldset: macho
+ short: Shannon entropy calculation from the list of imported element names and types.
+ type: long
+process.macho.imports_names_var_entropy:
+ dashed_name: process-macho-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ flat_name: process.macho.imports_names_var_entropy
+ format: number
+ level: extended
+ name: imports_names_var_entropy
+ normalize: []
+ original_fieldset: macho
+ short: Variance for Shannon entropy calculation from the list of imported element
+ names and types.
+ type: long
+process.macho.sections:
+ dashed_name: process-macho-sections
+ description: 'An array containing an object for each section of the Mach-O file.
+
+ The keys that should be present in these objects are defined by sub-fields underneath
+ `macho.sections.*`.'
+ flat_name: process.macho.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: macho
+ short: Section information of the Mach-O file.
+ type: nested
+process.macho.sections.entropy:
+ dashed_name: process-macho-sections-entropy
+ description: Shannon entropy calculation from the section.
+ flat_name: process.macho.sections.entropy
+ format: number
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: macho
+ short: Shannon entropy calculation from the section.
+ type: long
+process.macho.sections.name:
+ dashed_name: process-macho-sections-name
+ description: Mach-O Section List name.
+ flat_name: process.macho.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: macho
+ short: Mach-O Section List name.
+ type: keyword
+process.macho.sections.physical_size:
+ dashed_name: process-macho-sections-physical-size
+ description: Mach-O Section List physical size.
+ flat_name: process.macho.sections.physical_size
+ format: bytes
+ level: extended
+ name: sections.physical_size
+ normalize: []
+ original_fieldset: macho
+ short: Mach-O Section List physical size.
+ type: long
+process.macho.sections.var_entropy:
+ dashed_name: process-macho-sections-var-entropy
+ description: Variance for Shannon entropy calculation from the section.
+ flat_name: process.macho.sections.var_entropy
+ format: number
+ level: extended
+ name: sections.var_entropy
+ normalize: []
+ original_fieldset: macho
+ short: Variance for Shannon entropy calculation from the section.
+ type: long
+process.macho.sections.virtual_size:
+ dashed_name: process-macho-sections-virtual-size
+ description: Mach-O Section List virtual size. This is always the same as `physical_size`.
+ flat_name: process.macho.sections.virtual_size
+ format: string
+ level: extended
+ name: sections.virtual_size
+ normalize: []
+ original_fieldset: macho
+ short: Mach-O Section List virtual size. This is always the same as `physical_size`.
+ type: long
+process.macho.symhash:
+ dashed_name: process-macho-symhash
+ description: 'A hash of the imports in a Mach-O file. An import hash can be used
+ to fingerprint binaries even after recompilation or other code-level transformations
+ have occurred, which would change more traditional hash values.
+
+ This is a Mach-O implementation of the Windows PE imphash'
+ example: d3ccf195b62a9279c3c19af1080497ec
+ flat_name: process.macho.symhash
+ ignore_above: 1024
+ level: extended
+ name: symhash
+ normalize: []
+ original_fieldset: macho
+ short: A hash of the imports in a Mach-O file.
+ type: keyword
+process.name:
+ dashed_name: process-name
+ description: 'Process name.
+
+ Sometimes called program name or similar.'
+ example: ssh
+ flat_name: process.name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ short: Process name.
+ type: keyword
+process.origin_referrer_url:
+ beta: This field is beta and subject to change.
+ dashed_name: process-origin-referrer-url
+ description: The URL of the webpage that linked to the process's executable file.
+ example: http://example.com/article1.html
+ flat_name: process.origin_referrer_url
+ ignore_above: 8192
+ level: extended
+ name: origin_referrer_url
+ normalize: []
+ short: The URL of the webpage that linked to the process's executable file.
+ type: keyword
+process.origin_url:
+ beta: This field is beta and subject to change.
+ dashed_name: process-origin-url
+ description: The URL where the process's executable file is hosted.
+ example: http://example.com/files/example.exe
+ flat_name: process.origin_url
+ ignore_above: 8192
+ level: extended
+ name: origin_url
+ normalize: []
+ short: The URL where the process's executable file is hosted.
+ type: keyword
+process.parent.args:
+ dashed_name: process-parent-args
+ description: 'Array of process arguments, starting with the absolute path to the
+ executable.
+
+ May be filtered to protect sensitive information.'
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+ flat_name: process.parent.args
+ ignore_above: 1024
+ level: extended
+ name: args
+ normalize:
+ - array
+ original_fieldset: process
+ short: Array of process arguments.
+ type: keyword
+process.parent.args_count:
+ dashed_name: process-parent-args-count
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how many
+ arguments were provided to start a process. More arguments may be an indication
+ of suspicious activity.'
+ example: 4
+ flat_name: process.parent.args_count
+ level: extended
+ name: args_count
+ normalize: []
+ original_fieldset: process
+ short: Length of the process.args array.
+ type: long
+process.parent.attested_groups.domain:
+ dashed_name: process-parent-attested-groups-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.parent.attested_groups.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.parent.attested_groups.id:
+ dashed_name: process-parent-attested-groups-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.parent.attested_groups.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.parent.attested_groups.name:
+ dashed_name: process-parent-attested-groups-name
+ description: Name of the group.
+ flat_name: process.parent.attested_groups.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.parent.attested_user.domain:
+ dashed_name: process-parent-attested-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.parent.attested_user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+process.parent.attested_user.email:
+ dashed_name: process-parent-attested-user-email
+ description: User email address.
+ flat_name: process.parent.attested_user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+process.parent.attested_user.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: process.parent.attested_user.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+process.parent.attested_user.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: process.parent.attested_user.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+process.parent.attested_user.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: process.parent.attested_user.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.parent.attested_user.entity.display_name.text
+ name: text
+ norms: false
+ type: text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+process.parent.attested_user.entity.id:
+ dashed_name: process-parent-attested-user-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: process.parent.attested_user.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+process.parent.attested_user.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: process.parent.attested_user.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+process.parent.attested_user.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: process.parent.attested_user.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+process.parent.attested_user.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: process.parent.attested_user.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+process.parent.attested_user.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: process.parent.attested_user.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.parent.attested_user.entity.name.text
+ name: text
+ norms: false
+ type: text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+process.parent.attested_user.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: process.parent.attested_user.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+process.parent.attested_user.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: process.parent.attested_user.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+process.parent.attested_user.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: process.parent.attested_user.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+process.parent.attested_user.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: process.parent.attested_user.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+process.parent.attested_user.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: process.parent.attested_user.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+process.parent.attested_user.full_name:
+ dashed_name: process-parent-attested-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.parent.attested_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.parent.attested_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+process.parent.attested_user.group.domain:
+ dashed_name: process-parent-attested-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.attested_user.group.id: + dashed_name: process-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.attested_user.group.name: + dashed_name: process-parent-attested-user-group-name + description: Name of the group. + flat_name: process.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.attested_user.hash: + dashed_name: process-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.attested_user.id: + dashed_name: process-parent-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.attested_user.name: + dashed_name: process-parent-attested-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.attested_user.risk.calculated_level: + dashed_name: process-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.attested_user.risk.calculated_score: + dashed_name: process-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: process.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.attested_user.risk.static_level: + dashed_name: process-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.attested_user.risk.static_score: + dashed_name: process-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.attested_user.risk.static_score_norm: + dashed_name: process-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float +process.parent.attested_user.roles: + dashed_name: process-parent-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.code_signature.digest_algorithm: + dashed_name: process-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. 
+ + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.parent.code_signature.status: + dashed_name: process-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. 
+ type: keyword +process.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.parent.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.parent.code_signature.timestamp: + dashed_name: process-parent-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.parent.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: process.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.parent.command_line: + dashed_name: process-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.parent.command_line + level: extended + multi_fields: + - flat_name: process.parent.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.parent.elf.architecture: + dashed_name: process-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.parent.elf.byte_order: + dashed_name: process-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.parent.elf.cpu_type: + dashed_name: process-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. 
+ type: keyword +process.parent.elf.creation_date: + dashed_name: process-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.parent.elf.exports: + dashed_name: process-parent-elf-exports + description: List of exported element names and types. + flat_name: process.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.parent.elf.go_import_hash: + dashed_name: process-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.parent.elf.go_imports: + dashed_name: process-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. 
+ type: flattened +process.parent.elf.go_imports_names_entropy: + dashed_name: process-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.elf.go_imports_names_var_entropy: + dashed_name: process-parent-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.elf.go_stripped: + dashed_name: process-parent-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.elf.header.abi_version: + dashed_name: process-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.parent.elf.header.class: + dashed_name: process-parent-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.parent.elf.header.data: + dashed_name: process-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.parent.elf.header.entrypoint: + dashed_name: process-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.parent.elf.header.object_version: + dashed_name: process-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.parent.elf.header.os_abi: + dashed_name: process-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.parent.elf.header.type: + dashed_name: process-parent-elf-header-type + description: Header type of the ELF file. + flat_name: process.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. 
+ type: keyword +process.parent.elf.header.version: + dashed_name: process-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.parent.elf.import_hash: + dashed_name: process-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.parent.elf.imports: + dashed_name: process-parent-elf-imports + description: List of imported element names and types. + flat_name: process.parent.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.parent.elf.imports_names_entropy: + dashed_name: process-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.elf.imports_names_var_entropy: + dashed_name: process-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.elf.sections: + dashed_name: process-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.parent.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.parent.elf.sections.chi2: + dashed_name: process-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.parent.elf.sections.entropy: + dashed_name: process-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.parent.elf.sections.flags: + dashed_name: process-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.parent.elf.sections.name: + dashed_name: process-parent-elf-sections-name + description: ELF Section List name. 
+ flat_name: process.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.parent.elf.sections.physical_offset: + dashed_name: process-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.parent.elf.sections.physical_size: + dashed_name: process-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.parent.elf.sections.type: + dashed_name: process-parent-elf-sections-type + description: ELF Section List type. + flat_name: process.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.parent.elf.sections.var_entropy: + dashed_name: process-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.elf.sections.virtual_address: + dashed_name: process-parent-elf-sections-virtual-address + description: ELF Section List virtual address. 
+ flat_name: process.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.parent.elf.sections.virtual_size: + dashed_name: process-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.parent.elf.segments: + dashed_name: process-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.parent.elf.segments.sections: + dashed_name: process-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.parent.elf.segments.type: + dashed_name: process-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.parent.elf.shared_libraries: + dashed_name: process-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: process.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.parent.elf.telfhash: + dashed_name: process-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.parent.end: + dashed_name: process-parent-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.parent.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.parent.entity_id: + dashed_name: process-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' 
+ example: c2c455d9f99375d + flat_name: process.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.parent.entry_meta.source.address: + dashed_name: process-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.parent.entry_meta.source.as.number: + dashed_name: process-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.parent.entry_meta.source.as.organization.name: + dashed_name: process-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.parent.entry_meta.source.bytes: + dashed_name: process-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. 
+ example: 184 + flat_name: process.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.parent.entry_meta.source.domain: + dashed_name: process-parent-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.parent.entry_meta.source.geo.city_name: + dashed_name: process-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.parent.entry_meta.source.geo.continent_code: + dashed_name: process-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.parent.entry_meta.source.geo.continent_name: + dashed_name: process-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. 
+ type: keyword +process.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.parent.entry_meta.source.geo.country_name: + dashed_name: process-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.parent.entry_meta.source.geo.location: + dashed_name: process-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.parent.entry_meta.source.geo.name: + dashed_name: process-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.parent.entry_meta.source.geo.postal_code: + dashed_name: process-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.parent.entry_meta.source.geo.region_name: + dashed_name: process-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.parent.entry_meta.source.geo.timezone: + dashed_name: process-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.parent.entry_meta.source.ip: + dashed_name: process-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.parent.entry_meta.source.mac: + dashed_name: process-parent-entry-meta-source-mac + description: 'MAC address of the source. 
+ + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.parent.entry_meta.source.nat.ip: + dashed_name: process-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.parent.entry_meta.source.nat.port: + dashed_name: process-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.parent.entry_meta.source.packets: + dashed_name: process-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.parent.entry_meta.source.port: + dashed_name: process-parent-entry-meta-source-port + description: Port of the source. 
+ flat_name: process.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.parent.entry_meta.source.registered_domain: + dashed_name: process-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.parent.entry_meta.source.subdomain: + dashed_name: process-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. 
+ type: keyword +process.parent.entry_meta.source.top_level_domain: + dashed_name: process-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.parent.entry_meta.type: + dashed_name: process-parent-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.parent.env_vars: + dashed_name: process-parent-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. 
+ synthetic_source_keep: none + type: keyword +process.parent.executable: + dashed_name: process-parent-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.parent.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.parent.exit_code: + dashed_name: process-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.parent.group.domain: + dashed_name: process-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group.id: + dashed_name: process-parent-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group.name: + dashed_name: process-parent-group-name + description: Name of the group. + flat_name: process.parent.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.parent.group_leader.args: + dashed_name: process-parent-group-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.parent.group_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.parent.group_leader.args_count: + dashed_name: process-parent-group-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.parent.group_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.parent.group_leader.attested_groups.domain: + dashed_name: process-parent-group-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.attested_groups.id: + dashed_name: process-parent-group-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.parent.group_leader.attested_groups.name: + dashed_name: process-parent-group-leader-attested-groups-name + description: Name of the group. + flat_name: process.parent.group_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.attested_user.domain: + dashed_name: process-parent-group-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.group_leader.attested_user.email: + dashed_name: process-parent-group-leader-attested-user-email + description: User email address. + flat_name: process.parent.group_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.group_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.parent.group_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. 
+ type: object +process.parent.group_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.parent.group_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.parent.group_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.group_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.parent.group_leader.attested_user.entity.id: + dashed_name: process-parent-group-leader-attested-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.parent.group_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.parent.group_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.parent.group_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.parent.group_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.parent.group_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.parent.group_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.parent.group_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.parent.group_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.parent.group_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.parent.group_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: process.parent.group_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.parent.group_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.group_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.parent.group_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.parent.group_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.parent.group_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.group_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.parent.group_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.parent.group_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.parent.group_leader.attested_user.full_name: + dashed_name: process-parent-group-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.group_leader.attested_user.group.domain: + dashed_name: process-parent-group-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.attested_user.group.id: + dashed_name: process-parent-group-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.parent.group_leader.attested_user.group.name: + dashed_name: process-parent-group-leader-attested-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.attested_user.hash: + dashed_name: process-parent-group-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.group_leader.attested_user.id: + dashed_name: process-parent-group-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.group_leader.attested_user.name: + dashed_name: process-parent-group-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.parent.group_leader.attested_user.risk.calculated_level: + dashed_name: process-parent-group-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.group_leader.attested_user.risk.calculated_score: + dashed_name: process-parent-group-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.group_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.group_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.parent.group_leader.attested_user.risk.static_level: + dashed_name: process-parent-group-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.group_leader.attested_user.risk.static_score: + dashed_name: process-parent-group-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.group_leader.attested_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.group_leader.attested_user.roles: + dashed_name: process-parent-group-leader-attested-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.code_signature.digest_algorithm: + dashed_name: process-parent-group-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.parent.group_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.parent.group_leader.code_signature.exists: + dashed_name: process-parent-group-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.parent.group_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.parent.group_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.group_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.parent.group_leader.code_signature.signing_id: + dashed_name: process-parent-group-leader-code-signature-signing-id + description: 'The identifier used to sign the process. 
+ + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.group_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.parent.group_leader.code_signature.status: + dashed_name: process-parent-group-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.group_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.parent.group_leader.code_signature.subject_name: + dashed_name: process-parent-group-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.group_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.parent.group_leader.code_signature.team_id: + dashed_name: process-parent-group-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV + flat_name: process.parent.group_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.parent.group_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.parent.group_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.parent.group_leader.code_signature.timestamp: + dashed_name: process-parent-group-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.parent.group_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.parent.group_leader.code_signature.trusted: + dashed_name: process-parent-group-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.group_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. 
+ type: boolean +process.parent.group_leader.code_signature.valid: + dashed_name: process-parent-group-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.parent.group_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.parent.group_leader.command_line: + dashed_name: process-parent-group-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.parent.group_leader.command_line + level: extended + multi_fields: + - flat_name: process.parent.group_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.parent.group_leader.elf.architecture: + dashed_name: process-parent-group-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.group_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.parent.group_leader.elf.byte_order: + dashed_name: process-parent-group-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.parent.group_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. 
+ type: keyword +process.parent.group_leader.elf.cpu_type: + dashed_name: process-parent-group-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.group_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.parent.group_leader.elf.creation_date: + dashed_name: process-parent-group-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.parent.group_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.parent.group_leader.elf.exports: + dashed_name: process-parent-group-leader-elf-exports + description: List of exported element names and types. + flat_name: process.parent.group_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.parent.group_leader.elf.go_import_hash: + dashed_name: process-parent-group-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. 
+ type: keyword +process.parent.group_leader.elf.go_imports: + dashed_name: process-parent-group-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.parent.group_leader.elf.go_imports_names_entropy: + dashed_name: process-parent-group-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.group_leader.elf.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.group_leader.elf.go_stripped: + dashed_name: process-parent-group-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. 
+ type: boolean +process.parent.group_leader.elf.header.abi_version: + dashed_name: process-parent-group-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.parent.group_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.parent.group_leader.elf.header.class: + dashed_name: process-parent-group-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.parent.group_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.parent.group_leader.elf.header.data: + dashed_name: process-parent-group-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.group_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.parent.group_leader.elf.header.entrypoint: + dashed_name: process-parent-group-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.group_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.parent.group_leader.elf.header.object_version: + dashed_name: process-parent-group-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.group_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' 
+ type: keyword +process.parent.group_leader.elf.header.os_abi: + dashed_name: process-parent-group-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.parent.group_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.parent.group_leader.elf.header.type: + dashed_name: process-parent-group-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.parent.group_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.parent.group_leader.elf.header.version: + dashed_name: process-parent-group-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.group_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.parent.group_leader.elf.import_hash: + dashed_name: process-parent-group-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.parent.group_leader.elf.imports: + dashed_name: process-parent-group-leader-elf-imports + description: List of imported element names and types. 
+ flat_name: process.parent.group_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.parent.group_leader.elf.imports_names_entropy: + dashed_name: process-parent-group-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.group_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.group_leader.elf.imports_names_var_entropy: + dashed_name: process-parent-group-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.group_leader.elf.sections: + dashed_name: process-parent-group-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.parent.group_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.parent.group_leader.elf.sections.chi2: + dashed_name: process-parent-group-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. 
+ flat_name: process.parent.group_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.parent.group_leader.elf.sections.entropy: + dashed_name: process-parent-group-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.parent.group_leader.elf.sections.flags: + dashed_name: process-parent-group-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.group_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.parent.group_leader.elf.sections.name: + dashed_name: process-parent-group-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.parent.group_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.parent.group_leader.elf.sections.physical_offset: + dashed_name: process-parent-group-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.group_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.parent.group_leader.elf.sections.physical_size: + dashed_name: process-parent-group-leader-elf-sections-physical-size + description: ELF Section List physical size. 
+ flat_name: process.parent.group_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.parent.group_leader.elf.sections.type: + dashed_name: process-parent-group-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.parent.group_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.parent.group_leader.elf.sections.var_entropy: + dashed_name: process-parent-group-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.group_leader.elf.sections.virtual_address: + dashed_name: process-parent-group-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.parent.group_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.parent.group_leader.elf.sections.virtual_size: + dashed_name: process-parent-group-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.group_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. 
+ type: long +process.parent.group_leader.elf.segments: + dashed_name: process-parent-group-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.parent.group_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.parent.group_leader.elf.segments.sections: + dashed_name: process-parent-group-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.group_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.parent.group_leader.elf.segments.type: + dashed_name: process-parent-group-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.parent.group_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.parent.group_leader.elf.shared_libraries: + dashed_name: process-parent-group-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.parent.group_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.parent.group_leader.elf.telfhash: + dashed_name: process-parent-group-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.parent.group_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. 
+ type: keyword +process.parent.group_leader.end: + dashed_name: process-parent-group-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.parent.group_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.parent.group_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.parent.group_leader.entity_id: + dashed_name: process-parent-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.parent.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.parent.group_leader.entry_meta.source.address: + dashed_name: process-parent-group-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. 
You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.parent.group_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.parent.group_leader.entry_meta.source.as.number: + dashed_name: process-parent-group-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.parent.group_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.parent.group_leader.entry_meta.source.as.organization.name: + dashed_name: process-parent-group-leader-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.parent.group_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.parent.group_leader.entry_meta.source.bytes: + dashed_name: process-parent-group-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.parent.group_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. 
+ type: long +process.parent.group_leader.entry_meta.source.domain: + dashed_name: process-parent-group-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.parent.group_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.parent.group_leader.entry_meta.source.geo.city_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.parent.group_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.parent.group_leader.entry_meta.source.geo.continent_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.parent.group_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.parent.group_leader.entry_meta.source.geo.continent_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.parent.group_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. 
+ type: keyword +process.parent.group_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.parent.group_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.parent.group_leader.entry_meta.source.geo.country_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.parent.group_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.parent.group_leader.entry_meta.source.geo.location: + dashed_name: process-parent-group-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.parent.group_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.parent.group_leader.entry_meta.source.geo.name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.parent.group_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. 
+ type: keyword +process.parent.group_leader.entry_meta.source.geo.postal_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.parent.group_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.parent.group_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.parent.group_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.parent.group_leader.entry_meta.source.geo.region_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.parent.group_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.parent.group_leader.entry_meta.source.geo.timezone: + dashed_name: process-parent-group-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.parent.group_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. 
+ type: keyword +process.parent.group_leader.entry_meta.source.ip: + dashed_name: process-parent-group-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.parent.group_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.parent.group_leader.entry_meta.source.mac: + dashed_name: process-parent-group-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.parent.group_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.parent.group_leader.entry_meta.source.nat.ip: + dashed_name: process-parent-group-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.parent.group_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.parent.group_leader.entry_meta.source.nat.port: + dashed_name: process-parent-group-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.parent.group_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.parent.group_leader.entry_meta.source.packets: + dashed_name: process-parent-group-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.parent.group_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.parent.group_leader.entry_meta.source.port: + dashed_name: process-parent-group-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.parent.group_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.parent.group_leader.entry_meta.source.registered_domain: + dashed_name: process-parent-group-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.parent.group_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. 
+ type: keyword +process.parent.group_leader.entry_meta.source.subdomain: + dashed_name: process-parent-group-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.parent.group_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.parent.group_leader.entry_meta.source.top_level_domain: + dashed_name: process-parent-group-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.parent.group_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.parent.group_leader.entry_meta.type: + dashed_name: process-parent-group-leader-entry-meta-type + description: 'The entry type for the entry session leader. 
Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.parent.group_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.parent.group_leader.env_vars: + dashed_name: process-parent-group-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.parent.group_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.executable: + dashed_name: process-parent-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.parent.group_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.parent.group_leader.exit_code: + dashed_name: process-parent-group-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.parent.group_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. 
+ type: long +process.parent.group_leader.group.domain: + dashed_name: process-parent-group-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.group.id: + dashed_name: process-parent-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.group.name: + dashed_name: process-parent-group-leader-group-name + description: Name of the group. + flat_name: process.parent.group_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.group_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.parent.group_leader.hash.md5: + dashed_name: process-parent-group-leader-hash-md5 + description: MD5 hash. + flat_name: process.parent.group_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. 
+ type: keyword +process.parent.group_leader.hash.sha1: + dashed_name: process-parent-group-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.parent.group_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.parent.group_leader.hash.sha256: + dashed_name: process-parent-group-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.parent.group_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.parent.group_leader.hash.sha384: + dashed_name: process-parent-group-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.parent.group_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.parent.group_leader.hash.sha512: + dashed_name: process-parent-group-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.parent.group_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.parent.group_leader.hash.ssdeep: + dashed_name: process-parent-group-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.group_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.parent.group_leader.hash.tlsh: + dashed_name: process-parent-group-leader-hash-tlsh + description: TLSH hash. + flat_name: process.parent.group_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. 
+ type: keyword +process.parent.group_leader.interactive: + dashed_name: process-parent-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.parent.group_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.parent.group_leader.io: + dashed_name: process-parent-group-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.parent.group_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.parent.group_leader.io.bytes_skipped: + dashed_name: process-parent-group-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.parent.group_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. 
+ type: object +process.parent.group_leader.io.bytes_skipped.length: + dashed_name: process-parent-group-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.parent.group_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.parent.group_leader.io.bytes_skipped.offset: + dashed_name: process-parent-group-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.parent.group_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.parent.group_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-parent-group-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.parent.group_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.parent.group_leader.io.text: + dashed_name: process-parent-group-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' 
+ flat_name: process.parent.group_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.parent.group_leader.io.total_bytes_captured: + dashed_name: process-parent-group-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.parent.group_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.parent.group_leader.io.total_bytes_skipped: + dashed_name: process-parent-group-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.parent.group_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.parent.group_leader.io.type: + dashed_name: process-parent-group-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.parent.group_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.parent.group_leader.macho.go_import_hash: + dashed_name: process-parent-group-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.parent.group_leader.macho.go_imports: + dashed_name: process-parent-group-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.parent.group_leader.macho.go_imports_names_entropy: + dashed_name: process-parent-group-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.group_leader.macho.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.parent.group_leader.macho.go_stripped: + dashed_name: process-parent-group-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.group_leader.macho.import_hash: + dashed_name: process-parent-group-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.parent.group_leader.macho.imports: + dashed_name: process-parent-group-leader-macho-imports + description: List of imported element names and types. + flat_name: process.parent.group_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.parent.group_leader.macho.imports_names_entropy: + dashed_name: process-parent-group-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.parent.group_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.group_leader.macho.imports_names_var_entropy: + dashed_name: process-parent-group-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.group_leader.macho.sections: + dashed_name: process-parent-group-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.parent.group_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.parent.group_leader.macho.sections.entropy: + dashed_name: process-parent-group-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.parent.group_leader.macho.sections.name: + dashed_name: process-parent-group-leader-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.parent.group_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.parent.group_leader.macho.sections.physical_size: + dashed_name: process-parent-group-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.parent.group_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.parent.group_leader.macho.sections.var_entropy: + dashed_name: process-parent-group-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.group_leader.macho.sections.virtual_size: + dashed_name: process-parent-group-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.group_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.group_leader.macho.symhash: + dashed_name: process-parent-group-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.group_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.parent.group_leader.name: + dashed_name: process-parent-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.parent.group_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.parent.group_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.parent.group_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.parent.group_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.parent.group_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword +process.parent.group_leader.pe.architecture: + dashed_name: process-parent-group-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.parent.group_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.parent.group_leader.pe.company: + dashed_name: process-parent-group-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.parent.group_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.parent.group_leader.pe.description: + dashed_name: process-parent-group-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.parent.group_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.parent.group_leader.pe.file_version: + dashed_name: process-parent-group-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.parent.group_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.parent.group_leader.pe.go_import_hash: + dashed_name: process-parent-group-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.parent.group_leader.pe.go_imports: + dashed_name: process-parent-group-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.parent.group_leader.pe.go_imports_names_entropy: + dashed_name: process-parent-group-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.group_leader.pe.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.parent.group_leader.pe.go_stripped: + dashed_name: process-parent-group-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.group_leader.pe.imphash: + dashed_name: process-parent-group-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.group_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.parent.group_leader.pe.import_hash: + dashed_name: process-parent-group-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.parent.group_leader.pe.imports: + dashed_name: process-parent-group-leader-pe-imports + description: List of imported element names and types. 
+ flat_name: process.parent.group_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.parent.group_leader.pe.imports_names_entropy: + dashed_name: process-parent-group-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.group_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.group_leader.pe.imports_names_var_entropy: + dashed_name: process-parent-group-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.group_leader.pe.original_file_name: + dashed_name: process-parent-group-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.parent.group_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.parent.group_leader.pe.pehash: + dashed_name: process-parent-group-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. 
+ + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.parent.group_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.parent.group_leader.pe.product: + dashed_name: process-parent-group-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.parent.group_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.parent.group_leader.pe.sections: + dashed_name: process-parent-group-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.parent.group_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.parent.group_leader.pe.sections.entropy: + dashed_name: process-parent-group-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.parent.group_leader.pe.sections.name: + dashed_name: process-parent-group-leader-pe-sections-name + description: PE Section List name. 
+ flat_name: process.parent.group_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.parent.group_leader.pe.sections.physical_size: + dashed_name: process-parent-group-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.group_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.parent.group_leader.pe.sections.var_entropy: + dashed_name: process-parent-group-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.group_leader.pe.sections.virtual_size: + dashed_name: process-parent-group-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.group_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.group_leader.pid: + dashed_name: process-parent-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.parent.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.parent.group_leader.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.parent.group_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.parent.group_leader.real_group.domain: + dashed_name: process-parent-group-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.real_group.id: + dashed_name: process-parent-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.real_group.name: + dashed_name: process-parent-group-leader-real-group-name + description: Name of the group. + flat_name: process.parent.group_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.real_user.domain: + dashed_name: process-parent-group-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.group_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.group_leader.real_user.email: + dashed_name: process-parent-group-leader-real-user-email + description: User email address. + flat_name: process.parent.group_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.group_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.parent.group_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.parent.group_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.parent.group_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.parent.group_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.group_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.parent.group_leader.real_user.entity.id: + dashed_name: process-parent-group-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.parent.group_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword +process.parent.group_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.parent.group_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.parent.group_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.parent.group_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.parent.group_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.parent.group_leader.real_user.entity.name: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.parent.group_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.parent.group_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.parent.group_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.parent.group_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.group_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. 
+ type: keyword +process.parent.group_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.parent.group_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.parent.group_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.group_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.parent.group_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. 
This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.parent.group_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.parent.group_leader.real_user.full_name: + dashed_name: process-parent-group-leader-real-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.parent.group_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.group_leader.real_user.group.domain: + dashed_name: process-parent-group-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.real_user.group.id: + dashed_name: process-parent-group-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.real_user.group.name: + dashed_name: process-parent-group-leader-real-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.real_user.hash: + dashed_name: process-parent-group-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.parent.group_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.group_leader.real_user.id: + dashed_name: process-parent-group-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.group_leader.real_user.name: + dashed_name: process-parent-group-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.group_leader.real_user.risk.calculated_level: + dashed_name: process-parent-group-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.parent.group_leader.real_user.risk.calculated_score: + dashed_name: process-parent-group-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.group_leader.real_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.group_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.group_leader.real_user.risk.static_level: + dashed_name: process-parent-group-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +process.parent.group_leader.real_user.risk.static_score: + dashed_name: process-parent-group-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.group_leader.real_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.group_leader.real_user.roles: + dashed_name: process-parent-group-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.same_as_process: + dashed_name: process-parent-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. 
Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.parent.group_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.parent.group_leader.saved_group.domain: + dashed_name: process-parent-group-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.saved_group.id: + dashed_name: process-parent-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.parent.group_leader.saved_group.name: + dashed_name: process-parent-group-leader-saved-group-name + description: Name of the group. + flat_name: process.parent.group_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.saved_user.domain: + dashed_name: process-parent-group-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.group_leader.saved_user.email: + dashed_name: process-parent-group-leader-saved-user-email + description: User email address. + flat_name: process.parent.group_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.group_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.parent.group_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. 
+ type: object +process.parent.group_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.parent.group_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.parent.group_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.group_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.parent.group_leader.saved_user.entity.id: + dashed_name: process-parent-group-leader-saved-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.parent.group_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.parent.group_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.parent.group_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.parent.group_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. 
+ type: object +process.parent.group_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.parent.group_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.parent.group_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.parent.group_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.parent.group_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.parent.group_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object +process.parent.group_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.group_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.parent.group_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.parent.group_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.parent.group_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.parent.group_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.parent.group_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.parent.group_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.parent.group_leader.saved_user.full_name: + dashed_name: process-parent-group-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.group_leader.saved_user.group.domain: + dashed_name: process-parent-group-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.saved_user.group.id: + dashed_name: process-parent-group-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.saved_user.group.name: + dashed_name: process-parent-group-leader-saved-user-group-name + description: Name of the group. 
+ flat_name: process.parent.group_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.saved_user.hash: + dashed_name: process-parent-group-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.group_leader.saved_user.id: + dashed_name: process-parent-group-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.group_leader.saved_user.name: + dashed_name: process-parent-group-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.group_leader.saved_user.risk.calculated_level: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.parent.group_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.group_leader.saved_user.risk.calculated_score: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.group_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.group_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.group_leader.saved_user.risk.static_level: + dashed_name: process-parent-group-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.parent.group_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.group_leader.saved_user.risk.static_score: + dashed_name: process-parent-group-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.group_leader.saved_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.group_leader.saved_user.roles: + dashed_name: process-parent-group-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.parent.group_leader.start: + dashed_name: process-parent-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.parent.group_leader.supplemental_groups.domain: + dashed_name: process-parent-group-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.group_leader.supplemental_groups.id: + dashed_name: process-parent-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.supplemental_groups.name: + dashed_name: process-parent-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.parent.group_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.thread.capabilities.effective: + dashed_name: process-parent-group-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.group_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.thread.capabilities.permitted: + dashed_name: process-parent-group-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.group_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.thread.id: + dashed_name: process-parent-group-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.group_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.parent.group_leader.thread.name: + dashed_name: process-parent-group-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.group_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.parent.group_leader.title: + dashed_name: process-parent-group-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' 
+ flat_name: process.parent.group_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.parent.group_leader.tty: + dashed_name: process-parent-group-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.parent.group_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.parent.group_leader.tty.char_device.major: + dashed_name: process-parent-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.parent.group_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.parent.group_leader.tty.char_device.minor: + dashed_name: process-parent-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.parent.group_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. 
+ type: long +process.parent.group_leader.tty.columns: + dashed_name: process-parent-group-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.parent.group_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.parent.group_leader.tty.rows: + dashed_name: process-parent-group-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.parent.group_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.parent.group_leader.uptime: + dashed_name: process-parent-group-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.parent.group_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.parent.group_leader.user.domain: + dashed_name: process-parent-group-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword +process.parent.group_leader.user.email: + dashed_name: process-parent-group-leader-user-email + description: User email address. + flat_name: process.parent.group_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.group_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.parent.group_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.parent.group_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.parent.group_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.parent.group_leader.user.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.group_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.parent.group_leader.user.entity.id: + dashed_name: process-parent-group-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.parent.group_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.parent.group_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. 
+ flat_name: process.parent.group_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.parent.group_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.parent.group_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.parent.group_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.parent.group_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.parent.group_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.parent.group_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.parent.group_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.parent.group_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.group_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.parent.group_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). 
+ flat_name: process.parent.group_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.parent.group_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.group_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.parent.group_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. 
+ Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. 
Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.parent.group_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.parent.group_leader.user.full_name: + dashed_name: process-parent-group-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.group_leader.user.group.domain: + dashed_name: process-parent-group-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.parent.group_leader.user.group.id: + dashed_name: process-parent-group-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.group_leader.user.group.name: + dashed_name: process-parent-group-leader-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.group_leader.user.hash: + dashed_name: process-parent-group-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.group_leader.user.id: + dashed_name: process-parent-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.group_leader.user.name: + dashed_name: process-parent-group-leader-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.parent.group_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.group_leader.user.risk.calculated_level: + dashed_name: process-parent-group-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.group_leader.user.risk.calculated_score: + dashed_name: process-parent-group-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.group_leader.user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: process.parent.group_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.group_leader.user.risk.static_level: + dashed_name: process-parent-group-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.group_leader.user.risk.static_score: + dashed_name: process-parent-group-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.group_leader.user.risk.static_score_norm: + dashed_name: process-parent-group-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float +process.parent.group_leader.user.roles: + dashed_name: process-parent-group-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.parent.group_leader.working_directory: + dashed_name: process-parent-group-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.parent.group_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. 
+ type: keyword +process.parent.hash.md5: + dashed_name: process-parent-hash-md5 + description: MD5 hash. + flat_name: process.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.parent.hash.sha1: + dashed_name: process-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.parent.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.parent.hash.sha256: + dashed_name: process-parent-hash-sha256 + description: SHA256 hash. + flat_name: process.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.parent.hash.sha384: + dashed_name: process-parent-hash-sha384 + description: SHA384 hash. + flat_name: process.parent.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.parent.hash.sha512: + dashed_name: process-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.parent.hash.ssdeep: + dashed_name: process-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.parent.hash.tlsh: + dashed_name: process-parent-hash-tlsh + description: TLSH hash. + flat_name: process.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. 
+ type: keyword +process.parent.interactive: + dashed_name: process-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.parent.io: + dashed_name: process-parent-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.parent.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.parent.io.bytes_skipped: + dashed_name: process-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.parent.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.parent.io.bytes_skipped.length: + dashed_name: process-parent-io-bytes-skipped-length + description: The length of bytes skipped. 
+ flat_name: process.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.parent.io.bytes_skipped.offset: + dashed_name: process-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.parent.io.text: + dashed_name: process-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard +process.parent.io.total_bytes_captured: + dashed_name: process-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.parent.io.total_bytes_skipped: + dashed_name: process-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.parent.io.type: + dashed_name: process-parent-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.parent.macho.go_import_hash: + dashed_name: process-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.parent.macho.go_imports: + dashed_name: process-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.parent.macho.go_imports_names_entropy: + dashed_name: process-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.parent.macho.go_imports_names_var_entropy: + dashed_name: process-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.parent.macho.go_stripped: + dashed_name: process-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.parent.macho.import_hash: + dashed_name: process-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.parent.macho.imports: + dashed_name: process-parent-macho-imports + description: List of imported element names and types. + flat_name: process.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.parent.macho.imports_names_entropy: + dashed_name: process-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.parent.macho.imports_names_var_entropy: + dashed_name: process-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.parent.macho.sections: + dashed_name: process-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.parent.macho.sections.entropy: + dashed_name: process-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.parent.macho.sections.name: + dashed_name: process-parent-macho-sections-name + description: Mach-O Section List name. + flat_name: process.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.parent.macho.sections.physical_size: + dashed_name: process-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. 
+ type: long +process.parent.macho.sections.var_entropy: + dashed_name: process-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.parent.macho.sections.virtual_size: + dashed_name: process-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.parent.macho.symhash: + dashed_name: process-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.parent.name: + dashed_name: process-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.parent.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. 
+ type: keyword
+process.parent.origin_referrer_url:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-origin-referrer-url
+ description: The URL of the webpage that linked to the process's executable file.
+ example: http://example.com/article1.html
+ flat_name: process.parent.origin_referrer_url
+ ignore_above: 8192
+ level: extended
+ name: origin_referrer_url
+ normalize: []
+ original_fieldset: process
+ short: The URL of the webpage that linked to the process's executable file.
+ type: keyword
+process.parent.origin_url:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-origin-url
+ description: The URL where the process's executable file is hosted.
+ example: http://example.com/files/example.exe
+ flat_name: process.parent.origin_url
+ ignore_above: 8192
+ level: extended
+ name: origin_url
+ normalize: []
+ original_fieldset: process
+ short: The URL where the process's executable file is hosted.
+ type: keyword
+process.parent.pe.architecture:
+ dashed_name: process-parent-pe-architecture
+ description: CPU architecture target for the file.
+ example: x64
+ flat_name: process.parent.pe.architecture
+ ignore_above: 1024
+ level: extended
+ name: architecture
+ normalize: []
+ original_fieldset: pe
+ short: CPU architecture target for the file.
+ type: keyword
+process.parent.pe.company:
+ dashed_name: process-parent-pe-company
+ description: Internal company name of the file, provided at compile-time.
+ example: Microsoft Corporation
+ flat_name: process.parent.pe.company
+ ignore_above: 1024
+ level: extended
+ name: company
+ normalize: []
+ original_fieldset: pe
+ short: Internal company name of the file, provided at compile-time.
+ type: keyword
+process.parent.pe.description:
+ dashed_name: process-parent-pe-description
+ description: Internal description of the file, provided at compile-time.
+ example: Paint
+ flat_name: process.parent.pe.description
+ ignore_above: 1024
+ level: extended
+ name: description
+ normalize: []
+ original_fieldset: pe
+ short: Internal description of the file, provided at compile-time.
+ type: keyword
+process.parent.pe.file_version:
+ dashed_name: process-parent-pe-file-version
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ flat_name: process.parent.pe.file_version
+ ignore_above: 1024
+ level: extended
+ name: file_version
+ normalize: []
+ original_fieldset: pe
+ short: Process name.
+ type: keyword
+process.parent.pe.go_import_hash:
+ dashed_name: process-parent-pe-go-import-hash
+ description: 'A hash of the Go language imports in a PE file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would change
+ more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ flat_name: process.parent.pe.go_import_hash
+ ignore_above: 1024
+ level: extended
+ name: go_import_hash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the Go language imports in a PE file.
+ type: keyword
+process.parent.pe.go_imports:
+ dashed_name: process-parent-pe-go-imports
+ description: List of imported Go language element names and types.
+ flat_name: process.parent.pe.go_imports
+ level: extended
+ name: go_imports
+ normalize: []
+ original_fieldset: pe
+ short: List of imported Go language element names and types.
+ type: flattened
+process.parent.pe.go_imports_names_entropy:
+ dashed_name: process-parent-pe-go-imports-names-entropy
+ description: Shannon entropy calculation from the list of Go imports.
+ flat_name: process.parent.pe.go_imports_names_entropy
+ format: number
+ level: extended
+ name: go_imports_names_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the list of Go imports.
+ type: long
+process.parent.pe.go_imports_names_var_entropy:
+ dashed_name: process-parent-pe-go-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ flat_name: process.parent.pe.go_imports_names_var_entropy
+ format: number
+ level: extended
+ name: go_imports_names_var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the list of Go imports.
+ type: long
+process.parent.pe.go_stripped:
+ dashed_name: process-parent-pe-go-stripped
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ flat_name: process.parent.pe.go_stripped
+ level: extended
+ name: go_stripped
+ normalize: []
+ original_fieldset: pe
+ short: Whether the file is a stripped or obfuscated Go executable.
+ type: boolean
+process.parent.pe.imphash:
+ dashed_name: process-parent-pe-imphash
+ description: 'A hash of the imports in a PE file. An imphash -- or import hash --
+ can be used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+ example: 0c6803c4e922103c4dca5963aad36ddf
+ flat_name: process.parent.pe.imphash
+ ignore_above: 1024
+ level: extended
+ name: imphash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the imports in a PE file.
+ type: keyword
+process.parent.pe.import_hash:
+ dashed_name: process-parent-pe-import-hash
+ description: 'A hash of the imports in a PE file.
An import hash can be used to
+ fingerprint binaries even after recompilation or other code-level transformations
+ have occurred, which would change more traditional hash values.
+
+ This is a synonym for imphash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ flat_name: process.parent.pe.import_hash
+ ignore_above: 1024
+ level: extended
+ name: import_hash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the imports in a PE file.
+ type: keyword
+process.parent.pe.imports:
+ dashed_name: process-parent-pe-imports
+ description: List of imported element names and types.
+ flat_name: process.parent.pe.imports
+ level: extended
+ name: imports
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of imported element names and types.
+ type: flattened
+process.parent.pe.imports_names_entropy:
+ dashed_name: process-parent-pe-imports-names-entropy
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ flat_name: process.parent.pe.imports_names_entropy
+ format: number
+ level: extended
+ name: imports_names_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the list of imported element names and types.
+ type: long
+process.parent.pe.imports_names_var_entropy:
+ dashed_name: process-parent-pe-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ flat_name: process.parent.pe.imports_names_var_entropy
+ format: number
+ level: extended
+ name: imports_names_var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the list of imported element
+ names and types.
+ type: long
+process.parent.pe.original_file_name:
+ dashed_name: process-parent-pe-original-file-name
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+ flat_name: process.parent.pe.original_file_name
+ ignore_above: 1024
+ level: extended
+ name: original_file_name
+ normalize: []
+ original_fieldset: pe
+ short: Internal name of the file, provided at compile-time.
+ type: keyword
+process.parent.pe.pehash:
+ dashed_name: process-parent-pe-pehash
+ description: 'A hash of the PE header and data from one or more PE sections. An
+ pehash can be used to cluster files by transforming structural information about
+ a file into a hash value.
+
+ Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.'
+ example: 73ff189b63cd6be375a7ff25179a38d347651975
+ flat_name: process.parent.pe.pehash
+ ignore_above: 1024
+ level: extended
+ name: pehash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the PE header and data from one or more PE sections.
+ type: keyword
+process.parent.pe.product:
+ dashed_name: process-parent-pe-product
+ description: Internal product name of the file, provided at compile-time.
+ example: Microsoft® Windows® Operating System
+ flat_name: process.parent.pe.product
+ ignore_above: 1024
+ level: extended
+ name: product
+ normalize: []
+ original_fieldset: pe
+ short: Internal product name of the file, provided at compile-time.
+ type: keyword
+process.parent.pe.sections:
+ dashed_name: process-parent-pe-sections
+ description: 'An array containing an object for each section of the PE file.
+
+ The keys that should be present in these objects are defined by sub-fields underneath
+ `pe.sections.*`.'
+ flat_name: process.parent.pe.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: pe
+ short: Section information of the PE file.
+ type: nested
+process.parent.pe.sections.entropy:
+ dashed_name: process-parent-pe-sections-entropy
+ description: Shannon entropy calculation from the section.
+ flat_name: process.parent.pe.sections.entropy
+ format: number
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the section.
+ type: long
+process.parent.pe.sections.name:
+ dashed_name: process-parent-pe-sections-name
+ description: PE Section List name.
+ flat_name: process.parent.pe.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List name.
+ type: keyword
+process.parent.pe.sections.physical_size:
+ dashed_name: process-parent-pe-sections-physical-size
+ description: PE Section List physical size.
+ flat_name: process.parent.pe.sections.physical_size
+ format: bytes
+ level: extended
+ name: sections.physical_size
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List physical size.
+ type: long
+process.parent.pe.sections.var_entropy:
+ dashed_name: process-parent-pe-sections-var-entropy
+ description: Variance for Shannon entropy calculation from the section.
+ flat_name: process.parent.pe.sections.var_entropy
+ format: number
+ level: extended
+ name: sections.var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the section.
+ type: long
+process.parent.pe.sections.virtual_size:
+ dashed_name: process-parent-pe-sections-virtual-size
+ description: PE Section List virtual size. This is always the same as `physical_size`.
+ flat_name: process.parent.pe.sections.virtual_size
+ format: string
+ level: extended
+ name: sections.virtual_size
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List virtual size. This is always the same as `physical_size`.
+ type: long
+process.parent.pid:
+ dashed_name: process-parent-pid
+ description: Process id.
+ example: 4242
+ flat_name: process.parent.pid
+ format: string
+ level: core
+ name: pid
+ normalize: []
+ original_fieldset: process
+ short: Process id.
+ type: long
+process.parent.platform_binary:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-platform-binary
+ description: Binaries that are shipped by the operating system are defined as platform
+ binaries, this value is then set to true.
+ flat_name: process.parent.platform_binary
+ level: extended
+ name: platform_binary
+ normalize: []
+ original_fieldset: process
+ short: Indicates whether this process executable is a default platform binary shipped
+ with the operating system.
+ type: boolean
+process.parent.real_group.domain:
+ dashed_name: process-parent-real-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.parent.real_group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.parent.real_group.id:
+ dashed_name: process-parent-real-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.parent.real_group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.parent.real_group.name:
+ dashed_name: process-parent-real-group-name
+ description: Name of the group.
+ flat_name: process.parent.real_group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.parent.real_user.domain:
+ dashed_name: process-parent-real-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.parent.real_user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+process.parent.real_user.email:
+ dashed_name: process-parent-real-user-email
+ description: User email address.
+ flat_name: process.parent.real_user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+process.parent.real_user.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-real-user-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: process.parent.real_user.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+process.parent.real_user.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-real-user-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: process.parent.real_user.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+process.parent.real_user.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-real-user-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: process.parent.real_user.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.parent.real_user.entity.display_name.text
+ name: text
+ norms: false
+ type: text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+process.parent.real_user.entity.id:
+ dashed_name: process-parent-real-user-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: process.parent.real_user.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+process.parent.real_user.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-real-user-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: process.parent.real_user.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+process.parent.real_user.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-real-user-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: process.parent.real_user.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+process.parent.real_user.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-real-user-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: process.parent.real_user.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+process.parent.real_user.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-real-user-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: process.parent.real_user.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.parent.real_user.entity.name.text
+ name: text
+ norms: false
+ type: text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+process.parent.real_user.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-real-user-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: process.parent.real_user.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+process.parent.real_user.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-real-user-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: process.parent.real_user.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+process.parent.real_user.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-real-user-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: process.parent.real_user.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+process.parent.real_user.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-real-user-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: process.parent.real_user.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+process.parent.real_user.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components.
Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-real-user-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: process.parent.real_user.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+process.parent.real_user.full_name:
+ dashed_name: process-parent-real-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.parent.real_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.parent.real_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+process.parent.real_user.group.domain:
+ dashed_name: process-parent-real-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.parent.real_user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.parent.real_user.group.id:
+ dashed_name: process-parent-real-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.parent.real_user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.parent.real_user.group.name:
+ dashed_name: process-parent-real-user-group-name
+ description: Name of the group.
+ flat_name: process.parent.real_user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.parent.real_user.hash:
+ dashed_name: process-parent-real-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.parent.real_user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+process.parent.real_user.id:
+ dashed_name: process-parent-real-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.parent.real_user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+process.parent.real_user.name:
+ dashed_name: process-parent-real-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.parent.real_user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.parent.real_user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+process.parent.real_user.risk.calculated_level:
+ dashed_name: process-parent-real-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.parent.real_user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+process.parent.real_user.risk.calculated_score:
+ dashed_name: process-parent-real-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.parent.real_user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+process.parent.real_user.risk.calculated_score_norm:
+ dashed_name: process-parent-real-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: process.parent.real_user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+process.parent.real_user.risk.static_level:
+ dashed_name: process-parent-real-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.parent.real_user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+process.parent.real_user.risk.static_score:
+ dashed_name: process-parent-real-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.parent.real_user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+process.parent.real_user.risk.static_score_norm:
+ dashed_name: process-parent-real-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.parent.real_user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+process.parent.real_user.roles:
+ dashed_name: process-parent-real-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.parent.real_user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none + type: keyword +process.parent.same_as_process: + dashed_name: process-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.parent.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.parent.saved_group.domain: + dashed_name: process-parent-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.parent.saved_group.id: + dashed_name: process-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.saved_group.name: + dashed_name: process-parent-saved-group-name + description: Name of the group. + flat_name: process.parent.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.saved_user.domain: + dashed_name: process-parent-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.saved_user.email: + dashed_name: process-parent-saved-user-email + description: User email address. + flat_name: process.parent.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. 
+ flat_name: process.parent.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.parent.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.parent.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.parent.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.parent.saved_user.entity.id: + dashed_name: process-parent-saved-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.parent.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.parent.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.parent.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.parent.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. 
+ type: object +process.parent.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.parent.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.parent.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.parent.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.parent.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.parent.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.parent.saved_user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.parent.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.parent.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.parent.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. 
+ type: keyword +process.parent.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.parent.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. 
+ type: keyword +process.parent.saved_user.full_name: + dashed_name: process-parent-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.saved_user.group.domain: + dashed_name: process-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.saved_user.group.id: + dashed_name: process-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.saved_user.group.name: + dashed_name: process-parent-saved-user-group-name + description: Name of the group. + flat_name: process.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.saved_user.hash: + dashed_name: process-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.saved_user.id: + dashed_name: process-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.saved_user.name: + dashed_name: process-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.saved_user.risk.calculated_level: + dashed_name: process-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.saved_user.risk.calculated_score: + dashed_name: process-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.saved_user.risk.static_level: + dashed_name: process-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.parent.saved_user.risk.static_score: + dashed_name: process-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.parent.saved_user.risk.static_score_norm: + dashed_name: process-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.saved_user.roles: + dashed_name: process-parent-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.start: + dashed_name: process-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.parent.supplemental_groups.domain: + dashed_name: process-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.supplemental_groups.id: + dashed_name: process-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.parent.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.supplemental_groups.name: + dashed_name: process-parent-supplemental-groups-name + description: Name of the group. + flat_name: process.parent.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.parent.thread.id: + dashed_name: process-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. 
+ type: long +process.parent.thread.name: + dashed_name: process-parent-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.parent.title: + dashed_name: process-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.parent.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.parent.tty: + dashed_name: process-parent-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.parent.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.parent.tty.char_device.major: + dashed_name: process-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.parent.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. 
+ type: long +process.parent.tty.char_device.minor: + dashed_name: process-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.parent.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.parent.tty.columns: + dashed_name: process-parent-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.parent.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.parent.tty.rows: + dashed_name: process-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.parent.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.parent.uptime: + dashed_name: process-parent-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.parent.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. 
+ type: long +process.parent.user.domain: + dashed_name: process-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.parent.user.email: + dashed_name: process-parent-user-email + description: User email address. + flat_name: process.parent.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.parent.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.parent.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.parent.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.parent.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.parent.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.parent.user.entity.id: + dashed_name: process-parent-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.parent.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.parent.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.parent.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.parent.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.parent.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.parent.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.parent.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.parent.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.parent.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.parent.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.parent.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.parent.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.parent.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. 
+ type: keyword +process.parent.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.parent.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.parent.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.parent.user.full_name: + dashed_name: process-parent-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.parent.user.group.domain: + dashed_name: process-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.parent.user.group.id: + dashed_name: process-parent-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.parent.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.parent.user.group.name: + dashed_name: process-parent-user-group-name + description: Name of the group. + flat_name: process.parent.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.parent.user.hash: + dashed_name: process-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.parent.user.id: + dashed_name: process-parent-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.parent.user.name: + dashed_name: process-parent-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.parent.user.risk.calculated_level: + dashed_name: process-parent-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.parent.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.parent.user.risk.calculated_score: + dashed_name: process-parent-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.parent.user.risk.calculated_score_norm: + dashed_name: process-parent-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.parent.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.parent.user.risk.static_level: + dashed_name: process-parent-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: keyword +process.parent.user.risk.static_score: + dashed_name: process-parent-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.parent.user.risk.static_score_norm: + dashed_name: process-parent-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.parent.user.roles: + dashed_name: process-parent-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.parent.vpid: + dashed_name: process-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. 
+ type: long +process.parent.working_directory: + dashed_name: process-parent-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.parent.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.pe.architecture: + dashed_name: process-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.pe.company: + dashed_name: process-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.pe.description: + dashed_name: process-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.pe.file_version: + dashed_name: process-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. 
+ type: keyword +process.pe.go_import_hash: + dashed_name: process-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.pe.go_imports: + dashed_name: process-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.pe.go_imports_names_entropy: + dashed_name: process-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.pe.go_imports_names_var_entropy: + dashed_name: process-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.pe.go_stripped: + dashed_name: process-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.pe.imphash: + dashed_name: process-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.pe.import_hash: + dashed_name: process-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.pe.imports: + dashed_name: process-pe-imports + description: List of imported element names and types. + flat_name: process.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. 
+ type: flattened +process.pe.imports_names_entropy: + dashed_name: process-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.pe.imports_names_var_entropy: + dashed_name: process-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.pe.original_file_name: + dashed_name: process-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.pe.pehash: + dashed_name: process-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. 
+ type: keyword +process.pe.product: + dashed_name: process-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.pe.sections: + dashed_name: process-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.pe.sections.name: + dashed_name: process-pe-sections-name + description: PE Section List name. + flat_name: process.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.pe.sections.physical_size: + dashed_name: process-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.pe.sections.var_entropy: + dashed_name: process-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: process.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.pe.sections.virtual_size: + dashed_name: process-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.pid: + dashed_name: process-pid + description: Process id. + example: 4242 + flat_name: process.pid + format: string + level: core + name: pid + normalize: [] + otel: + - relation: match + stability: development + short: Process id. + type: long +process.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.platform_binary + level: extended + name: platform_binary + normalize: [] + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.previous.args: + dashed_name: process-previous-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.previous.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.previous.args_count: + dashed_name: process-previous-args-count + description: 'Length of the process.args array. 
+ + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.previous.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.previous.attested_groups.domain: + dashed_name: process-previous-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.attested_groups.id: + dashed_name: process-previous-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.attested_groups.name: + dashed_name: process-previous-attested-groups-name + description: Name of the group. + flat_name: process.previous.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.attested_user.domain: + dashed_name: process-previous-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword +process.previous.attested_user.email: + dashed_name: process-previous-attested-user-email + description: User email address. + flat_name: process.previous.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.previous.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.previous.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.previous.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.previous.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.previous.attested_user.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.previous.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.previous.attested_user.entity.id: + dashed_name: process-previous-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.previous.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.previous.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. 
+ flat_name: process.previous.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.previous.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.previous.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.previous.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.previous.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.previous.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.previous.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.previous.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.previous.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.previous.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.previous.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). 
+ flat_name: process.previous.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.previous.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.previous.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.previous.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. 
+ Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. 
Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.previous.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.previous.attested_user.full_name: + dashed_name: process-previous-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.previous.attested_user.group.domain: + dashed_name: process-previous-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.previous.attested_user.group.id: + dashed_name: process-previous-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.attested_user.group.name: + dashed_name: process-previous-attested-user-group-name + description: Name of the group. + flat_name: process.previous.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.attested_user.hash: + dashed_name: process-previous-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.previous.attested_user.id: + dashed_name: process-previous-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.previous.attested_user.name: + dashed_name: process-previous-attested-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.previous.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.previous.attested_user.risk.calculated_level: + dashed_name: process-previous-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.previous.attested_user.risk.calculated_score: + dashed_name: process-previous-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.previous.attested_user.risk.calculated_score_norm: + dashed_name: process-previous-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: process.previous.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.previous.attested_user.risk.static_level: + dashed_name: process-previous-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.previous.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.previous.attested_user.risk.static_score: + dashed_name: process-previous-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.previous.attested_user.risk.static_score_norm: + dashed_name: process-previous-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float +process.previous.attested_user.roles: + dashed_name: process-previous-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.previous.code_signature.digest_algorithm: + dashed_name: process-previous-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.previous.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.previous.code_signature.exists: + dashed_name: process-previous-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.previous.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.previous.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-previous-code-signature-flags + description: The flags used to sign the process. 
+ example: 570522385 + flat_name: process.previous.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.previous.code_signature.signing_id: + dashed_name: process-previous-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.previous.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.previous.code_signature.status: + dashed_name: process-previous-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.previous.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.previous.code_signature.subject_name: + dashed_name: process-previous-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.previous.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.previous.code_signature.team_id: + dashed_name: process-previous-code-signature-team-id + description: 'The team identifier used to sign the process. 
+ + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.previous.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.previous.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-previous-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.previous.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.previous.code_signature.timestamp: + dashed_name: process-previous-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.previous.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.previous.code_signature.trusted: + dashed_name: process-previous-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.previous.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. 
+ type: boolean +process.previous.code_signature.valid: + dashed_name: process-previous-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.previous.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.previous.command_line: + dashed_name: process-previous-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.previous.command_line + level: extended + multi_fields: + - flat_name: process.previous.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.previous.elf.architecture: + dashed_name: process-previous-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.previous.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.previous.elf.byte_order: + dashed_name: process-previous-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.previous.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.previous.elf.cpu_type: + dashed_name: process-previous-elf-cpu-type + description: CPU type of the ELF file. 
+ example: Intel + flat_name: process.previous.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.previous.elf.creation_date: + dashed_name: process-previous-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.previous.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.previous.elf.exports: + dashed_name: process-previous-elf-exports + description: List of exported element names and types. + flat_name: process.previous.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.previous.elf.go_import_hash: + dashed_name: process-previous-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.previous.elf.go_imports: + dashed_name: process-previous-elf-go-imports + description: List of imported Go language element names and types. 
+ flat_name: process.previous.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.previous.elf.go_imports_names_entropy: + dashed_name: process-previous-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.previous.elf.go_imports_names_var_entropy: + dashed_name: process-previous-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.previous.elf.go_stripped: + dashed_name: process-previous-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.previous.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.previous.elf.header.abi_version: + dashed_name: process-previous-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.previous.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). 
+ type: keyword +process.previous.elf.header.class: + dashed_name: process-previous-elf-header-class + description: Header class of the ELF file. + flat_name: process.previous.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.previous.elf.header.data: + dashed_name: process-previous-elf-header-data + description: Data table of the ELF header. + flat_name: process.previous.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.previous.elf.header.entrypoint: + dashed_name: process-previous-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.previous.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.previous.elf.header.object_version: + dashed_name: process-previous-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.previous.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.previous.elf.header.os_abi: + dashed_name: process-previous-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.previous.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.previous.elf.header.type: + dashed_name: process-previous-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.previous.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.previous.elf.header.version: + dashed_name: process-previous-elf-header-version + description: Version of the ELF header. + flat_name: process.previous.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.previous.elf.import_hash: + dashed_name: process-previous-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.previous.elf.imports: + dashed_name: process-previous-elf-imports + description: List of imported element names and types. + flat_name: process.previous.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.previous.elf.imports_names_entropy: + dashed_name: process-previous-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. 
+ type: long +process.previous.elf.imports_names_var_entropy: + dashed_name: process-previous-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.previous.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.previous.elf.sections: + dashed_name: process-previous-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.previous.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.previous.elf.sections.chi2: + dashed_name: process-previous-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.previous.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.previous.elf.sections.entropy: + dashed_name: process-previous-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.previous.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.previous.elf.sections.flags: + dashed_name: process-previous-elf-sections-flags + description: ELF Section List flags. 
+ flat_name: process.previous.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.previous.elf.sections.name: + dashed_name: process-previous-elf-sections-name + description: ELF Section List name. + flat_name: process.previous.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.previous.elf.sections.physical_offset: + dashed_name: process-previous-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.previous.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.previous.elf.sections.physical_size: + dashed_name: process-previous-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.previous.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.previous.elf.sections.type: + dashed_name: process-previous-elf-sections-type + description: ELF Section List type. + flat_name: process.previous.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.previous.elf.sections.var_entropy: + dashed_name: process-previous-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.previous.elf.sections.virtual_address: + dashed_name: process-previous-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.previous.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.previous.elf.sections.virtual_size: + dashed_name: process-previous-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.previous.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.previous.elf.segments: + dashed_name: process-previous-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.previous.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.previous.elf.segments.sections: + dashed_name: process-previous-elf-segments-sections + description: ELF object segment sections. + flat_name: process.previous.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.previous.elf.segments.type: + dashed_name: process-previous-elf-segments-type + description: ELF object segment type. + flat_name: process.previous.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword +process.previous.elf.shared_libraries: + dashed_name: process-previous-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.previous.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.previous.elf.telfhash: + dashed_name: process-previous-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.previous.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.previous.end: + dashed_name: process-previous-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.previous.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.previous.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-previous-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.previous.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.previous.entity_id: + dashed_name: process-previous-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.previous.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.previous.entry_meta.source.address: + dashed_name: process-previous-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.previous.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.previous.entry_meta.source.as.number: + dashed_name: process-previous-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.previous.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.previous.entry_meta.source.as.organization.name: + dashed_name: process-previous-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.previous.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.previous.entry_meta.source.bytes: + dashed_name: process-previous-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.previous.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.previous.entry_meta.source.domain: + dashed_name: process-previous-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.previous.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.previous.entry_meta.source.geo.city_name: + dashed_name: process-previous-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.previous.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.previous.entry_meta.source.geo.continent_code: + dashed_name: process-previous-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. 
+ example: NA + flat_name: process.previous.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.previous.entry_meta.source.geo.continent_name: + dashed_name: process-previous-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.previous.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.previous.entry_meta.source.geo.country_iso_code: + dashed_name: process-previous-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.previous.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.previous.entry_meta.source.geo.country_name: + dashed_name: process-previous-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.previous.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.previous.entry_meta.source.geo.location: + dashed_name: process-previous-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.previous.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.previous.entry_meta.source.geo.name: + dashed_name: process-previous-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. 
+ + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.previous.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.previous.entry_meta.source.geo.postal_code: + dashed_name: process-previous-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.previous.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.previous.entry_meta.source.geo.region_iso_code: + dashed_name: process-previous-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.previous.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.previous.entry_meta.source.geo.region_name: + dashed_name: process-previous-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.previous.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.previous.entry_meta.source.geo.timezone: + dashed_name: process-previous-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + flat_name: process.previous.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.previous.entry_meta.source.ip: + dashed_name: process-previous-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.previous.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.previous.entry_meta.source.mac: + dashed_name: process-previous-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.previous.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.previous.entry_meta.source.nat.ip: + dashed_name: process-previous-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.previous.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.previous.entry_meta.source.nat.port: + dashed_name: process-previous-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.previous.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.previous.entry_meta.source.packets: + dashed_name: process-previous-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.previous.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.previous.entry_meta.source.port: + dashed_name: process-previous-entry-meta-source-port + description: Port of the source. + flat_name: process.previous.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.previous.entry_meta.source.registered_domain: + dashed_name: process-previous-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.previous.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.previous.entry_meta.source.subdomain: + dashed_name: process-previous-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.previous.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.previous.entry_meta.source.top_level_domain: + dashed_name: process-previous-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.previous.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.previous.entry_meta.type: + dashed_name: process-previous-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.previous.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. 
+ type: keyword +process.previous.env_vars: + dashed_name: process-previous-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.previous.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.previous.executable: + dashed_name: process-previous-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.previous.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.previous.exit_code: + dashed_name: process-previous-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.previous.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.previous.group.domain: + dashed_name: process-previous-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.previous.group.id: + dashed_name: process-previous-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.group.name: + dashed_name: process-previous-group-name + description: Name of the group. + flat_name: process.previous.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-previous-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.previous.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.previous.hash.md5: + dashed_name: process-previous-hash-md5 + description: MD5 hash. + flat_name: process.previous.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.previous.hash.sha1: + dashed_name: process-previous-hash-sha1 + description: SHA1 hash. + flat_name: process.previous.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.previous.hash.sha256: + dashed_name: process-previous-hash-sha256 + description: SHA256 hash. + flat_name: process.previous.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. 
+ type: keyword +process.previous.hash.sha384: + dashed_name: process-previous-hash-sha384 + description: SHA384 hash. + flat_name: process.previous.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.previous.hash.sha512: + dashed_name: process-previous-hash-sha512 + description: SHA512 hash. + flat_name: process.previous.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.previous.hash.ssdeep: + dashed_name: process-previous-hash-ssdeep + description: SSDEEP hash. + flat_name: process.previous.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.previous.hash.tlsh: + dashed_name: process-previous-hash-tlsh + description: TLSH hash. + flat_name: process.previous.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.previous.interactive: + dashed_name: process-previous-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' 
+ example: true + flat_name: process.previous.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.previous.io: + dashed_name: process-previous-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.previous.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.previous.io.bytes_skipped: + dashed_name: process-previous-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.previous.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.previous.io.bytes_skipped.length: + dashed_name: process-previous-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.previous.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.previous.io.bytes_skipped.offset: + dashed_name: process-previous-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.previous.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. 
+ type: long +process.previous.io.max_bytes_per_process_exceeded: + dashed_name: process-previous-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.previous.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.previous.io.text: + dashed_name: process-previous-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.previous.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.previous.io.total_bytes_captured: + dashed_name: process-previous-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.previous.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.previous.io.total_bytes_skipped: + dashed_name: process-previous-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. 
Implementors should strive to ensure + this value is always zero + flat_name: process.previous.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.previous.io.type: + dashed_name: process-previous-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.previous.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.previous.macho.go_import_hash: + dashed_name: process-previous-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.previous.macho.go_imports: + dashed_name: process-previous-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. 
+ type: flattened +process.previous.macho.go_imports_names_entropy: + dashed_name: process-previous-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.previous.macho.go_imports_names_var_entropy: + dashed_name: process-previous-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.previous.macho.go_stripped: + dashed_name: process-previous-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.previous.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.previous.macho.import_hash: + dashed_name: process-previous-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. 
+ type: keyword +process.previous.macho.imports: + dashed_name: process-previous-macho-imports + description: List of imported element names and types. + flat_name: process.previous.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.previous.macho.imports_names_entropy: + dashed_name: process-previous-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.previous.macho.imports_names_var_entropy: + dashed_name: process-previous-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.previous.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.previous.macho.sections: + dashed_name: process-previous-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.previous.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.previous.macho.sections.entropy: + dashed_name: process-previous-macho-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.previous.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.previous.macho.sections.name: + dashed_name: process-previous-macho-sections-name + description: Mach-O Section List name. + flat_name: process.previous.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.previous.macho.sections.physical_size: + dashed_name: process-previous-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.previous.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.previous.macho.sections.var_entropy: + dashed_name: process-previous-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.previous.macho.sections.virtual_size: + dashed_name: process-previous-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.previous.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.previous.macho.symhash: + dashed_name: process-previous-macho-symhash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.previous.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.previous.name: + dashed_name: process-previous-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.previous.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.previous.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-previous-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.previous.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.previous.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-previous-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.previous.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword +process.previous.pe.architecture: + dashed_name: process-previous-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.previous.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.previous.pe.company: + dashed_name: process-previous-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.previous.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.previous.pe.description: + dashed_name: process-previous-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.previous.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.previous.pe.file_version: + dashed_name: process-previous-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.previous.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.previous.pe.go_import_hash: + dashed_name: process-previous-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.previous.pe.go_imports: + dashed_name: process-previous-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.previous.pe.go_imports_names_entropy: + dashed_name: process-previous-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.previous.pe.go_imports_names_var_entropy: + dashed_name: process-previous-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.previous.pe.go_stripped: + dashed_name: process-previous-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.previous.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.previous.pe.imphash: + dashed_name: process-previous-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.previous.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.previous.pe.import_hash: + dashed_name: process-previous-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.previous.pe.imports: + dashed_name: process-previous-pe-imports + description: List of imported element names and types. + flat_name: process.previous.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.previous.pe.imports_names_entropy: + dashed_name: process-previous-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.previous.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.previous.pe.imports_names_var_entropy: + dashed_name: process-previous-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.previous.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.previous.pe.original_file_name: + dashed_name: process-previous-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.previous.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.previous.pe.pehash: + dashed_name: process-previous-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.previous.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.previous.pe.product: + dashed_name: process-previous-pe-product + description: Internal product name of the file, provided at compile-time. 
+ example: Microsoft® Windows® Operating System + flat_name: process.previous.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.previous.pe.sections: + dashed_name: process-previous-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.previous.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.previous.pe.sections.entropy: + dashed_name: process-previous-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.previous.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.previous.pe.sections.name: + dashed_name: process-previous-pe-sections-name + description: PE Section List name. + flat_name: process.previous.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.previous.pe.sections.physical_size: + dashed_name: process-previous-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.previous.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.previous.pe.sections.var_entropy: + dashed_name: process-previous-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. 
+ flat_name: process.previous.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.previous.pe.sections.virtual_size: + dashed_name: process-previous-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.previous.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.previous.pid: + dashed_name: process-previous-pid + description: Process id. + example: 4242 + flat_name: process.previous.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.previous.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-previous-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.previous.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.previous.real_group.domain: + dashed_name: process-previous-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.previous.real_group.id: + dashed_name: process-previous-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.real_group.name: + dashed_name: process-previous-real-group-name + description: Name of the group. + flat_name: process.previous.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.real_user.domain: + dashed_name: process-previous-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.previous.real_user.email: + dashed_name: process-previous-real-user-email + description: User email address. + flat_name: process.previous.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.previous.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. 
+ flat_name: process.previous.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.previous.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.previous.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.previous.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.previous.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.previous.real_user.entity.id: + dashed_name: process-previous-real-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.previous.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.previous.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.previous.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.previous.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. 
+ type: object +process.previous.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.previous.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.previous.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.previous.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.previous.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.previous.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.previous.real_user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.previous.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.previous.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.previous.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.previous.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.previous.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. 
+ type: keyword +process.previous.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.previous.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. 
+ type: keyword +process.previous.real_user.full_name: + dashed_name: process-previous-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.previous.real_user.group.domain: + dashed_name: process-previous-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.real_user.group.id: + dashed_name: process-previous-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.real_user.group.name: + dashed_name: process-previous-real-user-group-name + description: Name of the group. + flat_name: process.previous.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.real_user.hash: + dashed_name: process-previous-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.previous.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.previous.real_user.id: + dashed_name: process-previous-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.previous.real_user.name: + dashed_name: process-previous-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.previous.real_user.risk.calculated_level: + dashed_name: process-previous-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.previous.real_user.risk.calculated_score: + dashed_name: process-previous-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.previous.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.previous.real_user.risk.calculated_score_norm: + dashed_name: process-previous-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.previous.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.previous.real_user.risk.static_level: + dashed_name: process-previous-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.previous.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.previous.real_user.risk.static_score: + dashed_name: process-previous-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.previous.real_user.risk.static_score_norm: + dashed_name: process-previous-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.previous.real_user.roles: + dashed_name: process-previous-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.previous.same_as_process: + dashed_name: process-previous-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. 
e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.previous.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.previous.saved_group.domain: + dashed_name: process-previous-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.saved_group.id: + dashed_name: process-previous-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.saved_group.name: + dashed_name: process-previous-saved-group-name + description: Name of the group. + flat_name: process.previous.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.previous.saved_user.domain: + dashed_name: process-previous-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.previous.saved_user.email: + dashed_name: process-previous-saved-user-email + description: User email address. + flat_name: process.previous.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.previous.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.previous.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.previous.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.previous.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.previous.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.previous.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.previous.saved_user.entity.id: + dashed_name: process-previous-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.previous.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword +process.previous.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.previous.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.previous.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.previous.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.previous.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.previous.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-name + description: The name of the entity. 
The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.previous.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.previous.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.previous.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.previous.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.previous.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.previous.saved_user.entity.source: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.previous.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.previous.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.previous.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.previous.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. 
+ name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. 
+ name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.previous.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.previous.saved_user.full_name: + dashed_name: process-previous-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.previous.saved_user.group.domain: + dashed_name: process-previous-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.previous.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.saved_user.group.id: + dashed_name: process-previous-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.saved_user.group.name: + dashed_name: process-previous-saved-user-group-name + description: Name of the group. + flat_name: process.previous.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.previous.saved_user.hash: + dashed_name: process-previous-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.previous.saved_user.id: + dashed_name: process-previous-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.previous.saved_user.name: + dashed_name: process-previous-saved-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.previous.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.previous.saved_user.risk.calculated_level: + dashed_name: process-previous-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.previous.saved_user.risk.calculated_score: + dashed_name: process-previous-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.previous.saved_user.risk.calculated_score_norm: + dashed_name: process-previous-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.previous.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.previous.saved_user.risk.static_level: + dashed_name: process-previous-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.previous.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.previous.saved_user.risk.static_score: + dashed_name: process-previous-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.previous.saved_user.risk.static_score_norm: + dashed_name: process-previous-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.previous.saved_user.roles: + dashed_name: process-previous-saved-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.previous.start: + dashed_name: process-previous-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.previous.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.previous.supplemental_groups.domain: + dashed_name: process-previous-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.supplemental_groups.id: + dashed_name: process-previous-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.supplemental_groups.name: + dashed_name: process-previous-supplemental-groups-name + description: Name of the group. + flat_name: process.previous.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.previous.thread.capabilities.effective: + dashed_name: process-previous-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.previous.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.previous.thread.capabilities.permitted: + dashed_name: process-previous-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.previous.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.previous.thread.id: + dashed_name: process-previous-thread-id + description: Thread ID. + example: 4242 + flat_name: process.previous.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.previous.thread.name: + dashed_name: process-previous-thread-name + description: Thread name. + example: thread-0 + flat_name: process.previous.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.previous.title: + dashed_name: process-previous-title + description: 'Process title. + + The proctitle, some times the same as process name. 
Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.previous.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.previous.tty: + dashed_name: process-previous-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.previous.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.previous.tty.char_device.major: + dashed_name: process-previous-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.previous.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.previous.tty.char_device.minor: + dashed_name: process-previous-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.previous.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. 
+ type: long +process.previous.tty.columns: + dashed_name: process-previous-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.previous.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.previous.tty.rows: + dashed_name: process-previous-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.previous.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.previous.uptime: + dashed_name: process-previous-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.previous.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.previous.user.domain: + dashed_name: process-previous-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.previous.user.email: + dashed_name: process-previous-user-email + description: User email address. 
+ flat_name: process.previous.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.previous.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.previous.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.previous.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.previous.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.previous.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.previous.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.previous.user.entity.id: + dashed_name: process-previous-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.previous.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.previous.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.previous.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.previous.user.entity.lifecycle: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.previous.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.previous.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.previous.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.previous.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.previous.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.previous.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.previous.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.previous.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.previous.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.previous.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.previous.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.previous.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.previous.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.previous.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.previous.user.full_name: + dashed_name: process-previous-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.previous.user.group.domain: + dashed_name: process-previous-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.previous.user.group.id: + dashed_name: process-previous-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.previous.user.group.name: + dashed_name: process-previous-user-group-name + description: Name of the group. + flat_name: process.previous.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.previous.user.hash: + dashed_name: process-previous-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.previous.user.id: + dashed_name: process-previous-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.previous.user.name: + dashed_name: process-previous-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.previous.user.risk.calculated_level: + dashed_name: process-previous-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.previous.user.risk.calculated_score: + dashed_name: process-previous-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.previous.user.risk.calculated_score_norm: + dashed_name: process-previous-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.previous.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.previous.user.risk.static_level: + dashed_name: process-previous-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.previous.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.previous.user.risk.static_score: + dashed_name: process-previous-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.previous.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.previous.user.risk.static_score_norm: + dashed_name: process-previous-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.previous.user.roles: + dashed_name: process-previous-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.previous.vpid: + dashed_name: process-previous-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.previous.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.previous.working_directory: + dashed_name: process-previous-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.previous.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.real_group.domain: + dashed_name: process-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.real_group.id: + dashed_name: process-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.real_group.name: + dashed_name: process-real-group-name + description: Name of the group. + flat_name: process.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.real_user.domain: + dashed_name: process-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.real_user.email: + dashed_name: process-real-user-email + description: User email address. 
+ flat_name: process.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.real_user.entity.id: + dashed_name: process-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: process.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: process-real-user-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: process.real_user.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+process.real_user.full_name:
+ dashed_name: process-real-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.real_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.real_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+process.real_user.group.domain:
+ dashed_name: process-real-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.real_user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.real_user.group.id:
+ dashed_name: process-real-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.real_user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.real_user.group.name:
+ dashed_name: process-real-user-group-name
+ description: Name of the group.
+ flat_name: process.real_user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.real_user.hash:
+ dashed_name: process-real-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.real_user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+process.real_user.id:
+ dashed_name: process-real-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.real_user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ otel:
+ - relation: match
+ stability: development
+ short: Unique identifier of the user.
+ type: keyword
+process.real_user.name:
+ dashed_name: process-real-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.real_user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.real_user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ otel:
+ - relation: match
+ stability: development
+ short: Short name or login of the user.
+ type: keyword
+process.real_user.risk.calculated_level:
+ dashed_name: process-real-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.real_user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+process.real_user.risk.calculated_score:
+ dashed_name: process-real-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.real_user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+process.real_user.risk.calculated_score_norm:
+ dashed_name: process-real-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: process.real_user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+process.real_user.risk.static_level:
+ dashed_name: process-real-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.real_user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+process.real_user.risk.static_score:
+ dashed_name: process-real-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.real_user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+process.real_user.risk.static_score_norm:
+ dashed_name: process-real-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.real_user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+process.real_user.roles:
+ dashed_name: process-real-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.real_user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+process.responsible.args:
+ dashed_name: process-responsible-args
+ description: 'Array of process arguments, starting with the absolute path to the
+ executable.
+
+ May be filtered to protect sensitive information.'
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+ flat_name: process.responsible.args
+ ignore_above: 1024
+ level: extended
+ name: args
+ normalize:
+ - array
+ original_fieldset: process
+ short: Array of process arguments.
+ type: keyword
+process.responsible.args_count:
+ dashed_name: process-responsible-args-count
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how many
+ arguments were provided to start a process. More arguments may be an indication
+ of suspicious activity.'
+ example: 4
+ flat_name: process.responsible.args_count
+ level: extended
+ name: args_count
+ normalize: []
+ original_fieldset: process
+ short: Length of the process.args array.
+ type: long
+process.responsible.attested_groups.domain:
+ dashed_name: process-responsible-attested-groups-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.responsible.attested_groups.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.responsible.attested_groups.id:
+ dashed_name: process-responsible-attested-groups-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.responsible.attested_groups.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.responsible.attested_groups.name:
+ dashed_name: process-responsible-attested-groups-name
+ description: Name of the group.
+ flat_name: process.responsible.attested_groups.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.responsible.attested_user.domain:
+ dashed_name: process-responsible-attested-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.responsible.attested_user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+process.responsible.attested_user.email:
+ dashed_name: process-responsible-attested-user-email
+ description: User email address.
+ flat_name: process.responsible.attested_user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+process.responsible.attested_user.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: process-responsible-attested-user-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: process.responsible.attested_user.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+process.responsible.attested_user.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: process-responsible-attested-user-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: process.responsible.attested_user.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+process.responsible.attested_user.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: process-responsible-attested-user-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: process.responsible.attested_user.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.responsible.attested_user.entity.display_name.text
+ name: text
+ norms: false
+ type: text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+process.responsible.attested_user.entity.id:
+ dashed_name: process-responsible-attested-user-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: process.responsible.attested_user.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+process.responsible.attested_user.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: process-responsible-attested-user-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: process.responsible.attested_user.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+process.responsible.attested_user.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: process-responsible-attested-user-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: process.responsible.attested_user.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+process.responsible.attested_user.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: process-responsible-attested-user-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: process.responsible.attested_user.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+process.responsible.attested_user.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: process-responsible-attested-user-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: process.responsible.attested_user.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.responsible.attested_user.entity.name.text
+ name: text
+ norms: false
+ type: text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+process.responsible.attested_user.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: process-responsible-attested-user-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: process.responsible.attested_user.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+process.responsible.attested_user.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: process-responsible-attested-user-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: process.responsible.attested_user.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+process.responsible.attested_user.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: process-responsible-attested-user-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: process.responsible.attested_user.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+process.responsible.attested_user.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: process-responsible-attested-user-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: process.responsible.attested_user.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+process.responsible.attested_user.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: process-responsible-attested-user-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: process.responsible.attested_user.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+process.responsible.attested_user.full_name:
+ dashed_name: process-responsible-attested-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.responsible.attested_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.responsible.attested_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+process.responsible.attested_user.group.domain:
+ dashed_name: process-responsible-attested-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.responsible.attested_user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.responsible.attested_user.group.id:
+ dashed_name: process-responsible-attested-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.responsible.attested_user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.responsible.attested_user.group.name:
+ dashed_name: process-responsible-attested-user-group-name
+ description: Name of the group.
+ flat_name: process.responsible.attested_user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.responsible.attested_user.hash:
+ dashed_name: process-responsible-attested-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.responsible.attested_user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+process.responsible.attested_user.id:
+ dashed_name: process-responsible-attested-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.responsible.attested_user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+process.responsible.attested_user.name:
+ dashed_name: process-responsible-attested-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.responsible.attested_user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.responsible.attested_user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+process.responsible.attested_user.risk.calculated_level:
+ dashed_name: process-responsible-attested-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.responsible.attested_user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+process.responsible.attested_user.risk.calculated_score:
+ dashed_name: process-responsible-attested-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.responsible.attested_user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+process.responsible.attested_user.risk.calculated_score_norm:
+ dashed_name: process-responsible-attested-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: process.responsible.attested_user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+process.responsible.attested_user.risk.static_level:
+ dashed_name: process-responsible-attested-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.responsible.attested_user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+process.responsible.attested_user.risk.static_score:
+ dashed_name: process-responsible-attested-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.responsible.attested_user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+process.responsible.attested_user.risk.static_score_norm:
+ dashed_name: process-responsible-attested-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.responsible.attested_user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+process.responsible.attested_user.roles:
+ dashed_name: process-responsible-attested-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.responsible.attested_user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+process.responsible.code_signature.digest_algorithm:
+ dashed_name: process-responsible-code-signature-digest-algorithm
+ description: 'The hashing algorithm used to sign the process.
+
+ This value can distinguish signatures when a file is signed multiple times by
+ the same signer but with a different digest algorithm.'
+ example: sha256
+ flat_name: process.responsible.code_signature.digest_algorithm
+ ignore_above: 1024
+ level: extended
+ name: digest_algorithm
+ normalize: []
+ original_fieldset: code_signature
+ short: Hashing algorithm used to sign the process.
+ type: keyword
+process.responsible.code_signature.exists:
+ dashed_name: process-responsible-code-signature-exists
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ flat_name: process.responsible.code_signature.exists
+ level: core
+ name: exists
+ normalize: []
+ original_fieldset: code_signature
+ short: Boolean to capture if a signature is present.
+ type: boolean
+process.responsible.code_signature.flags:
+ beta: This field is beta and subject to change.
+ dashed_name: process-responsible-code-signature-flags
+ description: The flags used to sign the process.
+ example: 570522385
+ flat_name: process.responsible.code_signature.flags
+ ignore_above: 1024
+ level: extended
+ name: flags
+ normalize: []
+ original_fieldset: code_signature
+ short: Code signing flags of the process
+ type: keyword
+process.responsible.code_signature.signing_id:
+ dashed_name: process-responsible-code-signature-signing-id
+ description: 'The identifier used to sign the process.
+
+ This is used to identify the application manufactured by a software vendor. The
+ field is relevant to Apple *OS only.'
+ example: com.apple.xpc.proxy
+ flat_name: process.responsible.code_signature.signing_id
+ ignore_above: 1024
+ level: extended
+ name: signing_id
+ normalize: []
+ original_fieldset: code_signature
+ short: The identifier used to sign the process.
+ type: keyword
+process.responsible.code_signature.status:
+ dashed_name: process-responsible-code-signature-status
+ description: 'Additional information about the certificate status.
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status. Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ flat_name: process.responsible.code_signature.status
+ ignore_above: 1024
+ level: extended
+ name: status
+ normalize: []
+ original_fieldset: code_signature
+ short: Additional information about the certificate status.
+ type: keyword
+process.responsible.code_signature.subject_name:
+ dashed_name: process-responsible-code-signature-subject-name
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ flat_name: process.responsible.code_signature.subject_name
+ ignore_above: 1024
+ level: core
+ name: subject_name
+ normalize: []
+ original_fieldset: code_signature
+ short: Subject name of the code signer
+ type: keyword
+process.responsible.code_signature.team_id:
+ dashed_name: process-responsible-code-signature-team-id
+ description: 'The team identifier used to sign the process.
+
+ This is used to identify the team or vendor of a software product. The field is
+ relevant to Apple *OS only.'
+ example: EQHXZ8M8AV
+ flat_name: process.responsible.code_signature.team_id
+ ignore_above: 1024
+ level: extended
+ name: team_id
+ normalize: []
+ original_fieldset: code_signature
+ short: The team identifier used to sign the process.
+ type: keyword
+process.responsible.code_signature.thumbprint_sha256:
+ beta: This field is beta and subject to change.
+ dashed_name: process-responsible-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.responsible.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.responsible.code_signature.timestamp: + dashed_name: process-responsible-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.responsible.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.responsible.code_signature.trusted: + dashed_name: process-responsible-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.responsible.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.responsible.code_signature.valid: + dashed_name: process-responsible-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.responsible.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. 
+ type: boolean +process.responsible.command_line: + dashed_name: process-responsible-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.responsible.command_line + level: extended + multi_fields: + - flat_name: process.responsible.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.responsible.elf.architecture: + dashed_name: process-responsible-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.responsible.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.responsible.elf.byte_order: + dashed_name: process-responsible-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.responsible.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.responsible.elf.cpu_type: + dashed_name: process-responsible-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.responsible.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.responsible.elf.creation_date: + dashed_name: process-responsible-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. 
+ flat_name: process.responsible.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.responsible.elf.exports: + dashed_name: process-responsible-elf-exports + description: List of exported element names and types. + flat_name: process.responsible.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.responsible.elf.go_import_hash: + dashed_name: process-responsible-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.responsible.elf.go_imports: + dashed_name: process-responsible-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.responsible.elf.go_imports_names_entropy: + dashed_name: process-responsible-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.responsible.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.responsible.elf.go_imports_names_var_entropy: + dashed_name: process-responsible-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.responsible.elf.go_stripped: + dashed_name: process-responsible-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.responsible.elf.header.abi_version: + dashed_name: process-responsible-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.responsible.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.responsible.elf.header.class: + dashed_name: process-responsible-elf-header-class + description: Header class of the ELF file. + flat_name: process.responsible.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. 
+ type: keyword +process.responsible.elf.header.data: + dashed_name: process-responsible-elf-header-data + description: Data table of the ELF header. + flat_name: process.responsible.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.responsible.elf.header.entrypoint: + dashed_name: process-responsible-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.responsible.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.responsible.elf.header.object_version: + dashed_name: process-responsible-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.responsible.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.responsible.elf.header.os_abi: + dashed_name: process-responsible-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.responsible.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.responsible.elf.header.type: + dashed_name: process-responsible-elf-header-type + description: Header type of the ELF file. + flat_name: process.responsible.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.responsible.elf.header.version: + dashed_name: process-responsible-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.responsible.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.responsible.elf.import_hash: + dashed_name: process-responsible-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.responsible.elf.imports: + dashed_name: process-responsible-elf-imports + description: List of imported element names and types. + flat_name: process.responsible.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.responsible.elf.imports_names_entropy: + dashed_name: process-responsible-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.responsible.elf.imports_names_var_entropy: + dashed_name: process-responsible-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.responsible.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.responsible.elf.sections: + dashed_name: process-responsible-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.responsible.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.responsible.elf.sections.chi2: + dashed_name: process-responsible-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.responsible.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.responsible.elf.sections.entropy: + dashed_name: process-responsible-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.responsible.elf.sections.flags: + dashed_name: process-responsible-elf-sections-flags + description: ELF Section List flags. + flat_name: process.responsible.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.responsible.elf.sections.name: + dashed_name: process-responsible-elf-sections-name + description: ELF Section List name. 
+ flat_name: process.responsible.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.responsible.elf.sections.physical_offset: + dashed_name: process-responsible-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.responsible.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.responsible.elf.sections.physical_size: + dashed_name: process-responsible-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.responsible.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.responsible.elf.sections.type: + dashed_name: process-responsible-elf-sections-type + description: ELF Section List type. + flat_name: process.responsible.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.responsible.elf.sections.var_entropy: + dashed_name: process-responsible-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.responsible.elf.sections.virtual_address: + dashed_name: process-responsible-elf-sections-virtual-address + description: ELF Section List virtual address. 
+ flat_name: process.responsible.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.responsible.elf.sections.virtual_size: + dashed_name: process-responsible-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.responsible.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.responsible.elf.segments: + dashed_name: process-responsible-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.responsible.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.responsible.elf.segments.sections: + dashed_name: process-responsible-elf-segments-sections + description: ELF object segment sections. + flat_name: process.responsible.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.responsible.elf.segments.type: + dashed_name: process-responsible-elf-segments-type + description: ELF object segment type. + flat_name: process.responsible.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.responsible.elf.shared_libraries: + dashed_name: process-responsible-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: process.responsible.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.responsible.elf.telfhash: + dashed_name: process-responsible-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.responsible.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.responsible.end: + dashed_name: process-responsible-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.responsible.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.responsible.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-responsible-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.responsible.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.responsible.entity_id: + dashed_name: process-responsible-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' 
+ example: c2c455d9f99375d + flat_name: process.responsible.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.responsible.entry_meta.source.address: + dashed_name: process-responsible-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.responsible.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.responsible.entry_meta.source.as.number: + dashed_name: process-responsible-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.responsible.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.responsible.entry_meta.source.as.organization.name: + dashed_name: process-responsible-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.responsible.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. 
+ type: keyword +process.responsible.entry_meta.source.bytes: + dashed_name: process-responsible-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.responsible.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.responsible.entry_meta.source.domain: + dashed_name: process-responsible-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.responsible.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.responsible.entry_meta.source.geo.city_name: + dashed_name: process-responsible-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.responsible.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.responsible.entry_meta.source.geo.continent_code: + dashed_name: process-responsible-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.responsible.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.responsible.entry_meta.source.geo.continent_name: + dashed_name: process-responsible-entry-meta-source-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: process.responsible.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.responsible.entry_meta.source.geo.country_iso_code: + dashed_name: process-responsible-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.responsible.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.responsible.entry_meta.source.geo.country_name: + dashed_name: process-responsible-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.responsible.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.responsible.entry_meta.source.geo.location: + dashed_name: process-responsible-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.responsible.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.responsible.entry_meta.source.geo.name: + dashed_name: process-responsible-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + flat_name: process.responsible.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.responsible.entry_meta.source.geo.postal_code: + dashed_name: process-responsible-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.responsible.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.responsible.entry_meta.source.geo.region_iso_code: + dashed_name: process-responsible-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.responsible.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.responsible.entry_meta.source.geo.region_name: + dashed_name: process-responsible-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.responsible.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.responsible.entry_meta.source.geo.timezone: + dashed_name: process-responsible-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.responsible.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. 
+ type: keyword +process.responsible.entry_meta.source.ip: + dashed_name: process-responsible-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.responsible.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.responsible.entry_meta.source.mac: + dashed_name: process-responsible-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.responsible.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.responsible.entry_meta.source.nat.ip: + dashed_name: process-responsible-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.responsible.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.responsible.entry_meta.source.nat.port: + dashed_name: process-responsible-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.responsible.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.responsible.entry_meta.source.packets: + dashed_name: process-responsible-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.responsible.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.responsible.entry_meta.source.port: + dashed_name: process-responsible-entry-meta-source-port + description: Port of the source. + flat_name: process.responsible.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.responsible.entry_meta.source.registered_domain: + dashed_name: process-responsible-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.responsible.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.responsible.entry_meta.source.subdomain: + dashed_name: process-responsible-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.responsible.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.responsible.entry_meta.source.top_level_domain: + dashed_name: process-responsible-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.responsible.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.responsible.entry_meta.type: + dashed_name: process-responsible-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.responsible.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. 
+ type: keyword +process.responsible.env_vars: + dashed_name: process-responsible-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.responsible.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.responsible.executable: + dashed_name: process-responsible-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.responsible.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.responsible.exit_code: + dashed_name: process-responsible-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.responsible.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.responsible.group.domain: + dashed_name: process-responsible-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.responsible.group.id: + dashed_name: process-responsible-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.group.name: + dashed_name: process-responsible-group-name + description: Name of the group. + flat_name: process.responsible.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-responsible-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.responsible.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.responsible.hash.md5: + dashed_name: process-responsible-hash-md5 + description: MD5 hash. + flat_name: process.responsible.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.responsible.hash.sha1: + dashed_name: process-responsible-hash-sha1 + description: SHA1 hash. + flat_name: process.responsible.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.responsible.hash.sha256: + dashed_name: process-responsible-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.responsible.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.responsible.hash.sha384: + dashed_name: process-responsible-hash-sha384 + description: SHA384 hash. + flat_name: process.responsible.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.responsible.hash.sha512: + dashed_name: process-responsible-hash-sha512 + description: SHA512 hash. + flat_name: process.responsible.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.responsible.hash.ssdeep: + dashed_name: process-responsible-hash-ssdeep + description: SSDEEP hash. + flat_name: process.responsible.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.responsible.hash.tlsh: + dashed_name: process-responsible-hash-tlsh + description: TLSH hash. + flat_name: process.responsible.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.responsible.interactive: + dashed_name: process-responsible-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.responsible.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.responsible.io: + dashed_name: process-responsible-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.responsible.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.responsible.io.bytes_skipped: + dashed_name: process-responsible-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.responsible.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.responsible.io.bytes_skipped.length: + dashed_name: process-responsible-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.responsible.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.responsible.io.bytes_skipped.offset: + dashed_name: process-responsible-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.responsible.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.responsible.io.max_bytes_per_process_exceeded: + dashed_name: process-responsible-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.responsible.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.responsible.io.text: + dashed_name: process-responsible-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.responsible.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.responsible.io.total_bytes_captured: + dashed_name: process-responsible-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.responsible.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. 
+ type: long +process.responsible.io.total_bytes_skipped: + dashed_name: process-responsible-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.responsible.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.responsible.io.type: + dashed_name: process-responsible-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.responsible.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.responsible.macho.go_import_hash: + dashed_name: process-responsible-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. 
+ type: keyword +process.responsible.macho.go_imports: + dashed_name: process-responsible-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.responsible.macho.go_imports_names_entropy: + dashed_name: process-responsible-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.responsible.macho.go_imports_names_var_entropy: + dashed_name: process-responsible-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.responsible.macho.go_stripped: + dashed_name: process-responsible-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.responsible.macho.import_hash: + dashed_name: process-responsible-macho-import-hash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.responsible.macho.imports: + dashed_name: process-responsible-macho-imports + description: List of imported element names and types. + flat_name: process.responsible.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.responsible.macho.imports_names_entropy: + dashed_name: process-responsible-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.responsible.macho.imports_names_var_entropy: + dashed_name: process-responsible-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.responsible.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.responsible.macho.sections: + dashed_name: process-responsible-macho-sections + description: 'An array containing an object for each section of the Mach-O file. 
+ + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.responsible.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.responsible.macho.sections.entropy: + dashed_name: process-responsible-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.responsible.macho.sections.name: + dashed_name: process-responsible-macho-sections-name + description: Mach-O Section List name. + flat_name: process.responsible.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.responsible.macho.sections.physical_size: + dashed_name: process-responsible-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.responsible.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.responsible.macho.sections.var_entropy: + dashed_name: process-responsible-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. 
+ type: long +process.responsible.macho.sections.virtual_size: + dashed_name: process-responsible-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.responsible.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.responsible.macho.symhash: + dashed_name: process-responsible-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.responsible.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.responsible.name: + dashed_name: process-responsible-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.responsible.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.responsible.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-responsible-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. 
+ example: http://example.com/article1.html + flat_name: process.responsible.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.responsible.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-responsible-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.responsible.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.responsible.pe.architecture: + dashed_name: process-responsible-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.responsible.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.responsible.pe.company: + dashed_name: process-responsible-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.responsible.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.responsible.pe.description: + dashed_name: process-responsible-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.responsible.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
+ type: keyword +process.responsible.pe.file_version: + dashed_name: process-responsible-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.responsible.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.responsible.pe.go_import_hash: + dashed_name: process-responsible-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.responsible.pe.go_imports: + dashed_name: process-responsible-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.responsible.pe.go_imports_names_entropy: + dashed_name: process-responsible-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. 
+ type: long +process.responsible.pe.go_imports_names_var_entropy: + dashed_name: process-responsible-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.responsible.pe.go_stripped: + dashed_name: process-responsible-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.responsible.pe.imphash: + dashed_name: process-responsible-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.responsible.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.responsible.pe.import_hash: + dashed_name: process-responsible-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.responsible.pe.imports: + dashed_name: process-responsible-pe-imports + description: List of imported element names and types. + flat_name: process.responsible.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.responsible.pe.imports_names_entropy: + dashed_name: process-responsible-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.responsible.pe.imports_names_var_entropy: + dashed_name: process-responsible-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.responsible.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.responsible.pe.original_file_name: + dashed_name: process-responsible-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.responsible.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. 
+ type: keyword +process.responsible.pe.pehash: + dashed_name: process-responsible-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.responsible.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.responsible.pe.product: + dashed_name: process-responsible-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.responsible.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.responsible.pe.sections: + dashed_name: process-responsible-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.responsible.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.responsible.pe.sections.entropy: + dashed_name: process-responsible-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. 
+ type: long +process.responsible.pe.sections.name: + dashed_name: process-responsible-pe-sections-name + description: PE Section List name. + flat_name: process.responsible.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.responsible.pe.sections.physical_size: + dashed_name: process-responsible-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.responsible.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.responsible.pe.sections.var_entropy: + dashed_name: process-responsible-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.responsible.pe.sections.virtual_size: + dashed_name: process-responsible-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.responsible.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.responsible.pid: + dashed_name: process-responsible-pid + description: Process id. + example: 4242 + flat_name: process.responsible.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.responsible.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.responsible.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.responsible.real_group.domain: + dashed_name: process-responsible-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.real_group.id: + dashed_name: process-responsible-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.real_group.name: + dashed_name: process-responsible-real-group-name + description: Name of the group. + flat_name: process.responsible.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.real_user.domain: + dashed_name: process-responsible-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword +process.responsible.real_user.email: + dashed_name: process-responsible-real-user-email + description: User email address. + flat_name: process.responsible.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.responsible.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.responsible.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.responsible.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.responsible.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.responsible.real_user.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.responsible.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.responsible.real_user.entity.id: + dashed_name: process-responsible-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.responsible.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.responsible.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. 
+ flat_name: process.responsible.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.responsible.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.responsible.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.responsible.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.responsible.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.responsible.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.responsible.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.responsible.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.responsible.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.responsible.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.responsible.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). 
+ flat_name: process.responsible.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.responsible.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.responsible.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.responsible.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. 
+ Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. 
Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.responsible.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.responsible.real_user.full_name: + dashed_name: process-responsible-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.responsible.real_user.group.domain: + dashed_name: process-responsible-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.responsible.real_user.group.id: + dashed_name: process-responsible-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.real_user.group.name: + dashed_name: process-responsible-real-user-group-name + description: Name of the group. + flat_name: process.responsible.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.real_user.hash: + dashed_name: process-responsible-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.responsible.real_user.id: + dashed_name: process-responsible-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.responsible.real_user.name: + dashed_name: process-responsible-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.responsible.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.responsible.real_user.risk.calculated_level: + dashed_name: process-responsible-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.responsible.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.responsible.real_user.risk.calculated_score: + dashed_name: process-responsible-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.responsible.real_user.risk.calculated_score_norm: + dashed_name: process-responsible-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: process.responsible.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.responsible.real_user.risk.static_level: + dashed_name: process-responsible-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.responsible.real_user.risk.static_score: + dashed_name: process-responsible-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.responsible.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.responsible.real_user.risk.static_score_norm: + dashed_name: process-responsible-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float +process.responsible.real_user.roles: + dashed_name: process-responsible-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.responsible.same_as_process: + dashed_name: process-responsible-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.responsible.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. 
+ type: boolean +process.responsible.saved_group.domain: + dashed_name: process-responsible-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.saved_group.id: + dashed_name: process-responsible-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.saved_group.name: + dashed_name: process-responsible-saved-group-name + description: Name of the group. + flat_name: process.responsible.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.saved_user.domain: + dashed_name: process-responsible-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.responsible.saved_user.email: + dashed_name: process-responsible-saved-user-email + description: User email address. + flat_name: process.responsible.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword +process.responsible.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.responsible.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.responsible.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.responsible.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.responsible.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.responsible.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.responsible.saved_user.entity.id: + dashed_name: process-responsible-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.responsible.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.responsible.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.responsible.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.responsible.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.responsible.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.responsible.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.responsible.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.responsible.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.responsible.saved_user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.responsible.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.responsible.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.responsible.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.responsible.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.responsible.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.responsible.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. 
This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.responsible.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.responsible.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. 
+ name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.responsible.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.responsible.saved_user.full_name: + dashed_name: process-responsible-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.responsible.saved_user.group.domain: + dashed_name: process-responsible-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.saved_user.group.id: + dashed_name: process-responsible-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.responsible.saved_user.group.name: + dashed_name: process-responsible-saved-user-group-name + description: Name of the group. + flat_name: process.responsible.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.saved_user.hash: + dashed_name: process-responsible-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.responsible.saved_user.id: + dashed_name: process-responsible-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.responsible.saved_user.name: + dashed_name: process-responsible-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.responsible.saved_user.risk.calculated_level: + dashed_name: process-responsible-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.responsible.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.responsible.saved_user.risk.calculated_score: + dashed_name: process-responsible-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.responsible.saved_user.risk.calculated_score_norm: + dashed_name: process-responsible-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.responsible.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.responsible.saved_user.risk.static_level: + dashed_name: process-responsible-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.responsible.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.responsible.saved_user.risk.static_score: + dashed_name: process-responsible-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.responsible.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.responsible.saved_user.risk.static_score_norm: + dashed_name: process-responsible-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.responsible.saved_user.roles: + dashed_name: process-responsible-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.responsible.start: + dashed_name: process-responsible-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.responsible.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.responsible.supplemental_groups.domain: + dashed_name: process-responsible-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.supplemental_groups.id: + dashed_name: process-responsible-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.supplemental_groups.name: + dashed_name: process-responsible-supplemental-groups-name + description: Name of the group. + flat_name: process.responsible.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.responsible.thread.capabilities.effective: + dashed_name: process-responsible-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.responsible.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. 
+ synthetic_source_keep: none + type: keyword +process.responsible.thread.capabilities.permitted: + dashed_name: process-responsible-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.responsible.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.responsible.thread.id: + dashed_name: process-responsible-thread-id + description: Thread ID. + example: 4242 + flat_name: process.responsible.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.responsible.thread.name: + dashed_name: process-responsible-thread-name + description: Thread name. + example: thread-0 + flat_name: process.responsible.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.responsible.title: + dashed_name: process-responsible-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.responsible.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.responsible.tty: + dashed_name: process-responsible-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. 
+ flat_name: process.responsible.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.responsible.tty.char_device.major: + dashed_name: process-responsible-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.responsible.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.responsible.tty.char_device.minor: + dashed_name: process-responsible-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.responsible.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.responsible.tty.columns: + dashed_name: process-responsible-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.responsible.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. 
e.g terminal width + type: long +process.responsible.tty.rows: + dashed_name: process-responsible-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.responsible.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.responsible.uptime: + dashed_name: process-responsible-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.responsible.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.responsible.user.domain: + dashed_name: process-responsible-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.responsible.user.email: + dashed_name: process-responsible-user-email + description: User email address. + flat_name: process.responsible.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.responsible.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. 
Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.responsible.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.responsible.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.responsible.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.responsible.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.responsible.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. 
+ type: keyword +process.responsible.user.entity.id: + dashed_name: process-responsible-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.responsible.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.responsible.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.responsible.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.responsible.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.responsible.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.responsible.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.responsible.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.responsible.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.responsible.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.responsible.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: process.responsible.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.responsible.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.responsible.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.responsible.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.responsible.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.responsible.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.responsible.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.responsible.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: process.responsible.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.responsible.user.full_name: + dashed_name: process-responsible-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.responsible.user.group.domain: + dashed_name: process-responsible-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.responsible.user.group.id: + dashed_name: process-responsible-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.responsible.user.group.name: + dashed_name: process-responsible-user-group-name + description: Name of the group. + flat_name: process.responsible.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.responsible.user.hash: + dashed_name: process-responsible-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.responsible.user.id: + dashed_name: process-responsible-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.responsible.user.name: + dashed_name: process-responsible-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.responsible.user.risk.calculated_level: + dashed_name: process-responsible-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.responsible.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: keyword +process.responsible.user.risk.calculated_score: + dashed_name: process-responsible-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.responsible.user.risk.calculated_score_norm: + dashed_name: process-responsible-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.responsible.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.responsible.user.risk.static_level: + dashed_name: process-responsible-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.responsible.user.risk.static_score: + dashed_name: process-responsible-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.responsible.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.responsible.user.risk.static_score_norm: + dashed_name: process-responsible-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.responsible.user.roles: + dashed_name: process-responsible-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.responsible.vpid: + dashed_name: process-responsible-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.responsible.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.responsible.working_directory: + dashed_name: process-responsible-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.responsible.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.same_as_process: + dashed_name: process-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.same_as_process + level: extended + name: same_as_process + normalize: [] + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.saved_group.domain: + dashed_name: process-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.saved_group.id: + dashed_name: process-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.saved_group.name: + dashed_name: process-saved-group-name + description: Name of the group. + flat_name: process.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.saved_user.domain: + dashed_name: process-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.saved_user.email: + dashed_name: process-saved-user-email + description: User email address. + flat_name: process.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. 
+ flat_name: process.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.saved_user.entity.id: + dashed_name: process-saved-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.saved_user.entity.metrics: + beta: This field is beta and subject to change. 
+ dashed_name: process-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. 
Format may vary by entity type and source system. + flat_name: process.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.saved_user.full_name: + dashed_name: process-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: keyword +process.saved_user.group.domain: + dashed_name: process-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.saved_user.group.id: + dashed_name: process-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.saved_user.group.name: + dashed_name: process-saved-user-group-name + description: Name of the group. + flat_name: process.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.saved_user.hash: + dashed_name: process-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.saved_user.id: + dashed_name: process-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + otel: + - relation: match + stability: development + short: Unique identifier of the user. 
+ type: keyword +process.saved_user.name: + dashed_name: process-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + otel: + - relation: match + stability: development + short: Short name or login of the user. + type: keyword +process.saved_user.risk.calculated_level: + dashed_name: process-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.saved_user.risk.calculated_score: + dashed_name: process-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.saved_user.risk.calculated_score_norm: + dashed_name: process-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: process.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.saved_user.risk.static_level: + dashed_name: process-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.saved_user.risk.static_score: + dashed_name: process-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.saved_user.risk.static_score_norm: + dashed_name: process-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.saved_user.roles: + dashed_name: process-saved-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.args: + dashed_name: process-session-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.session_leader.args_count: + dashed_name: process-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.session_leader.attested_groups.domain: + dashed_name: process-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.attested_groups.id: + dashed_name: process-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.attested_groups.name: + dashed_name: process-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.attested_user.domain: + dashed_name: process-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.attested_user.email: + dashed_name: process-session-leader-attested-user-email + description: User email address. + flat_name: process.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. 
+ flat_name: process.session_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. 
+ type: keyword +process.session_leader.attested_user.entity.id: + dashed_name: process-session-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.session_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: process.session_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.session_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: process.session_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.attested_user.full_name: + dashed_name: process-session-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.attested_user.group.domain: + dashed_name: process-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.attested_user.group.id: + dashed_name: process-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.attested_user.group.name: + dashed_name: process-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.session_leader.attested_user.hash: + dashed_name: process-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.attested_user.id: + dashed_name: process-session-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.attested_user.name: + dashed_name: process-session-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.attested_user.risk.calculated_level: + dashed_name: process-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.attested_user.risk.calculated_score: + dashed_name: process-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.attested_user.risk.static_level: + dashed_name: process-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.session_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.attested_user.risk.static_score: + dashed_name: process-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.attested_user.roles: + dashed_name: process-session-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.session_leader.code_signature.digest_algorithm: + dashed_name: process-session-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.session_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.session_leader.code_signature.exists: + dashed_name: process-session-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.session_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.session_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.session_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.session_leader.code_signature.signing_id: + dashed_name: process-session-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' 
+ example: com.apple.xpc.proxy + flat_name: process.session_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.session_leader.code_signature.status: + dashed_name: process-session-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.session_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.session_leader.code_signature.subject_name: + dashed_name: process-session-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.session_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.session_leader.code_signature.team_id: + dashed_name: process-session-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.session_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.session_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.session_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.session_leader.code_signature.timestamp: + dashed_name: process-session-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.session_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.session_leader.code_signature.trusted: + dashed_name: process-session-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.session_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.session_leader.code_signature.valid: + dashed_name: process-session-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: process.session_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.session_leader.command_line: + dashed_name: process-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.session_leader.elf.architecture: + dashed_name: process-session-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.session_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.session_leader.elf.byte_order: + dashed_name: process-session-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.session_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.session_leader.elf.cpu_type: + dashed_name: process-session-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.session_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. 
+ type: keyword +process.session_leader.elf.creation_date: + dashed_name: process-session-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.session_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.session_leader.elf.exports: + dashed_name: process-session-leader-elf-exports + description: List of exported element names and types. + flat_name: process.session_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.session_leader.elf.go_import_hash: + dashed_name: process-session-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.session_leader.elf.go_imports: + dashed_name: process-session-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. 
+ type: flattened +process.session_leader.elf.go_imports_names_entropy: + dashed_name: process-session-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.elf.go_stripped: + dashed_name: process-session-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.elf.header.abi_version: + dashed_name: process-session-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.session_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.session_leader.elf.header.class: + dashed_name: process-session-leader-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.session_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.session_leader.elf.header.data: + dashed_name: process-session-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.session_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.session_leader.elf.header.entrypoint: + dashed_name: process-session-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.session_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.session_leader.elf.header.object_version: + dashed_name: process-session-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.session_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.session_leader.elf.header.os_abi: + dashed_name: process-session-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.session_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.session_leader.elf.header.type: + dashed_name: process-session-leader-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.session_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.session_leader.elf.header.version: + dashed_name: process-session-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.session_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.session_leader.elf.import_hash: + dashed_name: process-session-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.session_leader.elf.imports: + dashed_name: process-session-leader-elf-imports + description: List of imported element names and types. + flat_name: process.session_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.session_leader.elf.imports_names_entropy: + dashed_name: process-session-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.session_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.elf.imports_names_var_entropy: + dashed_name: process-session-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.elf.sections: + dashed_name: process-session-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.session_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.session_leader.elf.sections.chi2: + dashed_name: process-session-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.session_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.session_leader.elf.sections.entropy: + dashed_name: process-session-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.session_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.session_leader.elf.sections.flags: + dashed_name: process-session-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.session_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.session_leader.elf.sections.name: + dashed_name: process-session-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.session_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.session_leader.elf.sections.physical_offset: + dashed_name: process-session-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.session_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.session_leader.elf.sections.physical_size: + dashed_name: process-session-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.session_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.session_leader.elf.sections.type: + dashed_name: process-session-leader-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.session_leader.elf.sections.var_entropy: + dashed_name: process-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.elf.sections.virtual_address: + dashed_name: process-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.session_leader.elf.sections.virtual_size: + dashed_name: process-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.session_leader.elf.segments: + dashed_name: process-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. 
+ type: nested +process.session_leader.elf.segments.sections: + dashed_name: process-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.session_leader.elf.segments.type: + dashed_name: process-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.session_leader.elf.shared_libraries: + dashed_name: process-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.session_leader.elf.telfhash: + dashed_name: process-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.session_leader.end: + dashed_name: process-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.session_leader.entity_id: + dashed_name: process-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.session_leader.entry_meta.source.address: + dashed_name: process-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. 
+ type: keyword +process.session_leader.entry_meta.source.as.number: + dashed_name: process-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.session_leader.entry_meta.source.bytes: + dashed_name: process-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.session_leader.entry_meta.source.domain: + dashed_name: process-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' 
+ example: foo.example.com + flat_name: process.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. 
+ type: keyword +process.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.session_leader.entry_meta.source.geo.location: + dashed_name: process-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.session_leader.entry_meta.source.geo.name: + dashed_name: process-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. 
+ type: keyword +process.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.session_leader.entry_meta.source.ip: + dashed_name: process-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip +process.session_leader.entry_meta.source.mac: + dashed_name: process-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' 
+ example: 00-00-5E-00-53-23 + flat_name: process.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.session_leader.entry_meta.source.nat.ip: + dashed_name: process-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.session_leader.entry_meta.source.nat.port: + dashed_name: process-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.session_leader.entry_meta.source.packets: + dashed_name: process-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.session_leader.entry_meta.source.port: + dashed_name: process-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. 
+ type: long +process.session_leader.entry_meta.source.registered_domain: + dashed_name: process-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.session_leader.entry_meta.source.subdomain: + dashed_name: process-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. 
+ type: keyword +process.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.session_leader.entry_meta.type: + dashed_name: process-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.session_leader.env_vars: + dashed_name: process-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. 
+ synthetic_source_keep: none + type: keyword +process.session_leader.executable: + dashed_name: process-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.session_leader.exit_code: + dashed_name: process-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.session_leader.group.domain: + dashed_name: process-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.group.id: + dashed_name: process-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.group.name: + dashed_name: process-session-leader-group-name + description: Name of the group. 
+ flat_name: process.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.session_leader.hash.md5: + dashed_name: process-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.session_leader.hash.sha1: + dashed_name: process-session-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.session_leader.hash.sha256: + dashed_name: process-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.session_leader.hash.sha384: + dashed_name: process-session-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.session_leader.hash.sha512: + dashed_name: process-session-leader-hash-sha512 + description: SHA512 hash. 
+ flat_name: process.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.session_leader.hash.ssdeep: + dashed_name: process-session-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.session_leader.hash.tlsh: + dashed_name: process-session-leader-hash-tlsh + description: TLSH hash. + flat_name: process.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.session_leader.interactive: + dashed_name: process-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.session_leader.io: + dashed_name: process-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' 
+ flat_name: process.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.session_leader.io.bytes_skipped: + dashed_name: process-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.session_leader.io.bytes_skipped.length: + dashed_name: process-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.session_leader.io.bytes_skipped.offset: + dashed_name: process-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. 
+ flat_name: process.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.session_leader.io.text: + dashed_name: process-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.session_leader.io.total_bytes_captured: + dashed_name: process-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.session_leader.io.total_bytes_skipped: + dashed_name: process-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. 
+ type: long +process.session_leader.io.type: + dashed_name: process-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.session_leader.macho.go_import_hash: + dashed_name: process-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.session_leader.macho.go_imports: + dashed_name: process-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.session_leader.macho.go_imports_names_entropy: + dashed_name: process-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.macho.go_stripped: + dashed_name: process-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.macho.import_hash: + dashed_name: process-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. 
+ type: keyword +process.session_leader.macho.imports: + dashed_name: process-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.session_leader.macho.imports_names_entropy: + dashed_name: process-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.macho.imports_names_var_entropy: + dashed_name: process-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.macho.sections: + dashed_name: process-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. 
+ type: nested +process.session_leader.macho.sections.entropy: + dashed_name: process-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.session_leader.macho.sections.name: + dashed_name: process-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.session_leader.macho.sections.physical_size: + dashed_name: process-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.session_leader.macho.sections.var_entropy: + dashed_name: process-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.macho.sections.virtual_size: + dashed_name: process-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ flat_name: process.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.session_leader.macho.symhash: + dashed_name: process-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.session_leader.name: + dashed_name: process-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.session_leader.origin_url: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.session_leader.parent.args: + dashed_name: process-session-leader-parent-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.session_leader.parent.args_count: + dashed_name: process-session-leader-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.session_leader.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.session_leader.parent.attested_groups.domain: + dashed_name: process-session-leader-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.session_leader.parent.attested_groups.id: + dashed_name: process-session-leader-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.attested_groups.name: + dashed_name: process-session-leader-parent-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.attested_user.domain: + dashed_name: process-session-leader-parent-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.attested_user.email: + dashed_name: process-session-leader-parent-attested-user-email + description: User email address. + flat_name: process.session_leader.parent.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. 
Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.parent.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.parent.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.parent.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.session_leader.parent.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.parent.attested_user.entity.id: + dashed_name: process-session-leader-parent-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.parent.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.parent.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date +process.session_leader.parent.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.parent.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.parent.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.session_leader.parent.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.parent.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.parent.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.parent.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.parent.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). 
+ flat_name: process.session_leader.parent.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.parent.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.parent.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. 
This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. 
This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.parent.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.parent.attested_user.full_name: + dashed_name: process-session-leader-parent-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.attested_user.group.domain: + dashed_name: process-session-leader-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.attested_user.group.id: + dashed_name: process-session-leader-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.attested_user.group.name: + dashed_name: process-session-leader-parent-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.attested_user.hash: + dashed_name: process-session-leader-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.attested_user.id: + dashed_name: process-session-leader-parent-attested-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.parent.attested_user.name: + dashed_name: process-session-leader-parent-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.parent.attested_user.risk.calculated_level: + dashed_name: process-session-leader-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.parent.attested_user.risk.calculated_score: + dashed_name: process-session-leader-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.session_leader.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.attested_user.risk.static_level: + dashed_name: process-session-leader-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.parent.attested_user.risk.static_score: + dashed_name: process-session-leader-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.session_leader.parent.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.attested_user.roles: + dashed_name: process-session-leader-parent-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.code_signature.digest_algorithm: + dashed_name: process-session-leader-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.session_leader.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword +process.session_leader.parent.code_signature.exists: + dashed_name: process-session-leader-parent-code-signature-exists + description: Boolean to capture if a signature is present. 
+ example: 'true' + flat_name: process.session_leader.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.session_leader.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.session_leader.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword +process.session_leader.parent.code_signature.signing_id: + dashed_name: process-session-leader-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.session_leader.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +process.session_leader.parent.code_signature.status: + dashed_name: process-session-leader-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.session_leader.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword +process.session_leader.parent.code_signature.subject_name: + dashed_name: process-session-leader-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.session_leader.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.session_leader.parent.code_signature.team_id: + dashed_name: process-session-leader-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.session_leader.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +process.session_leader.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.session_leader.parent.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword +process.session_leader.parent.code_signature.timestamp: + dashed_name: process-session-leader-parent-code-signature-timestamp + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + flat_name: process.session_leader.parent.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date +process.session_leader.parent.code_signature.trusted: + dashed_name: process-session-leader-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.session_leader.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.session_leader.parent.code_signature.valid: + dashed_name: process-session-leader-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.session_leader.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +process.session_leader.parent.command_line: + dashed_name: process-session-leader-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.parent.command_line + level: extended + multi_fields: + - flat_name: process.session_leader.parent.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.session_leader.parent.elf.architecture: + dashed_name: process-session-leader-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.session_leader.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.session_leader.parent.elf.byte_order: + dashed_name: process-session-leader-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.session_leader.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.session_leader.parent.elf.cpu_type: + dashed_name: process-session-leader-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.session_leader.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.session_leader.parent.elf.creation_date: + dashed_name: process-session-leader-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.session_leader.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. 
+ type: date +process.session_leader.parent.elf.exports: + dashed_name: process-session-leader-parent-elf-exports + description: List of exported element names and types. + flat_name: process.session_leader.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.session_leader.parent.elf.go_import_hash: + dashed_name: process-session-leader-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword +process.session_leader.parent.elf.go_imports: + dashed_name: process-session-leader-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened +process.session_leader.parent.elf.go_imports_names_entropy: + dashed_name: process-session-leader-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.session_leader.parent.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.elf.go_stripped: + dashed_name: process-session-leader-parent-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.parent.elf.header.abi_version: + dashed_name: process-session-leader-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.session_leader.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.session_leader.parent.elf.header.class: + dashed_name: process-session-leader-parent-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.session_leader.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.session_leader.parent.elf.header.data: + dashed_name: process-session-leader-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.session_leader.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.session_leader.parent.elf.header.entrypoint: + dashed_name: process-session-leader-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.session_leader.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.session_leader.parent.elf.header.object_version: + dashed_name: process-session-leader-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.session_leader.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.session_leader.parent.elf.header.os_abi: + dashed_name: process-session-leader-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.session_leader.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.session_leader.parent.elf.header.type: + dashed_name: process-session-leader-parent-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.session_leader.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.session_leader.parent.elf.header.version: + dashed_name: process-session-leader-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.session_leader.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.session_leader.parent.elf.import_hash: + dashed_name: process-session-leader-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword +process.session_leader.parent.elf.imports: + dashed_name: process-session-leader-parent-elf-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.session_leader.parent.elf.imports_names_entropy: + dashed_name: process-session-leader-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.session_leader.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.parent.elf.imports_names_var_entropy: + dashed_name: process-session-leader-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.parent.elf.sections: + dashed_name: process-session-leader-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.session_leader.parent.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.session_leader.parent.elf.sections.chi2: + dashed_name: process-session-leader-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.session_leader.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.session_leader.parent.elf.sections.entropy: + dashed_name: process-session-leader-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.session_leader.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.session_leader.parent.elf.sections.flags: + dashed_name: process-session-leader-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.session_leader.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.session_leader.parent.elf.sections.name: + dashed_name: process-session-leader-parent-elf-sections-name + description: ELF Section List name. + flat_name: process.session_leader.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.session_leader.parent.elf.sections.physical_offset: + dashed_name: process-session-leader-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.session_leader.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.session_leader.parent.elf.sections.physical_size: + dashed_name: process-session-leader-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.session_leader.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.session_leader.parent.elf.sections.type: + dashed_name: process-session-leader-parent-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.session_leader.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.session_leader.parent.elf.sections.var_entropy: + dashed_name: process-session-leader-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.parent.elf.sections.virtual_address: + dashed_name: process-session-leader-parent-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.session_leader.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.session_leader.parent.elf.sections.virtual_size: + dashed_name: process-session-leader-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.session_leader.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.session_leader.parent.elf.segments: + dashed_name: process-session-leader-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.session_leader.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. 
+ type: nested +process.session_leader.parent.elf.segments.sections: + dashed_name: process-session-leader-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.session_leader.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.session_leader.parent.elf.segments.type: + dashed_name: process-session-leader-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.session_leader.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.session_leader.parent.elf.shared_libraries: + dashed_name: process-session-leader-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.session_leader.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.session_leader.parent.elf.telfhash: + dashed_name: process-session-leader-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.session_leader.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.session_leader.parent.end: + dashed_name: process-session-leader-parent-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. 
+ type: date +process.session_leader.parent.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.session_leader.parent.entity_id: + dashed_name: process-session-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.session_leader.parent.entry_meta.source.address: + dashed_name: process-session-leader-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' 
+ flat_name: process.session_leader.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.session_leader.parent.entry_meta.source.as.number: + dashed_name: process-session-leader-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.session_leader.parent.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.session_leader.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.session_leader.parent.entry_meta.source.bytes: + dashed_name: process-session-leader-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.session_leader.parent.entry_meta.source.domain: + dashed_name: process-session-leader-parent-entry-meta-source-domain + description: 'The domain name of the source system. 
+ + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.session_leader.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.session_leader.parent.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +process.session_leader.parent.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.session_leader.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.session_leader.parent.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.session_leader.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. 
+ example: CA + flat_name: process.session_leader.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.session_leader.parent.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +process.session_leader.parent.entry_meta.source.geo.location: + dashed_name: process-session-leader-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.session_leader.parent.entry_meta.source.geo.name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.session_leader.parent.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +process.session_leader.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.session_leader.parent.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.session_leader.parent.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.session_leader.parent.entry_meta.source.ip: + dashed_name: process-session-leader-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip +process.session_leader.parent.entry_meta.source.mac: + dashed_name: process-session-leader-parent-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.session_leader.parent.entry_meta.source.nat.ip: + dashed_name: process-session-leader-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.session_leader.parent.entry_meta.source.nat.port: + dashed_name: process-session-leader-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.session_leader.parent.entry_meta.source.packets: + dashed_name: process-session-leader-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. 
+ example: 12 + flat_name: process.session_leader.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.session_leader.parent.entry_meta.source.port: + dashed_name: process-session-leader-parent-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.session_leader.parent.entry_meta.source.registered_domain: + dashed_name: process-session-leader-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.session_leader.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword +process.session_leader.parent.entry_meta.source.subdomain: + dashed_name: process-session-leader-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.session_leader.parent.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.session_leader.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword +process.session_leader.parent.entry_meta.type: + dashed_name: process-session-leader-parent-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.session_leader.parent.env_vars: + dashed_name: process-session-leader-parent-env-vars + description: 'Array of environment variable bindings. 
Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.executable: + dashed_name: process-session-leader-parent-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.parent.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.session_leader.parent.exit_code: + dashed_name: process-session-leader-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.session_leader.parent.group.domain: + dashed_name: process-session-leader-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.session_leader.parent.group.id: + dashed_name: process-session-leader-parent-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.group.name: + dashed_name: process-session-leader-parent-group-name + description: Name of the group. + flat_name: process.session_leader.parent.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.session_leader.parent.hash.md5: + dashed_name: process-session-leader-parent-hash-md5 + description: MD5 hash. + flat_name: process.session_leader.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.session_leader.parent.hash.sha1: + dashed_name: process-session-leader-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.parent.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. 
+ type: keyword +process.session_leader.parent.hash.sha256: + dashed_name: process-session-leader-parent-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.session_leader.parent.hash.sha384: + dashed_name: process-session-leader-parent-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.parent.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword +process.session_leader.parent.hash.sha512: + dashed_name: process-session-leader-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.session_leader.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.session_leader.parent.hash.ssdeep: + dashed_name: process-session-leader-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.session_leader.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.session_leader.parent.hash.tlsh: + dashed_name: process-session-leader-parent-hash-tlsh + description: TLSH hash. + flat_name: process.session_leader.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.session_leader.parent.interactive: + dashed_name: process-session-leader-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.session_leader.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.session_leader.parent.io: + dashed_name: process-session-leader-parent-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.parent.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.session_leader.parent.io.bytes_skipped: + dashed_name: process-session-leader-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.session_leader.parent.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.session_leader.parent.io.bytes_skipped.length: + dashed_name: process-session-leader-parent-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long +process.session_leader.parent.io.bytes_skipped.offset: + dashed_name: process-session-leader-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.session_leader.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.session_leader.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.session_leader.parent.io.text: + dashed_name: process-session-leader-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.session_leader.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard +process.session_leader.parent.io.total_bytes_captured: + dashed_name: process-session-leader-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.session_leader.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.session_leader.parent.io.total_bytes_skipped: + dashed_name: process-session-leader-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.session_leader.parent.io.type: + dashed_name: process-session-leader-parent-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.session_leader.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.session_leader.parent.macho.go_import_hash: + dashed_name: process-session-leader-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.session_leader.parent.macho.go_imports: + dashed_name: process-session-leader-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.session_leader.parent.macho.go_imports_names_entropy: + dashed_name: process-session-leader-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.session_leader.parent.macho.go_stripped: + dashed_name: process-session-leader-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.parent.macho.import_hash: + dashed_name: process-session-leader-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.session_leader.parent.macho.imports: + dashed_name: process-session-leader-parent-macho-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.session_leader.parent.macho.imports_names_entropy: + dashed_name: process-session-leader-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.session_leader.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.parent.macho.imports_names_var_entropy: + dashed_name: process-session-leader-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.parent.macho.sections: + dashed_name: process-session-leader-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.session_leader.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.session_leader.parent.macho.sections.entropy: + dashed_name: process-session-leader-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long +process.session_leader.parent.macho.sections.name: + dashed_name: process-session-leader-parent-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.session_leader.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.session_leader.parent.macho.sections.physical_size: + dashed_name: process-session-leader-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.session_leader.parent.macho.sections.var_entropy: + dashed_name: process-session-leader-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.parent.macho.sections.virtual_size: + dashed_name: process-session-leader-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long +process.session_leader.parent.macho.symhash: + dashed_name: process-session-leader-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.parent.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.session_leader.parent.name: + dashed_name: process-session-leader-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.parent.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.session_leader.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.session_leader.parent.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.session_leader.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.parent.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword +process.session_leader.parent.pe.architecture: + dashed_name: process-session-leader-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.session_leader.parent.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.session_leader.parent.pe.company: + dashed_name: process-session-leader-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.session_leader.parent.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.session_leader.parent.pe.description: + dashed_name: process-session-leader-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.session_leader.parent.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.session_leader.parent.pe.file_version: + dashed_name: process-session-leader-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.session_leader.parent.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.session_leader.parent.pe.go_import_hash: + dashed_name: process-session-leader-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.session_leader.parent.pe.go_imports: + dashed_name: process-session-leader-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.session_leader.parent.pe.go_imports_names_entropy: + dashed_name: process-session-leader-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.session_leader.parent.pe.go_stripped: + dashed_name: process-session-leader-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.parent.pe.imphash: + dashed_name: process-session-leader-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.session_leader.parent.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.session_leader.parent.pe.import_hash: + dashed_name: process-session-leader-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.session_leader.parent.pe.imports: + dashed_name: process-session-leader-parent-pe-imports + description: List of imported element names and types. 
+ flat_name: process.session_leader.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.session_leader.parent.pe.imports_names_entropy: + dashed_name: process-session-leader-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.parent.pe.imports_names_var_entropy: + dashed_name: process-session-leader-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.parent.pe.original_file_name: + dashed_name: process-session-leader-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.session_leader.parent.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.session_leader.parent.pe.pehash: + dashed_name: process-session-leader-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. 
+ + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.session_leader.parent.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.session_leader.parent.pe.product: + dashed_name: process-session-leader-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.session_leader.parent.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.session_leader.parent.pe.sections: + dashed_name: process-session-leader-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.session_leader.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.session_leader.parent.pe.sections.entropy: + dashed_name: process-session-leader-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.session_leader.parent.pe.sections.name: + dashed_name: process-session-leader-parent-pe-sections-name + description: PE Section List name. 
+ flat_name: process.session_leader.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword +process.session_leader.parent.pe.sections.physical_size: + dashed_name: process-session-leader-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.session_leader.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.session_leader.parent.pe.sections.var_entropy: + dashed_name: process-session-leader-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.parent.pe.sections.virtual_size: + dashed_name: process-session-leader-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.session_leader.parent.pid: + dashed_name: process-session-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.session_leader.parent.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.session_leader.parent.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.session_leader.parent.real_group.domain: + dashed_name: process-session-leader-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.real_group.id: + dashed_name: process-session-leader-parent-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.real_group.name: + dashed_name: process-session-leader-parent-real-group-name + description: Name of the group. + flat_name: process.session_leader.parent.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.real_user.domain: + dashed_name: process-session-leader-parent-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.real_user.email: + dashed_name: process-session-leader-parent-real-user-email + description: User email address. + flat_name: process.session_leader.parent.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.parent.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.parent.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.session_leader.parent.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.parent.real_user.entity.id: + dashed_name: process-session-leader-parent-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
+ flat_name: process.session_leader.parent.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.parent.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.parent.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. 
+ flat_name: process.session_leader.parent.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.parent.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.parent.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.parent.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.parent.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.parent.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. 
This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.parent.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.parent.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.parent.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.parent.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. 
Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. 
This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.parent.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. 
+ type: keyword +process.session_leader.parent.real_user.full_name: + dashed_name: process-session-leader-parent-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.real_user.group.domain: + dashed_name: process-session-leader-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.real_user.group.id: + dashed_name: process-session-leader-parent-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.real_user.group.name: + dashed_name: process-session-leader-parent-real-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.session_leader.parent.real_user.hash: + dashed_name: process-session-leader-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.real_user.id: + dashed_name: process-session-leader-parent-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.parent.real_user.name: + dashed_name: process-session-leader-parent-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.parent.real_user.risk.calculated_level: + dashed_name: process-session-leader-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.session_leader.parent.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.parent.real_user.risk.calculated_score: + dashed_name: process-session-leader-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.parent.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.real_user.risk.static_level: + dashed_name: process-session-leader-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.session_leader.parent.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.parent.real_user.risk.static_score: + dashed_name: process-session-leader-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.parent.real_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.real_user.roles: + dashed_name: process-session-leader-parent-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.session_leader.parent.same_as_process: + dashed_name: process-session-leader-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.parent.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.session_leader.parent.saved_group.domain: + dashed_name: process-session-leader-parent-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.session_leader.parent.saved_group.id: + dashed_name: process-session-leader-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.saved_group.name: + dashed_name: process-session-leader-parent-saved-group-name + description: Name of the group. + flat_name: process.session_leader.parent.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.saved_user.domain: + dashed_name: process-session-leader-parent-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.saved_user.email: + dashed_name: process-session-leader-parent-saved-user-email + description: User email address. + flat_name: process.session_leader.parent.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. 
Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.parent.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.parent.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.parent.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.session_leader.parent.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.parent.saved_user.entity.id: + dashed_name: process-session-leader-parent-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.parent.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.parent.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date +process.session_leader.parent.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.parent.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.parent.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.session_leader.parent.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.parent.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.parent.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.parent.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.parent.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). 
+ flat_name: process.session_leader.parent.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.parent.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.parent.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. 
This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. 
This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.parent.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.parent.saved_user.full_name: + dashed_name: process-session-leader-parent-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.saved_user.group.domain: + dashed_name: process-session-leader-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.saved_user.group.id: + dashed_name: process-session-leader-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.saved_user.group.name: + dashed_name: process-session-leader-parent-saved-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.saved_user.hash: + dashed_name: process-session-leader-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.saved_user.id: + dashed_name: process-session-leader-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword +process.session_leader.parent.saved_user.name: + dashed_name: process-session-leader-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.parent.saved_user.risk.calculated_level: + dashed_name: process-session-leader-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.parent.saved_user.risk.calculated_score: + dashed_name: process-session-leader-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.session_leader.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.saved_user.risk.static_level: + dashed_name: process-session-leader-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.parent.saved_user.risk.static_score: + dashed_name: process-session-leader-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.session_leader.parent.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.saved_user.roles: + dashed_name: process-session-leader-parent-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.args: + dashed_name: process-session-leader-parent-session-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.parent.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.session_leader.parent.session_leader.args_count: + dashed_name: process-session-leader-parent-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' 
+ example: 4 + flat_name: process.session_leader.parent.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long +process.session_leader.parent.session_leader.attested_groups.domain: + dashed_name: process-session-leader-parent-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.attested_groups.id: + dashed_name: process-session-leader-parent-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.attested_groups.name: + dashed_name: process-session-leader-parent-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.session_leader.attested_user.domain: + dashed_name: process-session-leader-parent-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.session_leader.attested_user.email: + dashed_name: process-session-leader-parent-session-leader-attested-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.session_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.parent.session_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. 
Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.session_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.parent.session_leader.attested_user.entity.id: + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). 
For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.parent.session_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.parent.session_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.session_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.parent.session_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.parent.session_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: process.session_leader.parent.session_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.parent.session_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.parent.session_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.parent.session_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.parent.session_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. 
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: process.session_leader.parent.session_leader.attested_user.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+process.session_leader.parent.session_leader.attested_user.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: process-session-leader-parent-session-leader-attested-user-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: process.session_leader.parent.session_leader.attested_user.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+process.session_leader.parent.session_leader.attested_user.full_name:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.session_leader.parent.session_leader.attested_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.session_leader.parent.session_leader.attested_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+process.session_leader.parent.session_leader.attested_user.group.domain:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.session_leader.parent.session_leader.attested_user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+process.session_leader.parent.session_leader.attested_user.group.id:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.session_leader.parent.session_leader.attested_user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+process.session_leader.parent.session_leader.attested_user.group.name:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-group-name
+ description: Name of the group.
+ flat_name: process.session_leader.parent.session_leader.attested_user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+process.session_leader.parent.session_leader.attested_user.hash:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.session_leader.parent.session_leader.attested_user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+process.session_leader.parent.session_leader.attested_user.id:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.session_leader.parent.session_leader.attested_user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+process.session_leader.parent.session_leader.attested_user.name:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.session_leader.parent.session_leader.attested_user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.session_leader.parent.session_leader.attested_user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+process.session_leader.parent.session_leader.attested_user.risk.calculated_level:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+process.session_leader.parent.session_leader.attested_user.risk.calculated_score:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+process.session_leader.parent.session_leader.attested_user.risk.static_level:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+process.session_leader.parent.session_leader.attested_user.risk.static_score:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+process.session_leader.parent.session_leader.attested_user.risk.static_score_norm:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+process.session_leader.parent.session_leader.attested_user.roles:
+ dashed_name: process-session-leader-parent-session-leader-attested-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.session_leader.parent.session_leader.attested_user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+process.session_leader.parent.session_leader.code_signature.digest_algorithm:
+ dashed_name: process-session-leader-parent-session-leader-code-signature-digest-algorithm
+ description: 'The hashing algorithm used to sign the process.
+
+ This value can distinguish signatures when a file is signed multiple times by
+ the same signer but with a different digest algorithm.'
+ example: sha256
+ flat_name: process.session_leader.parent.session_leader.code_signature.digest_algorithm
+ ignore_above: 1024
+ level: extended
+ name: digest_algorithm
+ normalize: []
+ original_fieldset: code_signature
+ short: Hashing algorithm used to sign the process.
+ type: keyword
+process.session_leader.parent.session_leader.code_signature.exists:
+ dashed_name: process-session-leader-parent-session-leader-code-signature-exists
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ flat_name: process.session_leader.parent.session_leader.code_signature.exists
+ level: core
+ name: exists
+ normalize: []
+ original_fieldset: code_signature
+ short: Boolean to capture if a signature is present.
+ type: boolean
+process.session_leader.parent.session_leader.code_signature.flags:
+ beta: This field is beta and subject to change.
+ dashed_name: process-session-leader-parent-session-leader-code-signature-flags
+ description: The flags used to sign the process.
+ example: 570522385
+ flat_name: process.session_leader.parent.session_leader.code_signature.flags
+ ignore_above: 1024
+ level: extended
+ name: flags
+ normalize: []
+ original_fieldset: code_signature
+ short: Code signing flags of the process
+ type: keyword
+process.session_leader.parent.session_leader.code_signature.signing_id:
+ dashed_name: process-session-leader-parent-session-leader-code-signature-signing-id
+ description: 'The identifier used to sign the process.
+
+ This is used to identify the application manufactured by a software vendor. The
+ field is relevant to Apple *OS only.'
+ example: com.apple.xpc.proxy
+ flat_name: process.session_leader.parent.session_leader.code_signature.signing_id
+ ignore_above: 1024
+ level: extended
+ name: signing_id
+ normalize: []
+ original_fieldset: code_signature
+ short: The identifier used to sign the process.
+ type: keyword
+process.session_leader.parent.session_leader.code_signature.status:
+ dashed_name: process-session-leader-parent-session-leader-code-signature-status
+ description: 'Additional information about the certificate status.
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status.
Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ flat_name: process.session_leader.parent.session_leader.code_signature.status
+ ignore_above: 1024
+ level: extended
+ name: status
+ normalize: []
+ original_fieldset: code_signature
+ short: Additional information about the certificate status.
+ type: keyword
+process.session_leader.parent.session_leader.code_signature.subject_name:
+ dashed_name: process-session-leader-parent-session-leader-code-signature-subject-name
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ flat_name: process.session_leader.parent.session_leader.code_signature.subject_name
+ ignore_above: 1024
+ level: core
+ name: subject_name
+ normalize: []
+ original_fieldset: code_signature
+ short: Subject name of the code signer
+ type: keyword
+process.session_leader.parent.session_leader.code_signature.team_id:
+ dashed_name: process-session-leader-parent-session-leader-code-signature-team-id
+ description: 'The team identifier used to sign the process.
+
+ This is used to identify the team or vendor of a software product. The field is
+ relevant to Apple *OS only.'
+ example: EQHXZ8M8AV
+ flat_name: process.session_leader.parent.session_leader.code_signature.team_id
+ ignore_above: 1024
+ level: extended
+ name: team_id
+ normalize: []
+ original_fieldset: code_signature
+ short: The team identifier used to sign the process.
+ type: keyword
+process.session_leader.parent.session_leader.code_signature.thumbprint_sha256:
+ beta: This field is beta and subject to change.
+ dashed_name: process-session-leader-parent-session-leader-code-signature-thumbprint-sha256
+ description: Certificate SHA256 hash that uniquely identifies the code signer.
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+ flat_name: process.session_leader.parent.session_leader.code_signature.thumbprint_sha256
+ ignore_above: 64
+ level: extended
+ name: thumbprint_sha256
+ normalize: []
+ original_fieldset: code_signature
+ pattern: ^[0-9a-f]{64}$
+ short: SHA256 hash of the certificate.
+ type: keyword
+process.session_leader.parent.session_leader.code_signature.timestamp:
+ dashed_name: process-session-leader-parent-session-leader-code-signature-timestamp
+ description: Date and time when the code signature was generated and signed.
+ example: '2021-01-01T12:10:30Z'
+ flat_name: process.session_leader.parent.session_leader.code_signature.timestamp
+ level: extended
+ name: timestamp
+ normalize: []
+ original_fieldset: code_signature
+ short: When the signature was generated and signed.
+ type: date
+process.session_leader.parent.session_leader.code_signature.trusted:
+ dashed_name: process-session-leader-parent-session-leader-code-signature-trusted
+ description: 'Stores the trust status of the certificate chain.
+
+ Validating the trust of the certificate chain may be complicated, and this field
+ should only be populated by tools that actively check the status.'
+ example: 'true'
+ flat_name: process.session_leader.parent.session_leader.code_signature.trusted
+ level: extended
+ name: trusted
+ normalize: []
+ original_fieldset: code_signature
+ short: Stores the trust status of the certificate chain.
+ type: boolean
+process.session_leader.parent.session_leader.code_signature.valid:
+ dashed_name: process-session-leader-parent-session-leader-code-signature-valid
+ description: 'Boolean to capture if the digital signature is verified against the
+ binary content.
+
+ Leave unpopulated if a certificate was unchecked.'
+ example: 'true'
+ flat_name: process.session_leader.parent.session_leader.code_signature.valid
+ level: extended
+ name: valid
+ normalize: []
+ original_fieldset: code_signature
+ short: Boolean to capture if the digital signature is verified against the binary
+ content.
+ type: boolean
+process.session_leader.parent.session_leader.command_line:
+ dashed_name: process-session-leader-parent-session-leader-command-line
+ description: 'Full command line that started the process, including the absolute
+ path to the executable, and all arguments.
+
+ Some arguments may be filtered to protect sensitive information.'
+ example: /usr/bin/ssh -l user 10.0.0.16
+ flat_name: process.session_leader.parent.session_leader.command_line
+ level: extended
+ multi_fields:
+ - flat_name: process.session_leader.parent.session_leader.command_line.text
+ name: text
+ type: match_only_text
+ name: command_line
+ normalize: []
+ original_fieldset: process
+ short: Full command line that started the process.
+ type: wildcard
+process.session_leader.parent.session_leader.elf.architecture:
+ dashed_name: process-session-leader-parent-session-leader-elf-architecture
+ description: Machine architecture of the ELF file.
+ example: x86-64
+ flat_name: process.session_leader.parent.session_leader.elf.architecture
+ ignore_above: 1024
+ level: extended
+ name: architecture
+ normalize: []
+ original_fieldset: elf
+ short: Machine architecture of the ELF file.
+ type: keyword
+process.session_leader.parent.session_leader.elf.byte_order:
+ dashed_name: process-session-leader-parent-session-leader-elf-byte-order
+ description: Byte sequence of ELF file.
+ example: Little Endian
+ flat_name: process.session_leader.parent.session_leader.elf.byte_order
+ ignore_above: 1024
+ level: extended
+ name: byte_order
+ normalize: []
+ original_fieldset: elf
+ short: Byte sequence of ELF file.
+ type: keyword
+process.session_leader.parent.session_leader.elf.cpu_type:
+ dashed_name: process-session-leader-parent-session-leader-elf-cpu-type
+ description: CPU type of the ELF file.
+ example: Intel
+ flat_name: process.session_leader.parent.session_leader.elf.cpu_type
+ ignore_above: 1024
+ level: extended
+ name: cpu_type
+ normalize: []
+ original_fieldset: elf
+ short: CPU type of the ELF file.
+ type: keyword
+process.session_leader.parent.session_leader.elf.creation_date:
+ dashed_name: process-session-leader-parent-session-leader-elf-creation-date
+ description: Extracted when possible from the file's metadata. Indicates when it
+ was built or compiled. It can also be faked by malware creators.
+ flat_name: process.session_leader.parent.session_leader.elf.creation_date
+ level: extended
+ name: creation_date
+ normalize: []
+ original_fieldset: elf
+ short: Build or compile date.
+ type: date
+process.session_leader.parent.session_leader.elf.exports:
+ dashed_name: process-session-leader-parent-session-leader-elf-exports
+ description: List of exported element names and types.
+ flat_name: process.session_leader.parent.session_leader.elf.exports
+ level: extended
+ name: exports
+ normalize:
+ - array
+ original_fieldset: elf
+ short: List of exported element names and types.
+ type: flattened
+process.session_leader.parent.session_leader.elf.go_import_hash:
+ dashed_name: process-session-leader-parent-session-leader-elf-go-import-hash
+ description: 'A hash of the Go language imports in an ELF file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would change
+ more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ flat_name: process.session_leader.parent.session_leader.elf.go_import_hash
+ ignore_above: 1024
+ level: extended
+ name: go_import_hash
+ normalize: []
+ original_fieldset: elf
+ short: A hash of the Go language imports in an ELF file.
+ type: keyword
+process.session_leader.parent.session_leader.elf.go_imports:
+ dashed_name: process-session-leader-parent-session-leader-elf-go-imports
+ description: List of imported Go language element names and types.
+ flat_name: process.session_leader.parent.session_leader.elf.go_imports
+ level: extended
+ name: go_imports
+ normalize: []
+ original_fieldset: elf
+ short: List of imported Go language element names and types.
+ type: flattened
+process.session_leader.parent.session_leader.elf.go_imports_names_entropy:
+ dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-entropy
+ description: Shannon entropy calculation from the list of Go imports.
+ flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_entropy
+ format: number
+ level: extended
+ name: go_imports_names_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Shannon entropy calculation from the list of Go imports.
+ type: long
+process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy:
+ dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy
+ format: number
+ level: extended
+ name: go_imports_names_var_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Variance for Shannon entropy calculation from the list of Go imports.
+ type: long
+process.session_leader.parent.session_leader.elf.go_stripped:
+ dashed_name: process-session-leader-parent-session-leader-elf-go-stripped
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ flat_name: process.session_leader.parent.session_leader.elf.go_stripped
+ level: extended
+ name: go_stripped
+ normalize: []
+ original_fieldset: elf
+ short: Whether the file is a stripped or obfuscated Go executable.
+ type: boolean
+process.session_leader.parent.session_leader.elf.header.abi_version:
+ dashed_name: process-session-leader-parent-session-leader-elf-header-abi-version
+ description: Version of the ELF Application Binary Interface (ABI).
+ flat_name: process.session_leader.parent.session_leader.elf.header.abi_version
+ ignore_above: 1024
+ level: extended
+ name: header.abi_version
+ normalize: []
+ original_fieldset: elf
+ short: Version of the ELF Application Binary Interface (ABI).
+ type: keyword
+process.session_leader.parent.session_leader.elf.header.class:
+ dashed_name: process-session-leader-parent-session-leader-elf-header-class
+ description: Header class of the ELF file.
+ flat_name: process.session_leader.parent.session_leader.elf.header.class
+ ignore_above: 1024
+ level: extended
+ name: header.class
+ normalize: []
+ original_fieldset: elf
+ short: Header class of the ELF file.
+ type: keyword
+process.session_leader.parent.session_leader.elf.header.data:
+ dashed_name: process-session-leader-parent-session-leader-elf-header-data
+ description: Data table of the ELF header.
+ flat_name: process.session_leader.parent.session_leader.elf.header.data
+ ignore_above: 1024
+ level: extended
+ name: header.data
+ normalize: []
+ original_fieldset: elf
+ short: Data table of the ELF header.
+ type: keyword
+process.session_leader.parent.session_leader.elf.header.entrypoint:
+ dashed_name: process-session-leader-parent-session-leader-elf-header-entrypoint
+ description: Header entrypoint of the ELF file.
+ flat_name: process.session_leader.parent.session_leader.elf.header.entrypoint
+ format: string
+ level: extended
+ name: header.entrypoint
+ normalize: []
+ original_fieldset: elf
+ short: Header entrypoint of the ELF file.
+ type: long
+process.session_leader.parent.session_leader.elf.header.object_version:
+ dashed_name: process-session-leader-parent-session-leader-elf-header-object-version
+ description: '"0x1" for original ELF files.'
+ flat_name: process.session_leader.parent.session_leader.elf.header.object_version
+ ignore_above: 1024
+ level: extended
+ name: header.object_version
+ normalize: []
+ original_fieldset: elf
+ short: '"0x1" for original ELF files.'
+ type: keyword
+process.session_leader.parent.session_leader.elf.header.os_abi:
+ dashed_name: process-session-leader-parent-session-leader-elf-header-os-abi
+ description: Application Binary Interface (ABI) of the Linux OS.
+ flat_name: process.session_leader.parent.session_leader.elf.header.os_abi
+ ignore_above: 1024
+ level: extended
+ name: header.os_abi
+ normalize: []
+ original_fieldset: elf
+ short: Application Binary Interface (ABI) of the Linux OS.
+ type: keyword
+process.session_leader.parent.session_leader.elf.header.type:
+ dashed_name: process-session-leader-parent-session-leader-elf-header-type
+ description: Header type of the ELF file.
+ flat_name: process.session_leader.parent.session_leader.elf.header.type
+ ignore_above: 1024
+ level: extended
+ name: header.type
+ normalize: []
+ original_fieldset: elf
+ short: Header type of the ELF file.
+ type: keyword
+process.session_leader.parent.session_leader.elf.header.version:
+ dashed_name: process-session-leader-parent-session-leader-elf-header-version
+ description: Version of the ELF header.
+ flat_name: process.session_leader.parent.session_leader.elf.header.version
+ ignore_above: 1024
+ level: extended
+ name: header.version
+ normalize: []
+ original_fieldset: elf
+ short: Version of the ELF header.
+ type: keyword
+process.session_leader.parent.session_leader.elf.import_hash:
+ dashed_name: process-session-leader-parent-session-leader-elf-import-hash
+ description: 'A hash of the imports in an ELF file. An import hash can be used to
+ fingerprint binaries even after recompilation or other code-level transformations
+ have occurred, which would change more traditional hash values.
+
+ This is an ELF implementation of the Windows PE imphash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ flat_name: process.session_leader.parent.session_leader.elf.import_hash
+ ignore_above: 1024
+ level: extended
+ name: import_hash
+ normalize: []
+ original_fieldset: elf
+ short: A hash of the imports in an ELF file.
+ type: keyword
+process.session_leader.parent.session_leader.elf.imports:
+ dashed_name: process-session-leader-parent-session-leader-elf-imports
+ description: List of imported element names and types.
+ flat_name: process.session_leader.parent.session_leader.elf.imports
+ level: extended
+ name: imports
+ normalize:
+ - array
+ original_fieldset: elf
+ short: List of imported element names and types.
+ type: flattened
+process.session_leader.parent.session_leader.elf.imports_names_entropy:
+ dashed_name: process-session-leader-parent-session-leader-elf-imports-names-entropy
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ flat_name: process.session_leader.parent.session_leader.elf.imports_names_entropy
+ format: number
+ level: extended
+ name: imports_names_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Shannon entropy calculation from the list of imported element names and types.
+ type: long
+process.session_leader.parent.session_leader.elf.imports_names_var_entropy:
+ dashed_name: process-session-leader-parent-session-leader-elf-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ flat_name: process.session_leader.parent.session_leader.elf.imports_names_var_entropy
+ format: number
+ level: extended
+ name: imports_names_var_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Variance for Shannon entropy calculation from the list of imported element
+ names and types.
+ type: long
+process.session_leader.parent.session_leader.elf.sections:
+ dashed_name: process-session-leader-parent-session-leader-elf-sections
+ description: 'An array containing an object for each section of the ELF file.
+
+ The keys that should be present in these objects are defined by sub-fields underneath
+ `elf.sections.*`.'
+ flat_name: process.session_leader.parent.session_leader.elf.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: elf
+ short: Section information of the ELF file.
+ type: nested
+process.session_leader.parent.session_leader.elf.sections.chi2:
+ dashed_name: process-session-leader-parent-session-leader-elf-sections-chi2
+ description: Chi-square probability distribution of the section.
+ flat_name: process.session_leader.parent.session_leader.elf.sections.chi2
+ format: number
+ level: extended
+ name: sections.chi2
+ normalize: []
+ original_fieldset: elf
+ short: Chi-square probability distribution of the section.
+ type: long
+process.session_leader.parent.session_leader.elf.sections.entropy:
+ dashed_name: process-session-leader-parent-session-leader-elf-sections-entropy
+ description: Shannon entropy calculation from the section.
+ flat_name: process.session_leader.parent.session_leader.elf.sections.entropy
+ format: number
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: elf
+ short: Shannon entropy calculation from the section.
+ type: long
+process.session_leader.parent.session_leader.elf.sections.flags:
+ dashed_name: process-session-leader-parent-session-leader-elf-sections-flags
+ description: ELF Section List flags.
+ flat_name: process.session_leader.parent.session_leader.elf.sections.flags
+ ignore_above: 1024
+ level: extended
+ name: sections.flags
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List flags.
+ type: keyword
+process.session_leader.parent.session_leader.elf.sections.name:
+ dashed_name: process-session-leader-parent-session-leader-elf-sections-name
+ description: ELF Section List name.
+ flat_name: process.session_leader.parent.session_leader.elf.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List name.
+ type: keyword
+process.session_leader.parent.session_leader.elf.sections.physical_offset:
+ dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-offset
+ description: ELF Section List offset.
+ flat_name: process.session_leader.parent.session_leader.elf.sections.physical_offset
+ ignore_above: 1024
+ level: extended
+ name: sections.physical_offset
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List offset.
+ type: keyword
+process.session_leader.parent.session_leader.elf.sections.physical_size:
+ dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-size
+ description: ELF Section List physical size.
+ flat_name: process.session_leader.parent.session_leader.elf.sections.physical_size
+ format: bytes
+ level: extended
+ name: sections.physical_size
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List physical size.
+ type: long +process.session_leader.parent.session_leader.elf.sections.type: + dashed_name: process-session-leader-parent-session-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.session_leader.parent.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.session_leader.parent.session_leader.elf.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.parent.session_leader.elf.sections.virtual_address: + dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.session_leader.parent.session_leader.elf.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. 
+ type: long +process.session_leader.parent.session_leader.elf.segments: + dashed_name: process-session-leader-parent-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.session_leader.parent.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.session_leader.parent.session_leader.elf.segments.sections: + dashed_name: process-session-leader-parent-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.session_leader.parent.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.session_leader.parent.session_leader.elf.segments.type: + dashed_name: process-session-leader-parent-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.session_leader.parent.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.session_leader.parent.session_leader.elf.shared_libraries: + dashed_name: process-session-leader-parent-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.session_leader.parent.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. 
+ type: keyword +process.session_leader.parent.session_leader.elf.telfhash: + dashed_name: process-session-leader-parent-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.session_leader.parent.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +process.session_leader.parent.session_leader.end: + dashed_name: process-session-leader-parent-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date +process.session_leader.parent.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.parent.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean +process.session_leader.parent.session_leader.entity_id: + dashed_name: process-session-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.address: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event will + sometimes list an IP, a domain or a unix socket. You should always store the + raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one it + is.' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.as.number: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +process.session_leader.parent.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.bytes: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long +process.session_leader.parent.session_leader.entry_meta.source.domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from enrichment.' + example: foo.example.com + flat_name: process.session_leader.parent.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. 
+ type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.location: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +process.session_leader.parent.session_leader.entry_meta.source.geo.name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. 
+ type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.ip: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.parent.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip +process.session_leader.parent.session_leader.entry_meta.source.mac: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) + is represented by two [uppercase] hexadecimal digits giving the value of the octet + as an unsigned integer. Successive octets are separated by a hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.nat.ip: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client to + internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip +process.session_leader.parent.session_leader.entry_meta.source.nat.port: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long +process.session_leader.parent.session_leader.entry_meta.source.packets: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long +process.session_leader.parent.session_leader.entry_meta.source.port: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.parent.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long +process.session_leader.parent.session_leader.entry_meta.source.registered_domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.session_leader.parent.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. 
+ type: keyword +process.session_leader.parent.session_leader.entry_meta.source.subdomain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.parent.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword +process.session_leader.parent.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.session_leader.parent.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword +process.session_leader.parent.session_leader.entry_meta.type: + dashed_name: process-session-leader-parent-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.parent.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword +process.session_leader.parent.session_leader.env_vars: + dashed_name: process-session-leader-parent-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.parent.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.executable: + dashed_name: process-session-leader-parent-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.parent.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword +process.session_leader.parent.session_leader.exit_code: + dashed_name: process-session-leader-parent-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.parent.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long +process.session_leader.parent.session_leader.group.domain: + dashed_name: process-session-leader-parent-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.group.id: + dashed_name: process-session-leader-parent-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.group.name: + dashed_name: process-session-leader-parent-session-leader-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.session_leader.hash.cdhash: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.parent.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword +process.session_leader.parent.session_leader.hash.md5: + dashed_name: process-session-leader-parent-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.session_leader.parent.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +process.session_leader.parent.session_leader.hash.sha1: + dashed_name: process-session-leader-parent-session-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +process.session_leader.parent.session_leader.hash.sha256: + dashed_name: process-session-leader-parent-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +process.session_leader.parent.session_leader.hash.sha384: + dashed_name: process-session-leader-parent-session-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. 
+ type: keyword +process.session_leader.parent.session_leader.hash.sha512: + dashed_name: process-session-leader-parent-session-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +process.session_leader.parent.session_leader.hash.ssdeep: + dashed_name: process-session-leader-parent-session-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.session_leader.parent.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +process.session_leader.parent.session_leader.hash.tlsh: + dashed_name: process-session-leader-parent-session-leader-hash-tlsh + description: TLSH hash. + flat_name: process.session_leader.parent.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword +process.session_leader.parent.session_leader.interactive: + dashed_name: process-session-leader-parent-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' 
+ example: true + flat_name: process.session_leader.parent.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.session_leader.parent.session_leader.io: + dashed_name: process-session-leader-parent-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.parent.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object +process.session_leader.parent.session_leader.io.bytes_skipped: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has been + skipped. + flat_name: process.session_leader.parent.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been skipped. + type: object +process.session_leader.parent.session_leader.io.bytes_skipped.length: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long +process.session_leader.parent.session_leader.io.bytes_skipped.offset: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) where + length bytes were skipped. + type: long +process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-parent-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean +process.session_leader.parent.session_leader.io.text: + dashed_name: process-session-leader-parent-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. Assumptions + should NOT be made that multiple lines will appear in the same event. TTY output + may contain terminal control codes such as for cursor movement, so some string + queries may not match due to terminal codes inserted between characters of a word.' + flat_name: process.session_leader.parent.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard +process.session_leader.parent.session_leader.io.total_bytes_captured: + dashed_name: process-session-leader-parent-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. 
+ flat_name: process.session_leader.parent.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long +process.session_leader.parent.session_leader.io.total_bytes_skipped: + dashed_name: process-session-leader-parent-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.parent.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation restrictions + such as buffer size limits. + type: long +process.session_leader.parent.session_leader.io.type: + dashed_name: process-session-leader-parent-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was taken. + + Currently only ''tty'' is supported. Other types may be added in the future for + ''file'' and ''socket'' support.' + flat_name: process.session_leader.parent.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword +process.session_leader.parent.session_leader.macho.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.session_leader.parent.session_leader.macho.go_imports: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.session_leader.parent.session_leader.macho.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long +process.session_leader.parent.session_leader.macho.go_stripped: + dashed_name: process-session-leader-parent-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.parent.session_leader.macho.import_hash: + dashed_name: process-session-leader-parent-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.session_leader.parent.session_leader.macho.imports: + dashed_name: process-session-leader-parent-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened +process.session_leader.parent.session_leader.macho.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.session_leader.parent.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.parent.session_leader.macho.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.parent.session_leader.macho.sections: + dashed_name: process-session-leader-parent-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields underneath + `macho.sections.*`.' + flat_name: process.session_leader.parent.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested +process.session_leader.parent.session_leader.macho.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. 
+ type: long +process.session_leader.parent.session_leader.macho.sections.name: + dashed_name: process-session-leader-parent-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.session_leader.parent.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword +process.session_leader.parent.session_leader.macho.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.parent.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long +process.session_leader.parent.session_leader.macho.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.parent.session_leader.macho.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ type: long +process.session_leader.parent.session_leader.macho.symhash: + dashed_name: process-session-leader-parent-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.parent.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword +process.session_leader.parent.session_leader.name: + dashed_name: process-session-leader-parent-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.parent.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword +process.session_leader.parent.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.session_leader.parent.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.session_leader.parent.session_leader.origin_url: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.parent.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword +process.session_leader.parent.session_leader.pe.architecture: + dashed_name: process-session-leader-parent-session-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.session_leader.parent.session_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +process.session_leader.parent.session_leader.pe.company: + dashed_name: process-session-leader-parent-session-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.session_leader.parent.session_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.session_leader.parent.session_leader.pe.description: + dashed_name: process-session-leader-parent-session-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.session_leader.parent.session_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
+ type: keyword +process.session_leader.parent.session_leader.pe.file_version: + dashed_name: process-session-leader-parent-session-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.session_leader.parent.session_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.session_leader.parent.session_leader.pe.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.session_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.session_leader.parent.session_leader.pe.go_imports: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.session_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. 
+ type: flattened +process.session_leader.parent.session_leader.pe.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.parent.session_leader.pe.go_stripped: + dashed_name: process-session-leader-parent-session-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.session_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.parent.session_leader.pe.imphash: + dashed_name: process-session-leader-parent-session-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.session_leader.parent.session_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.session_leader.parent.session_leader.pe.import_hash: + dashed_name: process-session-leader-parent-session-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.session_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.session_leader.parent.session_leader.pe.imports: + dashed_name: process-session-leader-parent-session-leader-pe-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.session_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.session_leader.parent.session_leader.pe.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.session_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. 
+ type: long +process.session_leader.parent.session_leader.pe.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.session_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.parent.session_leader.pe.original_file_name: + dashed_name: process-session-leader-parent-session-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.session_leader.parent.session_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.session_leader.parent.session_leader.pe.pehash: + dashed_name: process-session-leader-parent-session-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.session_leader.parent.session_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. 
+ type: keyword +process.session_leader.parent.session_leader.pe.product: + dashed_name: process-session-leader-parent-session-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.session_leader.parent.session_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.session_leader.parent.session_leader.pe.sections: + dashed_name: process-session-leader-parent-session-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.session_leader.parent.session_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.session_leader.parent.session_leader.pe.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.session_leader.parent.session_leader.pe.sections.name: + dashed_name: process-session-leader-parent-session-leader-pe-sections-name + description: PE Section List name. + flat_name: process.session_leader.parent.session_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword +process.session_leader.parent.session_leader.pe.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.session_leader.parent.session_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.session_leader.parent.session_leader.pe.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.parent.session_leader.pe.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.session_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.session_leader.parent.session_leader.pid: + dashed_name: process-session-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.session_leader.parent.session_leader.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. + flat_name: process.session_leader.parent.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.session_leader.parent.session_leader.real_group.domain: + dashed_name: process-session-leader-parent-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.real_group.id: + dashed_name: process-session-leader-parent-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.real_group.name: + dashed_name: process-session-leader-parent-session-leader-real-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword +process.session_leader.parent.session_leader.real_user.domain: + dashed_name: process-session-leader-parent-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.session_leader.real_user.email: + dashed_name: process-session-leader-parent-session-leader-real-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.session_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.parent.session_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.session_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.parent.session_leader.real_user.entity.id: + dashed_name: process-session-leader-parent-session-leader-real-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.parent.session_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.parent.session_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.session_leader.parent.session_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.session_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.parent.session_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.parent.session_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.parent.session_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.parent.session_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.parent.session_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.parent.session_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.parent.session_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.parent.session_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.session_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.parent.session_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.parent.session_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.parent.session_leader.real_user.full_name: + dashed_name: process-session-leader-parent-session-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.session_leader.real_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.session_leader.parent.session_leader.real_user.group.id: + dashed_name: process-session-leader-parent-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.real_user.group.name: + dashed_name: process-session-leader-parent-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.session_leader.real_user.hash: + dashed_name: process-session-leader-parent-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.session_leader.real_user.id: + dashed_name: process-session-leader-parent-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword +process.session_leader.parent.session_leader.real_user.name: + dashed_name: process-session-leader-parent-session-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.parent.session_leader.real_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.parent.session_leader.real_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. 
+ type: float +process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.session_leader.real_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.parent.session_leader.real_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. 
+ type: float +process.session_leader.parent.session_leader.real_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.session_leader.real_user.roles: + dashed_name: process-session-leader-parent-session-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.same_as_process: + dashed_name: process-session-leader-parent-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. 
e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.parent.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.session_leader.parent.session_leader.saved_group.domain: + dashed_name: process-session-leader-parent-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.saved_group.id: + dashed_name: process-session-leader-parent-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.saved_group.name: + dashed_name: process-session-leader-parent-session-leader-saved-group-name + description: Name of the group. 
+ flat_name: process.session_leader.parent.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.session_leader.saved_user.domain: + dashed_name: process-session-leader-parent-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.session_leader.saved_user.email: + dashed_name: process-session-leader-parent-session-leader-saved-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.session_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. 
+ type: object +process.session_leader.parent.session_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.session_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. 
+ type: keyword +process.session_leader.parent.session_leader.saved_user.entity.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.parent.session_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.parent.session_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.session_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.parent.session_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.parent.session_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.parent.session_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.parent.session_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.parent.session_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. 
+ type: keyword +process.session_leader.parent.session_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.session_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.parent.session_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. 
+ name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. 
+ name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.parent.session_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.parent.session_leader.saved_user.full_name: + dashed_name: process-session-leader-parent-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.session_leader.saved_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.session_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.saved_user.group.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.saved_user.group.name: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.session_leader.saved_user.hash: + dashed_name: process-session-leader-parent-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.session_leader.saved_user.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.parent.session_leader.saved_user.name: + dashed_name: process-session-leader-parent-session-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.parent.session_leader.saved_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.parent.session_leader.saved_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.session_leader.saved_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.parent.session_leader.saved_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.parent.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.parent.session_leader.saved_user.roles: + dashed_name: process-session-leader-parent-session-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.start: + dashed_name: process-session-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.session_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. 
+ type: date +process.session_leader.parent.session_leader.supplemental_groups.domain: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.supplemental_groups.id: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.session_leader.supplemental_groups.name: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.session_leader.thread.capabilities.effective: + dashed_name: process-session-leader-parent-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.parent.session_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.thread.capabilities.permitted: + dashed_name: process-session-leader-parent-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.parent.session_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.thread.id: + dashed_name: process-session-leader-parent-session-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.session_leader.parent.session_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.session_leader.parent.session_leader.thread.name: + dashed_name: process-session-leader-parent-session-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.session_leader.parent.session_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.session_leader.parent.session_leader.title: + dashed_name: process-session-leader-parent-session-leader-title + description: 'Process title. 
+ + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.session_leader.parent.session_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.session_leader.parent.session_leader.tty: + dashed_name: process-session-leader-parent-session-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.session_leader.parent.session_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.session_leader.parent.session_leader.tty.char_device.major: + dashed_name: process-session-leader-parent-session-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.session_leader.parent.session_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.session_leader.parent.session_leader.tty.char_device.minor: + dashed_name: process-session-leader-parent-session-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. 
It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.session_leader.parent.session_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.session_leader.parent.session_leader.tty.columns: + dashed_name: process-session-leader-parent-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.parent.session_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.session_leader.parent.session_leader.tty.rows: + dashed_name: process-session-leader-parent-session-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.parent.session_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.session_leader.parent.session_leader.uptime: + dashed_name: process-session-leader-parent-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.session_leader.parent.session_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. 
+ type: long +process.session_leader.parent.session_leader.user.domain: + dashed_name: process-session-leader-parent-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.session_leader.user.email: + dashed_name: process-session-leader-parent-session-leader-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.session_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.parent.session_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. 
Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.session_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.session_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.parent.session_leader.user.entity.id: + dashed_name: process-session-leader-parent-session-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). 
For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.parent.session_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.parent.session_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.session_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.parent.session_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.session_leader.user.entity.metrics: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.parent.session_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.parent.session_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.parent.session_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.parent.session_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object +process.session_leader.parent.session_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.parent.session_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.parent.session_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.parent.session_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.session_leader.parent.session_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.parent.session_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.parent.session_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.parent.session_leader.user.full_name: + dashed_name: process-session-leader-parent-session-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.session_leader.user.group.domain: + dashed_name: process-session-leader-parent-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.session_leader.user.group.id: + dashed_name: process-session-leader-parent-session-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +process.session_leader.parent.session_leader.user.group.name: + dashed_name: process-session-leader-parent-session-leader-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.session_leader.user.hash: + dashed_name: process-session-leader-parent-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.session_leader.user.id: + dashed_name: process-session-leader-parent-session-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.parent.session_leader.user.name: + dashed_name: process-session-leader-parent-session-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword +process.session_leader.parent.session_leader.user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.parent.session_leader.user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.parent.session_leader.user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.session_leader.parent.session_leader.user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.parent.session_leader.user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.parent.session_leader.user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float +process.session_leader.parent.session_leader.user.roles: + dashed_name: process-session-leader-parent-session-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.session_leader.parent.session_leader.working_directory: + dashed_name: process-session-leader-parent-session-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.session_leader.parent.session_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.session_leader.parent.start: + dashed_name: process-session-leader-parent-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.session_leader.parent.supplemental_groups.domain: + dashed_name: process-session-leader-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.supplemental_groups.id: + dashed_name: process-session-leader-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.supplemental_groups.name: + dashed_name: process-session-leader-parent-supplemental-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.thread.capabilities.effective: + dashed_name: process-session-leader-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.thread.capabilities.permitted: + dashed_name: process-session-leader-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.thread.id: + dashed_name: process-session-leader-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.session_leader.parent.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long +process.session_leader.parent.thread.name: + dashed_name: process-session-leader-parent-thread-name + description: Thread name. + example: thread-0 + flat_name: process.session_leader.parent.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.session_leader.parent.title: + dashed_name: process-session-leader-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' 
+ flat_name: process.session_leader.parent.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword +process.session_leader.parent.tty: + dashed_name: process-session-leader-parent-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.session_leader.parent.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.session_leader.parent.tty.char_device.major: + dashed_name: process-session-leader-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.session_leader.parent.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long +process.session_leader.parent.tty.char_device.minor: + dashed_name: process-session-leader-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. 
+ example: 1 + flat_name: process.session_leader.parent.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.session_leader.parent.tty.columns: + dashed_name: process-session-leader-parent-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.parent.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long +process.session_leader.parent.tty.rows: + dashed_name: process-session-leader-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.parent.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long +process.session_leader.parent.uptime: + dashed_name: process-session-leader-parent-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.session_leader.parent.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long +process.session_leader.parent.user.domain: + dashed_name: process-session-leader-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.parent.user.email: + dashed_name: process-session-leader-parent-user-email + description: User email address. + flat_name: process.session_leader.parent.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.parent.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.parent.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.parent.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.session_leader.parent.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.parent.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.parent.user.entity.id: + dashed_name: process-session-leader-parent-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.parent.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword +process.session_leader.parent.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.parent.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.parent.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.parent.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.parent.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-name + description: The name of the entity. 
The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.parent.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.parent.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.parent.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.parent.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.parent.user.entity.source: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.parent.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.parent.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.parent.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. 
+ name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. 
+ name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.parent.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.parent.user.full_name: + dashed_name: process-session-leader-parent-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.parent.user.group.domain: + dashed_name: process-session-leader-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.parent.user.group.id: + dashed_name: process-session-leader-parent-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.parent.user.group.name: + dashed_name: process-session-leader-parent-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.parent.user.hash: + dashed_name: process-session-leader-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.parent.user.id: + dashed_name: process-session-leader-parent-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword +process.session_leader.parent.user.name: + dashed_name: process-session-leader-parent-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.parent.user.risk.calculated_level: + dashed_name: process-session-leader-parent-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.parent.user.risk.calculated_score: + dashed_name: process-session-leader-parent-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.parent.user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: process.session_leader.parent.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.parent.user.risk.static_level: + dashed_name: process-session-leader-parent-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.parent.user.risk.static_score: + dashed_name: process-session-leader-parent-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.parent.user.risk.static_score_norm: + dashed_name: process-session-leader-parent-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float +process.session_leader.parent.user.roles: + dashed_name: process-session-leader-parent-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.parent.vpid: + dashed_name: process-session-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.session_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.session_leader.parent.working_directory: + dashed_name: process-session-leader-parent-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.session_leader.parent.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword +process.session_leader.pe.architecture: + dashed_name: process-session-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.session_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. 
+ type: keyword +process.session_leader.pe.company: + dashed_name: process-session-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.session_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.session_leader.pe.description: + dashed_name: process-session-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.session_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.session_leader.pe.file_version: + dashed_name: process-session-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.session_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +process.session_leader.pe.go_import_hash: + dashed_name: process-session-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword +process.session_leader.pe.go_imports: + dashed_name: process-session-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.session_leader.pe.go_imports_names_entropy: + dashed_name: process-session-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.session_leader.pe.go_stripped: + dashed_name: process-session-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.session_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.session_leader.pe.imphash: + dashed_name: process-session-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.session_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.session_leader.pe.import_hash: + dashed_name: process-session-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.session_leader.pe.imports: + dashed_name: process-session-leader-pe-imports + description: List of imported element names and types. + flat_name: process.session_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. 
+ type: flattened +process.session_leader.pe.imports_names_entropy: + dashed_name: process-session-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.session_leader.pe.imports_names_var_entropy: + dashed_name: process-session-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.session_leader.pe.original_file_name: + dashed_name: process-session-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.session_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.session_leader.pe.pehash: + dashed_name: process-session-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.session_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.session_leader.pe.product: + dashed_name: process-session-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.session_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.session_leader.pe.sections: + dashed_name: process-session-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.session_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.session_leader.pe.sections.entropy: + dashed_name: process-session-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.session_leader.pe.sections.name: + dashed_name: process-session-leader-pe-sections-name + description: PE Section List name. + flat_name: process.session_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword +process.session_leader.pe.sections.physical_size: + dashed_name: process-session-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.session_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long +process.session_leader.pe.sections.var_entropy: + dashed_name: process-session-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.session_leader.pe.sections.virtual_size: + dashed_name: process-session-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.session_leader.pid: + dashed_name: process-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + otel: + - relation: match + stability: development + short: Process id. + type: long +process.session_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as platform + binaries, this value is then set to true. 
+ flat_name: process.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary shipped + with the operating system. + type: boolean +process.session_leader.real_group.domain: + dashed_name: process-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.real_group.id: + dashed_name: process-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.real_group.name: + dashed_name: process-session-leader-real-group-name + description: Name of the group. + flat_name: process.session_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.real_user.domain: + dashed_name: process-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.session_leader.real_user.email: + dashed_name: process-session-leader-real-user-email + description: User email address. 
+ flat_name: process.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.session_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.real_user.entity.id: + dashed_name: process-session-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. 
+ flat_name: process.session_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.session_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). 
+ flat_name: process.session_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. 
+ Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. 
Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.real_user.full_name: + dashed_name: process-session-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.session_leader.real_user.group.domain: + dashed_name: process-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword +process.session_leader.real_user.group.id: + dashed_name: process-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.real_user.group.name: + dashed_name: process-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.real_user.hash: + dashed_name: process-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.real_user.id: + dashed_name: process-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.real_user.name: + dashed_name: process-session-leader-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.session_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword +process.session_leader.real_user.risk.calculated_level: + dashed_name: process-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.session_leader.real_user.risk.calculated_score: + dashed_name: process-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. 
+ example: 88.73 + flat_name: process.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.real_user.risk.static_level: + dashed_name: process-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.real_user.risk.static_score: + dashed_name: process-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.real_user.risk.static_score_norm: + dashed_name: process-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float +process.session_leader.real_user.roles: + dashed_name: process-session-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword +process.session_leader.same_as_process: + dashed_name: process-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. 
+ type: boolean +process.session_leader.saved_group.domain: + dashed_name: process-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.saved_group.id: + dashed_name: process-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.session_leader.saved_group.name: + dashed_name: process-session-leader-saved-group-name + description: Name of the group. + flat_name: process.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. + original_fieldset: group + short: Name of the group. type: keyword -process.pe.pehash: - dashed_name: process-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. +process.session_leader.saved_user.domain: + dashed_name: process-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.pe.pehash + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.saved_user.domain ignore_above: 1024 level: extended - name: pehash + name: domain normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. + original_fieldset: user + short: Name of the directory the user is a member of. type: keyword -process.pe.product: - dashed_name: process-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.pe.product +process.session_leader.saved_user.email: + dashed_name: process-session-leader-saved-user-email + description: User email address. + flat_name: process.session_leader.saved_user.email ignore_above: 1024 level: extended - name: product + name: email normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. + original_fieldset: user + short: User email address. type: keyword -process.pe.sections: - dashed_name: process-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.pe.sections +process.session_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.saved_user.entity.attributes level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. 
- type: nested -process.pe.sections.entropy: - dashed_name: process-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.pe.sections.entropy - format: number + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: process.session_leader.saved_user.entity.behavior level: extended - name: sections.entropy + name: behavior normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.pe.sections.name: - dashed_name: process-pe-sections-name - description: PE Section List name. - flat_name: process.pe.sections.name + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.session_leader.saved_user.entity.display_name ignore_above: 1024 level: extended - name: sections.name + multi_fields: + - flat_name: process.session_leader.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name normalize: [] - original_fieldset: pe - short: PE Section List name. + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. type: keyword -process.pe.sections.physical_size: - dashed_name: process-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.pe.sections.physical_size - format: bytes +process.session_leader.saved_user.entity.id: + dashed_name: process-session-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.session_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. 
+ flat_name: process.session_leader.saved_user.entity.last_seen_timestamp level: extended - name: sections.physical_size + name: last_seen_timestamp normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.pe.sections.var_entropy: - dashed_name: process-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.pe.sections.var_entropy - format: number + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.saved_user.entity.lifecycle level: extended - name: sections.var_entropy + name: lifecycle normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.pe.sections.virtual_size: - dashed_name: process-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.pe.sections.virtual_size - format: string + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. 
+ flat_name: process.session_leader.saved_user.entity.metrics level: extended - name: sections.virtual_size + name: metrics normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.pid: - dashed_name: process-pid - description: Process id. - example: 4242 - flat_name: process.pid - format: string + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.session_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.saved_user.entity.name + ignore_above: 1024 level: core - name: pid + multi_fields: + - flat_name: process.session_leader.saved_user.entity.name.text + name: text + norms: false + type: text + name: name normalize: [] - otel: - - relation: match - stability: development - short: Process id. - type: long -process.previous.args: - dashed_name: process-previous-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.previous.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. + original_fieldset: entity + short: The name of the entity. type: keyword -process.previous.args_count: - dashed_name: process-previous-args-count - description: 'Length of the process.args array. 
- - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.previous.args_count +process.session_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.saved_user.entity.raw level: extended - name: args_count + name: raw normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.previous.executable: - dashed_name: process-previous-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.previous.executable + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.saved_user.entity.reference ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.previous.executable.text - name: text - type: match_only_text - name: executable + name: reference normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
+ original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. type: keyword -process.real_group.id: - dashed_name: process-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.real_group.id +process.session_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.saved_user.entity.source ignore_above: 1024 - level: extended - name: id + level: core + name: source normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: entity + short: Source module or integration that provided the entity data. type: keyword -process.real_group.name: - dashed_name: process-real-group-name - description: Name of the group. - flat_name: process.real_group.name +process.session_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.saved_user.entity.sub_type ignore_above: 1024 level: extended - name: name + name: sub_type normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. 
type: keyword -process.real_user.id: - dashed_name: process-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.real_user.id +process.session_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. 
This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: process.session_leader.saved_user.entity.type ignore_above: 1024 level: core - name: id - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Unique identifier of the user. + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. type: keyword -process.real_user.name: - dashed_name: process-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.real_user.name +process.session_leader.saved_user.full_name: + dashed_name: process-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.saved_user.full_name ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.real_user.name.text + - flat_name: process.session_leader.saved_user.full_name.text name: text type: match_only_text - name: name + name: full_name normalize: [] original_fieldset: user - otel: - - relation: match - stability: development - short: Short name or login of the user. + short: User's full name, if available. type: keyword -process.saved_group.id: - dashed_name: process-saved-group-id +process.session_leader.saved_user.group.domain: + dashed_name: process-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.saved_user.group.id: + dashed_name: process-session-leader-saved-user-group-id description: Unique identifier for the group on the system/platform. 
- flat_name: process.saved_group.id + flat_name: process.session_leader.saved_user.group.id ignore_above: 1024 level: extended name: id @@ -13394,10 +58271,10 @@ process.saved_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.saved_group.name: - dashed_name: process-saved-group-name +process.session_leader.saved_user.group.name: + dashed_name: process-session-leader-saved-user-group-name description: Name of the group. - flat_name: process.saved_group.name + flat_name: process.session_leader.saved_user.group.name ignore_above: 1024 level: extended name: name 
@@ -13405,129 +58282,171 @@ process.saved_group.name: original_fieldset: group short: Name of the group. type: keyword -process.saved_user.id: - dashed_name: process-saved-user-id +process.session_leader.saved_user.hash: + dashed_name: process-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.saved_user.id: + dashed_name: process-session-leader-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.saved_user.id + flat_name: process.session_leader.saved_user.id ignore_above: 1024 level: core name: id normalize: [] original_fieldset: user - otel: - - relation: match - stability: development short: Unique identifier of the user. type: keyword -process.saved_user.name: - dashed_name: process-saved-user-name +process.session_leader.saved_user.name: + dashed_name: process-session-leader-saved-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.saved_user.name + flat_name: process.session_leader.saved_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.saved_user.name.text + - flat_name: process.session_leader.saved_user.name.text name: text type: match_only_text name: name normalize: [] original_fieldset: user - otel: - - relation: match - stability: development short: Short name or login of the user. type: keyword -process.session_leader.args: - dashed_name: process-session-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. 
- - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.args +process.session_leader.saved_user.risk.calculated_level: + dashed_name: process-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.saved_user.risk.calculated_level ignore_above: 1024 level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. type: keyword -process.session_leader.args_count: - dashed_name: process-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.session_leader.args_count +process.session_leader.saved_user.risk.calculated_score: + dashed_name: process-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.saved_user.risk.calculated_score level: extended - name: args_count + name: calculated_score normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.session_leader.command_line: - dashed_name: process-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. 
- - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.command_line + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.saved_user.risk.calculated_score_norm level: extended - multi_fields: - - flat_name: process.session_leader.command_line.text - name: text - type: match_only_text - name: command_line + name: calculated_score_norm normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.session_leader.entity_id: - dashed_name: process-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.entity_id + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.session_leader.saved_user.risk.static_level: + dashed_name: process-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.session_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.saved_user.risk.static_score: + dashed_name: process-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.saved_user.roles: + dashed_name: process-session-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.saved_user.roles ignore_above: 1024 level: extended - name: entity_id + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword +process.session_leader.start: + dashed_name: process-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.start + level: extended + name: start normalize: [] original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.session_leader.executable: - dashed_name: process-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.executable + short: The time the process started. + type: date +process.session_leader.supplemental_groups.domain: + dashed_name: process-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.supplemental_groups.domain ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.executable.text - name: text - type: match_only_text - name: executable + name: domain normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword -process.session_leader.group.id: - dashed_name: process-session-leader-group-id +process.session_leader.supplemental_groups.id: + dashed_name: process-session-leader-supplemental-groups-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.group.id + flat_name: process.session_leader.supplemental_groups.id ignore_above: 1024 level: extended name: id 
@@ -13535,10 +58454,10 @@ process.session_leader.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.group.name: - dashed_name: process-session-leader-group-name +process.session_leader.supplemental_groups.name: + dashed_name: process-session-leader-supplemental-groups-name description: Name of the group. - flat_name: process.session_leader.group.name + flat_name: process.session_leader.supplemental_groups.name ignore_above: 1024 level: extended name: name 
@@ -13546,262 +58465,465 @@ process.session_leader.group.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.interactive: - dashed_name: process-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.session_leader.name: - dashed_name: process-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.name +process.session_leader.thread.capabilities.effective: + dashed_name: process-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.thread.capabilities.effective ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] + name: thread.capabilities.effective + normalize: + - array original_fieldset: process - short: Process name. + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. 
+ synthetic_source_keep: none type: keyword -process.session_leader.parent.entity_id: - dashed_name: process-session-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.entity_id +process.session_leader.thread.capabilities.permitted: + dashed_name: process-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.thread.capabilities.permitted ignore_above: 1024 level: extended - name: entity_id - normalize: [] + name: thread.capabilities.permitted + normalize: + - array original_fieldset: process - short: Unique identifier for the process. + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none type: keyword -process.session_leader.parent.pid: - dashed_name: process-session-leader-parent-pid - description: Process id. +process.session_leader.thread.id: + dashed_name: process-session-leader-thread-id + description: Thread ID. example: 4242 - flat_name: process.session_leader.parent.pid + flat_name: process.session_leader.thread.id format: string - level: core - name: pid + level: extended + name: thread.id normalize: [] original_fieldset: process - short: Process id. + short: Thread ID. 
type: long -process.session_leader.parent.session_leader.entity_id: - dashed_name: process-session-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. +process.session_leader.thread.name: + dashed_name: process-session-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.session_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword +process.session_leader.title: + dashed_name: process-session-leader-title + description: 'Process title. - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.session_leader.entity_id + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.session_leader.title ignore_above: 1024 level: extended - name: entity_id + multi_fields: + - flat_name: process.session_leader.title.text + name: text + type: match_only_text + name: title normalize: [] original_fieldset: process - short: Unique identifier for the process. + short: Process title. type: keyword -process.session_leader.parent.session_leader.pid: - dashed_name: process-session-leader-parent-session-leader-pid - description: Process id. 
- example: 4242 - flat_name: process.session_leader.parent.session_leader.pid - format: string - level: core - name: pid +process.session_leader.tty: + dashed_name: process-session-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.session_leader.tty + level: extended + name: tty normalize: [] original_fieldset: process - short: Process id. - type: long -process.session_leader.parent.session_leader.start: - dashed_name: process-session-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.start + short: Information about the controlling TTY device. + type: object +process.session_leader.tty.char_device.major: + dashed_name: process-session-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.session_leader.tty.char_device.major level: extended - name: start + name: tty.char_device.major normalize: [] original_fieldset: process - short: The time the process started. - type: date -process.session_leader.parent.session_leader.vpid: - dashed_name: process-session-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.session_leader.parent.session_leader.vpid - format: string - level: core - name: vpid + short: The TTY character device's major number. 
+ type: long +process.session_leader.tty.char_device.minor: + dashed_name: process-session-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.session_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor normalize: [] original_fieldset: process - short: Virtual process id. + short: The TTY character device's minor number. type: long -process.session_leader.parent.start: - dashed_name: process-session-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.start +process.session_leader.tty.columns: + dashed_name: process-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.tty.columns level: extended - name: start + name: tty.columns normalize: [] original_fieldset: process - short: The time the process started. - type: date -process.session_leader.parent.vpid: - dashed_name: process-session-leader-parent-vpid - description: 'Virtual process id. + short: The number of character columns per line. e.g terminal width + type: long +process.session_leader.tty.rows: + dashed_name: process-session-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' 
- example: 4242 - flat_name: process.session_leader.parent.vpid - format: string - level: core - name: vpid + Terminal sizes can change, so this value reflects the maximum value for a given + IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.tty.rows + level: extended + name: tty.rows normalize: [] original_fieldset: process - short: Virtual process id. + short: The number of character rows in the terminal. e.g terminal height type: long -process.session_leader.pid: - dashed_name: process-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.pid - format: string - level: core - name: pid +process.session_leader.uptime: + dashed_name: process-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.session_leader.uptime + level: extended + name: uptime normalize: [] original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. + short: Seconds the process has been up. type: long -process.session_leader.real_group.id: - dashed_name: process-session-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_group.id +process.session_leader.user.domain: + dashed_name: process-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.user.domain ignore_above: 1024 level: extended - name: id + name: domain normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: user + short: Name of the directory the user is a member of. type: keyword -process.session_leader.real_group.name: - dashed_name: process-session-leader-real-group-name - description: Name of the group. 
- flat_name: process.session_leader.real_group.name +process.session_leader.user.email: + dashed_name: process-session-leader-user-email + description: User email address. + flat_name: process.session_leader.user.email ignore_above: 1024 level: extended - name: name + name: email normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: user + short: User email address. type: keyword -process.session_leader.real_user.id: - dashed_name: process-session-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.real_user.id +process.session_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.session_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.session_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.session_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.session_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.session_leader.user.entity.id: + dashed_name: process-session-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.session_leader.user.entity.id ignore_above: 1024 level: core name: id normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: entity + short: Unique identifier for the entity. 
type: keyword -process.session_leader.real_user.name: - dashed_name: process-session-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.real_user.name +process.session_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.session_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.session_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.session_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object +process.session_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: process.session_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.session_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.session_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.session_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.session_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.session_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.session_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.session_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.session_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.user.entity.type ignore_above: 1024 level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.session_leader.user.full_name: + dashed_name: process-session-leader-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.session_leader.user.full_name + ignore_above: 1024 + level: extended multi_fields: - - flat_name: process.session_leader.real_user.name.text + - flat_name: process.session_leader.user.full_name.text name: text type: match_only_text - name: name + name: full_name normalize: [] original_fieldset: user - short: Short name or login of the user. + short: User's full name, if available. type: keyword -process.session_leader.same_as_process: - dashed_name: process-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` +process.session_leader.user.group.domain: + dashed_name: process-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.same_as_process + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.user.group.domain + ignore_above: 1024 level: extended - name: same_as_process + name: domain normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.session_leader.saved_group.id: - dashed_name: process-session-leader-saved-group-id + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.session_leader.user.group.id: + dashed_name: process-session-leader-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.saved_group.id + flat_name: process.session_leader.user.group.id ignore_above: 1024 level: extended name: id @@ -13809,10 +58931,10 @@ process.session_leader.saved_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.saved_group.name: - dashed_name: process-session-leader-saved-group-name +process.session_leader.user.group.name: + dashed_name: process-session-leader-user-group-name description: Name of the group. - flat_name: process.session_leader.saved_group.name + flat_name: process.session_leader.user.group.name ignore_above: 1024 level: extended name: name 
@@ -13820,11 +58942,26 @@ process.session_leader.saved_group.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.saved_user.id: - dashed_name: process-session-leader-saved-user-id +process.session_leader.user.hash: + dashed_name: process-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +process.session_leader.user.id: + dashed_name: process-session-leader-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.saved_user.id + flat_name: process.session_leader.user.id ignore_above: 1024 level: core name: id @@ -13832,15 +58969,15 @@ process.session_leader.saved_user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.session_leader.saved_user.name: - dashed_name: process-session-leader-saved-user-name +process.session_leader.user.name: + dashed_name: process-session-leader-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.saved_user.name + flat_name: process.session_leader.user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.saved_user.name.text + - flat_name: process.session_leader.user.name.text name: text type: match_only_text name: name 
@@ -13848,105 +58985,99 @@ process.session_leader.saved_user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.session_leader.start: - dashed_name: process-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.session_leader.supplemental_groups.id: - dashed_name: process-session-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.supplemental_groups.id +process.session_leader.user.risk.calculated_level: + dashed_name: process-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.user.risk.calculated_level ignore_above: 1024 level: extended - name: id + name: calculated_level normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. type: keyword -process.session_leader.supplemental_groups.name: - dashed_name: process-session-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.session_leader.supplemental_groups.name - ignore_above: 1024 +process.session_leader.user.risk.calculated_score: + dashed_name: process-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.session_leader.user.risk.calculated_score level: extended - name: name + name: calculated_score normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.tty: - dashed_name: process-session-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.session_leader.tty + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.session_leader.user.risk.calculated_score_norm: + dashed_name: process-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.session_leader.user.risk.calculated_score_norm level: extended - name: tty + name: calculated_score_norm normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.session_leader.tty.char_device.major: - dashed_name: process-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.session_leader.tty.char_device.major + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float +process.session_leader.user.risk.static_level: + dashed_name: process-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.user.risk.static_level + ignore_above: 1024 level: extended - name: tty.char_device.major + name: static_level normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.session_leader.tty.char_device.minor: - dashed_name: process-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.session_leader.tty.char_device.minor + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.session_leader.user.risk.static_score: + dashed_name: process-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.user.risk.static_score level: extended - name: tty.char_device.minor + name: static_score normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.session_leader.user.id: - dashed_name: process-session-leader-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.user.id - ignore_above: 1024 - level: core - name: id + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.session_leader.user.risk.static_score_norm: + dashed_name: process-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.user.risk.static_score_norm + level: extended + name: static_score_norm normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.user.name: - dashed_name: process-session-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.user.name + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.session_leader.user.roles: + dashed_name: process-session-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.user.roles ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] + level: extended + name: roles + normalize: + - array original_fieldset: user - short: Short name or login of the user. + short: Array of user roles at the time of the event. + synthetic_source_keep: none type: keyword process.session_leader.vpid: dashed_name: process-session-leader-vpid 
@@ -13990,6 +59121,19 @@ process.start: normalize: [] short: The time the process started. type: date +process.supplemental_groups.domain: + dashed_name: process-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword process.supplemental_groups.id: dashed_name: process-supplemental-groups-id description: Unique identifier for the group on the system/platform. 
@@ -14160,6 +59304,346 @@ process.uptime: stability: development short: Seconds the process has been up. type: long +process.user.domain: + dashed_name: process-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +process.user.email: + dashed_name: process-user-email + description: User email address. + flat_name: process.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +process.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: process.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +process.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: process.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +process.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +process.user.entity.id: + dashed_name: process-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: process.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +process.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. 
+ dashed_name: process-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: process.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +process.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +process.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: process.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +process.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: process.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +process.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: process.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +process.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +process.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: process.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +process.user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +process.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. 
Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. 
+ name: session + beta: This field is beta and subject to change. + dashed_name: process-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword +process.user.full_name: + dashed_name: process-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +process.user.group.domain: + dashed_name: process-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +process.user.group.id: + dashed_name: process-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.user.group.name: + dashed_name: process-user-group-name + description: Name of the group. 
+ flat_name: process.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +process.user.hash: + dashed_name: process-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.user.id: dashed_name: process-user-id description: Unique identifier of the user. 
@@ -14194,6 +59678,100 @@ process.user.name: stability: development short: Short name or login of the user. type: keyword +process.user.risk.calculated_level: + dashed_name: process-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: process.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +process.user.risk.calculated_score: + dashed_name: process-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +process.user.risk.calculated_score_norm: + dashed_name: process-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: process.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +process.user.risk.static_level: + dashed_name: process-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +process.user.risk.static_score: + dashed_name: process-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +process.user.risk.static_score_norm: + dashed_name: process-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float +process.user.roles: + dashed_name: process-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.vpid: dashed_name: process-vpid description: 'Virtual process id. 
@@ -14853,11 +60431,261 @@ server.user.email: description: User email address. flat_name: server.user.email ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +server.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: server.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +server.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: server.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +server.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: server.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: server.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +server.user.entity.id: + dashed_name: server-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: server.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +server.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: server.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +server.user.entity.lifecycle: + beta: This field is beta and subject to change. 
+ dashed_name: server-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: server.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +server.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: server.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +server.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: server.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: server.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +server.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: server.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +server.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: server.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +server.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: server.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +server.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: server.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +server.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: server-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: server.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. type: keyword server.user.full_name: dashed_name: server-user-full-name 
@@ -14953,6 +60781,86 @@ server.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +server.user.risk.calculated_level: + dashed_name: server-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: server.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +server.user.risk.calculated_score: + dashed_name: server-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: server.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +server.user.risk.calculated_score_norm: + dashed_name: server-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: server.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +server.user.risk.static_level: + dashed_name: server-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: server.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +server.user.risk.static_score: + dashed_name: server-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: server.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +server.user.risk.static_score_norm: + dashed_name: server-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: server.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -14981,6 +60889,256 @@ service.address: normalize: [] short: Address of this service. type: keyword +service.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: service-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: service.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +service.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: service-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: service.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +service.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: service-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: service.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: service.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +service.entity.id: + dashed_name: service-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: service.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +service.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: service-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: service.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +service.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: service-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: service.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +service.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: service-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: service.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +service.entity.name: + beta: This field is beta and subject to change. + dashed_name: service-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: service.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: service.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +service.entity.raw: + beta: This field is beta and subject to change. + dashed_name: service-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: service.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +service.entity.reference: + beta: This field is beta and subject to change. + dashed_name: service-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: service.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +service.entity.source: + beta: This field is beta and subject to change. + dashed_name: service-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: service.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +service.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: service-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: service.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. 
+ type: keyword +service.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: service-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: service.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword service.environment: beta: This field is beta and subject to change. dashed_name: service-environment 
@@ -15142,6 +61300,256 @@ service.origin.address: original_fieldset: service short: Address of this service. type: keyword +service.origin.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: service.origin.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +service.origin.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: service.origin.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +service.origin.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: service.origin.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: service.origin.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +service.origin.entity.id: + dashed_name: service-origin-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: service.origin.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +service.origin.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: service.origin.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +service.origin.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: service.origin.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +service.origin.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: service.origin.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +service.origin.entity.name: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: service.origin.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: service.origin.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +service.origin.entity.raw: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: service.origin.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +service.origin.entity.reference: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: service.origin.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +service.origin.entity.source: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: service.origin.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +service.origin.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: service.origin.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +service.origin.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: service.origin.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword service.origin.environment: beta: This field is beta and subject to change. dashed_name: service-origin-environment 
@@ -16180,6 +62588,256 @@ source.user.email: original_fieldset: user short: User email address. type: keyword +source.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: source.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +source.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: source.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +source.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: source.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: source.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +source.user.entity.id: + dashed_name: source-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: source.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +source.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: source.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +source.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: source.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +source.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: source.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +source.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: source.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: source.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +source.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: source.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +source.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: source.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +source.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: source.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +source.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: source.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +source.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: source-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: source.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword source.user.full_name: dashed_name: source-user-full-name description: User's full name, if available. 
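Review bot: `source.user.entity.raw` is mapped as `type: object` while its own description says "Usually flattened field data type"; one of the two should be corrected, and since this field holds unmodified source data, a per-key `object` mapping would grow with whatever keys the source emits, which is presumably why the description points at `flattened` — `type: flattened` if that is the intent. The description of `source.user.entity.name` also reads "this field should mirrors the corresponding *.name value" — `this field should mirror the corresponding *.name value`. `source.user.entity.id` is the only field in this block without a `beta:` line, which may be deliberate (it is `level: core`) but is worth confirming. The same three points apply to the `user.changes.entity.*` block in the `url.scheme` hunk further down; if this file is generated from the `entity` schema, the fixes belong in that source so every reuse site picks them up.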
@@ -16274,6 +62932,86 @@ source.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +source.user.risk.calculated_level: + dashed_name: source-user-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: source.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +source.user.risk.calculated_score: + dashed_name: source-user-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: source.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +source.user.risk.calculated_score_norm: + dashed_name: source-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: source.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +source.user.risk.static_level: + dashed_name: source-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: source.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +source.user.risk.static_score: + dashed_name: source-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: source.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +source.user.risk.static_score_norm: + dashed_name: source-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: source.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
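Review bot: `source.user.risk.calculated_level` and `source.user.risk.static_level` are free-form `keyword` fields with `example: High` but no `allowed_values`, unlike `source.user.entity.type` in the hunk above, so detection rules that match on the level string cannot rely on a fixed vocabulary; if producers agree on a set, an `allowed_values` list (or at least the expected values named in the description) would make that explicit. The `short` text of `source.user.risk.static_score_norm`, "A normalized risk score calculated by an external system.", also disagrees with its description, which says the score is obtained from outside the system rather than calculated — `short: A normalized risk score obtained from an external system.` Both points apply equally to the `user.changes.risk.*` block in the last hunk; if this file is generated from the `risk` schema, the change belongs there.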
@@ -23223,88 +69961,338 @@ url.scheme: example: https flat_name: url.scheme ignore_above: 1024 - level: extended - name: scheme + level: extended + name: scheme + normalize: [] + otel: + - relation: match + stability: stable + short: Scheme of the url. + type: keyword +url.subdomain: + dashed_name: url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + otel: + - relation: match + stability: development + short: The subdomain of the domain. + type: keyword +url.top_level_domain: + dashed_name: url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: url.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + otel: + - relation: match + stability: development + short: The effective top level domain (com, org, net, co.uk). + type: keyword +url.username: + dashed_name: url-username + description: Username of the request. 
+ flat_name: url.username + ignore_above: 1024 + level: extended + name: username + normalize: [] + short: Username of the request. + type: keyword +user.changes.domain: + dashed_name: user-changes-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.changes.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +user.changes.email: + dashed_name: user-changes-email + description: User email address. + flat_name: user.changes.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +user.changes.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: user.changes.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +user.changes.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. 
+ flat_name: user.changes.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +user.changes.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: user.changes.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.changes.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +user.changes.entity.id: + dashed_name: user-changes-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: user.changes.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +user.changes.entity.last_seen_timestamp: + beta: This field is beta and subject to change. 
+ dashed_name: user-changes-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: user.changes.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +user.changes.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: user.changes.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +user.changes.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: user.changes.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +user.changes.entity.name: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. 
+ flat_name: user.changes.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.changes.entity.name.text + name: text + norms: false + type: text + name: name normalize: [] - otel: - - relation: match - stability: stable - short: Scheme of the url. + original_fieldset: entity + short: The name of the entity. type: keyword -url.subdomain: - dashed_name: url-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: url.subdomain - ignore_above: 1024 +user.changes.entity.raw: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: user.changes.entity.raw level: extended - name: subdomain + name: raw normalize: [] - otel: - - relation: match - stability: development - short: The subdomain of the domain. - type: keyword -url.top_level_domain: - dashed_name: url-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). 
Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: url.top_level_domain + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +user.changes.entity.reference: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: user.changes.entity.reference ignore_above: 1024 level: extended - name: top_level_domain + name: reference normalize: [] - otel: - - relation: match - stability: development - short: The effective top level domain (com, org, net, co.uk). + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. type: keyword -url.username: - dashed_name: url-username - description: Username of the request. - flat_name: url.username +user.changes.entity.source: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: user.changes.entity.source ignore_above: 1024 - level: extended - name: username + level: core + name: source normalize: [] - short: Username of the request. + original_fieldset: entity + short: Source module or integration that provided the entity data. type: keyword -user.changes.domain: - dashed_name: user-changes-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: user.changes.domain +user.changes.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: user-changes-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: user.changes.entity.sub_type ignore_above: 1024 level: extended - name: domain + name: sub_type normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. type: keyword -user.changes.email: - dashed_name: user-changes-email - description: User email address. - flat_name: user.changes.email +user.changes.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. 
+ name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. 
+ name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: user.changes.entity.type ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. type: keyword user.changes.full_name: dashed_name: user-changes-full-name 
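Review bot: The re-added `url.subdomain` description still carries the doubled word in "or if the the qualification level of the full name cannot be determined" — `or if the qualification level of the full name cannot be determined`. The `user.changes.entity.sub_type` description has stray spaces before its commas ("`hardware` , `virtual` , `container` , `node` , `cloud_instance`"), which read as an editing artifact; the identical text appears in `source.user.entity.sub_type` in the `source.user.email` hunk above. Most removed lines in this hunk (`url.scheme` through `user.changes.email`) are re-added unchanged, so the substantive addition is the `user.changes.entity.*` block, which mirrors `source.user.entity.*` above and inherits its wording. If this file is generated from the schema sources, both fixes belong in the `url` and `entity` definitions there.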
@@ -23400,6 +70388,86 @@ user.changes.name: original_fieldset: user short: Short name or login of the user. type: keyword +user.changes.risk.calculated_level: + dashed_name: user-changes-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: user.changes.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +user.changes.risk.calculated_score: + dashed_name: user-changes-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.changes.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +user.changes.risk.calculated_score_norm: + dashed_name: user-changes-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: user.changes.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +user.changes.risk.static_level: + dashed_name: user-changes-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.changes.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +user.changes.risk.static_score: + dashed_name: user-changes-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.changes.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +user.changes.risk.static_score_norm: + dashed_name: user-changes-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.changes.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -23450,6 +70518,256 @@ user.effective.email: original_fieldset: user short: User email address. type: keyword +user.effective.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: user.effective.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +user.effective.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: user.effective.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +user.effective.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: user.effective.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.effective.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +user.effective.entity.id: + dashed_name: user-effective-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: user.effective.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +user.effective.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: user.effective.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +user.effective.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: user.effective.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +user.effective.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: user.effective.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +user.effective.entity.name: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: user.effective.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.effective.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +user.effective.entity.raw: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. 
+ flat_name: user.effective.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object +user.effective.entity.reference: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: user.effective.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +user.effective.entity.source: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: user.effective.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +user.effective.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: user.effective.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +user.effective.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: user.effective.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword user.effective.full_name: dashed_name: user-effective-full-name description: User's full name, if available. 
@@ -23544,6 +70862,86 @@ user.effective.name: original_fieldset: user short: Short name or login of the user. type: keyword +user.effective.risk.calculated_level: + dashed_name: user-effective-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: user.effective.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +user.effective.risk.calculated_score: + dashed_name: user-effective-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.effective.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +user.effective.risk.calculated_score_norm: + dashed_name: user-effective-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: user.effective.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +user.effective.risk.static_level: + dashed_name: user-effective-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.effective.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +user.effective.risk.static_score: + dashed_name: user-effective-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.effective.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +user.effective.risk.static_score_norm: + dashed_name: user-effective-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.effective.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -23571,6 +70969,256 @@ user.email: stability: development short: User email address. type: keyword +user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object +user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +user.entity.id: + dashed_name: user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword +user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date +user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object +user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object +user.entity.name: + beta: This field is beta and subject to change. + dashed_name: user-entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword +user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object +user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +user.entity.source: + beta: This field is beta and subject to change. + dashed_name: user-entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword +user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: user-entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. 
Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. 
This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. + name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword user.full_name: dashed_name: user-full-name description: User's full name, if available. 
@@ -24137,6 +71785,86 @@ user.target.name: original_fieldset: user short: Short name or login of the user. type: keyword +user.target.risk.calculated_level: + dashed_name: user-target-risk-calculated-level + description: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + example: High + flat_name: user.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part of entity + analytics and entity risk scoring. + type: keyword +user.target.risk.calculated_score: + dashed_name: user-target-risk-calculated-score + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part of entity + analytics and entity risk scoring. + type: float +user.target.risk.calculated_score_norm: + dashed_name: user-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring, and normalized to a range of 0 to + 100. + example: 88.73 + flat_name: user.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float +user.target.risk.static_level: + dashed_name: user-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: keyword +user.target.risk.static_score: + dashed_name: user-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as from + some external Threat Intelligence Platform. + type: float +user.target.risk.static_score_norm: + dashed_name: user-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 749922c0a1..5167c628ba 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -641,6 +641,261 @@ client: original_fieldset: user short: User email address. type: keyword + client.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: client.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + client.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: client.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + client.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: client.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: client.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + client.user.entity.id: + dashed_name: client-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: client.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + client.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: client.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + client.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: client.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + client.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: client.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + client.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: client.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: client.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + client.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: client.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + client.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: client.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + client.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: client.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + client.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: client-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: client.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + client.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: client-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: client.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword client.user.full_name: dashed_name: client-user-full-name description: User's full name, if available. 
@@ -735,6 +990,86 @@ client: original_fieldset: user short: Short name or login of the user. type: keyword + client.user.risk.calculated_level: + dashed_name: client-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: client.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + client.user.risk.calculated_score: + dashed_name: client-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: client.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + client.user.risk.calculated_score_norm: + dashed_name: client-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: client.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + client.user.risk.static_level: + dashed_name: client-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: client.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + client.user.risk.static_score: + dashed_name: client-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: client.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + client.user.risk.static_score_norm: + dashed_name: client-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: client.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -818,6 +1153,261 @@ cloud: stability: development short: Availability zone in which this host, resource, or service is located. type: keyword + cloud.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: cloud.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + cloud.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: cloud.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + cloud.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: cloud.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: cloud.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + cloud.entity.id: + dashed_name: cloud-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: cloud.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + cloud.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: cloud.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + cloud.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: cloud.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + cloud.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: cloud.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + cloud.entity.name: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: cloud.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: cloud.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + cloud.entity.raw: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: cloud.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object + cloud.entity.reference: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: cloud.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + cloud.entity.source: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: cloud.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + cloud.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: cloud-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: cloud.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + cloud.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. 
Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. 
This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: cloud-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: cloud.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword cloud.instance.id: dashed_name: cloud-instance-id description: Instance ID of the host machine. 
@@ -892,23 +1482,278 @@ cloud: original_fieldset: cloud short: Availability zone in which this host, resource, or service is located. type: keyword - cloud.origin.instance.id: - dashed_name: cloud-origin-instance-id - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - flat_name: cloud.origin.instance.id - ignore_above: 1024 + cloud.origin.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: cloud.origin.entity.attributes level: extended - name: instance.id + name: attributes normalize: [] - original_fieldset: cloud - short: Instance ID of the host machine. - type: keyword - cloud.origin.instance.name: - dashed_name: cloud-origin-instance-name - description: Instance name of the host machine. - flat_name: cloud.origin.instance.name - ignore_above: 1024 + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + cloud.origin.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: cloud.origin.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + cloud.origin.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: cloud.origin.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: cloud.origin.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + cloud.origin.entity.id: + dashed_name: cloud-origin-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: cloud.origin.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + cloud.origin.entity.last_seen_timestamp: + beta: This field is beta and subject to change. 
+ dashed_name: cloud-origin-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: cloud.origin.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + cloud.origin.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: cloud.origin.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + cloud.origin.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: cloud.origin.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + cloud.origin.entity.name: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: cloud.origin.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: cloud.origin.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + cloud.origin.entity.raw: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: cloud.origin.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + cloud.origin.entity.reference: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: cloud.origin.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + cloud.origin.entity.source: + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: cloud.origin.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + cloud.origin.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: cloud-origin-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: cloud.origin.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + cloud.origin.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. 
Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. 
+ name: session + beta: This field is beta and subject to change. + dashed_name: cloud-origin-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: cloud.origin.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + cloud.origin.instance.id: + dashed_name: cloud-origin-instance-id + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + flat_name: cloud.origin.instance.id + ignore_above: 1024 + level: extended + name: instance.id + normalize: [] + original_fieldset: cloud + short: Instance ID of the host machine. + type: keyword + cloud.origin.instance.name: + dashed_name: cloud-origin-instance-name + description: Instance name of the host machine. + flat_name: cloud.origin.instance.name + ignore_above: 1024 level: extended name: instance.name normalize: [] 
@@ -2323,6 +3168,261 @@ destination: original_fieldset: user short: User email address. type: keyword + destination.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: destination.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + destination.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: destination.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + destination.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: destination.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: destination.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + destination.user.entity.id: + dashed_name: destination-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: destination.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + destination.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: destination.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + destination.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: destination.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + destination.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: destination.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + destination.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: destination.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: destination.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + destination.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: destination.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + destination.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: destination.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + destination.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: destination.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + destination.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: destination.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + destination.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: destination-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: destination.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword destination.user.full_name: dashed_name: destination-user-full-name description: User's full name, if available. 
@@ -2417,6 +3517,86 @@ destination: original_fieldset: user short: Short name or login of the user. type: keyword + destination.user.risk.calculated_level: + dashed_name: destination-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: destination.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + destination.user.risk.calculated_score: + dashed_name: destination-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: destination.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + destination.user.risk.calculated_score_norm: + dashed_name: destination-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: destination.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + destination.user.risk.static_level: + dashed_name: destination-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: destination.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + destination.user.risk.static_score: + dashed_name: destination-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: destination.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + destination.user.risk.static_score_norm: + dashed_name: destination-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: destination.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -4331,6 +5511,279 @@ email: short: Describes an email transaction. title: Email type: group +entity: + description: The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those that don't + have dedicated field sets in ECS. An entity represents a discrete, identifiable + component that can be described by a set of attributes and maintains its identity + over time. + fields: + entity.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: entity.attributes + level: extended + name: attributes + normalize: [] + short: A set of static or semi-static attributes of the entity. + type: object + entity.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.behavior + level: extended + name: behavior + normalize: [] + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + entity.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + entity.id: + dashed_name: entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the entity. + type: keyword + entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + short: Indicates the date/time when this entity was last "seen." + type: date + entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.lifecycle + level: extended + name: lifecycle + normalize: [] + short: A set of temporal characteristics of the entity. + type: object + entity.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: entity.metrics + level: extended + name: metrics + normalize: [] + short: Field set for any fields containing numeric entity metrics. + type: object + entity.name: + beta: This field is beta and subject to change. + dashed_name: entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + short: The name of the entity. + type: keyword + entity.raw: + beta: This field is beta and subject to change. + dashed_name: entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: entity.raw + level: extended + name: raw + normalize: [] + short: Original, unmodified fields from the source system. + type: object + entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + entity.source: + beta: This field is beta and subject to change. + dashed_name: entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + short: Source module or integration that provided the entity data. + type: keyword + entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Standardized high-level classification of the entity. + type: keyword + group: 2 + name: entity + prefix: entity. + reusable: + expected: + - as: entity + at: host + full: host.entity + - as: entity + at: user + full: user.target.entity + short_override: Entity information for the targeted user. + - as: entity + at: cloud + full: cloud.target.entity + short_override: Entity information for the target cloud entity. + - as: entity + at: service + full: service.target.entity + short_override: Entity information for the target service. + top_level: true + short: Fields to describe various types of entities across IT environments. 
+ title: Entity + type: group error: description: 'These fields can represent errors of any kind. 
@@ -11392,6 +12845,508 @@ process: stability: development short: Length of the process.args array. type: long + process.attested_groups.domain: + dashed_name: process-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.attested_groups.id: + dashed_name: process-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.attested_groups.name: + dashed_name: process-attested-groups-name + description: Name of the group. + flat_name: process.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.attested_user.domain: + dashed_name: process-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.attested_user.email: + dashed_name: process-attested-user-email + description: User email address. + flat_name: process.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.attested_user.entity.attributes: + beta: This field is beta and subject to change. 
+ dashed_name: process-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.attested_user.entity.id: + dashed_name: process-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. 
Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.attested_user.full_name: + dashed_name: process-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.attested_user.group.domain: + dashed_name: process-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.attested_user.group.id: + dashed_name: process-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.attested_user.group.name: + dashed_name: process-attested-user-group-name + description: Name of the group. + flat_name: process.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.attested_user.hash: + dashed_name: process-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.attested_user.id: + dashed_name: process-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.attested_user.name: + dashed_name: process-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.attested_user.risk.calculated_level: + dashed_name: process-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.attested_user.risk.calculated_score: + dashed_name: process-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.attested_user.risk.calculated_score_norm: + dashed_name: process-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.attested_user.risk.static_level: + dashed_name: process-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.attested_user.risk.static_score: + dashed_name: process-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.attested_user.risk.static_score_norm: + dashed_name: process-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.attested_user.roles: + dashed_name: process-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.code_signature.digest_algorithm: dashed_name: process-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. 
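Review bot: The new `process.attested_user.*` and `process.attested_groups.*` fields inherit the generic user/group wording verbatim ("Unique identifier of the user", "Name of the group") with no `short_override`, so the generated field list never says how an attested user differs from `process.user.*` or which of the two a detection rule should key on. I would add, on the reuse declaration that produces these entries, a `short_override` along the lines of `short_override: User identity attested by the session entry point, as distinct from the credentials the process currently executes under.` — if that is the intended meaning, since the hunk does not state it. The reuse also drags `process.attested_user.risk.*` and the `object`-typed `entity.attributes`/`behavior`/`lifecycle`/`metrics`/`raw` onto every process document; risk levels and entity analytics are derived downstream, not observed by the sensor that attests the user, so consider limiting the nesting if the schema tooling allows it. Minor: `process.attested_user.hash` still says "if `user.id` or `user.name` contain confidential information" rather than naming the reused path.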
@@ -12016,6 +13971,17 @@ process:
 normalize: []
 short: The time the process ended.
 type: date
+ process.endpoint_security_client:
+ beta: This field is beta and subject to change.
+ dashed_name: process-endpoint-security-client
+ description: Processes that have an endpoint security client must have the com.apple.endpointsecurity
+ entitlement and the value is set to true in the message.
+ flat_name: process.endpoint_security_client
+ level: extended
+ name: endpoint_security_client
+ normalize: []
+ short: Indicates whether this process executable is an Endpoint Security client.
+ type: boolean
 process.entity_id:
 dashed_name: process-entity-id
 description: 'Unique identifier for the process.
@@ -12066,6 +14032,30 @@ process:
 original_fieldset: process
 short: Length of the process.args array.
 type: long
+ process.entry_leader.attested_groups.domain:
+ dashed_name: process-entry-leader-attested-groups-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.entry_leader.attested_groups.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.entry_leader.attested_groups.id:
+ dashed_name: process-entry-leader-attested-groups-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.entry_leader.attested_groups.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
 process.entry_leader.attested_groups.name:
 dashed_name: process-entry-leader-attested-groups-name
 description: Name of the group.
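Review bot: The `description` on `process.endpoint_security_client` reads as a sentence about other processes ("Processes that have an endpoint security client must have ... and the value is set to true in the message") rather than defining what the boolean means, and it does not say the field is macOS-specific even though `com.apple.endpointsecurity` only exists there. I would replace it with `description: Whether the process executable holds the macOS com.apple.endpointsecurity entitlement and can therefore act as an Endpoint Security client. Specific to macOS Endpoint Security events.` and add `example: true` like the other booleans in this file. It is also worth a sentence on how the value is derived (an entitlement check on the signed executable versus an observed ES client connection), since a `true` on an unexpected executable is exactly the kind of signal a detection would alert on and the producer semantics matter for that.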
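Review bot: `process.entry_leader.attested_groups.domain` and `.id` are added with `normalize: []`, yet "groups" implies a session leader usually belongs to several groups; if producers emit arrays, `domain`, `id` and `name` become three independent keyword arrays and the pairing between a given group id and its name is not preserved in the index. Either set `normalize:` / `- array` on all three so the multi-valued contract is explicit, or state in a `short_override` on the reuse that the three arrays are positionally aligned. The existing `.name` field's `normalize` setting is outside the hunk, so whichever is chosen should be applied consistently with it.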
@@ -12077,387 +14067,318 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.entry_leader.attested_user.id: - dashed_name: process-entry-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.attested_user.id + process.entry_leader.attested_user.domain: + dashed_name: process-entry-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_user.domain ignore_above: 1024 - level: core - name: id + level: extended + name: domain normalize: [] original_fieldset: user - short: Unique identifier of the user. + short: Name of the directory the user is a member of. type: keyword - process.entry_leader.attested_user.name: - dashed_name: process-entry-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.attested_user.name + process.entry_leader.attested_user.email: + dashed_name: process-entry-leader-attested-user-email + description: User email address. + flat_name: process.entry_leader.attested_user.email ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.attested_user.name.text - name: text - type: match_only_text - name: name + level: extended + name: email normalize: [] original_fieldset: user - short: Short name or login of the user. + short: User email address. type: keyword - process.entry_leader.command_line: - dashed_name: process-entry-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.command_line + process.entry_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.attested_user.entity.attributes level: extended - multi_fields: - - flat_name: process.entry_leader.command_line.text - name: text - type: match_only_text - name: command_line + name: attributes normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.entry_leader.entity_id: - dashed_name: process-entry-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.entity_id - ignore_above: 1024 + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. 
Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.attested_user.entity.behavior level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.entry_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.entry_meta.source.ip - level: core - name: ip + name: behavior normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.entry_leader.entry_meta.type: - dashed_name: process-entry-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.entry_leader.executable: - dashed_name: process-entry-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.executable + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.attested_user.entity.display_name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.executable.text + - flat_name: process.entry_leader.attested_user.entity.display_name.text name: text - type: match_only_text - name: executable + norms: false + type: text + name: display_name normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. type: keyword - process.entry_leader.group.id: - dashed_name: process-entry-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.group.id + process.entry_leader.attested_user.entity.id: + dashed_name: process-entry-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.attested_user.entity.id ignore_above: 1024 - level: extended + level: core name: id normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: entity + short: Unique identifier for the entity. type: keyword - process.entry_leader.group.name: - dashed_name: process-entry-leader-group-name - description: Name of the group. 
- flat_name: process.entry_leader.group.name - ignore_above: 1024 + process.entry_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.attested_user.entity.last_seen_timestamp level: extended - name: name + name: last_seen_timestamp normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.interactive: - dashed_name: process-entry-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.entry_leader.interactive + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.entry_leader.attested_user.entity.lifecycle level: extended - name: interactive + name: lifecycle normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.entry_leader.name: - dashed_name: process-entry-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.entry_leader.name - ignore_above: 1024 + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.attested_user.entity.metrics level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.attested_user.entity.name + ignore_above: 1024 + level: core multi_fields: - - flat_name: process.entry_leader.name.text + - flat_name: process.entry_leader.attested_user.entity.name.text name: text - type: match_only_text + norms: false + type: text name: name normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: entity + short: The name of the entity. 
type: keyword - process.entry_leader.parent.entity_id: - dashed_name: process-entry-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.entity_id - ignore_above: 1024 + process.entry_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.attested_user.entity.raw level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.entry_leader.parent.pid: - dashed_name: process-entry-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.pid - format: string - level: core - name: pid + name: raw normalize: [] - original_fieldset: process - short: Process id. - type: long - process.entry_leader.parent.session_leader.entity_id: - dashed_name: process-entry-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.session_leader.entity_id + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.attested_user.entity.reference ignore_above: 1024 level: extended - name: entity_id + name: reference normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. type: keyword - process.entry_leader.parent.session_leader.pid: - dashed_name: process-entry-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.entry_leader.parent.session_leader.start: - dashed_name: process-entry-leader-parent-session-leader-start - description: The time the process started. 
- example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.entry_leader.parent.session_leader.vpid: - dashed_name: process-entry-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.parent.session_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.parent.start: - dashed_name: process-entry-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.entry_leader.parent.vpid: - dashed_name: process-entry-leader-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.pid: - dashed_name: process-entry-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. 
- type: long - process.entry_leader.real_group.id: - dashed_name: process-entry-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_group.id + process.entry_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.attested_user.entity.source ignore_above: 1024 - level: extended - name: id + level: core + name: source normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: entity + short: Source module or integration that provided the entity data. type: keyword - process.entry_leader.real_group.name: - dashed_name: process-entry-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.real_group.name + process.entry_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.attested_user.entity.sub_type ignore_above: 1024 level: extended - name: name + name: sub_type normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. 
type: keyword - process.entry_leader.real_user.id: - dashed_name: process-entry-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.real_user.id + process.entry_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: process.entry_leader.attested_user.entity.type ignore_above: 1024 level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. type: keyword - process.entry_leader.real_user.name: - dashed_name: process-entry-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.real_user.name + process.entry_leader.attested_user.full_name: + dashed_name: process-entry-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.attested_user.full_name ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.entry_leader.real_user.name.text + - flat_name: process.entry_leader.attested_user.full_name.text name: text type: match_only_text - name: name + name: full_name normalize: [] original_fieldset: user - short: Short name or login of the user. + short: User's full name, if available. type: keyword - process.entry_leader.same_as_process: - dashed_name: process-entry-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` + process.entry_leader.attested_user.group.domain: + dashed_name: process-entry-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.same_as_process + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.attested_user.group.domain + ignore_above: 1024 level: extended - name: same_as_process + name: domain normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.entry_leader.saved_group.id: - dashed_name: process-entry-leader-saved-group-id + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.attested_user.group.id: + dashed_name: process-entry-leader-attested-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_group.id + flat_name: process.entry_leader.attested_user.group.id ignore_above: 1024 level: extended name: id 
@@ -12465,10 +14386,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.saved_group.name: - dashed_name: process-entry-leader-saved-group-name + process.entry_leader.attested_user.group.name: + dashed_name: process-entry-leader-attested-user-group-name description: Name of the group. - flat_name: process.entry_leader.saved_group.name + flat_name: process.entry_leader.attested_user.group.name ignore_above: 1024 level: extended name: name @@ -12476,11 +14397,26 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.entry_leader.saved_user.id: - dashed_name: process-entry-leader-saved-user-id + process.entry_leader.attested_user.hash: + dashed_name: process-entry-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.attested_user.id: + dashed_name: process-entry-leader-attested-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.saved_user.id + flat_name: process.entry_leader.attested_user.id ignore_above: 1024 level: core name: id 
@@ -12488,15 +14424,15 @@ process: original_fieldset: user short: Unique identifier of the user. type: keyword - process.entry_leader.saved_user.name: - dashed_name: process-entry-leader-saved-user-name + process.entry_leader.attested_user.name: + dashed_name: process-entry-leader-attested-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.entry_leader.saved_user.name + flat_name: process.entry_leader.attested_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.entry_leader.saved_user.name.text + - flat_name: process.entry_leader.attested_user.name.text name: text type: match_only_text name: name 
@@ -12504,250 +14440,262 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.entry_leader.start: - dashed_name: process-entry-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.entry_leader.supplemental_groups.id: - dashed_name: process-entry-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.supplemental_groups.id + process.entry_leader.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.attested_user.risk.calculated_level ignore_above: 1024 level: extended - name: id + name: calculated_level normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. type: keyword - process.entry_leader.supplemental_groups.name: - dashed_name: process-entry-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.supplemental_groups.name - ignore_above: 1024 + process.entry_leader.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.entry_leader.attested_user.risk.calculated_score level: extended - name: name + name: calculated_score normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.tty: - dashed_name: process-entry-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.entry_leader.tty + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.attested_user.risk.calculated_score_norm level: extended - name: tty + name: calculated_score_norm normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.entry_leader.tty.char_device.major: - dashed_name: process-entry-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.tty.char_device.major + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.entry_leader.attested_user.risk.static_level: + dashed_name: process-entry-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.attested_user.risk.static_level + ignore_above: 1024 level: extended - name: tty.char_device.major + name: static_level normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.entry_leader.tty.char_device.minor: - dashed_name: process-entry-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.tty.char_device.minor + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.attested_user.risk.static_score: + dashed_name: process-entry-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.attested_user.risk.static_score level: extended - name: tty.char_device.minor + name: static_score normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.entry_leader.user.id: - dashed_name: process-entry-leader-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.user.id - ignore_above: 1024 - level: core - name: id + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.attested_user.roles: + dashed_name: process-entry-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array original_fieldset: user - short: Unique identifier of the user. + short: Array of user roles at the time of the event. + synthetic_source_keep: none type: keyword - process.entry_leader.user.name: - dashed_name: process-entry-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.user.name + process.entry_leader.code_signature.digest_algorithm: + dashed_name: process-entry-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' 
+ example: sha256 + flat_name: process.entry_leader.code_signature.digest_algorithm ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.name.text - name: text - type: match_only_text - name: name + level: extended + name: digest_algorithm normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. type: keyword - process.entry_leader.vpid: - dashed_name: process-entry-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.vpid - format: string + process.entry_leader.code_signature.exists: + dashed_name: process-entry-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.entry_leader.code_signature.exists level: core - name: vpid + name: exists normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.working_directory: - dashed_name: process-entry-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.working_directory + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.entry_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-code-signature-flags + description: The flags used to sign the process. 
+ example: 570522385 + flat_name: process.entry_leader.code_signature.flags ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.working_directory.text - name: text - type: match_only_text - name: working_directory + name: flags normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: code_signature + short: Code signing flags of the process type: keyword - process.env_vars: - dashed_name: process-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. + process.entry_leader.code_signature.signing_id: + dashed_name: process-entry-leader-code-signature-signing-id + description: 'The identifier used to sign the process. - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.env_vars + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.entry_leader.code_signature.signing_id ignore_above: 1024 level: extended - name: env_vars - normalize: - - array - short: Array of environment variable bindings. - synthetic_source_keep: none + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. type: keyword - process.executable: - dashed_name: process-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.executable + process.entry_leader.code_signature.status: + dashed_name: process-entry-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.code_signature.status ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.executable.text - name: text - type: match_only_text - name: executable + name: status normalize: [] - otel: - - attribute: process.executable.path - relation: equivalent - stability: development - short: Absolute path to the process executable. + original_fieldset: code_signature + short: Additional information about the certificate status. type: keyword - process.exit_code: - dashed_name: process-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.exit_code - level: extended - name: exit_code + process.entry_leader.code_signature.subject_name: + dashed_name: process-entry-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name normalize: [] - short: The exit code of the process. - type: long - process.group.id: - dashed_name: process-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group.id + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.entry_leader.code_signature.team_id: + dashed_name: process-entry-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.entry_leader.code_signature.team_id ignore_above: 1024 level: extended - name: id + name: team_id normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
+ original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword - process.group.name: - dashed_name: process-group-name - description: Name of the group. - flat_name: process.group.name - ignore_above: 1024 + process.entry_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.entry_leader.code_signature.thumbprint_sha256 + ignore_above: 64 level: extended - name: name + name: thumbprint_sha256 normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. type: keyword - process.group_leader.args: - dashed_name: process-group-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. + process.entry_leader.code_signature.timestamp: + dashed_name: process-entry-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.entry_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.entry_leader.code_signature.trusted: + dashed_name: process-entry-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.group_leader.args - ignore_above: 1024 + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.entry_leader.code_signature.trusted level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.group_leader.args_count: - dashed_name: process-group-leader-args-count - description: 'Length of the process.args array. + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.entry_leader.code_signature.valid: + dashed_name: process-entry-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.group_leader.args_count + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.entry_leader.code_signature.valid level: extended - name: args_count + name: valid normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.group_leader.command_line: - dashed_name: process-group-leader-command-line + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.entry_leader.command_line: + dashed_name: process-entry-leader-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' 
example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.group_leader.command_line + flat_name: process.entry_leader.command_line level: extended multi_fields: - - flat_name: process.group_leader.command_line.text + - flat_name: process.entry_leader.command_line.text name: text type: match_only_text name: command_line 
@@ -12755,475 +14703,1027 @@ process: original_fieldset: process short: Full command line that started the process. type: wildcard - process.group_leader.entity_id: - dashed_name: process-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.group_leader.entity_id + process.entry_leader.elf.architecture: + dashed_name: process-entry-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.entry_leader.elf.architecture ignore_above: 1024 level: extended - name: entity_id + name: architecture normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: elf + short: Machine architecture of the ELF file. type: keyword - process.group_leader.executable: - dashed_name: process-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.group_leader.executable + process.entry_leader.elf.byte_order: + dashed_name: process-entry-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.entry_leader.elf.byte_order ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.group_leader.executable.text - name: text - type: match_only_text - name: executable + name: byte_order normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: elf + short: Byte sequence of ELF file. 
type: keyword - process.group_leader.group.id: - dashed_name: process-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.group.id + process.entry_leader.elf.cpu_type: + dashed_name: process-entry-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.entry_leader.elf.cpu_type ignore_above: 1024 level: extended - name: id + name: cpu_type normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: elf + short: CPU type of the ELF file. type: keyword - process.group_leader.group.name: - dashed_name: process-group-leader-group-name - description: Name of the group. - flat_name: process.group_leader.group.name + process.entry_leader.elf.creation_date: + dashed_name: process-entry-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.entry_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.entry_leader.elf.exports: + dashed_name: process-entry-leader-elf-exports + description: List of exported element names and types. + flat_name: process.entry_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.entry_leader.elf.go_import_hash: + dashed_name: process-entry-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.elf.go_import_hash ignore_above: 1024 level: extended - name: name + name: go_import_hash normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. type: keyword - process.group_leader.interactive: - dashed_name: process-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.group_leader.interactive + process.entry_leader.elf.go_imports: + dashed_name: process-entry-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.elf.go_imports level: extended - name: interactive + name: go_imports normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.entry_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.elf.go_stripped: + dashed_name: process-entry-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.group_leader.name: - dashed_name: process-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.group_leader.name + process.entry_leader.elf.header.abi_version: + dashed_name: process-entry-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.entry_leader.elf.header.abi_version ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.group_leader.name.text - name: text - type: match_only_text - name: name + name: header.abi_version normalize: [] - original_fieldset: process - short: Process name. + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). 
type: keyword - process.group_leader.pid: - dashed_name: process-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.group_leader.pid + process.entry_leader.elf.header.class: + dashed_name: process-entry-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.entry_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.entry_leader.elf.header.data: + dashed_name: process-entry-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.entry_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.entry_leader.elf.header.entrypoint: + dashed_name: process-entry-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.entry_leader.elf.header.entrypoint format: string - level: core - name: pid + level: extended + name: header.entrypoint normalize: [] - original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. + original_fieldset: elf + short: Header entrypoint of the ELF file. type: long - process.group_leader.real_group.id: - dashed_name: process-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.real_group.id + process.entry_leader.elf.header.object_version: + dashed_name: process-entry-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.entry_leader.elf.header.object_version ignore_above: 1024 level: extended - name: id + name: header.object_version normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
+ original_fieldset: elf + short: '"0x1" for original ELF files.' type: keyword - process.group_leader.real_group.name: - dashed_name: process-group-leader-real-group-name - description: Name of the group. - flat_name: process.group_leader.real_group.name + process.entry_leader.elf.header.os_abi: + dashed_name: process-entry-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.entry_leader.elf.header.os_abi ignore_above: 1024 level: extended - name: name + name: header.os_abi normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. type: keyword - process.group_leader.real_user.id: - dashed_name: process-group-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.real_user.id + process.entry_leader.elf.header.type: + dashed_name: process-entry-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.entry_leader.elf.header.type ignore_above: 1024 - level: core - name: id + level: extended + name: header.type normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: elf + short: Header type of the ELF file. type: keyword - process.group_leader.real_user.name: - dashed_name: process-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.real_user.name + process.entry_leader.elf.header.version: + dashed_name: process-entry-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.entry_leader.elf.header.version ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.real_user.name.text - name: text - type: match_only_text - name: name + level: extended + name: header.version normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: elf + short: Version of the ELF header. type: keyword - process.group_leader.same_as_process: - dashed_name: process-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) + process.entry_leader.elf.import_hash: + dashed_name: process-entry-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` + This is an ELF implementation of the Windows PE imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.entry_leader.elf.imports: + dashed_name: process-entry-leader-elf-imports + description: List of imported element names and types. + flat_name: process.entry_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.entry_leader.elf.imports_names_entropy: + dashed_name: process-entry-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.elf.sections: + dashed_name: process-entry-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' 
- example: true - flat_name: process.group_leader.same_as_process + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.entry_leader.elf.sections level: extended - name: same_as_process + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.entry_leader.elf.sections.chi2: + dashed_name: process-entry-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.entry_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.group_leader.saved_group.id: - dashed_name: process-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.saved_group.id + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.entry_leader.elf.sections.entropy: + dashed_name: process-entry-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.elf.sections.flags: + dashed_name: process-entry-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.entry_leader.elf.sections.flags ignore_above: 1024 level: extended - name: id + name: sections.flags normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: elf + short: ELF Section List flags. 
type: keyword - process.group_leader.saved_group.name: - dashed_name: process-group-leader-saved-group-name - description: Name of the group. - flat_name: process.group_leader.saved_group.name + process.entry_leader.elf.sections.name: + dashed_name: process-entry-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.entry_leader.elf.sections.name ignore_above: 1024 level: extended - name: name + name: sections.name normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: elf + short: ELF Section List name. type: keyword - process.group_leader.saved_user.id: - dashed_name: process-group-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.saved_user.id + process.entry_leader.elf.sections.physical_offset: + dashed_name: process-entry-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.entry_leader.elf.sections.physical_offset ignore_above: 1024 - level: core - name: id + level: extended + name: sections.physical_offset normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: elf + short: ELF Section List offset. type: keyword - process.group_leader.saved_user.name: - dashed_name: process-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.saved_user.name + process.entry_leader.elf.sections.physical_size: + dashed_name: process-entry-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.entry_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. 
+ type: long + process.entry_leader.elf.sections.type: + dashed_name: process-entry-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.entry_leader.elf.sections.type ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name + level: extended + name: sections.type normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: elf + short: ELF Section List type. type: keyword - process.group_leader.start: - dashed_name: process-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.start + process.entry_leader.elf.sections.var_entropy: + dashed_name: process-entry-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.elf.sections.var_entropy + format: number level: extended - name: start + name: sections.var_entropy normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.group_leader.supplemental_groups.id: - dashed_name: process-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.supplemental_groups.id + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.elf.sections.virtual_address: + dashed_name: process-entry-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.entry_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. 
+ type: long + process.entry_leader.elf.sections.virtual_size: + dashed_name: process-entry-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.entry_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.entry_leader.elf.segments: + dashed_name: process-entry-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.entry_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.entry_leader.elf.segments.sections: + dashed_name: process-entry-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.entry_leader.elf.segments.sections ignore_above: 1024 level: extended - name: id + name: segments.sections normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: elf + short: ELF object segment sections. type: keyword - process.group_leader.supplemental_groups.name: - dashed_name: process-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.group_leader.supplemental_groups.name + process.entry_leader.elf.segments.type: + dashed_name: process-entry-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.entry_leader.elf.segments.type ignore_above: 1024 level: extended - name: name + name: segments.type normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: elf + short: ELF object segment type. 
type: keyword - process.group_leader.tty: - dashed_name: process-group-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.group_leader.tty + process.entry_leader.elf.shared_libraries: + dashed_name: process-entry-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.entry_leader.elf.shared_libraries + ignore_above: 1024 level: extended - name: tty + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.entry_leader.elf.telfhash: + dashed_name: process-entry-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.entry_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.group_leader.tty.char_device.major: - dashed_name: process-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.group_leader.tty.char_device.major + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.entry_leader.end: + dashed_name: process-entry-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.end level: extended - name: tty.char_device.major + name: end normalize: [] original_fieldset: process - short: The TTY character device's major number. 
- type: long - process.group_leader.tty.char_device.minor: - dashed_name: process-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.group_leader.tty.char_device.minor + short: The time the process ended. + type: date + process.entry_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.endpoint_security_client level: extended - name: tty.char_device.minor + name: endpoint_security_client normalize: [] original_fieldset: process - short: The TTY character device's minor number. - type: long - process.group_leader.user.id: - dashed_name: process-group-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.user.id + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.entry_leader.entity_id: + dashed_name: process-entry-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + flat_name: process.entry_leader.entity_id ignore_above: 1024 - level: core - name: id + level: extended + name: entity_id normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: process + short: Unique identifier for the process. type: keyword - process.group_leader.user.name: - dashed_name: process-group-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.user.name + process.entry_leader.entry_meta.source.address: + dashed_name: process-entry-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.entry_leader.entry_meta.source.address ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.user.name.text - name: text - type: match_only_text - name: name + level: extended + name: address normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: source + short: Source network address. type: keyword - process.group_leader.vpid: - dashed_name: process-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.group_leader.vpid - format: string - level: core - name: vpid + process.entry_leader.entry_meta.source.as.number: + dashed_name: process-entry-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. 
+ example: 15169 + flat_name: process.entry_leader.entry_meta.source.as.number + level: extended + name: number normalize: [] - original_fieldset: process - short: Virtual process id. + original_fieldset: as + short: Unique number allocated to the autonomous system. type: long - process.group_leader.working_directory: - dashed_name: process-group-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.group_leader.working_directory + process.entry_leader.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.entry_leader.entry_meta.source.as.organization.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.group_leader.working_directory.text + - flat_name: process.entry_leader.entry_meta.source.as.organization.name.text name: text type: match_only_text - name: working_directory + name: organization.name normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: as + short: Organization name. type: keyword - process.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.hash.cdhash + process.entry_leader.entry_meta.source.bytes: + dashed_name: process-entry-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. 
+ type: long + process.entry_leader.entry_meta.source.domain: + dashed_name: process-entry-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.entry_leader.entry_meta.source.domain ignore_above: 1024 - level: extended - name: cdhash + level: core + name: domain normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. + original_fieldset: source + short: The domain name of the source. type: keyword - process.hash.md5: - dashed_name: process-hash-md5 - description: MD5 hash. - flat_name: process.hash.md5 + process.entry_leader.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.entry_meta.source.geo.city_name ignore_above: 1024 - level: extended - name: md5 + level: core + name: city_name normalize: [] - original_fieldset: hash - short: MD5 hash. + original_fieldset: geo + short: City name. type: keyword - process.hash.sha1: - dashed_name: process-hash-sha1 - description: SHA1 hash. - flat_name: process.hash.sha1 + process.entry_leader.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.entry_meta.source.geo.continent_code ignore_above: 1024 - level: extended - name: sha1 + level: core + name: continent_code normalize: [] - original_fieldset: hash - short: SHA1 hash. + original_fieldset: geo + short: Continent code. type: keyword - process.hash.sha256: - dashed_name: process-hash-sha256 - description: SHA256 hash. 
- flat_name: process.hash.sha256 + process.entry_leader.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.entry_meta.source.geo.continent_name ignore_above: 1024 - level: extended - name: sha256 + level: core + name: continent_name normalize: [] - original_fieldset: hash - short: SHA256 hash. + original_fieldset: geo + short: Name of the continent. type: keyword - process.hash.sha384: - dashed_name: process-hash-sha384 - description: SHA384 hash. - flat_name: process.hash.sha384 + process.entry_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.entry_meta.source.geo.country_iso_code ignore_above: 1024 - level: extended - name: sha384 + level: core + name: country_iso_code normalize: [] - original_fieldset: hash - short: SHA384 hash. + original_fieldset: geo + short: Country ISO code. type: keyword - process.hash.sha512: - dashed_name: process-hash-sha512 - description: SHA512 hash. - flat_name: process.hash.sha512 + process.entry_leader.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.entry_meta.source.geo.country_name ignore_above: 1024 - level: extended - name: sha512 + level: core + name: country_name normalize: [] - original_fieldset: hash - short: SHA512 hash. + original_fieldset: geo + short: Country name. type: keyword - process.hash.ssdeep: - dashed_name: process-hash-ssdeep - description: SSDEEP hash. - flat_name: process.hash.ssdeep + process.entry_leader.entry_meta.source.geo.location: + dashed_name: process-entry-leader-entry-meta-source-geo-location + description: Longitude and latitude. 
+ example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.entry_leader.entry_meta.source.geo.name: + dashed_name: process-entry-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.entry_meta.source.geo.name ignore_above: 1024 level: extended - name: ssdeep + name: name normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: geo + short: User-defined description of a location. type: keyword - process.hash.tlsh: - dashed_name: process-hash-tlsh - description: TLSH hash. - flat_name: process.hash.tlsh + process.entry_leader.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_leader.entry_meta.source.geo.postal_code ignore_above: 1024 - level: extended - name: tlsh + level: core + name: postal_code normalize: [] - original_fieldset: hash - short: TLSH hash. + original_fieldset: geo + short: Postal code. type: keyword - process.interactive: - dashed_name: process-interactive - description: 'Whether the process is connected to an interactive shell. - + process.entry_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. 
+ example: CA-QC + flat_name: process.entry_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.entry_leader.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.entry_leader.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.entry_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.entry_leader.entry_meta.source.mac: + dashed_name: process-entry-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' 
+ example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.entry_leader.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.entry_leader.entry_meta.source.nat.port: + dashed_name: process-entry-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.entry_leader.entry_meta.source.packets: + dashed_name: process-entry-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.entry_leader.entry_meta.source.port: + dashed_name: process-entry-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. 
+ type: long + process.entry_leader.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.entry_leader.entry_meta.source.subdomain: + dashed_name: process-entry-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.entry_leader.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. 
For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.entry_leader.entry_meta.type: + dashed_name: process-entry-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.entry_leader.env_vars: + dashed_name: process-entry-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.entry_leader.executable: + dashed_name: process-entry-leader-executable + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + flat_name: process.entry_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.entry_leader.exit_code: + dashed_name: process-entry-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.entry_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.entry_leader.group.domain: + dashed_name: process-entry-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.group.id: + dashed_name: process-entry-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.group.name: + dashed_name: process-entry-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.hash.cdhash: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.entry_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.entry_leader.hash.md5: + dashed_name: process-entry-leader-hash-md5 + description: MD5 hash. + flat_name: process.entry_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.entry_leader.hash.sha1: + dashed_name: process-entry-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.entry_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.entry_leader.hash.sha256: + dashed_name: process-entry-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.entry_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.entry_leader.hash.sha384: + dashed_name: process-entry-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.entry_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.entry_leader.hash.sha512: + dashed_name: process-entry-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.entry_leader.hash.ssdeep: + dashed_name: process-entry-leader-hash-ssdeep + description: SSDEEP hash. 
+ flat_name: process.entry_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.entry_leader.hash.tlsh: + dashed_name: process-entry-leader-hash-tlsh + description: TLSH hash. + flat_name: process.entry_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.entry_leader.interactive: + dashed_name: process-entry-leader-interactive + description: 'Whether the process is connected to an interactive shell. + Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive. 
@@ -13234,72 +15734,75 @@ process: backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true - flat_name: process.interactive + flat_name: process.entry_leader.interactive level: extended name: interactive normalize: [] - otel: - - relation: match - stability: development + original_fieldset: process short: Whether the process is connected to an interactive shell. type: boolean - process.io: - dashed_name: process-io + process.entry_leader.io: + dashed_name: process-entry-leader-io description: 'A chunk of input or output (IO) from a single process. This field only appears on the top level process object, which is the process that wrote the output or read the input.' - flat_name: process.io + flat_name: process.entry_leader.io level: extended name: io normalize: [] + original_fieldset: process short: A chunk of input or output (IO) from a single process. type: object - process.io.bytes_skipped: - dashed_name: process-io-bytes-skipped + process.entry_leader.io.bytes_skipped: + dashed_name: process-entry-leader-io-bytes-skipped description: An array of byte offsets and lengths denoting where IO data has been skipped. - flat_name: process.io.bytes_skipped + flat_name: process.entry_leader.io.bytes_skipped level: extended name: io.bytes_skipped normalize: - array + original_fieldset: process short: An array of byte offsets and lengths denoting where IO data has been skipped. type: object - process.io.bytes_skipped.length: - dashed_name: process-io-bytes-skipped-length + process.entry_leader.io.bytes_skipped.length: + dashed_name: process-entry-leader-io-bytes-skipped-length description: The length of bytes skipped. - flat_name: process.io.bytes_skipped.length + flat_name: process.entry_leader.io.bytes_skipped.length level: extended name: io.bytes_skipped.length normalize: [] + original_fieldset: process short: The length of bytes skipped. 
type: long - process.io.bytes_skipped.offset: - dashed_name: process-io-bytes-skipped-offset + process.entry_leader.io.bytes_skipped.offset: + dashed_name: process-entry-leader-io-bytes-skipped-offset description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. - flat_name: process.io.bytes_skipped.offset + flat_name: process.entry_leader.io.bytes_skipped.offset level: extended name: io.bytes_skipped.offset normalize: [] + original_fieldset: process short: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. type: long - process.io.max_bytes_per_process_exceeded: - dashed_name: process-io-max-bytes-per-process-exceeded + process.entry_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-io-max-bytes-per-process-exceeded description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. - flat_name: process.io.max_bytes_per_process_exceeded + flat_name: process.entry_leader.io.max_bytes_per_process_exceeded level: extended name: io.max_bytes_per_process_exceeded normalize: [] + original_fieldset: process short: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. type: boolean - process.io.text: - dashed_name: process-io-text + process.entry_leader.io.text: + dashed_name: process-entry-leader-io-text description: 'A chunk of output or input sanitized to UTF-8. Best efforts are made to ensure complete lines are captured in these events. 
@@ -13307,49 +15810,53 @@ process: event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.io.text + flat_name: process.entry_leader.io.text level: extended name: io.text normalize: [] + original_fieldset: process short: A chunk of output or input sanitized to UTF-8. type: wildcard - process.io.total_bytes_captured: - dashed_name: process-io-total-bytes-captured + process.entry_leader.io.total_bytes_captured: + dashed_name: process-entry-leader-io-total-bytes-captured description: The total number of bytes captured in this event. - flat_name: process.io.total_bytes_captured + flat_name: process.entry_leader.io.total_bytes_captured level: extended name: io.total_bytes_captured normalize: [] + original_fieldset: process short: The total number of bytes captured in this event. type: long - process.io.total_bytes_skipped: - dashed_name: process-io-total-bytes-skipped + process.entry_leader.io.total_bytes_skipped: + dashed_name: process-entry-leader-io-total-bytes-skipped description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero - flat_name: process.io.total_bytes_skipped + flat_name: process.entry_leader.io.total_bytes_skipped level: extended name: io.total_bytes_skipped normalize: [] + original_fieldset: process short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. type: long - process.io.type: - dashed_name: process-io-type + process.entry_leader.io.type: + dashed_name: process-entry-leader-io-type description: 'The type of object on which the IO action (read or write) was taken. Currently only ''tty'' is supported. Other types may be added in the future for ''file'' and ''socket'' support.' 
- flat_name: process.io.type + flat_name: process.entry_leader.io.type ignore_above: 1024 level: extended name: io.type normalize: [] + original_fieldset: process short: The type of object on which the IO action (read or write) was taken. type: keyword - process.macho.go_import_hash: - dashed_name: process-macho-go-import-hash + process.entry_leader.macho.go_import_hash: + dashed_name: process-entry-leader-macho-go-import-hash description: 'A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -13358,7 +15865,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.macho.go_import_hash + flat_name: process.entry_leader.macho.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -13366,20 +15873,20 @@ process: original_fieldset: macho short: A hash of the Go language imports in a Mach-O file. type: keyword - process.macho.go_imports: - dashed_name: process-macho-go-imports + process.entry_leader.macho.go_imports: + dashed_name: process-entry-leader-macho-go-imports description: List of imported Go language element names and types. - flat_name: process.macho.go_imports + flat_name: process.entry_leader.macho.go_imports level: extended name: go_imports normalize: [] original_fieldset: macho short: List of imported Go language element names and types. type: flattened - process.macho.go_imports_names_entropy: - dashed_name: process-macho-go-imports-names-entropy + process.entry_leader.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-macho-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_entropy + flat_name: process.entry_leader.macho.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -13387,10 +15894,10 @@ process: original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. type: long - process.macho.go_imports_names_var_entropy: - dashed_name: process-macho-go-imports-names-var-entropy + process.entry_leader.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_var_entropy + flat_name: process.entry_leader.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -13398,26 +15905,26 @@ process: original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.macho.go_stripped: - dashed_name: process-macho-go-stripped + process.entry_leader.macho.go_stripped: + dashed_name: process-entry-leader-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.macho.go_stripped + flat_name: process.entry_leader.macho.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.macho.import_hash: - dashed_name: process-macho-import-hash + process.entry_leader.macho.import_hash: + dashed_name: process-entry-leader-macho-import-hash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.macho.import_hash + flat_name: process.entry_leader.macho.import_hash ignore_above: 1024 level: extended name: import_hash @@ -13425,10 +15932,10 @@ process: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword - process.macho.imports: - dashed_name: process-macho-imports + process.entry_leader.macho.imports: + dashed_name: process-entry-leader-macho-imports description: List of imported element names and types. - flat_name: process.macho.imports + flat_name: process.entry_leader.macho.imports level: extended name: imports normalize: 
@@ -13436,11 +15943,11 @@ process: original_fieldset: macho short: List of imported element names and types. type: flattened - process.macho.imports_names_entropy: - dashed_name: process-macho-imports-names-entropy + process.entry_leader.macho.imports_names_entropy: + dashed_name: process-entry-leader-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.macho.imports_names_entropy + flat_name: process.entry_leader.macho.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -13449,11 +15956,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.macho.imports_names_var_entropy: - dashed_name: process-macho-imports-names-var-entropy + process.entry_leader.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.macho.imports_names_var_entropy + flat_name: process.entry_leader.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -13462,13 +15969,13 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.macho.sections: - dashed_name: process-macho-sections + process.entry_leader.macho.sections: + dashed_name: process-entry-leader-macho-sections description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' - flat_name: process.macho.sections + flat_name: process.entry_leader.macho.sections level: extended name: sections normalize: 
@@ -13476,10 +15983,10 @@ process: original_fieldset: macho short: Section information of the Mach-O file. type: nested - process.macho.sections.entropy: - dashed_name: process-macho-sections-entropy + process.entry_leader.macho.sections.entropy: + dashed_name: process-entry-leader-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.macho.sections.entropy + flat_name: process.entry_leader.macho.sections.entropy format: number level: extended name: sections.entropy @@ -13487,10 +15994,10 @@ process: original_fieldset: macho short: Shannon entropy calculation from the section. type: long - process.macho.sections.name: - dashed_name: process-macho-sections-name + process.entry_leader.macho.sections.name: + dashed_name: process-entry-leader-macho-sections-name description: Mach-O Section List name. - flat_name: process.macho.sections.name + flat_name: process.entry_leader.macho.sections.name ignore_above: 1024 level: extended name: sections.name @@ -13498,10 +16005,10 @@ process: original_fieldset: macho short: Mach-O Section List name. type: keyword - process.macho.sections.physical_size: - dashed_name: process-macho-sections-physical-size + process.entry_leader.macho.sections.physical_size: + dashed_name: process-entry-leader-macho-sections-physical-size description: Mach-O Section List physical size. - flat_name: process.macho.sections.physical_size + flat_name: process.entry_leader.macho.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -13509,10 +16016,10 @@ process: original_fieldset: macho short: Mach-O Section List physical size. type: long - process.macho.sections.var_entropy: - dashed_name: process-macho-sections-var-entropy + process.entry_leader.macho.sections.var_entropy: + dashed_name: process-entry-leader-macho-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.macho.sections.var_entropy + flat_name: process.entry_leader.macho.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -13520,10 +16027,10 @@ process: original_fieldset: macho short: Variance for Shannon entropy calculation from the section. type: long - process.macho.sections.virtual_size: - dashed_name: process-macho-sections-virtual-size + process.entry_leader.macho.sections.virtual_size: + dashed_name: process-entry-leader-macho-sections-virtual-size description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.macho.sections.virtual_size + flat_name: process.entry_leader.macho.sections.virtual_size format: string level: extended name: sections.virtual_size @@ -13531,15 +16038,15 @@ process: original_fieldset: macho short: Mach-O Section List virtual size. This is always the same as `physical_size`. type: long - process.macho.symhash: - dashed_name: process-macho-symhash + process.entry_leader.macho.symhash: + dashed_name: process-entry-leader-macho-symhash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.macho.symhash + flat_name: process.entry_leader.macho.symhash ignore_above: 1024 level: extended name: symhash 
@@ -13547,31 +16054,59 @@ process: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword - process.name: - dashed_name: process-name + process.entry_leader.name: + dashed_name: process-entry-leader-name description: 'Process name. Sometimes called program name or similar.' example: ssh - flat_name: process.name + flat_name: process.entry_leader.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.name.text + - flat_name: process.entry_leader.name.text name: text type: match_only_text name: name normalize: [] + original_fieldset: process short: Process name. type: keyword - process.parent.args: - dashed_name: process-parent-args + process.entry_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.entry_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.entry_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.entry_leader.parent.args: + dashed_name: process-entry-leader-parent-args description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' 
example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.args + flat_name: process.entry_leader.parent.args ignore_above: 1024 level: extended name: args 
@@ -13580,124 +16115,626 @@ process: original_fieldset: process short: Array of process arguments. type: keyword - process.parent.args_count: - dashed_name: process-parent-args-count + process.entry_leader.parent.args_count: + dashed_name: process-entry-leader-parent-args-count description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 - flat_name: process.parent.args_count + flat_name: process.entry_leader.parent.args_count level: extended name: args_count normalize: [] original_fieldset: process short: Length of the process.args array. type: long - process.parent.code_signature.digest_algorithm: - dashed_name: process-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. + process.entry_leader.parent.attested_groups.domain: + dashed_name: process-entry-leader-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.parent.code_signature.digest_algorithm + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.attested_groups.domain ignore_above: 1024 level: extended - name: digest_algorithm + name: domain normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword - process.parent.code_signature.exists: - dashed_name: process-parent-code-signature-exists - description: Boolean to capture if a signature is present. 
- example: 'true' - flat_name: process.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.parent.code_signature.flags + process.entry_leader.parent.attested_groups.id: + dashed_name: process-entry-leader-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.attested_groups.id ignore_above: 1024 level: extended - name: flags + name: id normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.parent.code_signature.signing_id: - dashed_name: process-parent-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.parent.code_signature.signing_id + process.entry_leader.parent.attested_groups.name: + dashed_name: process-entry-leader-parent-attested-groups-name + description: Name of the group. + flat_name: process.entry_leader.parent.attested_groups.name ignore_above: 1024 level: extended - name: signing_id + name: name normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + original_fieldset: group + short: Name of the group. type: keyword - process.parent.code_signature.status: - dashed_name: process-parent-code-signature-status - description: 'Additional information about the certificate status. 
+ process.entry_leader.parent.attested_user.domain: + dashed_name: process-entry-leader-parent-attested-user-domain + description: 'Name of the directory the user is a member of. - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.code_signature.status + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.attested_user.domain ignore_above: 1024 level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.parent.code_signature.subject_name: - dashed_name: process-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name + name: domain normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer + original_fieldset: user + short: Name of the directory the user is a member of. type: keyword - process.parent.code_signature.team_id: - dashed_name: process-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.parent.code_signature.team_id + process.entry_leader.parent.attested_user.email: + dashed_name: process-entry-leader-parent-attested-user-email + description: User email address. + flat_name: process.entry_leader.parent.attested_user.email ignore_above: 1024 level: extended - name: team_id + name: email normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. 
+ original_fieldset: user + short: User email address. type: keyword - process.parent.code_signature.thumbprint_sha256: + process.entry_leader.parent.attested_user.entity.attributes: beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-thumbprint-sha256 + dashed_name: process-entry-leader-parent-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.parent.attested_user.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.parent.attested_user.entity.id: + dashed_name: process-entry-leader-parent-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.parent.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.parent.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ flat_name: process.entry_leader.parent.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.parent.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.parent.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.parent.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: process.entry_leader.parent.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.parent.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.parent.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.parent.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.parent.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). 
+ flat_name: process.entry_leader.parent.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. 
This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. 
This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.parent.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.parent.attested_user.full_name: + dashed_name: process-entry-leader-parent-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.attested_user.group.domain: + dashed_name: process-entry-leader-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.attested_user.group.id: + dashed_name: process-entry-leader-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.attested_user.group.name: + dashed_name: process-entry-leader-parent-attested-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.attested_user.hash: + dashed_name: process-entry-leader-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.attested_user.id: + dashed_name: process-entry-leader-parent-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.entry_leader.parent.attested_user.name: + dashed_name: process-entry-leader-parent-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.entry_leader.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.attested_user.risk.static_level: + dashed_name: process-entry-leader-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.attested_user.risk.static_score: + dashed_name: process-entry-leader-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.entry_leader.parent.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.attested_user.roles: + dashed_name: process-entry-leader-parent-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.code_signature.digest_algorithm: + dashed_name: process-entry-leader-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.entry_leader.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.entry_leader.parent.code_signature.exists: + dashed_name: process-entry-leader-parent-code-signature-exists + description: Boolean to capture if a signature is present. 
+ example: 'true' + flat_name: process.entry_leader.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.entry_leader.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.entry_leader.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.entry_leader.parent.code_signature.signing_id: + dashed_name: process-entry-leader-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.entry_leader.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.entry_leader.parent.code_signature.status: + dashed_name: process-entry-leader-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword + process.entry_leader.parent.code_signature.subject_name: + dashed_name: process-entry-leader-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.entry_leader.parent.code_signature.team_id: + dashed_name: process-entry-leader-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.entry_leader.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.entry_leader.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-code-signature-thumbprint-sha256 description: Certificate SHA256 hash that uniquely identifies the code signer. example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.code_signature.thumbprint_sha256 + flat_name: process.entry_leader.parent.code_signature.thumbprint_sha256 ignore_above: 64 level: extended name: thumbprint_sha256 
@@ -13706,39 +16743,39 @@ process: pattern: ^[0-9a-f]{64}$ short: SHA256 hash of the certificate. type: keyword - process.parent.code_signature.timestamp: - dashed_name: process-parent-code-signature-timestamp + process.entry_leader.parent.code_signature.timestamp: + dashed_name: process-entry-leader-parent-code-signature-timestamp description: Date and time when the code signature was generated and signed. example: '2021-01-01T12:10:30Z' - flat_name: process.parent.code_signature.timestamp + flat_name: process.entry_leader.parent.code_signature.timestamp level: extended name: timestamp normalize: [] original_fieldset: code_signature short: When the signature was generated and signed. type: date - process.parent.code_signature.trusted: - dashed_name: process-parent-code-signature-trusted + process.entry_leader.parent.code_signature.trusted: + dashed_name: process-entry-leader-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' - flat_name: process.parent.code_signature.trusted + flat_name: process.entry_leader.parent.code_signature.trusted level: extended name: trusted normalize: [] original_fieldset: code_signature short: Stores the trust status of the certificate chain. type: boolean - process.parent.code_signature.valid: - dashed_name: process-parent-code-signature-valid + process.entry_leader.parent.code_signature.valid: + dashed_name: process-entry-leader-parent-code-signature-valid description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' - flat_name: process.parent.code_signature.valid + flat_name: process.entry_leader.parent.code_signature.valid level: extended name: valid normalize: [] 
@@ -13746,17 +16783,17 @@ process: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean - process.parent.command_line: - dashed_name: process-parent-command-line + process.entry_leader.parent.command_line: + dashed_name: process-entry-leader-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.command_line + flat_name: process.entry_leader.parent.command_line level: extended multi_fields: - - flat_name: process.parent.command_line.text + - flat_name: process.entry_leader.parent.command_line.text name: text type: match_only_text name: command_line @@ -13764,11 +16801,11 @@ process: original_fieldset: process short: Full command line that started the process. type: wildcard - process.parent.elf.architecture: - dashed_name: process-parent-elf-architecture + process.entry_leader.parent.elf.architecture: + dashed_name: process-entry-leader-parent-elf-architecture description: Machine architecture of the ELF file. example: x86-64 - flat_name: process.parent.elf.architecture + flat_name: process.entry_leader.parent.elf.architecture ignore_above: 1024 level: extended name: architecture @@ -13776,11 +16813,11 @@ process: original_fieldset: elf short: Machine architecture of the ELF file. type: keyword - process.parent.elf.byte_order: - dashed_name: process-parent-elf-byte-order + process.entry_leader.parent.elf.byte_order: + dashed_name: process-entry-leader-parent-elf-byte-order description: Byte sequence of ELF file. example: Little Endian - flat_name: process.parent.elf.byte_order + flat_name: process.entry_leader.parent.elf.byte_order ignore_above: 1024 level: extended name: byte_order 
@@ -13788,11 +16825,11 @@ process: original_fieldset: elf short: Byte sequence of ELF file. type: keyword - process.parent.elf.cpu_type: - dashed_name: process-parent-elf-cpu-type + process.entry_leader.parent.elf.cpu_type: + dashed_name: process-entry-leader-parent-elf-cpu-type description: CPU type of the ELF file. example: Intel - flat_name: process.parent.elf.cpu_type + flat_name: process.entry_leader.parent.elf.cpu_type ignore_above: 1024 level: extended name: cpu_type @@ -13800,21 +16837,21 @@ process: original_fieldset: elf short: CPU type of the ELF file. type: keyword - process.parent.elf.creation_date: - dashed_name: process-parent-elf-creation-date + process.entry_leader.parent.elf.creation_date: + dashed_name: process-entry-leader-parent-elf-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.elf.creation_date + flat_name: process.entry_leader.parent.elf.creation_date level: extended name: creation_date normalize: [] original_fieldset: elf short: Build or compile date. type: date - process.parent.elf.exports: - dashed_name: process-parent-elf-exports + process.entry_leader.parent.elf.exports: + dashed_name: process-entry-leader-parent-elf-exports description: List of exported element names and types. - flat_name: process.parent.elf.exports + flat_name: process.entry_leader.parent.elf.exports level: extended name: exports normalize: 
@@ -13822,8 +16859,8 @@ process: original_fieldset: elf short: List of exported element names and types. type: flattened - process.parent.elf.go_import_hash: - dashed_name: process-parent-elf-go-import-hash + process.entry_leader.parent.elf.go_import_hash: + dashed_name: process-entry-leader-parent-elf-go-import-hash description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -13832,7 +16869,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.elf.go_import_hash + flat_name: process.entry_leader.parent.elf.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -13840,20 +16877,20 @@ process: original_fieldset: elf short: A hash of the Go language imports in an ELF file. type: keyword - process.parent.elf.go_imports: - dashed_name: process-parent-elf-go-imports + process.entry_leader.parent.elf.go_imports: + dashed_name: process-entry-leader-parent-elf-go-imports description: List of imported Go language element names and types. - flat_name: process.parent.elf.go_imports + flat_name: process.entry_leader.parent.elf.go_imports level: extended name: go_imports normalize: [] original_fieldset: elf short: List of imported Go language element names and types. type: flattened - process.parent.elf.go_imports_names_entropy: - dashed_name: process-parent-elf-go-imports-names-entropy + process.entry_leader.parent.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-elf-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_entropy + flat_name: process.entry_leader.parent.elf.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -13861,10 +16898,10 @@ process: original_fieldset: elf short: Shannon entropy calculation from the list of Go imports. type: long - process.parent.elf.go_imports_names_var_entropy: - dashed_name: process-parent-elf-go-imports-names-var-entropy + process.entry_leader.parent.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-elf-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_var_entropy + flat_name: process.entry_leader.parent.elf.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -13872,21 +16909,21 @@ process: original_fieldset: elf short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.parent.elf.go_stripped: - dashed_name: process-parent-elf-go-stripped + process.entry_leader.parent.elf.go_stripped: + dashed_name: process-entry-leader-parent-elf-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.elf.go_stripped + flat_name: process.entry_leader.parent.elf.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: elf short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.parent.elf.header.abi_version: - dashed_name: process-parent-elf-header-abi-version + process.entry_leader.parent.elf.header.abi_version: + dashed_name: process-entry-leader-parent-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.elf.header.abi_version + flat_name: process.entry_leader.parent.elf.header.abi_version ignore_above: 1024 level: extended name: header.abi_version @@ -13894,10 +16931,10 @@ process: original_fieldset: elf short: Version of the ELF Application Binary Interface (ABI). type: keyword - process.parent.elf.header.class: - dashed_name: process-parent-elf-header-class + process.entry_leader.parent.elf.header.class: + dashed_name: process-entry-leader-parent-elf-header-class description: Header class of the ELF file. - flat_name: process.parent.elf.header.class + flat_name: process.entry_leader.parent.elf.header.class ignore_above: 1024 level: extended name: header.class 
@@ -13905,10 +16942,10 @@ process: original_fieldset: elf short: Header class of the ELF file. type: keyword - process.parent.elf.header.data: - dashed_name: process-parent-elf-header-data + process.entry_leader.parent.elf.header.data: + dashed_name: process-entry-leader-parent-elf-header-data description: Data table of the ELF header. - flat_name: process.parent.elf.header.data + flat_name: process.entry_leader.parent.elf.header.data ignore_above: 1024 level: extended name: header.data @@ -13916,10 +16953,10 @@ process: original_fieldset: elf short: Data table of the ELF header. type: keyword - process.parent.elf.header.entrypoint: - dashed_name: process-parent-elf-header-entrypoint + process.entry_leader.parent.elf.header.entrypoint: + dashed_name: process-entry-leader-parent-elf-header-entrypoint description: Header entrypoint of the ELF file. - flat_name: process.parent.elf.header.entrypoint + flat_name: process.entry_leader.parent.elf.header.entrypoint format: string level: extended name: header.entrypoint @@ -13927,10 +16964,10 @@ process: original_fieldset: elf short: Header entrypoint of the ELF file. type: long - process.parent.elf.header.object_version: - dashed_name: process-parent-elf-header-object-version + process.entry_leader.parent.elf.header.object_version: + dashed_name: process-entry-leader-parent-elf-header-object-version description: '"0x1" for original ELF files.' - flat_name: process.parent.elf.header.object_version + flat_name: process.entry_leader.parent.elf.header.object_version ignore_above: 1024 level: extended name: header.object_version 
@@ -13938,10 +16975,10 @@ process: original_fieldset: elf short: '"0x1" for original ELF files.' type: keyword - process.parent.elf.header.os_abi: - dashed_name: process-parent-elf-header-os-abi + process.entry_leader.parent.elf.header.os_abi: + dashed_name: process-entry-leader-parent-elf-header-os-abi description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.elf.header.os_abi + flat_name: process.entry_leader.parent.elf.header.os_abi ignore_above: 1024 level: extended name: header.os_abi @@ -13949,10 +16986,10 @@ process: original_fieldset: elf short: Application Binary Interface (ABI) of the Linux OS. type: keyword - process.parent.elf.header.type: - dashed_name: process-parent-elf-header-type + process.entry_leader.parent.elf.header.type: + dashed_name: process-entry-leader-parent-elf-header-type description: Header type of the ELF file. - flat_name: process.parent.elf.header.type + flat_name: process.entry_leader.parent.elf.header.type ignore_above: 1024 level: extended name: header.type @@ -13960,10 +16997,10 @@ process: original_fieldset: elf short: Header type of the ELF file. type: keyword - process.parent.elf.header.version: - dashed_name: process-parent-elf-header-version + process.entry_leader.parent.elf.header.version: + dashed_name: process-entry-leader-parent-elf-header-version description: Version of the ELF header. - flat_name: process.parent.elf.header.version + flat_name: process.entry_leader.parent.elf.header.version ignore_above: 1024 level: extended name: header.version 
@@ -13971,15 +17008,15 @@ process: original_fieldset: elf short: Version of the ELF header. type: keyword - process.parent.elf.import_hash: - dashed_name: process-parent-elf-import-hash + process.entry_leader.parent.elf.import_hash: + dashed_name: process-entry-leader-parent-elf-import-hash description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.elf.import_hash + flat_name: process.entry_leader.parent.elf.import_hash ignore_above: 1024 level: extended name: import_hash @@ -13987,10 +17024,10 @@ process: original_fieldset: elf short: A hash of the imports in an ELF file. type: keyword - process.parent.elf.imports: - dashed_name: process-parent-elf-imports + process.entry_leader.parent.elf.imports: + dashed_name: process-entry-leader-parent-elf-imports description: List of imported element names and types. - flat_name: process.parent.elf.imports + flat_name: process.entry_leader.parent.elf.imports level: extended name: imports normalize: @@ -13998,11 +17035,11 @@ process: original_fieldset: elf short: List of imported element names and types. type: flattened - process.parent.elf.imports_names_entropy: - dashed_name: process-parent-elf-imports-names-entropy + process.entry_leader.parent.elf.imports_names_entropy: + dashed_name: process-entry-leader-parent-elf-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.elf.imports_names_entropy + flat_name: process.entry_leader.parent.elf.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -14011,11 +17048,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.parent.elf.imports_names_var_entropy: - dashed_name: process-parent-elf-imports-names-var-entropy + process.entry_leader.parent.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-elf-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.elf.imports_names_var_entropy + flat_name: process.entry_leader.parent.elf.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -14024,13 +17061,13 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.parent.elf.sections: - dashed_name: process-parent-elf-sections + process.entry_leader.parent.elf.sections: + dashed_name: process-entry-leader-parent-elf-sections description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' - flat_name: process.parent.elf.sections + flat_name: process.entry_leader.parent.elf.sections level: extended name: sections normalize: @@ -14038,10 +17075,10 @@ process: original_fieldset: elf short: Section information of the ELF file. type: nested - process.parent.elf.sections.chi2: - dashed_name: process-parent-elf-sections-chi2 + process.entry_leader.parent.elf.sections.chi2: + dashed_name: process-entry-leader-parent-elf-sections-chi2 description: Chi-square probability distribution of the section. - flat_name: process.parent.elf.sections.chi2 + flat_name: process.entry_leader.parent.elf.sections.chi2 format: number level: extended name: sections.chi2 
@@ -14049,10 +17086,10 @@ process: original_fieldset: elf short: Chi-square probability distribution of the section. type: long - process.parent.elf.sections.entropy: - dashed_name: process-parent-elf-sections-entropy + process.entry_leader.parent.elf.sections.entropy: + dashed_name: process-entry-leader-parent-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.entropy + flat_name: process.entry_leader.parent.elf.sections.entropy format: number level: extended name: sections.entropy @@ -14060,10 +17097,10 @@ process: original_fieldset: elf short: Shannon entropy calculation from the section. type: long - process.parent.elf.sections.flags: - dashed_name: process-parent-elf-sections-flags + process.entry_leader.parent.elf.sections.flags: + dashed_name: process-entry-leader-parent-elf-sections-flags description: ELF Section List flags. - flat_name: process.parent.elf.sections.flags + flat_name: process.entry_leader.parent.elf.sections.flags ignore_above: 1024 level: extended name: sections.flags @@ -14071,10 +17108,10 @@ process: original_fieldset: elf short: ELF Section List flags. type: keyword - process.parent.elf.sections.name: - dashed_name: process-parent-elf-sections-name + process.entry_leader.parent.elf.sections.name: + dashed_name: process-entry-leader-parent-elf-sections-name description: ELF Section List name. - flat_name: process.parent.elf.sections.name + flat_name: process.entry_leader.parent.elf.sections.name ignore_above: 1024 level: extended name: sections.name 
@@ -14082,10 +17119,10 @@ process: original_fieldset: elf short: ELF Section List name. type: keyword - process.parent.elf.sections.physical_offset: - dashed_name: process-parent-elf-sections-physical-offset + process.entry_leader.parent.elf.sections.physical_offset: + dashed_name: process-entry-leader-parent-elf-sections-physical-offset description: ELF Section List offset. - flat_name: process.parent.elf.sections.physical_offset + flat_name: process.entry_leader.parent.elf.sections.physical_offset ignore_above: 1024 level: extended name: sections.physical_offset @@ -14093,10 +17130,10 @@ process: original_fieldset: elf short: ELF Section List offset. type: keyword - process.parent.elf.sections.physical_size: - dashed_name: process-parent-elf-sections-physical-size + process.entry_leader.parent.elf.sections.physical_size: + dashed_name: process-entry-leader-parent-elf-sections-physical-size description: ELF Section List physical size. - flat_name: process.parent.elf.sections.physical_size + flat_name: process.entry_leader.parent.elf.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -14104,10 +17141,10 @@ process: original_fieldset: elf short: ELF Section List physical size. type: long - process.parent.elf.sections.type: - dashed_name: process-parent-elf-sections-type + process.entry_leader.parent.elf.sections.type: + dashed_name: process-entry-leader-parent-elf-sections-type description: ELF Section List type. - flat_name: process.parent.elf.sections.type + flat_name: process.entry_leader.parent.elf.sections.type ignore_above: 1024 level: extended name: sections.type 
@@ -14115,10 +17152,10 @@ process: original_fieldset: elf short: ELF Section List type. type: keyword - process.parent.elf.sections.var_entropy: - dashed_name: process-parent-elf-sections-var-entropy + process.entry_leader.parent.elf.sections.var_entropy: + dashed_name: process-entry-leader-parent-elf-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.var_entropy + flat_name: process.entry_leader.parent.elf.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -14126,10 +17163,10 @@ process: original_fieldset: elf short: Variance for Shannon entropy calculation from the section. type: long - process.parent.elf.sections.virtual_address: - dashed_name: process-parent-elf-sections-virtual-address + process.entry_leader.parent.elf.sections.virtual_address: + dashed_name: process-entry-leader-parent-elf-sections-virtual-address description: ELF Section List virtual address. - flat_name: process.parent.elf.sections.virtual_address + flat_name: process.entry_leader.parent.elf.sections.virtual_address format: string level: extended name: sections.virtual_address @@ -14137,10 +17174,10 @@ process: original_fieldset: elf short: ELF Section List virtual address. type: long - process.parent.elf.sections.virtual_size: - dashed_name: process-parent-elf-sections-virtual-size + process.entry_leader.parent.elf.sections.virtual_size: + dashed_name: process-entry-leader-parent-elf-sections-virtual-size description: ELF Section List virtual size. - flat_name: process.parent.elf.sections.virtual_size + flat_name: process.entry_leader.parent.elf.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -14148,13 +17185,13 @@ process: original_fieldset: elf short: ELF Section List virtual size. type: long - process.parent.elf.segments: - dashed_name: process-parent-elf-segments + process.entry_leader.parent.elf.segments: + dashed_name: process-entry-leader-parent-elf-segments description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' - flat_name: process.parent.elf.segments + flat_name: process.entry_leader.parent.elf.segments level: extended name: segments normalize: @@ -14162,10 +17199,10 @@ process: original_fieldset: elf short: ELF object segment list. type: nested - process.parent.elf.segments.sections: - dashed_name: process-parent-elf-segments-sections + process.entry_leader.parent.elf.segments.sections: + dashed_name: process-entry-leader-parent-elf-segments-sections description: ELF object segment sections. - flat_name: process.parent.elf.segments.sections + flat_name: process.entry_leader.parent.elf.segments.sections ignore_above: 1024 level: extended name: segments.sections @@ -14173,10 +17210,10 @@ process: original_fieldset: elf short: ELF object segment sections. type: keyword - process.parent.elf.segments.type: - dashed_name: process-parent-elf-segments-type + process.entry_leader.parent.elf.segments.type: + dashed_name: process-entry-leader-parent-elf-segments-type description: ELF object segment type. - flat_name: process.parent.elf.segments.type + flat_name: process.entry_leader.parent.elf.segments.type ignore_above: 1024 level: extended name: segments.type 
@@ -14184,10 +17221,10 @@ process: original_fieldset: elf short: ELF object segment type. type: keyword - process.parent.elf.shared_libraries: - dashed_name: process-parent-elf-shared-libraries + process.entry_leader.parent.elf.shared_libraries: + dashed_name: process-entry-leader-parent-elf-shared-libraries description: List of shared libraries used by this ELF object. - flat_name: process.parent.elf.shared_libraries + flat_name: process.entry_leader.parent.elf.shared_libraries ignore_above: 1024 level: extended name: shared_libraries @@ -14196,10 +17233,10 @@ process: original_fieldset: elf short: List of shared libraries used by this ELF object. type: keyword - process.parent.elf.telfhash: - dashed_name: process-parent-elf-telfhash + process.entry_leader.parent.elf.telfhash: + dashed_name: process-entry-leader-parent-elf-telfhash description: telfhash symbol hash for ELF file. - flat_name: process.parent.elf.telfhash + flat_name: process.entry_leader.parent.elf.telfhash ignore_above: 1024 level: extended name: telfhash 
@@ -14207,19 +17244,31 @@ process: original_fieldset: elf short: telfhash hash for ELF file. type: keyword - process.parent.end: - dashed_name: process-parent-end + process.entry_leader.parent.end: + dashed_name: process-entry-leader-parent-end description: The time the process ended. example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.end + flat_name: process.entry_leader.parent.end level: extended name: end normalize: [] original_fieldset: process short: The time the process ended. type: date - process.parent.entity_id: - dashed_name: process-parent-entity-id + process.entry_leader.parent.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.entry_leader.parent.entity_id: + dashed_name: process-entry-leader-parent-entity-id description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples @@ -14230,7 +17279,7 @@ process: PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d - flat_name: process.parent.entity_id + flat_name: process.entry_leader.parent.entity_id ignore_above: 1024 level: extended name: entity_id 
@@ -14238,15 +17287,390 @@ process: original_fieldset: process short: Unique identifier for the process. type: keyword - process.parent.executable: - dashed_name: process-parent-executable + process.entry_leader.parent.entry_meta.source.address: + dashed_name: process-entry-leader-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.entry_leader.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.entry_leader.parent.entry_meta.source.as.number: + dashed_name: process-entry-leader-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.entry_leader.parent.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. 
+ type: keyword + process.entry_leader.parent.entry_meta.source.bytes: + dashed_name: process-entry-leader-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.entry_leader.parent.entry_meta.source.domain: + dashed_name: process-entry-leader-parent-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.entry_leader.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. 
+ type: keyword + process.entry_leader.parent.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.location: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.entry_leader.parent.entry_meta.source.geo.name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. 
+ + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_leader.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_leader.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.entry_leader.parent.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword + process.entry_leader.parent.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.entry_leader.parent.entry_meta.source.ip: + dashed_name: process-entry-leader-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.entry_leader.parent.entry_meta.source.mac: + dashed_name: process-entry-leader-parent-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.entry_leader.parent.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.entry_leader.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.entry_leader.parent.entry_meta.source.nat.port: + dashed_name: process-entry-leader-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.entry_leader.parent.entry_meta.source.packets: + dashed_name: process-entry-leader-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.entry_leader.parent.entry_meta.source.port: + dashed_name: process-entry-leader-parent-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.entry_leader.parent.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.entry_leader.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.entry_leader.parent.entry_meta.source.subdomain: + dashed_name: process-entry-leader-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.entry_leader.parent.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + flat_name: process.entry_leader.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.entry_leader.parent.entry_meta.type: + dashed_name: process-entry-leader-parent-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.entry_leader.parent.env_vars: + dashed_name: process-entry-leader-parent-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.executable: + dashed_name: process-entry-leader-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh - flat_name: process.parent.executable + flat_name: process.entry_leader.parent.executable ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.executable.text + - flat_name: process.entry_leader.parent.executable.text name: text type: match_only_text name: executable 
@@ -14254,24 +17678,37 @@ process: original_fieldset: process short: Absolute path to the process executable. type: keyword - process.parent.exit_code: - dashed_name: process-parent-exit-code + process.entry_leader.parent.exit_code: + dashed_name: process-entry-leader-parent-exit-code description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 - flat_name: process.parent.exit_code + flat_name: process.entry_leader.parent.exit_code level: extended name: exit_code normalize: [] original_fieldset: process short: The exit code of the process. type: long - process.parent.group.id: - dashed_name: process-parent-group-id + process.entry_leader.parent.group.domain: + dashed_name: process-entry-leader-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.group.id: + dashed_name: process-entry-leader-parent-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group.id + flat_name: process.entry_leader.parent.group.id ignore_above: 1024 level: extended name: id @@ -14279,10 +17716,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.parent.group.name: - dashed_name: process-parent-group-name + process.entry_leader.parent.group.name: + dashed_name: process-entry-leader-parent-group-name description: Name of the group. - flat_name: process.parent.group.name + flat_name: process.entry_leader.parent.group.name ignore_above: 1024 level: extended name: name 
@@ -14290,72 +17727,13 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.parent.group_leader.entity_id: - dashed_name: process-parent-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.parent.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.parent.group_leader.pid: - dashed_name: process-parent-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.parent.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.parent.group_leader.start: - dashed_name: process-parent-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.parent.group_leader.vpid: - dashed_name: process-parent-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' 
- example: 4242 - flat_name: process.parent.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.parent.hash.cdhash: + process.entry_leader.parent.hash.cdhash: beta: This field is beta and subject to change. - dashed_name: process-parent-hash-cdhash + dashed_name: process-entry-leader-parent-hash-cdhash description: Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code. example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.hash.cdhash + flat_name: process.entry_leader.parent.hash.cdhash ignore_above: 1024 level: extended name: cdhash @@ -14363,10 +17741,10 @@ process: original_fieldset: hash short: The Code Directory (CD) hash of an executable. type: keyword - process.parent.hash.md5: - dashed_name: process-parent-hash-md5 + process.entry_leader.parent.hash.md5: + dashed_name: process-entry-leader-parent-hash-md5 description: MD5 hash. - flat_name: process.parent.hash.md5 + flat_name: process.entry_leader.parent.hash.md5 ignore_above: 1024 level: extended name: md5 @@ -14374,10 +17752,10 @@ process: original_fieldset: hash short: MD5 hash. type: keyword - process.parent.hash.sha1: - dashed_name: process-parent-hash-sha1 + process.entry_leader.parent.hash.sha1: + dashed_name: process-entry-leader-parent-hash-sha1 description: SHA1 hash. - flat_name: process.parent.hash.sha1 + flat_name: process.entry_leader.parent.hash.sha1 ignore_above: 1024 level: extended name: sha1 @@ -14385,10 +17763,10 @@ process: original_fieldset: hash short: SHA1 hash. type: keyword - process.parent.hash.sha256: - dashed_name: process-parent-hash-sha256 + process.entry_leader.parent.hash.sha256: + dashed_name: process-entry-leader-parent-hash-sha256 description: SHA256 hash. - flat_name: process.parent.hash.sha256 + flat_name: process.entry_leader.parent.hash.sha256 ignore_above: 1024 level: extended name: sha256 
@@ -14396,10 +17774,10 @@ process: original_fieldset: hash short: SHA256 hash. type: keyword - process.parent.hash.sha384: - dashed_name: process-parent-hash-sha384 + process.entry_leader.parent.hash.sha384: + dashed_name: process-entry-leader-parent-hash-sha384 description: SHA384 hash. - flat_name: process.parent.hash.sha384 + flat_name: process.entry_leader.parent.hash.sha384 ignore_above: 1024 level: extended name: sha384 @@ -14407,10 +17785,10 @@ process: original_fieldset: hash short: SHA384 hash. type: keyword - process.parent.hash.sha512: - dashed_name: process-parent-hash-sha512 + process.entry_leader.parent.hash.sha512: + dashed_name: process-entry-leader-parent-hash-sha512 description: SHA512 hash. - flat_name: process.parent.hash.sha512 + flat_name: process.entry_leader.parent.hash.sha512 ignore_above: 1024 level: extended name: sha512 @@ -14418,10 +17796,10 @@ process: original_fieldset: hash short: SHA512 hash. type: keyword - process.parent.hash.ssdeep: - dashed_name: process-parent-hash-ssdeep + process.entry_leader.parent.hash.ssdeep: + dashed_name: process-entry-leader-parent-hash-ssdeep description: SSDEEP hash. - flat_name: process.parent.hash.ssdeep + flat_name: process.entry_leader.parent.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep @@ -14429,10 +17807,10 @@ process: original_fieldset: hash short: SSDEEP hash. type: keyword - process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh + process.entry_leader.parent.hash.tlsh: + dashed_name: process-entry-leader-parent-hash-tlsh description: TLSH hash. - flat_name: process.parent.hash.tlsh + flat_name: process.entry_leader.parent.hash.tlsh ignore_above: 1024 level: extended name: tlsh 
@@ -14440,8 +17818,8 @@ process: original_fieldset: hash short: TLSH hash. type: keyword - process.parent.interactive: - dashed_name: process-parent-interactive + process.entry_leader.parent.interactive: + dashed_name: process-entry-leader-parent-interactive description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If 
@@ -14454,56 +17832,170 @@ process: backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true - flat_name: process.parent.interactive + flat_name: process.entry_leader.parent.interactive level: extended name: interactive normalize: [] original_fieldset: process short: Whether the process is connected to an interactive shell. type: boolean - process.parent.macho.go_import_hash: - dashed_name: process-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. + process.entry_leader.parent.io: + dashed_name: process-entry-leader-parent-io + description: 'A chunk of input or output (IO) from a single process. - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.macho.go_import_hash - ignore_above: 1024 + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.entry_leader.parent.io level: extended - name: go_import_hash + name: io normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.parent.macho.go_imports: - dashed_name: process-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.macho.go_imports + original_fieldset: process + short: A chunk of input or output (IO) from a single process. 
+ type: object + process.entry_leader.parent.io.bytes_skipped: + dashed_name: process-entry-leader-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.parent.macho.go_imports_names_entropy: - dashed_name: process-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_entropy - format: number + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.entry_leader.parent.io.bytes_skipped.length: + dashed_name: process-entry-leader-parent-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.entry_leader.parent.io.bytes_skipped.offset: + dashed_name: process-entry-leader-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.entry_leader.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ type: long + process.entry_leader.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.entry_leader.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.entry_leader.parent.io.text: + dashed_name: process-entry-leader-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.entry_leader.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.entry_leader.parent.io.total_bytes_captured: + dashed_name: process-entry-leader-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.entry_leader.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.entry_leader.parent.io.total_bytes_skipped: + dashed_name: process-entry-leader-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. 
Implementors should strive to ensure + this value is always zero + flat_name: process.entry_leader.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.entry_leader.parent.io.type: + dashed_name: process-entry-leader-parent-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.entry_leader.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.entry_leader.parent.macho.go_import_hash: + dashed_name: process-entry-leader-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.entry_leader.parent.macho.go_imports: + dashed_name: process-entry-leader-parent-macho-go-imports + description: List of imported Go language element names and types. 
+ flat_name: process.entry_leader.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.parent.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.macho.go_imports_names_entropy + format: number level: extended name: go_imports_names_entropy normalize: [] original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. type: long - process.parent.macho.go_imports_names_var_entropy: - dashed_name: process-parent-macho-go-imports-names-var-entropy + process.entry_leader.parent.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_var_entropy + flat_name: process.entry_leader.parent.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -14511,26 +18003,26 @@ process: original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.parent.macho.go_stripped: - dashed_name: process-parent-macho-go-stripped + process.entry_leader.parent.macho.go_stripped: + dashed_name: process-entry-leader-parent-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.macho.go_stripped + flat_name: process.entry_leader.parent.macho.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.parent.macho.import_hash: - dashed_name: process-parent-macho-import-hash + process.entry_leader.parent.macho.import_hash: + dashed_name: process-entry-leader-parent-macho-import-hash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.macho.import_hash + flat_name: process.entry_leader.parent.macho.import_hash ignore_above: 1024 level: extended name: import_hash @@ -14538,10 +18030,10 @@ process: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword - process.parent.macho.imports: - dashed_name: process-parent-macho-imports + process.entry_leader.parent.macho.imports: + dashed_name: process-entry-leader-parent-macho-imports description: List of imported element names and types. - flat_name: process.parent.macho.imports + flat_name: process.entry_leader.parent.macho.imports level: extended name: imports normalize: 
@@ -14549,11 +18041,11 @@ process: original_fieldset: macho short: List of imported element names and types. type: flattened - process.parent.macho.imports_names_entropy: - dashed_name: process-parent-macho-imports-names-entropy + process.entry_leader.parent.macho.imports_names_entropy: + dashed_name: process-entry-leader-parent-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.macho.imports_names_entropy + flat_name: process.entry_leader.parent.macho.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -14562,11 +18054,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.parent.macho.imports_names_var_entropy: - dashed_name: process-parent-macho-imports-names-var-entropy + process.entry_leader.parent.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.macho.imports_names_var_entropy + flat_name: process.entry_leader.parent.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -14575,13 +18067,13 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.parent.macho.sections: - dashed_name: process-parent-macho-sections + process.entry_leader.parent.macho.sections: + dashed_name: process-entry-leader-parent-macho-sections description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' - flat_name: process.parent.macho.sections + flat_name: process.entry_leader.parent.macho.sections level: extended name: sections normalize: 
@@ -14589,10 +18081,10 @@ process: original_fieldset: macho short: Section information of the Mach-O file. type: nested - process.parent.macho.sections.entropy: - dashed_name: process-parent-macho-sections-entropy + process.entry_leader.parent.macho.sections.entropy: + dashed_name: process-entry-leader-parent-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.entropy + flat_name: process.entry_leader.parent.macho.sections.entropy format: number level: extended name: sections.entropy @@ -14600,10 +18092,10 @@ process: original_fieldset: macho short: Shannon entropy calculation from the section. type: long - process.parent.macho.sections.name: - dashed_name: process-parent-macho-sections-name + process.entry_leader.parent.macho.sections.name: + dashed_name: process-entry-leader-parent-macho-sections-name description: Mach-O Section List name. - flat_name: process.parent.macho.sections.name + flat_name: process.entry_leader.parent.macho.sections.name ignore_above: 1024 level: extended name: sections.name @@ -14611,10 +18103,10 @@ process: original_fieldset: macho short: Mach-O Section List name. type: keyword - process.parent.macho.sections.physical_size: - dashed_name: process-parent-macho-sections-physical-size + process.entry_leader.parent.macho.sections.physical_size: + dashed_name: process-entry-leader-parent-macho-sections-physical-size description: Mach-O Section List physical size. - flat_name: process.parent.macho.sections.physical_size + flat_name: process.entry_leader.parent.macho.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -14622,10 +18114,10 @@ process: original_fieldset: macho short: Mach-O Section List physical size. type: long - process.parent.macho.sections.var_entropy: - dashed_name: process-parent-macho-sections-var-entropy + process.entry_leader.parent.macho.sections.var_entropy: + dashed_name: process-entry-leader-parent-macho-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.var_entropy + flat_name: process.entry_leader.parent.macho.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -14633,10 +18125,10 @@ process: original_fieldset: macho short: Variance for Shannon entropy calculation from the section. type: long - process.parent.macho.sections.virtual_size: - dashed_name: process-parent-macho-sections-virtual-size + process.entry_leader.parent.macho.sections.virtual_size: + dashed_name: process-entry-leader-parent-macho-sections-virtual-size description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.macho.sections.virtual_size + flat_name: process.entry_leader.parent.macho.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -14644,15 +18136,15 @@ process: original_fieldset: macho short: Mach-O Section List virtual size. This is always the same as `physical_size`. type: long - process.parent.macho.symhash: - dashed_name: process-parent-macho-symhash + process.entry_leader.parent.macho.symhash: + dashed_name: process-entry-leader-parent-macho-symhash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.macho.symhash + flat_name: process.entry_leader.parent.macho.symhash ignore_above: 1024 level: extended name: symhash @@ -14660,17 +18152,17 @@ process: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword - process.parent.name: - dashed_name: process-parent-name + process.entry_leader.parent.name: + dashed_name: process-entry-leader-parent-name description: 'Process name. Sometimes called program name or similar.' example: ssh - flat_name: process.parent.name + flat_name: process.entry_leader.parent.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.parent.name.text + - flat_name: process.entry_leader.parent.name.text name: text type: match_only_text name: name 
@@ -14678,11 +18170,38 @@ process: original_fieldset: process short: Process name. type: keyword - process.parent.pe.architecture: - dashed_name: process-parent-pe-architecture + process.entry_leader.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.entry_leader.parent.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.entry_leader.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.parent.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.entry_leader.parent.pe.architecture: + dashed_name: process-entry-leader-parent-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: process.parent.pe.architecture + flat_name: process.entry_leader.parent.pe.architecture ignore_above: 1024 level: extended name: architecture 
@@ -14690,11 +18209,11 @@ process: original_fieldset: pe short: CPU architecture target for the file. type: keyword - process.parent.pe.company: - dashed_name: process-parent-pe-company + process.entry_leader.parent.pe.company: + dashed_name: process-entry-leader-parent-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: process.parent.pe.company + flat_name: process.entry_leader.parent.pe.company ignore_above: 1024 level: extended name: company @@ -14702,11 +18221,11 @@ process: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword - process.parent.pe.description: - dashed_name: process-parent-pe-description + process.entry_leader.parent.pe.description: + dashed_name: process-entry-leader-parent-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: process.parent.pe.description + flat_name: process.entry_leader.parent.pe.description ignore_above: 1024 level: extended name: description @@ -14714,11 +18233,11 @@ process: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword - process.parent.pe.file_version: - dashed_name: process-parent-pe-file-version + process.entry_leader.parent.pe.file_version: + dashed_name: process-entry-leader-parent-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: process.parent.pe.file_version + flat_name: process.entry_leader.parent.pe.file_version ignore_above: 1024 level: extended name: file_version 
@@ -14726,8 +18245,8 @@ process: original_fieldset: pe short: Process name. type: keyword - process.parent.pe.go_import_hash: - dashed_name: process-parent-pe-go-import-hash + process.entry_leader.parent.pe.go_import_hash: + dashed_name: process-entry-leader-parent-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -14736,7 +18255,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.pe.go_import_hash + flat_name: process.entry_leader.parent.pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -14744,20 +18263,20 @@ process: original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword - process.parent.pe.go_imports: - dashed_name: process-parent-pe-go-imports + process.entry_leader.parent.pe.go_imports: + dashed_name: process-entry-leader-parent-pe-go-imports description: List of imported Go language element names and types. - flat_name: process.parent.pe.go_imports + flat_name: process.entry_leader.parent.pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened - process.parent.pe.go_imports_names_entropy: - dashed_name: process-parent-pe-go-imports-names-entropy + process.entry_leader.parent.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_entropy + flat_name: process.entry_leader.parent.pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -14765,10 +18284,10 @@ process: original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long - process.parent.pe.go_imports_names_var_entropy: - dashed_name: process-parent-pe-go-imports-names-var-entropy + process.entry_leader.parent.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_var_entropy + flat_name: process.entry_leader.parent.pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -14776,26 +18295,26 @@ process: original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.parent.pe.go_stripped: - dashed_name: process-parent-pe-go-stripped + process.entry_leader.parent.pe.go_stripped: + dashed_name: process-entry-leader-parent-pe-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.pe.go_stripped + flat_name: process.entry_leader.parent.pe.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: pe short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.parent.pe.imphash: - dashed_name: process-parent-pe-imphash + process.entry_leader.parent.pe.imphash: + dashed_name: process-entry-leader-parent-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.pe.imphash + flat_name: process.entry_leader.parent.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -14803,15 +18322,15 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - process.parent.pe.import_hash: - dashed_name: process-parent-pe-import-hash + process.entry_leader.parent.pe.import_hash: + dashed_name: process-entry-leader-parent-pe-import-hash description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.pe.import_hash + flat_name: process.entry_leader.parent.pe.import_hash ignore_above: 1024 level: extended name: import_hash @@ -14819,10 +18338,10 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - process.parent.pe.imports: - dashed_name: process-parent-pe-imports + process.entry_leader.parent.pe.imports: + dashed_name: process-entry-leader-parent-pe-imports description: List of imported element names and types. - flat_name: process.parent.pe.imports + flat_name: process.entry_leader.parent.pe.imports level: extended name: imports normalize: @@ -14830,11 +18349,11 @@ process: original_fieldset: pe short: List of imported element names and types. type: flattened - process.parent.pe.imports_names_entropy: - dashed_name: process-parent-pe-imports-names-entropy + process.entry_leader.parent.pe.imports_names_entropy: + dashed_name: process-entry-leader-parent-pe-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.pe.imports_names_entropy + flat_name: process.entry_leader.parent.pe.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -14843,11 +18362,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.parent.pe.imports_names_var_entropy: - dashed_name: process-parent-pe-imports-names-var-entropy + process.entry_leader.parent.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-pe-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.parent.pe.imports_names_var_entropy + flat_name: process.entry_leader.parent.pe.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -14856,11 +18375,11 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.parent.pe.original_file_name: - dashed_name: process-parent-pe-original-file-name + process.entry_leader.parent.pe.original_file_name: + dashed_name: process-entry-leader-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: process.parent.pe.original_file_name + flat_name: process.entry_leader.parent.pe.original_file_name ignore_above: 1024 level: extended name: original_file_name 
@@ -14868,15 +18387,15 @@ process: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword - process.parent.pe.pehash: - dashed_name: process-parent-pe-pehash + process.entry_leader.parent.pe.pehash: + dashed_name: process-entry-leader-parent-pe-pehash description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.pe.pehash + flat_name: process.entry_leader.parent.pe.pehash ignore_above: 1024 level: extended name: pehash @@ -14884,11 +18403,11 @@ process: original_fieldset: pe short: A hash of the PE header and data from one or more PE sections. type: keyword - process.parent.pe.product: - dashed_name: process-parent-pe-product + process.entry_leader.parent.pe.product: + dashed_name: process-entry-leader-parent-pe-product description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System - flat_name: process.parent.pe.product + flat_name: process.entry_leader.parent.pe.product ignore_above: 1024 level: extended name: product @@ -14896,13 +18415,13 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - process.parent.pe.sections: - dashed_name: process-parent-pe-sections + process.entry_leader.parent.pe.sections: + dashed_name: process-entry-leader-parent-pe-sections description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' - flat_name: process.parent.pe.sections + flat_name: process.entry_leader.parent.pe.sections level: extended name: sections normalize: 
@@ -14910,10 +18429,10 @@ process: original_fieldset: pe short: Section information of the PE file. type: nested - process.parent.pe.sections.entropy: - dashed_name: process-parent-pe-sections-entropy + process.entry_leader.parent.pe.sections.entropy: + dashed_name: process-entry-leader-parent-pe-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.entropy + flat_name: process.entry_leader.parent.pe.sections.entropy format: number level: extended name: sections.entropy @@ -14921,10 +18440,10 @@ process: original_fieldset: pe short: Shannon entropy calculation from the section. type: long - process.parent.pe.sections.name: - dashed_name: process-parent-pe-sections-name + process.entry_leader.parent.pe.sections.name: + dashed_name: process-entry-leader-parent-pe-sections-name description: PE Section List name. - flat_name: process.parent.pe.sections.name + flat_name: process.entry_leader.parent.pe.sections.name ignore_above: 1024 level: extended name: sections.name @@ -14932,10 +18451,10 @@ process: original_fieldset: pe short: PE Section List name. type: keyword - process.parent.pe.sections.physical_size: - dashed_name: process-parent-pe-sections-physical-size + process.entry_leader.parent.pe.sections.physical_size: + dashed_name: process-entry-leader-parent-pe-sections-physical-size description: PE Section List physical size. - flat_name: process.parent.pe.sections.physical_size + flat_name: process.entry_leader.parent.pe.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -14943,10 +18462,10 @@ process: original_fieldset: pe short: PE Section List physical size. type: long - process.parent.pe.sections.var_entropy: - dashed_name: process-parent-pe-sections-var-entropy + process.entry_leader.parent.pe.sections.var_entropy: + dashed_name: process-entry-leader-parent-pe-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.var_entropy + flat_name: process.entry_leader.parent.pe.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -14954,10 +18473,10 @@ process: original_fieldset: pe short: Variance for Shannon entropy calculation from the section. type: long - process.parent.pe.sections.virtual_size: - dashed_name: process-parent-pe-sections-virtual-size + process.entry_leader.parent.pe.sections.virtual_size: + dashed_name: process-entry-leader-parent-pe-sections-virtual-size description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.pe.sections.virtual_size + flat_name: process.entry_leader.parent.pe.sections.virtual_size format: string level: extended name: sections.virtual_size @@ -14965,11 +18484,11 @@ process: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long - process.parent.pid: - dashed_name: process-parent-pid + process.entry_leader.parent.pid: + dashed_name: process-entry-leader-parent-pid description: Process id. example: 4242 - flat_name: process.parent.pid + flat_name: process.entry_leader.parent.pid format: string level: core name: pid 
@@ -14977,60 +18496,36 @@ process: original_fieldset: process short: Process id. type: long - process.parent.real_group.id: - dashed_name: process-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_group.id - ignore_above: 1024 + process.entry_leader.parent.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.entry_leader.parent.platform_binary level: extended - name: id + name: platform_binary normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.real_group.name: - dashed_name: process-parent-real-group-name - description: Name of the group. - flat_name: process.parent.real_group.name + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.entry_leader.parent.real_group.domain: + dashed_name: process-entry-leader-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.real_group.domain ignore_above: 1024 level: extended - name: name + name: domain normalize: [] original_fieldset: group - short: Name of the group. - type: keyword - process.parent.real_user.id: - dashed_name: process-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.parent.real_user.name: - dashed_name: process-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. + short: Name of the directory the group is a member of. type: keyword - process.parent.saved_group.id: - dashed_name: process-parent-saved-group-id + process.entry_leader.parent.real_group.id: + dashed_name: process-entry-leader-parent-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_group.id + flat_name: process.entry_leader.parent.real_group.id ignore_above: 1024 level: extended name: id @@ -15038,10 +18533,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.parent.saved_group.name: - dashed_name: process-parent-saved-group-name + process.entry_leader.parent.real_group.name: + dashed_name: process-entry-leader-parent-real-group-name description: Name of the group. - flat_name: process.parent.saved_group.name + flat_name: process.entry_leader.parent.real_group.name ignore_above: 1024 level: extended name: name 
@@ -15049,196 +18544,356 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.parent.saved_user.id: - dashed_name: process-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.saved_user.id + process.entry_leader.parent.real_user.domain: + dashed_name: process-entry-leader-parent-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.real_user.domain ignore_above: 1024 - level: core - name: id + level: extended + name: domain normalize: [] original_fieldset: user - short: Unique identifier of the user. + short: Name of the directory the user is a member of. type: keyword - process.parent.saved_user.name: - dashed_name: process-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.saved_user.name + process.entry_leader.parent.real_user.email: + dashed_name: process-entry-leader-parent-real-user-email + description: User email address. + flat_name: process.entry_leader.parent.real_user.email ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.saved_user.name.text - name: text - type: match_only_text - name: name + level: extended + name: email normalize: [] original_fieldset: user - short: Short name or login of the user. + short: User email address. type: keyword - process.parent.start: - dashed_name: process-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.start + process.entry_leader.parent.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. 
Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.real_user.entity.attributes level: extended - name: start + name: attributes normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.parent.supplemental_groups.id: - dashed_name: process-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.supplemental_groups.id - ignore_above: 1024 + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.real_user.entity.behavior level: extended - name: id + name: behavior normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.supplemental_groups.name: - dashed_name: process-parent-supplemental-groups-name - description: Name of the group. - flat_name: process.parent.supplemental_groups.name + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. 
+ type: object + process.entry_leader.parent.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.real_user.entity.display_name ignore_above: 1024 level: extended - name: name + multi_fields: + - flat_name: process.entry_leader.parent.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. type: keyword - process.parent.thread.capabilities.effective: - dashed_name: process-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.effective + process.entry_leader.parent.real_user.entity.id: + dashed_name: process-entry-leader-parent-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ flat_name: process.entry_leader.parent.real_user.entity.id ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. type: keyword - process.parent.thread.capabilities.permitted: - dashed_name: process-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.permitted - ignore_above: 1024 + process.entry_leader.parent.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.real_user.entity.last_seen_timestamp level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.parent.thread.id: - dashed_name: process-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.parent.thread.id - format: string + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.parent.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. 
Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.real_user.entity.lifecycle level: extended - name: thread.id + name: lifecycle normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.parent.thread.name: - dashed_name: process-parent-thread-name - description: Thread name. - example: thread-0 - flat_name: process.parent.thread.name - ignore_above: 1024 + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.parent.real_user.entity.metrics level: extended - name: thread.name + name: metrics normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.parent.title: - dashed_name: process-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.parent.title + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.parent.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. 
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.parent.real_user.entity.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.parent.title.text + - flat_name: process.entry_leader.parent.real_user.entity.name.text name: text - type: match_only_text - name: title + norms: false + type: text + name: name normalize: [] - original_fieldset: process - short: Process title. + original_fieldset: entity + short: The name of the entity. type: keyword - process.parent.tty: - dashed_name: process-parent-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.parent.tty + process.entry_leader.parent.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.parent.real_user.entity.raw level: extended - name: tty + name: raw normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. + original_fieldset: entity + short: Original, unmodified fields from the source system. type: object - process.parent.tty.char_device.major: - dashed_name: process-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. 
- example: 4 - flat_name: process.parent.tty.char_device.major + process.entry_leader.parent.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.real_user.entity.reference + ignore_above: 1024 level: extended - name: tty.char_device.major + name: reference normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.parent.tty.char_device.minor: - dashed_name: process-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.parent.tty.char_device.minor + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.parent.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.parent.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.real_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.real_user.entity.sub_type + ignore_above: 1024 level: extended - name: tty.char_device.minor + name: sub_type normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.parent.uptime: - dashed_name: process-parent-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.parent.uptime + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. 
+ Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. 
Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.parent.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.parent.real_user.full_name: + dashed_name: process-entry-leader-parent-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.real_user.full_name + ignore_above: 1024 level: extended - name: uptime + multi_fields: + - flat_name: process.entry_leader.parent.real_user.full_name.text + name: text + type: match_only_text + name: full_name normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.parent.user.id: - dashed_name: process-parent-user-id + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.real_user.group.domain: + dashed_name: process-entry-leader-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.real_user.group.id: + dashed_name: process-entry-leader-parent-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.real_user.group.name: + dashed_name: process-entry-leader-parent-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.real_user.hash: + dashed_name: process-entry-leader-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.real_user.id: + dashed_name: process-entry-leader-parent-real-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.user.id + flat_name: process.entry_leader.parent.real_user.id ignore_above: 1024 level: core name: id 
@@ -15246,15 +18901,15 @@ process: original_fieldset: user short: Unique identifier of the user. type: keyword - process.parent.user.name: - dashed_name: process-parent-user-name + process.entry_leader.parent.real_user.name: + dashed_name: process-entry-leader-parent-real-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.parent.user.name + flat_name: process.entry_leader.parent.real_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.parent.user.name.text + - flat_name: process.entry_leader.parent.real_user.name.text name: text type: match_only_text name: name 
@@ -15262,446 +18917,42053 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.parent.vpid: - dashed_name: process-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.parent.working_directory: - dashed_name: process-parent-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.parent.working_directory + process.entry_leader.parent.real_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.real_user.risk.calculated_level ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.parent.working_directory.text - name: text - type: match_only_text - name: working_directory + name: calculated_level normalize: [] - original_fieldset: process - short: The working directory of the process. + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. type: keyword - process.pe.architecture: - dashed_name: process-pe-architecture - description: CPU architecture target for the file. 
- example: x64 - flat_name: process.pe.architecture - ignore_above: 1024 + process.entry_leader.parent.real_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.real_user.risk.calculated_score level: extended - name: architecture + name: calculated_score normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.pe.company: - dashed_name: process-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.pe.company - ignore_above: 1024 + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.real_user.risk.calculated_score_norm level: extended - name: company + name: calculated_score_norm normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.pe.description: - dashed_name: process-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.pe.description + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.entry_leader.parent.real_user.risk.static_level: + dashed_name: process-entry-leader-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.real_user.risk.static_level ignore_above: 1024 level: extended - name: description + name: static_level normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. type: keyword - process.pe.file_version: - dashed_name: process-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.pe.file_version - ignore_above: 1024 + process.entry_leader.parent.real_user.risk.static_score: + dashed_name: process-entry-leader-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.real_user.risk.static_score level: extended - name: file_version + name: static_score normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.pe.go_import_hash: - dashed_name: process-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.pe.go_import_hash - ignore_above: 1024 + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.real_user.risk.static_score_norm level: extended - name: go_import_hash + name: static_score_norm normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.real_user.roles: + dashed_name: process-entry-leader-parent-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none type: keyword - process.pe.go_imports: - dashed_name: process-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.pe.go_imports + process.entry_leader.parent.same_as_process: + dashed_name: process-entry-leader-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. 
+ + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.parent.same_as_process level: extended - name: go_imports + name: same_as_process normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.pe.go_imports_names_entropy: - dashed_name: process-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_entropy - format: number + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.entry_leader.parent.saved_group.domain: + dashed_name: process-entry-leader-parent-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.saved_group.domain + ignore_above: 1024 level: extended - name: go_imports_names_entropy + name: domain normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.pe.go_imports_names_var_entropy: - dashed_name: process-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_var_entropy - format: number + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.saved_group.id: + dashed_name: process-entry-leader-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.saved_group.id + ignore_above: 1024 level: extended - name: go_imports_names_var_entropy + name: id normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.pe.go_stripped: - dashed_name: process-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.pe.go_stripped + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.saved_group.name: + dashed_name: process-entry-leader-parent-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.saved_group.name + ignore_above: 1024 level: extended - name: go_stripped + name: name normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.pe.imphash: - dashed_name: process-pe-imphash - description: 'A hash of the imports in a PE file. 
An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.saved_user.domain: + dashed_name: process-entry-leader-parent-saved-user-domain + description: 'Name of the directory the user is a member of. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.pe.imphash + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.saved_user.domain ignore_above: 1024 level: extended - name: imphash + name: domain normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: user + short: Name of the directory the user is a member of. type: keyword - process.pe.import_hash: - dashed_name: process-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.pe.import_hash + process.entry_leader.parent.saved_user.email: + dashed_name: process-entry-leader-parent-saved-user-email + description: User email address. + flat_name: process.entry_leader.parent.saved_user.email ignore_above: 1024 level: extended - name: import_hash + name: email normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: user + short: User email address. type: keyword - process.pe.imports: - dashed_name: process-pe-imports - description: List of imported element names and types. 
- flat_name: process.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.pe.imports_names_entropy: - dashed_name: process-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.pe.imports_names_entropy - format: number + process.entry_leader.parent.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.saved_user.entity.attributes level: extended - name: imports_names_entropy + name: attributes normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.pe.imports_names_var_entropy: - dashed_name: process-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.pe.imports_names_var_entropy - format: number + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.saved_user.entity.behavior level: extended - name: imports_names_var_entropy + name: behavior normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.pe.original_file_name: - dashed_name: process-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.pe.original_file_name + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.parent.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.saved_user.entity.display_name ignore_above: 1024 level: extended - name: original_file_name + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. type: keyword - process.pe.pehash: - dashed_name: process-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. 
- An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.pe.pehash + process.entry_leader.parent.saved_user.entity.id: + dashed_name: process-entry-leader-parent-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.parent.saved_user.entity.id ignore_above: 1024 - level: extended - name: pehash + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.parent.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.parent.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.parent.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.parent.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.parent.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.parent.saved_user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.parent.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.parent.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.parent.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.parent.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.saved_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.parent.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.parent.saved_user.full_name: + dashed_name: process-entry-leader-parent-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.saved_user.group.domain: + dashed_name: process-entry-leader-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.entry_leader.parent.saved_user.group.id: + dashed_name: process-entry-leader-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.saved_user.group.name: + dashed_name: process-entry-leader-parent-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.saved_user.hash: + dashed_name: process-entry-leader-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.saved_user.id: + dashed_name: process-entry-leader-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.saved_user.name: + dashed_name: process-entry-leader-parent-saved-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.entry_leader.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + flat_name: process.entry_leader.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.saved_user.risk.static_level: + dashed_name: process-entry-leader-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.saved_user.risk.static_score: + dashed_name: process-entry-leader-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: process.entry_leader.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.saved_user.roles: + dashed_name: process-entry-leader-parent-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.args: + dashed_name: process-entry-leader-parent-session-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.entry_leader.parent.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.entry_leader.parent.session_leader.args_count: + dashed_name: process-entry-leader-parent-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.entry_leader.parent.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. 
+ type: long + process.entry_leader.parent.session_leader.attested_groups.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.attested_groups.id: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.attested_groups.name: + dashed_name: process-entry-leader-parent-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.attested_user.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword + process.entry_leader.parent.session_leader.attested_user.email: + dashed_name: process-entry-leader-parent-session-leader-attested-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.session_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.session_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.entry_leader.parent.session_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.parent.session_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.parent.session_leader.attested_user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ flat_name: process.entry_leader.parent.session_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.parent.session_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.session_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ flat_name: process.entry_leader.parent.session_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.parent.session_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.parent.session_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.parent.session_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.parent.session_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.session_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.session_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.parent.session_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.parent.session_leader.attested_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.session_leader.attested_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.attested_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.entry_leader.parent.session_leader.attested_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.attested_user.hash: + dashed_name: process-entry-leader-parent-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.session_leader.attested_user.id: + dashed_name: process-entry-leader-parent-session-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.session_leader.attested_user.name: + dashed_name: process-entry-leader-parent-session-leader-attested-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.entry_leader.parent.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.session_leader.attested_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.session_leader.attested_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.session_leader.attested_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.session_leader.attested_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.session_leader.attested_user.roles: + dashed_name: process-entry-leader-parent-session-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.code_signature.digest_algorithm: + dashed_name: process-entry-leader-parent-session-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.entry_leader.parent.session_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. 
+ type: keyword + process.entry_leader.parent.session_leader.code_signature.exists: + dashed_name: process-entry-leader-parent-session-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.entry_leader.parent.session_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.entry_leader.parent.session_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.entry_leader.parent.session_leader.code_signature.signing_id: + dashed_name: process-entry-leader-parent-session-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.entry_leader.parent.session_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.entry_leader.parent.session_leader.code_signature.status: + dashed_name: process-entry-leader-parent-session-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.entry_leader.parent.session_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.entry_leader.parent.session_leader.code_signature.subject_name: + dashed_name: process-entry-leader-parent-session-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.entry_leader.parent.session_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.entry_leader.parent.session_leader.code_signature.team_id: + dashed_name: process-entry-leader-parent-session-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.entry_leader.parent.session_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. 
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.entry_leader.parent.session_leader.code_signature.timestamp: + dashed_name: process-entry-leader-parent-session-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.entry_leader.parent.session_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.entry_leader.parent.session_leader.code_signature.trusted: + dashed_name: process-entry-leader-parent-session-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.entry_leader.parent.session_leader.code_signature.valid: + dashed_name: process-entry-leader-parent-session-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: process.entry_leader.parent.session_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.entry_leader.parent.session_leader.command_line: + dashed_name: process-entry-leader-parent-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.parent.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.entry_leader.parent.session_leader.elf.architecture: + dashed_name: process-entry-leader-parent-session-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.entry_leader.parent.session_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.byte_order: + dashed_name: process-entry-leader-parent-session-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.entry_leader.parent.session_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. 
+ type: keyword + process.entry_leader.parent.session_leader.elf.cpu_type: + dashed_name: process-entry-leader-parent-session-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.entry_leader.parent.session_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.creation_date: + dashed_name: process-entry-leader-parent-session-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.entry_leader.parent.session_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.entry_leader.parent.session_leader.elf.exports: + dashed_name: process-entry-leader-parent-session-leader-elf-exports + description: List of exported element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.entry_leader.parent.session_leader.elf.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.go_imports: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.parent.session_leader.elf.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.entry_leader.parent.session_leader.elf.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.parent.session_leader.elf.header.abi_version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.entry_leader.parent.session_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.entry_leader.parent.session_leader.elf.header.class: + dashed_name: process-entry-leader-parent-session-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.header.data: + dashed_name: process-entry-leader-parent-session-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.entry_leader.parent.session_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. 
+ type: keyword + process.entry_leader.parent.session_leader.elf.header.entrypoint: + dashed_name: process-entry-leader-parent-session-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.entry_leader.parent.session_leader.elf.header.object_version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.entry_leader.parent.session_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.entry_leader.parent.session_leader.elf.header.os_abi: + dashed_name: process-entry-leader-parent-session-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.entry_leader.parent.session_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.entry_leader.parent.session_leader.elf.header.type: + dashed_name: process-entry-leader-parent-session-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.header.version: + dashed_name: process-entry-leader-parent-session-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.entry_leader.parent.session_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.entry_leader.parent.session_leader.elf.import_hash: + dashed_name: process-entry-leader-parent-session-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.entry_leader.parent.session_leader.elf.imports: + dashed_name: process-entry-leader-parent-session-leader-elf-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.entry_leader.parent.session_leader.elf.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. 
+ type: long + process.entry_leader.parent.session_leader.elf.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.parent.session_leader.elf.sections: + dashed_name: process-entry-leader-parent-session-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.entry_leader.parent.session_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.entry_leader.parent.session_leader.elf.sections.chi2: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.entry_leader.parent.session_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.entry_leader.parent.session_leader.elf.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.entry_leader.parent.session_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.session_leader.elf.sections.flags: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.entry_leader.parent.session_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.entry_leader.parent.session_leader.elf.sections.name: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.entry_leader.parent.session_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.entry_leader.parent.session_leader.elf.sections.physical_offset: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.entry_leader.parent.session_leader.elf.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. 
+ type: long + process.entry_leader.parent.session_leader.elf.sections.type: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.entry_leader.parent.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.entry_leader.parent.session_leader.elf.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.session_leader.elf.sections.virtual_address: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.entry_leader.parent.session_leader.elf.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. 
+ type: long + process.entry_leader.parent.session_leader.elf.segments: + dashed_name: process-entry-leader-parent-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.entry_leader.parent.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.entry_leader.parent.session_leader.elf.segments.sections: + dashed_name: process-entry-leader-parent-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.entry_leader.parent.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.entry_leader.parent.session_leader.elf.segments.type: + dashed_name: process-entry-leader-parent-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.entry_leader.parent.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.entry_leader.parent.session_leader.elf.shared_libraries: + dashed_name: process-entry-leader-parent-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.entry_leader.parent.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. 
+ type: keyword + process.entry_leader.parent.session_leader.elf.telfhash: + dashed_name: process-entry-leader-parent-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.entry_leader.parent.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.entry_leader.parent.session_leader.end: + dashed_name: process-entry-leader-parent-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.entry_leader.parent.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.entry_leader.parent.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.entry_leader.parent.session_leader.entity_id: + dashed_name: process-entry-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.address: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.as.number: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.bytes: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.entry_leader.parent.session_leader.entry_meta.source.domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. 
+ type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.location: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.entry_leader.parent.session_leader.entry_meta.source.geo.name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. 
+ example: CA-QC + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.entry_leader.parent.session_leader.entry_meta.source.mac: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. 
Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.nat.ip: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.entry_leader.parent.session_leader.entry_meta.source.nat.port: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.entry_leader.parent.session_leader.entry_meta.source.packets: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. 
+ type: long + process.entry_leader.parent.session_leader.entry_meta.source.port: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.entry_leader.parent.session_leader.entry_meta.source.registered_domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.subdomain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.entry_leader.parent.session_leader.entry_meta.type: + dashed_name: process-entry-leader-parent-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.parent.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. 
+ type: keyword + process.entry_leader.parent.session_leader.env_vars: + dashed_name: process-entry-leader-parent-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.entry_leader.parent.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.executable: + dashed_name: process-entry-leader-parent-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.parent.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.entry_leader.parent.session_leader.exit_code: + dashed_name: process-entry-leader-parent-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.entry_leader.parent.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.entry_leader.parent.session_leader.group.domain: + dashed_name: process-entry-leader-parent-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.group.id: + dashed_name: process-entry-leader-parent-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.group.name: + dashed_name: process-entry-leader-parent-session-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.entry_leader.parent.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.entry_leader.parent.session_leader.hash.md5: + dashed_name: process-entry-leader-parent-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.entry_leader.parent.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. 
+ type: keyword + process.entry_leader.parent.session_leader.hash.sha1: + dashed_name: process-entry-leader-parent-session-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.entry_leader.parent.session_leader.hash.sha256: + dashed_name: process-entry-leader-parent-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.entry_leader.parent.session_leader.hash.sha384: + dashed_name: process-entry-leader-parent-session-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.entry_leader.parent.session_leader.hash.sha512: + dashed_name: process-entry-leader-parent-session-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.entry_leader.parent.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.entry_leader.parent.session_leader.hash.ssdeep: + dashed_name: process-entry-leader-parent-session-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.entry_leader.parent.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.entry_leader.parent.session_leader.hash.tlsh: + dashed_name: process-entry-leader-parent-session-leader-hash-tlsh + description: TLSH hash. 
+ flat_name: process.entry_leader.parent.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.entry_leader.parent.session_leader.interactive: + dashed_name: process-entry-leader-parent-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.entry_leader.parent.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.entry_leader.parent.session_leader.io: + dashed_name: process-entry-leader-parent-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.entry_leader.parent.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.entry_leader.parent.session_leader.io.bytes_skipped: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. 
+ flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.entry_leader.parent.session_leader.io.bytes_skipped.length: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.entry_leader.parent.session_leader.io.bytes_skipped.offset: + dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-entry-leader-parent-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. 
+ type: boolean + process.entry_leader.parent.session_leader.io.text: + dashed_name: process-entry-leader-parent-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.entry_leader.parent.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.entry_leader.parent.session_leader.io.total_bytes_captured: + dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.entry_leader.parent.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.entry_leader.parent.session_leader.io.total_bytes_skipped: + dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.entry_leader.parent.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. 
+ type: long + process.entry_leader.parent.session_leader.io.type: + dashed_name: process-entry-leader-parent-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.entry_leader.parent.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.entry_leader.parent.session_leader.macho.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.entry_leader.parent.session_leader.macho.go_imports: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. 
+ type: flattened + process.entry_leader.parent.session_leader.macho.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.session_leader.macho.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.parent.session_leader.macho.import_hash: + dashed_name: process-entry-leader-parent-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.entry_leader.parent.session_leader.macho.imports: + dashed_name: process-entry-leader-parent-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.entry_leader.parent.session_leader.macho.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.parent.session_leader.macho.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. 
+ type: long + process.entry_leader.parent.session_leader.macho.sections: + dashed_name: process-entry-leader-parent-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.entry_leader.parent.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.entry_leader.parent.session_leader.macho.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.session_leader.macho.sections.name: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.entry_leader.parent.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.entry_leader.parent.session_leader.macho.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.entry_leader.parent.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. 
+ type: long + process.entry_leader.parent.session_leader.macho.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.session_leader.macho.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.entry_leader.parent.session_leader.macho.symhash: + dashed_name: process-entry-leader-parent-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.entry_leader.parent.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.entry_leader.parent.session_leader.name: + dashed_name: process-entry-leader-parent-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh + flat_name: process.entry_leader.parent.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.entry_leader.parent.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.entry_leader.parent.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.entry_leader.parent.session_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.entry_leader.parent.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.entry_leader.parent.session_leader.pe.architecture: + dashed_name: process-entry-leader-parent-session-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.entry_leader.parent.session_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. 
+ type: keyword + process.entry_leader.parent.session_leader.pe.company: + dashed_name: process-entry-leader-parent-session-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.entry_leader.parent.session_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.session_leader.pe.description: + dashed_name: process-entry-leader-parent-session-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.entry_leader.parent.session_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.session_leader.pe.file_version: + dashed_name: process-entry-leader-parent-session-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.entry_leader.parent.session_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.entry_leader.parent.session_leader.pe.go_import_hash: + dashed_name: process-entry-leader-parent-session-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.parent.session_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.entry_leader.parent.session_leader.pe.go_imports: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.parent.session_leader.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.entry_leader.parent.session_leader.pe.go_stripped: + dashed_name: process-entry-leader-parent-session-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.parent.session_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.parent.session_leader.pe.imphash: + dashed_name: process-entry-leader-parent-session-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.entry_leader.parent.session_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.entry_leader.parent.session_leader.pe.import_hash: + dashed_name: process-entry-leader-parent-session-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.parent.session_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. 
+ type: keyword + process.entry_leader.parent.session_leader.pe.imports: + dashed_name: process-entry-leader-parent-session-leader-pe-imports + description: List of imported element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.entry_leader.parent.session_leader.pe.imports_names_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.parent.session_leader.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.parent.session_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.parent.session_leader.pe.original_file_name: + dashed_name: process-entry-leader-parent-session-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + flat_name: process.entry_leader.parent.session_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.session_leader.pe.pehash: + dashed_name: process-entry-leader-parent-session-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.entry_leader.parent.session_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.entry_leader.parent.session_leader.pe.product: + dashed_name: process-entry-leader-parent-session-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.entry_leader.parent.session_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.entry_leader.parent.session_leader.pe.sections: + dashed_name: process-entry-leader-parent-session-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' 
+ flat_name: process.entry_leader.parent.session_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.entry_leader.parent.session_leader.pe.sections.entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.entry_leader.parent.session_leader.pe.sections.name: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-name + description: PE Section List name. + flat_name: process.entry_leader.parent.session_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.entry_leader.parent.session_leader.pe.sections.physical_size: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.entry_leader.parent.session_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.entry_leader.parent.session_leader.pe.sections.var_entropy: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.parent.session_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. 
+ type: long + process.entry_leader.parent.session_leader.pe.sections.virtual_size: + dashed_name: process-entry-leader-parent-session-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.parent.session_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.entry_leader.parent.session_leader.pid: + dashed_name: process-entry-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.entry_leader.parent.session_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.entry_leader.parent.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.entry_leader.parent.session_leader.real_group.domain: + dashed_name: process-entry-leader-parent-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.entry_leader.parent.session_leader.real_group.id: + dashed_name: process-entry-leader-parent-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.real_group.name: + dashed_name: process-entry-leader-parent-session-leader-real-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.real_user.domain: + dashed_name: process-entry-leader-parent-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.session_leader.real_user.email: + dashed_name: process-entry-leader-parent-session-leader-real-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.session_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.session_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.parent.session_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.parent.session_leader.real_user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.parent.session_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ flat_name: process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.parent.session_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.session_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.parent.session_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. 
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.parent.session_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.parent.session_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.session_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. 
+ type: keyword + process.entry_leader.parent.session_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.parent.session_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.session_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.session_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. 
This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.parent.session_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.parent.session_leader.real_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-real-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.session_leader.real_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.real_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.real_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.real_user.hash: + dashed_name: process-entry-leader-parent-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.session_leader.real_user.id: + dashed_name: process-entry-leader-parent-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.session_leader.real_user.name: + dashed_name: process-entry-leader-parent-session-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.session_leader.real_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.entry_leader.parent.session_leader.real_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.session_leader.real_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: keyword + process.entry_leader.parent.session_leader.real_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.session_leader.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.session_leader.real_user.roles: + dashed_name: process-entry-leader-parent-session-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.same_as_process: + dashed_name: process-entry-leader-parent-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.parent.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.entry_leader.parent.session_leader.saved_group.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.parent.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.saved_group.id: + dashed_name: process-entry-leader-parent-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.saved_group.name: + dashed_name: process-entry-leader-parent-session-leader-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.saved_user.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.session_leader.saved_user.email: + dashed_name: process-entry-leader-parent-session-leader-saved-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword + process.entry_leader.parent.session_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.session_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.parent.session_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.parent.session_leader.saved_user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.parent.session_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.session_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.parent.session_leader.saved_user.entity.name: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.parent.session_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.parent.session_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.entry_leader.parent.session_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.parent.session_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.session_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.session_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. 
Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. 
This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.parent.session_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. 
+ type: keyword + process.entry_leader.parent.session_leader.saved_user.full_name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.session_leader.saved_user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.saved_user.group.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.saved_user.group.name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.entry_leader.parent.session_leader.saved_user.hash: + dashed_name: process-entry-leader-parent-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.session_leader.saved_user.id: + dashed_name: process-entry-leader-parent-session-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.session_leader.saved_user.name: + dashed_name: process-entry-leader-parent-session-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.session_leader.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.session_leader.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.session_leader.saved_user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.session_leader.saved_user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.session_leader.saved_user.roles: + dashed_name: process-entry-leader-parent-session-leader-saved-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.start: + dashed_name: process-entry-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.entry_leader.parent.session_leader.supplemental_groups.domain: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.supplemental_groups.id: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.supplemental_groups.name: + dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-name + description: Name of the group. 
+ flat_name: process.entry_leader.parent.session_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.thread.capabilities.effective: + dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.session_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.thread.capabilities.permitted: + dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.session_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.thread.id: + dashed_name: process-entry-leader-parent-session-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. 
+ type: long + process.entry_leader.parent.session_leader.thread.name: + dashed_name: process-entry-leader-parent-session-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.entry_leader.parent.session_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.entry_leader.parent.session_leader.title: + dashed_name: process-entry-leader-parent-session-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.entry_leader.parent.session_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.entry_leader.parent.session_leader.tty: + dashed_name: process-entry-leader-parent-session-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.entry_leader.parent.session_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.entry_leader.parent.session_leader.tty.char_device.major: + dashed_name: process-entry-leader-parent-session-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. 
+ example: 4 + flat_name: process.entry_leader.parent.session_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.entry_leader.parent.session_leader.tty.char_device.minor: + dashed_name: process-entry-leader-parent-session-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.parent.session_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.entry_leader.parent.session_leader.tty.columns: + dashed_name: process-entry-leader-parent-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.parent.session_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.entry_leader.parent.session_leader.tty.rows: + dashed_name: process-entry-leader-parent-session-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. 
where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.parent.session_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.entry_leader.parent.session_leader.uptime: + dashed_name: process-entry-leader-parent-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.entry_leader.parent.session_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.entry_leader.parent.session_leader.user.domain: + dashed_name: process-entry-leader-parent-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.session_leader.user.email: + dashed_name: process-entry-leader-parent-session-leader-user-email + description: User email address. + flat_name: process.entry_leader.parent.session_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.session_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.session_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.session_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.parent.session_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.entry_leader.parent.session_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.parent.session_leader.user.entity.id: + dashed_name: process-entry-leader-parent-session-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.parent.session_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date + process.entry_leader.parent.session_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.session_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.session_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.parent.session_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.parent.session_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: process.entry_leader.parent.session_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.parent.session_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.parent.session_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.parent.session_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.session_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.parent.session_leader.user.entity.source: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-parent-session-leader-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.parent.session_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.session_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.session_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.session_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. 
+ The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. 
Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-session-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.parent.session_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.parent.session_leader.user.full_name: + dashed_name: process-entry-leader-parent-session-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.parent.session_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: keyword + process.entry_leader.parent.session_leader.user.group.domain: + dashed_name: process-entry-leader-parent-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.session_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.session_leader.user.group.id: + dashed_name: process-entry-leader-parent-session-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.session_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.session_leader.user.group.name: + dashed_name: process-entry-leader-parent-session-leader-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.session_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.session_leader.user.hash: + dashed_name: process-entry-leader-parent-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.parent.session_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. 
+ type: keyword + process.entry_leader.parent.session_leader.user.id: + dashed_name: process-entry-leader-parent-session-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.session_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.session_leader.user.name: + dashed_name: process-entry-leader-parent-session-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.session_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.session_leader.user.risk.calculated_level: + dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.session_leader.user.risk.calculated_score: + dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.session_leader.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.session_leader.user.risk.static_level: + dashed_name: process-entry-leader-parent-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.session_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.session_leader.user.risk.static_score: + dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.entry_leader.parent.session_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.session_leader.user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.session_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.session_leader.user.roles: + dashed_name: process-entry-leader-parent-session-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.session_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.session_leader.vpid: + dashed_name: process-entry-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. 
+ type: long + process.entry_leader.parent.session_leader.working_directory: + dashed_name: process-entry-leader-parent-session-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.entry_leader.parent.session_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.session_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.entry_leader.parent.start: + dashed_name: process-entry-leader-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.entry_leader.parent.supplemental_groups.domain: + dashed_name: process-entry-leader-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.supplemental_groups.id: + dashed_name: process-entry-leader-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.entry_leader.parent.supplemental_groups.name: + dashed_name: process-entry-leader-parent-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.parent.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.thread.capabilities.effective: + dashed_name: process-entry-leader-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.thread.capabilities.permitted: + dashed_name: process-entry-leader-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.thread.id: + dashed_name: process-entry-leader-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.parent.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. 
+ type: long + process.entry_leader.parent.thread.name: + dashed_name: process-entry-leader-parent-thread-name + description: Thread name. + example: thread-0 + flat_name: process.entry_leader.parent.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.entry_leader.parent.title: + dashed_name: process-entry-leader-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.entry_leader.parent.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.entry_leader.parent.tty: + dashed_name: process-entry-leader-parent-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.entry_leader.parent.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.entry_leader.parent.tty.char_device.major: + dashed_name: process-entry-leader-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.parent.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. 
+ type: long + process.entry_leader.parent.tty.char_device.minor: + dashed_name: process-entry-leader-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.parent.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.entry_leader.parent.tty.columns: + dashed_name: process-entry-leader-parent-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.parent.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.entry_leader.parent.tty.rows: + dashed_name: process-entry-leader-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.parent.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.entry_leader.parent.uptime: + dashed_name: process-entry-leader-parent-uptime + description: Seconds the process has been up. 
+ example: 1325 + flat_name: process.entry_leader.parent.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.entry_leader.parent.user.domain: + dashed_name: process-entry-leader-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.parent.user.email: + dashed_name: process-entry-leader-parent-user-email + description: User email address. + flat_name: process.entry_leader.parent.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.parent.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.parent.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.parent.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. 
Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.parent.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.parent.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.parent.user.entity.id: + dashed_name: process-entry-leader-parent-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. 
Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.parent.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.parent.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.parent.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.parent.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.parent.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.parent.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ flat_name: process.entry_leader.parent.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.parent.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.parent.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.parent.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.parent.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.parent.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. 
Format may vary by entity type and source system. + flat_name: process.entry_leader.parent.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.parent.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.parent.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.parent.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.parent.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.parent.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. 
Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. 
Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-parent-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.parent.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.parent.user.full_name: + dashed_name: process-entry-leader-parent-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.entry_leader.parent.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.parent.user.group.domain: + dashed_name: process-entry-leader-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.parent.user.group.id: + dashed_name: process-entry-leader-parent-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.parent.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.parent.user.group.name: + dashed_name: process-entry-leader-parent-user-group-name + description: Name of the group. + flat_name: process.entry_leader.parent.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.parent.user.hash: + dashed_name: process-entry-leader-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.entry_leader.parent.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.parent.user.id: + dashed_name: process-entry-leader-parent-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.parent.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.parent.user.name: + dashed_name: process-entry-leader-parent-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.parent.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.parent.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.parent.user.risk.calculated_level: + dashed_name: process-entry-leader-parent-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.parent.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.parent.user.risk.calculated_score: + dashed_name: process-entry-leader-parent-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.entry_leader.parent.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.parent.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-parent-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.parent.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.parent.user.risk.static_level: + dashed_name: process-entry-leader-parent-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.parent.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.parent.user.risk.static_score: + dashed_name: process-entry-leader-parent-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.entry_leader.parent.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.parent.user.risk.static_score_norm: + dashed_name: process-entry-leader-parent-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.parent.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.parent.user.roles: + dashed_name: process-entry-leader-parent-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.parent.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.parent.vpid: + dashed_name: process-entry-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.entry_leader.parent.working_directory: + dashed_name: process-entry-leader-parent-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.entry_leader.parent.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.parent.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.entry_leader.pe.architecture: + dashed_name: process-entry-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.entry_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.entry_leader.pe.company: + dashed_name: process-entry-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.entry_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.entry_leader.pe.description: + dashed_name: process-entry-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.entry_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.entry_leader.pe.file_version: + dashed_name: process-entry-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.entry_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. 
+ type: keyword + process.entry_leader.pe.go_import_hash: + dashed_name: process-entry-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.entry_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.entry_leader.pe.go_imports: + dashed_name: process-entry-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.entry_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.entry_leader.pe.go_imports_names_entropy: + dashed_name: process-entry-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.entry_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.pe.go_imports_names_var_entropy: + dashed_name: process-entry-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.entry_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.entry_leader.pe.go_stripped: + dashed_name: process-entry-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.entry_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.entry_leader.pe.imphash: + dashed_name: process-entry-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.entry_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.entry_leader.pe.import_hash: + dashed_name: process-entry-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.entry_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.entry_leader.pe.imports: + dashed_name: process-entry-leader-pe-imports + description: List of imported element names and types. + flat_name: process.entry_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.entry_leader.pe.imports_names_entropy: + dashed_name: process-entry-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.entry_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.entry_leader.pe.imports_names_var_entropy: + dashed_name: process-entry-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.entry_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.entry_leader.pe.original_file_name: + dashed_name: process-entry-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.entry_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. 
+ type: keyword + process.entry_leader.pe.pehash: + dashed_name: process-entry-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.entry_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.entry_leader.pe.product: + dashed_name: process-entry-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.entry_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.entry_leader.pe.sections: + dashed_name: process-entry-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.entry_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.entry_leader.pe.sections.entropy: + dashed_name: process-entry-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.entry_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. 
+ type: long + process.entry_leader.pe.sections.name: + dashed_name: process-entry-leader-pe-sections-name + description: PE Section List name. + flat_name: process.entry_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.entry_leader.pe.sections.physical_size: + dashed_name: process-entry-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.entry_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.entry_leader.pe.sections.var_entropy: + dashed_name: process-entry-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.entry_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.entry_leader.pe.sections.virtual_size: + dashed_name: process-entry-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.entry_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.entry_leader.pid: + dashed_name: process-entry-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.entry_leader.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.entry_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.entry_leader.real_group.domain: + dashed_name: process-entry-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.real_group.id: + dashed_name: process-entry-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.real_group.name: + dashed_name: process-entry-leader-real-group-name + description: Name of the group. + flat_name: process.entry_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.real_user.domain: + dashed_name: process-entry-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.real_user.email: + dashed_name: process-entry-leader-real-user-email + description: User email address. + flat_name: process.entry_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.entry_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.real_user.entity.id: + dashed_name: process-entry-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword + process.entry_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-name + description: The name of the entity. 
The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.real_user.entity.source: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. 
+ name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. 
+ name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.real_user.full_name: + dashed_name: process-entry-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.real_user.group.domain: + dashed_name: process-entry-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.entry_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.real_user.group.id: + dashed_name: process-entry-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.real_user.group.name: + dashed_name: process-entry-leader-real-user-group-name + description: Name of the group. + flat_name: process.entry_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.real_user.hash: + dashed_name: process-entry-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.real_user.id: + dashed_name: process-entry-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.real_user.name: + dashed_name: process-entry-leader-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.entry_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.real_user.risk.calculated_level: + dashed_name: process-entry-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.entry_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.real_user.risk.calculated_score: + dashed_name: process-entry-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.real_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + flat_name: process.entry_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.real_user.risk.static_level: + dashed_name: process-entry-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.real_user.risk.static_score: + dashed_name: process-entry-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.real_user.risk.static_score_norm: + dashed_name: process-entry-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float + process.entry_leader.real_user.roles: + dashed_name: process-entry-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.same_as_process: + dashed_name: process-entry-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. 
+ type: boolean + process.entry_leader.saved_group.domain: + dashed_name: process-entry-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.saved_group.id: + dashed_name: process-entry-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.saved_group.name: + dashed_name: process-entry-leader-saved-group-name + description: Name of the group. + flat_name: process.entry_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.saved_user.domain: + dashed_name: process-entry-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.saved_user.email: + dashed_name: process-entry-leader-saved-user-email + description: User email address. + flat_name: process.entry_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword + process.entry_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.entry_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.saved_user.entity.id: + dashed_name: process-entry-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.entry_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. 
This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. 
+ name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.saved_user.full_name: + dashed_name: process-entry-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.saved_user.group.domain: + dashed_name: process-entry-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.saved_user.group.id: + dashed_name: process-entry-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.entry_leader.saved_user.group.name: + dashed_name: process-entry-leader-saved-user-group-name + description: Name of the group. + flat_name: process.entry_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.saved_user.hash: + dashed_name: process-entry-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.saved_user.id: + dashed_name: process-entry-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.saved_user.name: + dashed_name: process-entry-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.saved_user.risk.calculated_level: + dashed_name: process-entry-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.entry_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.saved_user.risk.calculated_score: + dashed_name: process-entry-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-entry-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.saved_user.risk.static_level: + dashed_name: process-entry-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.entry_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.entry_leader.saved_user.risk.static_score: + dashed_name: process-entry-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.saved_user.risk.static_score_norm: + dashed_name: process-entry-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.saved_user.roles: + dashed_name: process-entry-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.entry_leader.start: + dashed_name: process-entry-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.entry_leader.supplemental_groups.domain: + dashed_name: process-entry-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.supplemental_groups.id: + dashed_name: process-entry-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.supplemental_groups.name: + dashed_name: process-entry-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.entry_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.thread.capabilities.effective: + dashed_name: process-entry-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.entry_leader.thread.capabilities.permitted: + dashed_name: process-entry-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.entry_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.entry_leader.thread.id: + dashed_name: process-entry-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.entry_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.entry_leader.thread.name: + dashed_name: process-entry-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.entry_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.entry_leader.title: + dashed_name: process-entry-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' 
+ flat_name: process.entry_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.entry_leader.tty: + dashed_name: process-entry-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.entry_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.entry_leader.tty.char_device.major: + dashed_name: process-entry-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.entry_leader.tty.char_device.minor: + dashed_name: process-entry-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. 
+ type: long + process.entry_leader.tty.columns: + dashed_name: process-entry-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.entry_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.entry_leader.tty.rows: + dashed_name: process-entry-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.entry_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.entry_leader.uptime: + dashed_name: process-entry-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.entry_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.entry_leader.user.domain: + dashed_name: process-entry-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.entry_leader.user.email: + dashed_name: process-entry-leader-user-email + description: User email address. 
+ flat_name: process.entry_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.entry_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.entry_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.entry_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.entry_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.entry_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.entry_leader.user.entity.id: + dashed_name: process-entry-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.entry_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.entry_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.entry_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date + process.entry_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.entry_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.entry_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.entry_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.entry_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.entry_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.entry_leader.user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-entry-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.entry_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.entry_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.entry_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.entry_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.entry_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.entry_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.entry_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.entry_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-entry-leader-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.entry_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.entry_leader.user.full_name: + dashed_name: process-entry-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.entry_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.entry_leader.user.group.domain: + dashed_name: process-entry-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.entry_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.entry_leader.user.group.id: + dashed_name: process-entry-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.user.group.name: + dashed_name: process-entry-leader-user-group-name + description: Name of the group. 
+ flat_name: process.entry_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.user.hash: + dashed_name: process-entry-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.entry_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.entry_leader.user.id: + dashed_name: process-entry-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.entry_leader.user.name: + dashed_name: process-entry-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.entry_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.entry_leader.user.risk.calculated_level: + dashed_name: process-entry-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.entry_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.entry_leader.user.risk.calculated_score: + dashed_name: process-entry-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.entry_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.entry_leader.user.risk.calculated_score_norm: + dashed_name: process-entry-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.entry_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.entry_leader.user.risk.static_level: + dashed_name: process-entry-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.entry_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: keyword + process.entry_leader.user.risk.static_score: + dashed_name: process-entry-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.entry_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.entry_leader.user.risk.static_score_norm: + dashed_name: process-entry-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.entry_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.entry_leader.user.roles: + dashed_name: process-entry-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.entry_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' 
+ example: 4242 + flat_name: process.entry_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.entry_leader.working_directory: + dashed_name: process-entry-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.entry_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.entry_meta.source.address: + dashed_name: process-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.entry_meta.source.as.number: + dashed_name: process-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.entry_meta.source.as.organization.name: + dashed_name: process-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.entry_meta.source.bytes: + dashed_name: process-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.entry_meta.source.domain: + dashed_name: process-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.entry_meta.source.geo.city_name: + dashed_name: process-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.entry_meta.source.geo.continent_code: + dashed_name: process-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. 
+ type: keyword + process.entry_meta.source.geo.continent_name: + dashed_name: process-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.entry_meta.source.geo.country_iso_code: + dashed_name: process-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.entry_meta.source.geo.country_name: + dashed_name: process-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.entry_meta.source.geo.location: + dashed_name: process-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.entry_meta.source.geo.name: + dashed_name: process-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + flat_name: process.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.entry_meta.source.geo.postal_code: + dashed_name: process-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.entry_meta.source.geo.region_iso_code: + dashed_name: process-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.entry_meta.source.geo.region_name: + dashed_name: process-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.entry_meta.source.geo.timezone: + dashed_name: process-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.entry_meta.source.ip: + dashed_name: process-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). 
+ flat_name: process.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.entry_meta.source.mac: + dashed_name: process-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.entry_meta.source.nat.ip: + dashed_name: process-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.entry_meta.source.nat.port: + dashed_name: process-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.entry_meta.source.packets: + dashed_name: process-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. 
+ type: long + process.entry_meta.source.port: + dashed_name: process-entry-meta-source-port + description: Port of the source. + flat_name: process.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.entry_meta.source.registered_domain: + dashed_name: process-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.entry_meta.source.subdomain: + dashed_name: process-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. 
+ type: keyword + process.entry_meta.source.top_level_domain: + dashed_name: process-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.entry_meta.type: + dashed_name: process-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + short: The entry type for the entry session leader. + type: keyword + process.env_vars: + dashed_name: process-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.executable: + dashed_name: process-executable + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + flat_name: process.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + otel: + - attribute: process.executable.path + relation: equivalent + stability: development + short: Absolute path to the process executable. + type: keyword + process.exit_code: + dashed_name: process-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.exit_code + level: extended + name: exit_code + normalize: [] + short: The exit code of the process. + type: long + process.group.domain: + dashed_name: process-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.args: + dashed_name: process-group-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.group_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.group_leader.args_count: + dashed_name: process-group-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.group_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.group_leader.attested_groups.domain: + dashed_name: process-group-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.attested_groups.id: + dashed_name: process-group-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.attested_groups.name: + dashed_name: process-group-leader-attested-groups-name + description: Name of the group. + flat_name: process.group_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.group_leader.attested_user.domain: + dashed_name: process-group-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.group_leader.attested_user.email: + dashed_name: process-group-leader-attested-user-email + description: User email address. + flat_name: process.group_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.group_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.group_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.group_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.group_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.group_leader.attested_user.entity.id: + dashed_name: process-group-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ flat_name: process.group_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.group_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.group_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.group_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.group_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object + process.group_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.group_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.group_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.group_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.group_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.group_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.group_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.group_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.group_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.group_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.group_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. 
Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. 
Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-group-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.group_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.group_leader.attested_user.full_name: + dashed_name: process-group-leader-attested-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.group_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.group_leader.attested_user.group.domain: + dashed_name: process-group-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.attested_user.group.id: + dashed_name: process-group-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.attested_user.group.name: + dashed_name: process-group-leader-attested-user-group-name + description: Name of the group. + flat_name: process.group_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.attested_user.hash: + dashed_name: process-group-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.group_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.group_leader.attested_user.id: + dashed_name: process-group-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.group_leader.attested_user.name: + dashed_name: process-group-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.group_leader.attested_user.risk.calculated_level: + dashed_name: process-group-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.group_leader.attested_user.risk.calculated_score: + dashed_name: process-group-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.group_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.group_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-group-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.group_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.group_leader.attested_user.risk.static_level: + dashed_name: process-group-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.group_leader.attested_user.risk.static_score: + dashed_name: process-group-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.group_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.group_leader.attested_user.risk.static_score_norm: + dashed_name: process-group-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.group_leader.attested_user.roles: + dashed_name: process-group-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.group_leader.code_signature.digest_algorithm: + dashed_name: process-group-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.group_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. 
+ type: keyword + process.group_leader.code_signature.exists: + dashed_name: process-group-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.group_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.group_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.group_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.group_leader.code_signature.signing_id: + dashed_name: process-group-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.group_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.group_leader.code_signature.status: + dashed_name: process-group-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + flat_name: process.group_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.group_leader.code_signature.subject_name: + dashed_name: process-group-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.group_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.group_leader.code_signature.team_id: + dashed_name: process-group-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.group_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.group_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.group_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. 
+ type: keyword + process.group_leader.code_signature.timestamp: + dashed_name: process-group-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.group_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.group_leader.code_signature.trusted: + dashed_name: process-group-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.group_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.group_leader.code_signature.valid: + dashed_name: process-group-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.group_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.group_leader.command_line: + dashed_name: process-group-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.group_leader.command_line + level: extended + multi_fields: + - flat_name: process.group_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.group_leader.elf.architecture: + dashed_name: process-group-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.group_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.group_leader.elf.byte_order: + dashed_name: process-group-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.group_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.group_leader.elf.cpu_type: + dashed_name: process-group-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.group_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.group_leader.elf.creation_date: + dashed_name: process-group-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.group_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.group_leader.elf.exports: + dashed_name: process-group-leader-elf-exports + description: List of exported element names and types. 
+ flat_name: process.group_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.group_leader.elf.go_import_hash: + dashed_name: process-group-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.group_leader.elf.go_imports: + dashed_name: process-group-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.group_leader.elf.go_imports_names_entropy: + dashed_name: process-group-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. 
+ type: long + process.group_leader.elf.go_imports_names_var_entropy: + dashed_name: process-group-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.elf.go_stripped: + dashed_name: process-group-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.group_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.group_leader.elf.header.abi_version: + dashed_name: process-group-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.group_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.group_leader.elf.header.class: + dashed_name: process-group-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.group_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.group_leader.elf.header.data: + dashed_name: process-group-leader-elf-header-data + description: Data table of the ELF header. 
+ flat_name: process.group_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.group_leader.elf.header.entrypoint: + dashed_name: process-group-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.group_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.group_leader.elf.header.object_version: + dashed_name: process-group-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.group_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.group_leader.elf.header.os_abi: + dashed_name: process-group-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.group_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.group_leader.elf.header.type: + dashed_name: process-group-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.group_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.group_leader.elf.header.version: + dashed_name: process-group-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.group_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.group_leader.elf.import_hash: + dashed_name: process-group-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.group_leader.elf.imports: + dashed_name: process-group-leader-elf-imports + description: List of imported element names and types. + flat_name: process.group_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.group_leader.elf.imports_names_entropy: + dashed_name: process-group-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.group_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.group_leader.elf.imports_names_var_entropy: + dashed_name: process-group-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.group_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.group_leader.elf.sections: + dashed_name: process-group-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.group_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.group_leader.elf.sections.chi2: + dashed_name: process-group-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.group_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.group_leader.elf.sections.entropy: + dashed_name: process-group-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.group_leader.elf.sections.flags: + dashed_name: process-group-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.group_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. 
+ type: keyword + process.group_leader.elf.sections.name: + dashed_name: process-group-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.group_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.group_leader.elf.sections.physical_offset: + dashed_name: process-group-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.group_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.group_leader.elf.sections.physical_size: + dashed_name: process-group-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.group_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.group_leader.elf.sections.type: + dashed_name: process-group-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.group_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.group_leader.elf.sections.var_entropy: + dashed_name: process-group-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. 
+ type: long + process.group_leader.elf.sections.virtual_address: + dashed_name: process-group-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.group_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.group_leader.elf.sections.virtual_size: + dashed_name: process-group-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.group_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.group_leader.elf.segments: + dashed_name: process-group-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.group_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.group_leader.elf.segments.sections: + dashed_name: process-group-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.group_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.group_leader.elf.segments.type: + dashed_name: process-group-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.group_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword + process.group_leader.elf.shared_libraries: + dashed_name: process-group-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.group_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.group_leader.elf.telfhash: + dashed_name: process-group-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.group_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.group_leader.end: + dashed_name: process-group-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.group_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.group_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.group_leader.entity_id: + dashed_name: process-group-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.group_leader.entry_meta.source.address: + dashed_name: process-group-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.group_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.group_leader.entry_meta.source.as.number: + dashed_name: process-group-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.group_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.group_leader.entry_meta.source.as.organization.name: + dashed_name: process-group-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.group_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.group_leader.entry_meta.source.bytes: + dashed_name: process-group-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.group_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.group_leader.entry_meta.source.domain: + dashed_name: process-group-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.group_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.group_leader.entry_meta.source.geo.city_name: + dashed_name: process-group-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.group_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.group_leader.entry_meta.source.geo.continent_code: + dashed_name: process-group-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. 
+ example: NA + flat_name: process.group_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.group_leader.entry_meta.source.geo.continent_name: + dashed_name: process-group-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.group_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.group_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-group-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.group_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.group_leader.entry_meta.source.geo.country_name: + dashed_name: process-group-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.group_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.group_leader.entry_meta.source.geo.location: + dashed_name: process-group-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.group_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point + process.group_leader.entry_meta.source.geo.name: + dashed_name: process-group-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.group_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.group_leader.entry_meta.source.geo.postal_code: + dashed_name: process-group-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.group_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.group_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-group-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.group_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.group_leader.entry_meta.source.geo.region_name: + dashed_name: process-group-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.group_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword + process.group_leader.entry_meta.source.geo.timezone: + dashed_name: process-group-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.group_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.group_leader.entry_meta.source.ip: + dashed_name: process-group-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.group_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.group_leader.entry_meta.source.mac: + dashed_name: process-group-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.group_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.group_leader.entry_meta.source.nat.ip: + dashed_name: process-group-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.group_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.group_leader.entry_meta.source.nat.port: + dashed_name: process-group-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.group_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.group_leader.entry_meta.source.packets: + dashed_name: process-group-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.group_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.group_leader.entry_meta.source.port: + dashed_name: process-group-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.group_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.group_leader.entry_meta.source.registered_domain: + dashed_name: process-group-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.group_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.group_leader.entry_meta.source.subdomain: + dashed_name: process-group-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.group_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.group_leader.entry_meta.source.top_level_domain: + dashed_name: process-group-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + flat_name: process.group_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.group_leader.entry_meta.type: + dashed_name: process-group-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.group_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.group_leader.env_vars: + dashed_name: process-group-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.group_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.group_leader.executable: + dashed_name: process-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.group_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword + process.group_leader.exit_code: + dashed_name: process-group-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.group_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.group_leader.group.domain: + dashed_name: process-group-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.group.id: + dashed_name: process-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.group.name: + dashed_name: process-group-leader-group-name + description: Name of the group. + flat_name: process.group_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.group_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.group_leader.hash.md5: + dashed_name: process-group-leader-hash-md5 + description: MD5 hash. + flat_name: process.group_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.group_leader.hash.sha1: + dashed_name: process-group-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.group_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.group_leader.hash.sha256: + dashed_name: process-group-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.group_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.group_leader.hash.sha384: + dashed_name: process-group-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.group_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.group_leader.hash.sha512: + dashed_name: process-group-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.group_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.group_leader.hash.ssdeep: + dashed_name: process-group-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.group_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. 
+ type: keyword + process.group_leader.hash.tlsh: + dashed_name: process-group-leader-hash-tlsh + description: TLSH hash. + flat_name: process.group_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.group_leader.interactive: + dashed_name: process-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.group_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.group_leader.io: + dashed_name: process-group-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.group_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.group_leader.io.bytes_skipped: + dashed_name: process-group-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. 
+ flat_name: process.group_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.group_leader.io.bytes_skipped.length: + dashed_name: process-group-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.group_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.group_leader.io.bytes_skipped.offset: + dashed_name: process-group-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.group_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.group_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-group-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.group_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.group_leader.io.text: + dashed_name: process-group-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. 
TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.group_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.group_leader.io.total_bytes_captured: + dashed_name: process-group-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.group_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.group_leader.io.total_bytes_skipped: + dashed_name: process-group-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.group_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.group_leader.io.type: + dashed_name: process-group-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.group_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. 
+ type: keyword + process.group_leader.macho.go_import_hash: + dashed_name: process-group-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.group_leader.macho.go_imports: + dashed_name: process-group-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.group_leader.macho.go_imports_names_entropy: + dashed_name: process-group-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.macho.go_imports_names_var_entropy: + dashed_name: process-group-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.group_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.macho.go_stripped: + dashed_name: process-group-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.group_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.group_leader.macho.import_hash: + dashed_name: process-group-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.group_leader.macho.imports: + dashed_name: process-group-leader-macho-imports + description: List of imported element names and types. + flat_name: process.group_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.group_leader.macho.imports_names_entropy: + dashed_name: process-group-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.group_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.group_leader.macho.imports_names_var_entropy: + dashed_name: process-group-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.group_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.group_leader.macho.sections: + dashed_name: process-group-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.group_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.group_leader.macho.sections.entropy: + dashed_name: process-group-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.group_leader.macho.sections.name: + dashed_name: process-group-leader-macho-sections-name + description: Mach-O Section List name. 
+ flat_name: process.group_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.group_leader.macho.sections.physical_size: + dashed_name: process-group-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.group_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.group_leader.macho.sections.var_entropy: + dashed_name: process-group-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.group_leader.macho.sections.virtual_size: + dashed_name: process-group-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.group_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.group_leader.macho.symhash: + dashed_name: process-group-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.group_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.group_leader.name: + dashed_name: process-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.group_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.group_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.group_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.group_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.group_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.group_leader.pe.architecture: + dashed_name: process-group-leader-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: process.group_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.group_leader.pe.company: + dashed_name: process-group-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.group_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.group_leader.pe.description: + dashed_name: process-group-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.group_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.group_leader.pe.file_version: + dashed_name: process-group-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.group_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.group_leader.pe.go_import_hash: + dashed_name: process-group-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.group_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.group_leader.pe.go_imports: + dashed_name: process-group-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.group_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.group_leader.pe.go_imports_names_entropy: + dashed_name: process-group-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.pe.go_imports_names_var_entropy: + dashed_name: process-group-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.group_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.group_leader.pe.go_stripped: + dashed_name: process-group-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.group_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.group_leader.pe.imphash: + dashed_name: process-group-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.group_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.group_leader.pe.import_hash: + dashed_name: process-group-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.group_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.group_leader.pe.imports: + dashed_name: process-group-leader-pe-imports + description: List of imported element names and types. + flat_name: process.group_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. 
+ type: flattened + process.group_leader.pe.imports_names_entropy: + dashed_name: process-group-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.group_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.group_leader.pe.imports_names_var_entropy: + dashed_name: process-group-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.group_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.group_leader.pe.original_file_name: + dashed_name: process-group-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.group_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.group_leader.pe.pehash: + dashed_name: process-group-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.group_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.group_leader.pe.product: + dashed_name: process-group-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.group_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.group_leader.pe.sections: + dashed_name: process-group-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.group_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.group_leader.pe.sections.entropy: + dashed_name: process-group-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.group_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.group_leader.pe.sections.name: + dashed_name: process-group-leader-pe-sections-name + description: PE Section List name. + flat_name: process.group_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword + process.group_leader.pe.sections.physical_size: + dashed_name: process-group-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.group_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.group_leader.pe.sections.var_entropy: + dashed_name: process-group-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.group_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.group_leader.pe.sections.virtual_size: + dashed_name: process-group-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.group_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.group_leader.pid: + dashed_name: process-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + otel: + - relation: match + stability: development + short: Process id. + type: long + process.group_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. 
+ flat_name: process.group_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.group_leader.real_group.domain: + dashed_name: process-group-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.real_group.id: + dashed_name: process-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.real_group.name: + dashed_name: process-group-leader-real-group-name + description: Name of the group. + flat_name: process.group_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.real_user.domain: + dashed_name: process-group-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.group_leader.real_user.email: + dashed_name: process-group-leader-real-user-email + description: User email address. 
+ flat_name: process.group_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.group_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.group_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.group_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.group_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.group_leader.real_user.entity.id: + dashed_name: process-group-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.group_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.group_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date + process.group_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.group_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.group_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.group_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.group_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. 
+ type: keyword + process.group_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.group_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.group_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.group_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.group_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.group_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.group_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-group-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.group_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.group_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-group-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.group_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.group_leader.real_user.full_name: + dashed_name: process-group-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.group_leader.real_user.group.domain: + dashed_name: process-group-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.real_user.group.id: + dashed_name: process-group-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.group_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.real_user.group.name: + dashed_name: process-group-leader-real-user-group-name + description: Name of the group. + flat_name: process.group_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.real_user.hash: + dashed_name: process-group-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.group_leader.real_user.id: + dashed_name: process-group-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.group_leader.real_user.name: + dashed_name: process-group-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword + process.group_leader.real_user.risk.calculated_level: + dashed_name: process-group-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.group_leader.real_user.risk.calculated_score: + dashed_name: process-group-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.group_leader.real_user.risk.calculated_score_norm: + dashed_name: process-group-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.group_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.group_leader.real_user.risk.static_level: + dashed_name: process-group-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.group_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.group_leader.real_user.risk.static_score: + dashed_name: process-group-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.group_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.group_leader.real_user.risk.static_score_norm: + dashed_name: process-group-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.group_leader.real_user.roles: + dashed_name: process-group-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.group_leader.same_as_process: + dashed_name: process-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.group_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.group_leader.saved_group.domain: + dashed_name: process-group-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.group_leader.saved_group.id: + dashed_name: process-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.saved_group.name: + dashed_name: process-group-leader-saved-group-name + description: Name of the group. + flat_name: process.group_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.saved_user.domain: + dashed_name: process-group-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.group_leader.saved_user.email: + dashed_name: process-group-leader-saved-user-email + description: User email address. + flat_name: process.group_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.group_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. 
+ flat_name: process.group_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.group_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.group_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.group_leader.saved_user.entity.id: + dashed_name: process-group-leader-saved-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.group_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.group_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.group_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. 
+ type: object + process.group_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.group_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.group_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.group_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.group_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.group_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object + process.group_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.group_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.group_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.group_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.group_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.group_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.group_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-group-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: process.group_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.group_leader.saved_user.full_name: + dashed_name: process-group-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.group_leader.saved_user.group.domain: + dashed_name: process-group-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.saved_user.group.id: + dashed_name: process-group-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.saved_user.group.name: + dashed_name: process-group-leader-saved-user-group-name + description: Name of the group. + flat_name: process.group_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.group_leader.saved_user.hash: + dashed_name: process-group-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.group_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.group_leader.saved_user.id: + dashed_name: process-group-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.group_leader.saved_user.name: + dashed_name: process-group-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.group_leader.saved_user.risk.calculated_level: + dashed_name: process-group-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: keyword + process.group_leader.saved_user.risk.calculated_score: + dashed_name: process-group-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.group_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.group_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-group-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.group_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.group_leader.saved_user.risk.static_level: + dashed_name: process-group-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.group_leader.saved_user.risk.static_score: + dashed_name: process-group-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.group_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.group_leader.saved_user.risk.static_score_norm: + dashed_name: process-group-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.group_leader.saved_user.roles: + dashed_name: process-group-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.group_leader.start: + dashed_name: process-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.group_leader.supplemental_groups.domain: + dashed_name: process-group-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.group_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.supplemental_groups.id: + dashed_name: process-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.supplemental_groups.name: + dashed_name: process-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.group_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.thread.capabilities.effective: + dashed_name: process-group-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.group_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.group_leader.thread.capabilities.permitted: + dashed_name: process-group-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.group_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.group_leader.thread.id: + dashed_name: process-group-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.group_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.group_leader.thread.name: + dashed_name: process-group-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.group_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.group_leader.title: + dashed_name: process-group-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.group_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.group_leader.tty: + dashed_name: process-group-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.group_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. 
+ type: object + process.group_leader.tty.char_device.major: + dashed_name: process-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.group_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.group_leader.tty.char_device.minor: + dashed_name: process-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.group_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.group_leader.tty.columns: + dashed_name: process-group-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.group_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.group_leader.tty.rows: + dashed_name: process-group-leader-tty-rows + description: 'The number of character rows in the terminal. 
e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.group_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.group_leader.uptime: + dashed_name: process-group-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.group_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.group_leader.user.domain: + dashed_name: process-group-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.group_leader.user.email: + dashed_name: process-group-leader-user-email + description: User email address. + flat_name: process.group_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.group_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. 
+ flat_name: process.group_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.group_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.group_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.group_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.group_leader.user.entity.id: + dashed_name: process-group-leader-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.group_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.group_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.group_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.group_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.group_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. 
+ type: object + process.group_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.group_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.group_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.group_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.group_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.group_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.group_leader.user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-group-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.group_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.group_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.group_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.group_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.group_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. 
+ type: keyword + process.group_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-group-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.group_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. 
+ type: keyword + process.group_leader.user.full_name: + dashed_name: process-group-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.group_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.group_leader.user.group.domain: + dashed_name: process-group-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.group_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.group_leader.user.group.id: + dashed_name: process-group-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.group_leader.user.group.name: + dashed_name: process-group-leader-user-group-name + description: Name of the group. + flat_name: process.group_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.user.hash: + dashed_name: process-group-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.group_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.group_leader.user.id: + dashed_name: process-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.group_leader.user.name: + dashed_name: process-group-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.group_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.group_leader.user.risk.calculated_level: + dashed_name: process-group-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.group_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.group_leader.user.risk.calculated_score: + dashed_name: process-group-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.group_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.group_leader.user.risk.calculated_score_norm: + dashed_name: process-group-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.group_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.group_leader.user.risk.static_level: + dashed_name: process-group-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.group_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.group_leader.user.risk.static_score: + dashed_name: process-group-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.group_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.group_leader.user.risk.static_score_norm: + dashed_name: process-group-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.group_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.group_leader.user.roles: + dashed_name: process-group-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.group_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.group_leader.vpid: + dashed_name: process-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.group_leader.working_directory: + dashed_name: process-group-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.group_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.group_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. 
+ type: keyword + process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.hash.md5: + dashed_name: process-hash-md5 + description: MD5 hash. + flat_name: process.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.hash.sha1: + dashed_name: process-hash-sha1 + description: SHA1 hash. + flat_name: process.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.hash.sha256: + dashed_name: process-hash-sha256 + description: SHA256 hash. + flat_name: process.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.hash.sha384: + dashed_name: process-hash-sha384 + description: SHA384 hash. + flat_name: process.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.hash.sha512: + dashed_name: process-hash-sha512 + description: SHA512 hash. + flat_name: process.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.hash.ssdeep: + dashed_name: process-hash-ssdeep + description: SSDEEP hash. + flat_name: process.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. 
+ type: keyword + process.hash.tlsh: + dashed_name: process-hash-tlsh + description: TLSH hash. + flat_name: process.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.interactive: + dashed_name: process-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.interactive + level: extended + name: interactive + normalize: [] + otel: + - relation: match + stability: development + short: Whether the process is connected to an interactive shell. + type: boolean + process.io: + dashed_name: process-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.io + level: extended + name: io + normalize: [] + short: A chunk of input or output (IO) from a single process. + type: object + process.io.bytes_skipped: + dashed_name: process-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + short: An array of byte offsets and lengths denoting where IO data has been + skipped. 
+ type: object + process.io.bytes_skipped.length: + dashed_name: process-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + short: The length of bytes skipped. + type: long + process.io.bytes_skipped.offset: + dashed_name: process-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.io.max_bytes_per_process_exceeded: + dashed_name: process-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.io.text: + dashed_name: process-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.io.text + level: extended + name: io.text + normalize: [] + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.io.total_bytes_captured: + dashed_name: process-io-total-bytes-captured + description: The total number of bytes captured in this event. 
+ flat_name: process.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + short: The total number of bytes captured in this event. + type: long + process.io.total_bytes_skipped: + dashed_name: process-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.io.type: + dashed_name: process-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.macho.go_import_hash: + dashed_name: process-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. 
+ type: keyword + process.macho.go_imports: + dashed_name: process-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.macho.go_imports_names_entropy: + dashed_name: process-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.macho.go_imports_names_var_entropy: + dashed_name: process-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.macho.go_stripped: + dashed_name: process-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.macho.import_hash: + dashed_name: process-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.macho.imports: + dashed_name: process-macho-imports + description: List of imported element names and types. + flat_name: process.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.macho.imports_names_entropy: + dashed_name: process-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.macho.imports_names_var_entropy: + dashed_name: process-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.macho.sections: + dashed_name: process-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. 
+ type: nested + process.macho.sections.entropy: + dashed_name: process-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.macho.sections.name: + dashed_name: process-macho-sections-name + description: Mach-O Section List name. + flat_name: process.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.macho.sections.physical_size: + dashed_name: process-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.macho.sections.var_entropy: + dashed_name: process-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.macho.sections.virtual_size: + dashed_name: process-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.macho.symhash: + dashed_name: process-macho-symhash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.name: + dashed_name: process-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: Process name. + type: keyword + process.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + short: The URL where the process's executable file is hosted. + type: keyword + process.parent.args: + dashed_name: process-parent-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+ flat_name: process.parent.args
+ ignore_above: 1024
+ level: extended
+ name: args
+ normalize:
+ - array
+ original_fieldset: process
+ short: Array of process arguments.
+ type: keyword
+ process.parent.args_count:
+ dashed_name: process-parent-args-count
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how
+ many arguments were provided to start a process. More arguments may be an
+ indication of suspicious activity.'
+ example: 4
+ flat_name: process.parent.args_count
+ level: extended
+ name: args_count
+ normalize: []
+ original_fieldset: process
+ short: Length of the process.args array.
+ type: long
+ process.parent.attested_groups.domain:
+ dashed_name: process-parent-attested-groups-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.parent.attested_groups.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.parent.attested_groups.id:
+ dashed_name: process-parent-attested-groups-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.parent.attested_groups.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.parent.attested_groups.name:
+ dashed_name: process-parent-attested-groups-name
+ description: Name of the group.
+ flat_name: process.parent.attested_groups.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.parent.attested_user.domain:
+ dashed_name: process-parent-attested-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.parent.attested_user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+ process.parent.attested_user.email:
+ dashed_name: process-parent-attested-user-email
+ description: User email address.
+ flat_name: process.parent.attested_user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ process.parent.attested_user.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: process.parent.attested_user.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ process.parent.attested_user.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type.
Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: process.parent.attested_user.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ process.parent.attested_user.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: process.parent.attested_user.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.parent.attested_user.entity.display_name.text
+ name: text
+ norms: false
+ type: text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ process.parent.attested_user.entity.id:
+ dashed_name: process-parent-attested-user-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: process.parent.attested_user.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ process.parent.attested_user.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: process.parent.attested_user.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ process.parent.attested_user.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: process.parent.attested_user.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ process.parent.attested_user.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: process.parent.attested_user.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ process.parent.attested_user.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: process.parent.attested_user.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.parent.attested_user.entity.name.text
+ name: text
+ norms: false
+ type: text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ process.parent.attested_user.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: process.parent.attested_user.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ process.parent.attested_user.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: process.parent.attested_user.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ process.parent.attested_user.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: process.parent.attested_user.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ process.parent.attested_user.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: process.parent.attested_user.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ process.parent.attested_user.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service.
This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-attested-user-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: process.parent.attested_user.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+ process.parent.attested_user.full_name:
+ dashed_name: process-parent-attested-user-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: process.parent.attested_user.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.parent.attested_user.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+ process.parent.attested_user.group.domain:
+ dashed_name: process-parent-attested-user-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.parent.attested_user.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.parent.attested_user.group.id:
+ dashed_name: process-parent-attested-user-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.parent.attested_user.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.parent.attested_user.group.name:
+ dashed_name: process-parent-attested-user-group-name
+ description: Name of the group.
+ flat_name: process.parent.attested_user.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.parent.attested_user.hash:
+ dashed_name: process-parent-attested-user-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: process.parent.attested_user.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+ process.parent.attested_user.id:
+ dashed_name: process-parent-attested-user-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: process.parent.attested_user.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+ process.parent.attested_user.name:
+ dashed_name: process-parent-attested-user-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: process.parent.attested_user.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: process.parent.attested_user.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+ process.parent.attested_user.risk.calculated_level:
+ dashed_name: process-parent-attested-user-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: process.parent.attested_user.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ process.parent.attested_user.risk.calculated_score:
+ dashed_name: process-parent-attested-user-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: process.parent.attested_user.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ process.parent.attested_user.risk.calculated_score_norm:
+ dashed_name: process-parent-attested-user-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: process.parent.attested_user.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ process.parent.attested_user.risk.static_level:
+ dashed_name: process-parent-attested-user-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: process.parent.attested_user.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ process.parent.attested_user.risk.static_score:
+ dashed_name: process-parent-attested-user-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: process.parent.attested_user.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ process.parent.attested_user.risk.static_score_norm:
+ dashed_name: process-parent-attested-user-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: process.parent.attested_user.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+ process.parent.attested_user.roles:
+ dashed_name: process-parent-attested-user-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: process.parent.attested_user.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+ process.parent.code_signature.digest_algorithm:
+ dashed_name: process-parent-code-signature-digest-algorithm
+ description: 'The hashing algorithm used to sign the process.
+
+ This value can distinguish signatures when a file is signed multiple times
+ by the same signer but with a different digest algorithm.'
+ example: sha256
+ flat_name: process.parent.code_signature.digest_algorithm
+ ignore_above: 1024
+ level: extended
+ name: digest_algorithm
+ normalize: []
+ original_fieldset: code_signature
+ short: Hashing algorithm used to sign the process.
+ type: keyword
+ process.parent.code_signature.exists:
+ dashed_name: process-parent-code-signature-exists
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ flat_name: process.parent.code_signature.exists
+ level: core
+ name: exists
+ normalize: []
+ original_fieldset: code_signature
+ short: Boolean to capture if a signature is present.
+ type: boolean
+ process.parent.code_signature.flags:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-code-signature-flags
+ description: The flags used to sign the process.
+ example: 570522385
+ flat_name: process.parent.code_signature.flags
+ ignore_above: 1024
+ level: extended
+ name: flags
+ normalize: []
+ original_fieldset: code_signature
+ short: Code signing flags of the process
+ type: keyword
+ process.parent.code_signature.signing_id:
+ dashed_name: process-parent-code-signature-signing-id
+ description: 'The identifier used to sign the process.
+
+ This is used to identify the application manufactured by a software vendor.
+ The field is relevant to Apple *OS only.'
+ example: com.apple.xpc.proxy
+ flat_name: process.parent.code_signature.signing_id
+ ignore_above: 1024
+ level: extended
+ name: signing_id
+ normalize: []
+ original_fieldset: code_signature
+ short: The identifier used to sign the process.
+ type: keyword
+ process.parent.code_signature.status:
+ dashed_name: process-parent-code-signature-status
+ description: 'Additional information about the certificate status.
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status. Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ flat_name: process.parent.code_signature.status
+ ignore_above: 1024
+ level: extended
+ name: status
+ normalize: []
+ original_fieldset: code_signature
+ short: Additional information about the certificate status.
+ type: keyword
+ process.parent.code_signature.subject_name:
+ dashed_name: process-parent-code-signature-subject-name
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ flat_name: process.parent.code_signature.subject_name
+ ignore_above: 1024
+ level: core
+ name: subject_name
+ normalize: []
+ original_fieldset: code_signature
+ short: Subject name of the code signer
+ type: keyword
+ process.parent.code_signature.team_id:
+ dashed_name: process-parent-code-signature-team-id
+ description: 'The team identifier used to sign the process.
+
+ This is used to identify the team or vendor of a software product. The field
+ is relevant to Apple *OS only.'
+ example: EQHXZ8M8AV
+ flat_name: process.parent.code_signature.team_id
+ ignore_above: 1024
+ level: extended
+ name: team_id
+ normalize: []
+ original_fieldset: code_signature
+ short: The team identifier used to sign the process.
+ type: keyword
+ process.parent.code_signature.thumbprint_sha256:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-code-signature-thumbprint-sha256
+ description: Certificate SHA256 hash that uniquely identifies the code signer.
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+ flat_name: process.parent.code_signature.thumbprint_sha256
+ ignore_above: 64
+ level: extended
+ name: thumbprint_sha256
+ normalize: []
+ original_fieldset: code_signature
+ pattern: ^[0-9a-f]{64}$
+ short: SHA256 hash of the certificate.
+ type: keyword
+ process.parent.code_signature.timestamp:
+ dashed_name: process-parent-code-signature-timestamp
+ description: Date and time when the code signature was generated and signed.
+ example: '2021-01-01T12:10:30Z'
+ flat_name: process.parent.code_signature.timestamp
+ level: extended
+ name: timestamp
+ normalize: []
+ original_fieldset: code_signature
+ short: When the signature was generated and signed.
+ type: date
+ process.parent.code_signature.trusted:
+ dashed_name: process-parent-code-signature-trusted
+ description: 'Stores the trust status of the certificate chain.
+
+ Validating the trust of the certificate chain may be complicated, and this
+ field should only be populated by tools that actively check the status.'
+ example: 'true'
+ flat_name: process.parent.code_signature.trusted
+ level: extended
+ name: trusted
+ normalize: []
+ original_fieldset: code_signature
+ short: Stores the trust status of the certificate chain.
+ type: boolean
+ process.parent.code_signature.valid:
+ dashed_name: process-parent-code-signature-valid
+ description: 'Boolean to capture if the digital signature is verified against
+ the binary content.
+
+ Leave unpopulated if a certificate was unchecked.'
+ example: 'true'
+ flat_name: process.parent.code_signature.valid
+ level: extended
+ name: valid
+ normalize: []
+ original_fieldset: code_signature
+ short: Boolean to capture if the digital signature is verified against the binary
+ content.
+ type: boolean
+ process.parent.command_line:
+ dashed_name: process-parent-command-line
+ description: 'Full command line that started the process, including the absolute
+ path to the executable, and all arguments.
+
+ Some arguments may be filtered to protect sensitive information.'
+ example: /usr/bin/ssh -l user 10.0.0.16
+ flat_name: process.parent.command_line
+ level: extended
+ multi_fields:
+ - flat_name: process.parent.command_line.text
+ name: text
+ type: match_only_text
+ name: command_line
+ normalize: []
+ original_fieldset: process
+ short: Full command line that started the process.
+ type: wildcard
+ process.parent.elf.architecture:
+ dashed_name: process-parent-elf-architecture
+ description: Machine architecture of the ELF file.
+ example: x86-64
+ flat_name: process.parent.elf.architecture
+ ignore_above: 1024
+ level: extended
+ name: architecture
+ normalize: []
+ original_fieldset: elf
+ short: Machine architecture of the ELF file.
+ type: keyword
+ process.parent.elf.byte_order:
+ dashed_name: process-parent-elf-byte-order
+ description: Byte sequence of ELF file.
+ example: Little Endian
+ flat_name: process.parent.elf.byte_order
+ ignore_above: 1024
+ level: extended
+ name: byte_order
+ normalize: []
+ original_fieldset: elf
+ short: Byte sequence of ELF file.
+ type: keyword
+ process.parent.elf.cpu_type:
+ dashed_name: process-parent-elf-cpu-type
+ description: CPU type of the ELF file.
+ example: Intel
+ flat_name: process.parent.elf.cpu_type
+ ignore_above: 1024
+ level: extended
+ name: cpu_type
+ normalize: []
+ original_fieldset: elf
+ short: CPU type of the ELF file.
+ type: keyword
+ process.parent.elf.creation_date:
+ dashed_name: process-parent-elf-creation-date
+ description: Extracted when possible from the file's metadata. Indicates when
+ it was built or compiled. It can also be faked by malware creators.
+ flat_name: process.parent.elf.creation_date
+ level: extended
+ name: creation_date
+ normalize: []
+ original_fieldset: elf
+ short: Build or compile date.
+ type: date
+ process.parent.elf.exports:
+ dashed_name: process-parent-elf-exports
+ description: List of exported element names and types.
+ flat_name: process.parent.elf.exports
+ level: extended
+ name: exports
+ normalize:
+ - array
+ original_fieldset: elf
+ short: List of exported element names and types.
+ type: flattened
+ process.parent.elf.go_import_hash:
+ dashed_name: process-parent-elf-go-import-hash
+ description: 'A hash of the Go language imports in an ELF file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would
+ change more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ flat_name: process.parent.elf.go_import_hash
+ ignore_above: 1024
+ level: extended
+ name: go_import_hash
+ normalize: []
+ original_fieldset: elf
+ short: A hash of the Go language imports in an ELF file.
+ type: keyword
+ process.parent.elf.go_imports:
+ dashed_name: process-parent-elf-go-imports
+ description: List of imported Go language element names and types.
+ flat_name: process.parent.elf.go_imports
+ level: extended
+ name: go_imports
+ normalize: []
+ original_fieldset: elf
+ short: List of imported Go language element names and types.
+ type: flattened
+ process.parent.elf.go_imports_names_entropy:
+ dashed_name: process-parent-elf-go-imports-names-entropy
+ description: Shannon entropy calculation from the list of Go imports.
+ flat_name: process.parent.elf.go_imports_names_entropy
+ format: number
+ level: extended
+ name: go_imports_names_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Shannon entropy calculation from the list of Go imports.
+ type: long
+ process.parent.elf.go_imports_names_var_entropy:
+ dashed_name: process-parent-elf-go-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ flat_name: process.parent.elf.go_imports_names_var_entropy
+ format: number
+ level: extended
+ name: go_imports_names_var_entropy
+ normalize: []
+ original_fieldset: elf
+ short: Variance for Shannon entropy calculation from the list of Go imports.
+ type: long
+ process.parent.elf.go_stripped:
+ dashed_name: process-parent-elf-go-stripped
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ flat_name: process.parent.elf.go_stripped
+ level: extended
+ name: go_stripped
+ normalize: []
+ original_fieldset: elf
+ short: Whether the file is a stripped or obfuscated Go executable.
+ type: boolean
+ process.parent.elf.header.abi_version:
+ dashed_name: process-parent-elf-header-abi-version
+ description: Version of the ELF Application Binary Interface (ABI).
+ flat_name: process.parent.elf.header.abi_version
+ ignore_above: 1024
+ level: extended
+ name: header.abi_version
+ normalize: []
+ original_fieldset: elf
+ short: Version of the ELF Application Binary Interface (ABI).
+ type: keyword + process.parent.elf.header.class: + dashed_name: process-parent-elf-header-class + description: Header class of the ELF file. + flat_name: process.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.parent.elf.header.data: + dashed_name: process-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.parent.elf.header.entrypoint: + dashed_name: process-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.parent.elf.header.object_version: + dashed_name: process-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.parent.elf.header.os_abi: + dashed_name: process-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.parent.elf.header.type: + dashed_name: process-parent-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.parent.elf.header.version: + dashed_name: process-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.parent.elf.import_hash: + dashed_name: process-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.parent.elf.imports: + dashed_name: process-parent-elf-imports + description: List of imported element names and types. + flat_name: process.parent.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.parent.elf.imports_names_entropy: + dashed_name: process-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. 
+ type: long + process.parent.elf.imports_names_var_entropy: + dashed_name: process-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.parent.elf.sections: + dashed_name: process-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.parent.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.parent.elf.sections.chi2: + dashed_name: process-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.parent.elf.sections.entropy: + dashed_name: process-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.parent.elf.sections.flags: + dashed_name: process-parent-elf-sections-flags + description: ELF Section List flags. 
+ flat_name: process.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.parent.elf.sections.name: + dashed_name: process-parent-elf-sections-name + description: ELF Section List name. + flat_name: process.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.parent.elf.sections.physical_offset: + dashed_name: process-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.parent.elf.sections.physical_size: + dashed_name: process-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.parent.elf.sections.type: + dashed_name: process-parent-elf-sections-type + description: ELF Section List type. + flat_name: process.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.parent.elf.sections.var_entropy: + dashed_name: process-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. 
+ type: long + process.parent.elf.sections.virtual_address: + dashed_name: process-parent-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.parent.elf.sections.virtual_size: + dashed_name: process-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.parent.elf.segments: + dashed_name: process-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.parent.elf.segments.sections: + dashed_name: process-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.parent.elf.segments.type: + dashed_name: process-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword + process.parent.elf.shared_libraries: + dashed_name: process-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.parent.elf.telfhash: + dashed_name: process-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.parent.end: + dashed_name: process-parent-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.parent.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.parent.entity_id: + dashed_name: process-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.parent.entry_meta.source.address: + dashed_name: process-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.parent.entry_meta.source.as.number: + dashed_name: process-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.parent.entry_meta.source.as.organization.name: + dashed_name: process-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. 
+ type: keyword + process.parent.entry_meta.source.bytes: + dashed_name: process-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.parent.entry_meta.source.domain: + dashed_name: process-parent-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.parent.entry_meta.source.geo.city_name: + dashed_name: process-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.parent.entry_meta.source.geo.continent_code: + dashed_name: process-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.parent.entry_meta.source.geo.continent_name: + dashed_name: process-parent-entry-meta-source-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: process.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.parent.entry_meta.source.geo.country_name: + dashed_name: process-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.parent.entry_meta.source.geo.location: + dashed_name: process-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.parent.entry_meta.source.geo.name: + dashed_name: process-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. 
+ type: keyword + process.parent.entry_meta.source.geo.postal_code: + dashed_name: process-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.parent.entry_meta.source.geo.region_name: + dashed_name: process-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.parent.entry_meta.source.geo.timezone: + dashed_name: process-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.parent.entry_meta.source.ip: + dashed_name: process-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip + process.parent.entry_meta.source.mac: + dashed_name: process-parent-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.parent.entry_meta.source.nat.ip: + dashed_name: process-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.parent.entry_meta.source.nat.port: + dashed_name: process-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.parent.entry_meta.source.packets: + dashed_name: process-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. 
+ type: long + process.parent.entry_meta.source.port: + dashed_name: process-parent-entry-meta-source-port + description: Port of the source. + flat_name: process.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.parent.entry_meta.source.registered_domain: + dashed_name: process-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.parent.entry_meta.source.subdomain: + dashed_name: process-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. 
+ type: keyword + process.parent.entry_meta.source.top_level_domain: + dashed_name: process-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.parent.entry_meta.type: + dashed_name: process-parent-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.parent.env_vars: + dashed_name: process-parent-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. 
+ synthetic_source_keep: none + type: keyword + process.parent.executable: + dashed_name: process-parent-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.parent.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.parent.exit_code: + dashed_name: process-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.parent.group.domain: + dashed_name: process-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group.id: + dashed_name: process-parent-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group.name: + dashed_name: process-parent-group-name + description: Name of the group. + flat_name: process.parent.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.parent.group_leader.args: + dashed_name: process-parent-group-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.parent.group_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.parent.group_leader.args_count: + dashed_name: process-parent-group-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.parent.group_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.parent.group_leader.attested_groups.domain: + dashed_name: process-parent-group-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.attested_groups.id: + dashed_name: process-parent-group-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.parent.group_leader.attested_groups.name: + dashed_name: process-parent-group-leader-attested-groups-name + description: Name of the group. + flat_name: process.parent.group_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.attested_user.domain: + dashed_name: process-parent-group-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.group_leader.attested_user.email: + dashed_name: process-parent-group-leader-attested-user-email + description: User email address. + flat_name: process.parent.group_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.group_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.parent.group_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. 
+ type: object + process.parent.group_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.parent.group_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.group_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.parent.group_leader.attested_user.entity.id: + dashed_name: process-parent-group-leader-attested-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.parent.group_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.parent.group_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.parent.group_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.parent.group_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.parent.group_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.parent.group_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.parent.group_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.parent.group_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.parent.group_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.parent.group_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: process.parent.group_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.parent.group_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.group_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.parent.group_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.parent.group_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.parent.group_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.group_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.parent.group_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.parent.group_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.parent.group_leader.attested_user.full_name: + dashed_name: process-parent-group-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.group_leader.attested_user.group.domain: + dashed_name: process-parent-group-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.attested_user.group.id: + dashed_name: process-parent-group-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.parent.group_leader.attested_user.group.name: + dashed_name: process-parent-group-leader-attested-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.attested_user.hash: + dashed_name: process-parent-group-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.group_leader.attested_user.id: + dashed_name: process-parent-group-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.group_leader.attested_user.name: + dashed_name: process-parent-group-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword + process.parent.group_leader.attested_user.risk.calculated_level: + dashed_name: process-parent-group-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.group_leader.attested_user.risk.calculated_score: + dashed_name: process-parent-group-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.group_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.group_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.parent.group_leader.attested_user.risk.static_level: + dashed_name: process-parent-group-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.group_leader.attested_user.risk.static_score: + dashed_name: process-parent-group-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.group_leader.attested_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.group_leader.attested_user.roles: + dashed_name: process-parent-group-leader-attested-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.code_signature.digest_algorithm: + dashed_name: process-parent-group-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.parent.group_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.parent.group_leader.code_signature.exists: + dashed_name: process-parent-group-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.parent.group_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.parent.group_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.group_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.parent.group_leader.code_signature.signing_id: + dashed_name: process-parent-group-leader-code-signature-signing-id + description: 'The identifier used to sign the process. 
+ + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.group_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.parent.group_leader.code_signature.status: + dashed_name: process-parent-group-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.group_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.parent.group_leader.code_signature.subject_name: + dashed_name: process-parent-group-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.group_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.parent.group_leader.code_signature.team_id: + dashed_name: process-parent-group-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV + flat_name: process.parent.group_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.parent.group_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.parent.group_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.parent.group_leader.code_signature.timestamp: + dashed_name: process-parent-group-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.parent.group_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.parent.group_leader.code_signature.trusted: + dashed_name: process-parent-group-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.group_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. 
+ type: boolean + process.parent.group_leader.code_signature.valid: + dashed_name: process-parent-group-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.parent.group_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.parent.group_leader.command_line: + dashed_name: process-parent-group-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.parent.group_leader.command_line + level: extended + multi_fields: + - flat_name: process.parent.group_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.parent.group_leader.elf.architecture: + dashed_name: process-parent-group-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.group_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.parent.group_leader.elf.byte_order: + dashed_name: process-parent-group-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.parent.group_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. 
+ type: keyword + process.parent.group_leader.elf.cpu_type: + dashed_name: process-parent-group-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.group_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.parent.group_leader.elf.creation_date: + dashed_name: process-parent-group-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.parent.group_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.parent.group_leader.elf.exports: + dashed_name: process-parent-group-leader-elf-exports + description: List of exported element names and types. + flat_name: process.parent.group_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.parent.group_leader.elf.go_import_hash: + dashed_name: process-parent-group-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. 
+ type: keyword + process.parent.group_leader.elf.go_imports: + dashed_name: process-parent-group-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.parent.group_leader.elf.go_imports_names_entropy: + dashed_name: process-parent-group-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.group_leader.elf.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.group_leader.elf.go_stripped: + dashed_name: process-parent-group-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. 
+ type: boolean + process.parent.group_leader.elf.header.abi_version: + dashed_name: process-parent-group-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.parent.group_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.parent.group_leader.elf.header.class: + dashed_name: process-parent-group-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.parent.group_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.parent.group_leader.elf.header.data: + dashed_name: process-parent-group-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.group_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.parent.group_leader.elf.header.entrypoint: + dashed_name: process-parent-group-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.group_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.parent.group_leader.elf.header.object_version: + dashed_name: process-parent-group-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.group_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' 
+ type: keyword + process.parent.group_leader.elf.header.os_abi: + dashed_name: process-parent-group-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.parent.group_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.parent.group_leader.elf.header.type: + dashed_name: process-parent-group-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.parent.group_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.parent.group_leader.elf.header.version: + dashed_name: process-parent-group-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.group_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.parent.group_leader.elf.import_hash: + dashed_name: process-parent-group-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.parent.group_leader.elf.imports: + dashed_name: process-parent-group-leader-elf-imports + description: List of imported element names and types. 
+ flat_name: process.parent.group_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.parent.group_leader.elf.imports_names_entropy: + dashed_name: process-parent-group-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.group_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.group_leader.elf.imports_names_var_entropy: + dashed_name: process-parent-group-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.parent.group_leader.elf.sections: + dashed_name: process-parent-group-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.parent.group_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.parent.group_leader.elf.sections.chi2: + dashed_name: process-parent-group-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. 
+ flat_name: process.parent.group_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.parent.group_leader.elf.sections.entropy: + dashed_name: process-parent-group-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.parent.group_leader.elf.sections.flags: + dashed_name: process-parent-group-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.group_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.parent.group_leader.elf.sections.name: + dashed_name: process-parent-group-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.parent.group_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.parent.group_leader.elf.sections.physical_offset: + dashed_name: process-parent-group-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.group_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.parent.group_leader.elf.sections.physical_size: + dashed_name: process-parent-group-leader-elf-sections-physical-size + description: ELF Section List physical size. 
+ flat_name: process.parent.group_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.parent.group_leader.elf.sections.type: + dashed_name: process-parent-group-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.parent.group_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.parent.group_leader.elf.sections.var_entropy: + dashed_name: process-parent-group-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.group_leader.elf.sections.virtual_address: + dashed_name: process-parent-group-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.parent.group_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.parent.group_leader.elf.sections.virtual_size: + dashed_name: process-parent-group-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.group_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. 
+ type: long + process.parent.group_leader.elf.segments: + dashed_name: process-parent-group-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.parent.group_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.parent.group_leader.elf.segments.sections: + dashed_name: process-parent-group-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.group_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.parent.group_leader.elf.segments.type: + dashed_name: process-parent-group-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.parent.group_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.parent.group_leader.elf.shared_libraries: + dashed_name: process-parent-group-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.parent.group_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.parent.group_leader.elf.telfhash: + dashed_name: process-parent-group-leader-elf-telfhash + description: telfhash symbol hash for ELF file. 
+ flat_name: process.parent.group_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.parent.group_leader.end: + dashed_name: process-parent-group-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.parent.group_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.parent.group_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.parent.group_leader.entity_id: + dashed_name: process-parent-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.parent.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. 
+ type: keyword + process.parent.group_leader.entry_meta.source.address: + dashed_name: process-parent-group-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.parent.group_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.parent.group_leader.entry_meta.source.as.number: + dashed_name: process-parent-group-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.parent.group_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.parent.group_leader.entry_meta.source.as.organization.name: + dashed_name: process-parent-group-leader-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.parent.group_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.parent.group_leader.entry_meta.source.bytes: + dashed_name: process-parent-group-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. 
+ example: 184 + flat_name: process.parent.group_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.parent.group_leader.entry_meta.source.domain: + dashed_name: process-parent-group-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.parent.group_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.parent.group_leader.entry_meta.source.geo.city_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.parent.group_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.parent.group_leader.entry_meta.source.geo.continent_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.parent.group_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.parent.group_leader.entry_meta.source.geo.continent_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: process.parent.group_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.parent.group_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.parent.group_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.parent.group_leader.entry_meta.source.geo.country_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.parent.group_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.parent.group_leader.entry_meta.source.geo.location: + dashed_name: process-parent-group-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.parent.group_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.parent.group_leader.entry_meta.source.geo.name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + flat_name: process.parent.group_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.parent.group_leader.entry_meta.source.geo.postal_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.parent.group_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.parent.group_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-parent-group-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.parent.group_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.parent.group_leader.entry_meta.source.geo.region_name: + dashed_name: process-parent-group-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.parent.group_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.parent.group_leader.entry_meta.source.geo.timezone: + dashed_name: process-parent-group-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + flat_name: process.parent.group_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.parent.group_leader.entry_meta.source.ip: + dashed_name: process-parent-group-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.parent.group_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.parent.group_leader.entry_meta.source.mac: + dashed_name: process-parent-group-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.parent.group_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.parent.group_leader.entry_meta.source.nat.ip: + dashed_name: process-parent-group-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.parent.group_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.parent.group_leader.entry_meta.source.nat.port: + dashed_name: process-parent-group-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. 
internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.parent.group_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.parent.group_leader.entry_meta.source.packets: + dashed_name: process-parent-group-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.parent.group_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.parent.group_leader.entry_meta.source.port: + dashed_name: process-parent-group-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.parent.group_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.parent.group_leader.entry_meta.source.registered_domain: + dashed_name: process-parent-group-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.parent.group_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. 
+ type: keyword + process.parent.group_leader.entry_meta.source.subdomain: + dashed_name: process-parent-group-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.parent.group_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.parent.group_leader.entry_meta.source.top_level_domain: + dashed_name: process-parent-group-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.parent.group_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.parent.group_leader.entry_meta.type: + dashed_name: process-parent-group-leader-entry-meta-type + description: 'The entry type for the entry session leader. 
Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.parent.group_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.parent.group_leader.env_vars: + dashed_name: process-parent-group-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.parent.group_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.executable: + dashed_name: process-parent-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.parent.group_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.parent.group_leader.exit_code: + dashed_name: process-parent-group-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.parent.group_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. 
+ type: long + process.parent.group_leader.group.domain: + dashed_name: process-parent-group-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.group.id: + dashed_name: process-parent-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.group.name: + dashed_name: process-parent-group-leader-group-name + description: Name of the group. + flat_name: process.parent.group_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.group_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.parent.group_leader.hash.md5: + dashed_name: process-parent-group-leader-hash-md5 + description: MD5 hash. + flat_name: process.parent.group_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. 
+ type: keyword + process.parent.group_leader.hash.sha1: + dashed_name: process-parent-group-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.parent.group_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.parent.group_leader.hash.sha256: + dashed_name: process-parent-group-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.parent.group_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.parent.group_leader.hash.sha384: + dashed_name: process-parent-group-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.parent.group_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.parent.group_leader.hash.sha512: + dashed_name: process-parent-group-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.parent.group_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.parent.group_leader.hash.ssdeep: + dashed_name: process-parent-group-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.parent.group_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.parent.group_leader.hash.tlsh: + dashed_name: process-parent-group-leader-hash-tlsh + description: TLSH hash. + flat_name: process.parent.group_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. 
+ type: keyword + process.parent.group_leader.interactive: + dashed_name: process-parent-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.parent.group_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.parent.group_leader.io: + dashed_name: process-parent-group-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.parent.group_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.parent.group_leader.io.bytes_skipped: + dashed_name: process-parent-group-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.parent.group_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. 
+ type: object + process.parent.group_leader.io.bytes_skipped.length: + dashed_name: process-parent-group-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.parent.group_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.parent.group_leader.io.bytes_skipped.offset: + dashed_name: process-parent-group-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.parent.group_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.parent.group_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-parent-group-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.parent.group_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.parent.group_leader.io.text: + dashed_name: process-parent-group-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. 
TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.parent.group_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.parent.group_leader.io.total_bytes_captured: + dashed_name: process-parent-group-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.parent.group_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.parent.group_leader.io.total_bytes_skipped: + dashed_name: process-parent-group-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.parent.group_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.parent.group_leader.io.type: + dashed_name: process-parent-group-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.parent.group_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. 
+ type: keyword + process.parent.group_leader.macho.go_import_hash: + dashed_name: process-parent-group-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.parent.group_leader.macho.go_imports: + dashed_name: process-parent-group-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.parent.group_leader.macho.go_imports_names_entropy: + dashed_name: process-parent-group-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.group_leader.macho.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.group_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.group_leader.macho.go_stripped: + dashed_name: process-parent-group-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.parent.group_leader.macho.import_hash: + dashed_name: process-parent-group-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.parent.group_leader.macho.imports: + dashed_name: process-parent-group-leader-macho-imports + description: List of imported element names and types. + flat_name: process.parent.group_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. 
+ type: flattened + process.parent.group_leader.macho.imports_names_entropy: + dashed_name: process-parent-group-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.group_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.group_leader.macho.imports_names_var_entropy: + dashed_name: process-parent-group-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.parent.group_leader.macho.sections: + dashed_name: process-parent-group-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.parent.group_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.parent.group_leader.macho.sections.entropy: + dashed_name: process-parent-group-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. 
+ type: long + process.parent.group_leader.macho.sections.name: + dashed_name: process-parent-group-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.parent.group_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.parent.group_leader.macho.sections.physical_size: + dashed_name: process-parent-group-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.parent.group_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.parent.group_leader.macho.sections.var_entropy: + dashed_name: process-parent-group-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.group_leader.macho.sections.virtual_size: + dashed_name: process-parent-group-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.parent.group_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.parent.group_leader.macho.symhash: + dashed_name: process-parent-group-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.parent.group_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.parent.group_leader.name: + dashed_name: process-parent-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.parent.group_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.parent.group_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.parent.group_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.parent.group_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-origin-url + description: The URL where the process's executable file is hosted. 
+ example: http://example.com/files/example.exe + flat_name: process.parent.group_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.parent.group_leader.pe.architecture: + dashed_name: process-parent-group-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.parent.group_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.parent.group_leader.pe.company: + dashed_name: process-parent-group-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.parent.group_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.parent.group_leader.pe.description: + dashed_name: process-parent-group-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.parent.group_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.parent.group_leader.pe.file_version: + dashed_name: process-parent-group-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.parent.group_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. 
+ type: keyword + process.parent.group_leader.pe.go_import_hash: + dashed_name: process-parent-group-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.group_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.parent.group_leader.pe.go_imports: + dashed_name: process-parent-group-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.group_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.parent.group_leader.pe.go_imports_names_entropy: + dashed_name: process-parent-group-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.group_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.parent.group_leader.pe.go_imports_names_var_entropy: + dashed_name: process-parent-group-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.parent.group_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.parent.group_leader.pe.go_stripped: + dashed_name: process-parent-group-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.parent.group_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.parent.group_leader.pe.imphash: + dashed_name: process-parent-group-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.group_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.parent.group_leader.pe.import_hash: + dashed_name: process-parent-group-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.parent.group_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.parent.group_leader.pe.imports: + dashed_name: process-parent-group-leader-pe-imports + description: List of imported element names and types. + flat_name: process.parent.group_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.parent.group_leader.pe.imports_names_entropy: + dashed_name: process-parent-group-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.parent.group_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.parent.group_leader.pe.imports_names_var_entropy: + dashed_name: process-parent-group-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.parent.group_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.parent.group_leader.pe.original_file_name: + dashed_name: process-parent-group-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + flat_name: process.parent.group_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.parent.group_leader.pe.pehash: + dashed_name: process-parent-group-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.parent.group_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.parent.group_leader.pe.product: + dashed_name: process-parent-group-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.parent.group_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.parent.group_leader.pe.sections: + dashed_name: process-parent-group-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.parent.group_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. 
+ type: nested + process.parent.group_leader.pe.sections.entropy: + dashed_name: process-parent-group-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.parent.group_leader.pe.sections.name: + dashed_name: process-parent-group-leader-pe-sections-name + description: PE Section List name. + flat_name: process.parent.group_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.parent.group_leader.pe.sections.physical_size: + dashed_name: process-parent-group-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.parent.group_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.parent.group_leader.pe.sections.var_entropy: + dashed_name: process-parent-group-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.parent.group_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.parent.group_leader.pe.sections.virtual_size: + dashed_name: process-parent-group-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. 
+ flat_name: process.parent.group_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.parent.group_leader.pid: + dashed_name: process-parent-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.parent.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.parent.group_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.parent.group_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.parent.group_leader.real_group.domain: + dashed_name: process-parent-group-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.real_group.id: + dashed_name: process-parent-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.parent.group_leader.real_group.name: + dashed_name: process-parent-group-leader-real-group-name + description: Name of the group. + flat_name: process.parent.group_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.real_user.domain: + dashed_name: process-parent-group-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.group_leader.real_user.email: + dashed_name: process-parent-group-leader-real-user-email + description: User email address. + flat_name: process.parent.group_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.group_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.parent.group_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.parent.group_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.parent.group_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.group_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.parent.group_leader.real_user.entity.id: + dashed_name: process-parent-group-leader-real-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.parent.group_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.parent.group_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.parent.group_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.parent.group_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. 
+ type: object + process.parent.group_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.parent.group_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.parent.group_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.parent.group_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.parent.group_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.parent.group_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object + process.parent.group_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.group_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.parent.group_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.parent.group_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.parent.group_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.parent.group_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.parent.group_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.parent.group_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.parent.group_leader.real_user.full_name: + dashed_name: process-parent-group-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.group_leader.real_user.group.domain: + dashed_name: process-parent-group-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.real_user.group.id: + dashed_name: process-parent-group-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.real_user.group.name: + dashed_name: process-parent-group-leader-real-user-group-name + description: Name of the group. 
+ flat_name: process.parent.group_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.real_user.hash: + dashed_name: process-parent-group-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.group_leader.real_user.id: + dashed_name: process-parent-group-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.group_leader.real_user.name: + dashed_name: process-parent-group-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.group_leader.real_user.risk.calculated_level: + dashed_name: process-parent-group-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.parent.group_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.group_leader.real_user.risk.calculated_score: + dashed_name: process-parent-group-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.group_leader.real_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.group_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.group_leader.real_user.risk.static_level: + dashed_name: process-parent-group-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.parent.group_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.group_leader.real_user.risk.static_score: + dashed_name: process-parent-group-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.group_leader.real_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.group_leader.real_user.roles: + dashed_name: process-parent-group-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.parent.group_leader.same_as_process: + dashed_name: process-parent-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.parent.group_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.parent.group_leader.saved_group.domain: + dashed_name: process-parent-group-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.parent.group_leader.saved_group.id: + dashed_name: process-parent-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.saved_group.name: + dashed_name: process-parent-group-leader-saved-group-name + description: Name of the group. + flat_name: process.parent.group_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.saved_user.domain: + dashed_name: process-parent-group-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.group_leader.saved_user.email: + dashed_name: process-parent-group-leader-saved-user-email + description: User email address. + flat_name: process.parent.group_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.group_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.parent.group_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.parent.group_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.parent.group_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.parent.group_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.parent.group_leader.saved_user.entity.id: + dashed_name: process-parent-group-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.parent.group_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.parent.group_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.parent.group_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date + process.parent.group_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.parent.group_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.parent.group_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.parent.group_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.parent.group_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. 
+ type: keyword + process.parent.group_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.parent.group_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.parent.group_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.group_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.parent.group_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.parent.group_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.parent.group_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-group-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.group_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.parent.group_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.parent.group_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.parent.group_leader.saved_user.full_name: + dashed_name: process-parent-group-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.group_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.group_leader.saved_user.group.domain: + dashed_name: process-parent-group-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.parent.group_leader.saved_user.group.id: + dashed_name: process-parent-group-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.saved_user.group.name: + dashed_name: process-parent-group-leader-saved-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.saved_user.hash: + dashed_name: process-parent-group-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.group_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.group_leader.saved_user.id: + dashed_name: process-parent-group-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.group_leader.saved_user.name: + dashed_name: process-parent-group-leader-saved-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.parent.group_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.group_leader.saved_user.risk.calculated_level: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.group_leader.saved_user.risk.calculated_score: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.group_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.group_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + flat_name: process.parent.group_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.group_leader.saved_user.risk.static_level: + dashed_name: process-parent-group-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.group_leader.saved_user.risk.static_score: + dashed_name: process-parent-group-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.group_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.group_leader.saved_user.risk.static_score_norm: + dashed_name: process-parent-group-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: process.parent.group_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.group_leader.saved_user.roles: + dashed_name: process-parent-group-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.start: + dashed_name: process-parent-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.parent.group_leader.supplemental_groups.domain: + dashed_name: process-parent-group-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.supplemental_groups.id: + dashed_name: process-parent-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.parent.group_leader.supplemental_groups.name: + dashed_name: process-parent-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.parent.group_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.thread.capabilities.effective: + dashed_name: process-parent-group-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.group_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.thread.capabilities.permitted: + dashed_name: process-parent-group-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.group_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.thread.id: + dashed_name: process-parent-group-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.group_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. 
+ type: long + process.parent.group_leader.thread.name: + dashed_name: process-parent-group-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.group_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.parent.group_leader.title: + dashed_name: process-parent-group-leader-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.parent.group_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.parent.group_leader.tty: + dashed_name: process-parent-group-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.parent.group_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.parent.group_leader.tty.char_device.major: + dashed_name: process-parent-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.parent.group_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. 
+ type: long + process.parent.group_leader.tty.char_device.minor: + dashed_name: process-parent-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.parent.group_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.parent.group_leader.tty.columns: + dashed_name: process-parent-group-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.parent.group_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.parent.group_leader.tty.rows: + dashed_name: process-parent-group-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.parent.group_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.parent.group_leader.uptime: + dashed_name: process-parent-group-leader-uptime + description: Seconds the process has been up. 
+ example: 1325 + flat_name: process.parent.group_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.parent.group_leader.user.domain: + dashed_name: process-parent-group-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.group_leader.user.email: + dashed_name: process-parent-group-leader-user-email + description: User email address. + flat_name: process.parent.group_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.group_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.parent.group_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.parent.group_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. 
Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.parent.group_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.group_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.parent.group_leader.user.entity.id: + dashed_name: process-parent-group-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. 
Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.parent.group_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.parent.group_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.parent.group_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.parent.group_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.group_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.parent.group_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. 
+ flat_name: process.parent.group_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.parent.group_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.parent.group_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.parent.group_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.parent.group_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.parent.group_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. 
Format may vary by entity type and source system. + flat_name: process.parent.group_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.parent.group_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.parent.group_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.parent.group_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.group_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.parent.group_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. 
Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. 
Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-parent-group-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.parent.group_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.parent.group_leader.user.full_name: + dashed_name: process-parent-group-leader-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.parent.group_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.group_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.group_leader.user.group.domain: + dashed_name: process-parent-group-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.group_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.group_leader.user.group.id: + dashed_name: process-parent-group-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.group_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.group_leader.user.group.name: + dashed_name: process-parent-group-leader-user-group-name + description: Name of the group. + flat_name: process.parent.group_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.group_leader.user.hash: + dashed_name: process-parent-group-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.parent.group_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.group_leader.user.id: + dashed_name: process-parent-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.group_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.group_leader.user.name: + dashed_name: process-parent-group-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.group_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.group_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.group_leader.user.risk.calculated_level: + dashed_name: process-parent-group-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.group_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.group_leader.user.risk.calculated_score: + dashed_name: process-parent-group-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.parent.group_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.group_leader.user.risk.calculated_score_norm: + dashed_name: process-parent-group-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.group_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.group_leader.user.risk.static_level: + dashed_name: process-parent-group-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.group_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.group_leader.user.risk.static_score: + dashed_name: process-parent-group-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.parent.group_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.group_leader.user.risk.static_score_norm: + dashed_name: process-parent-group-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.group_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.group_leader.user.roles: + dashed_name: process-parent-group-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.group_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.parent.group_leader.working_directory: + dashed_name: process-parent-group-leader-working-directory + description: The working directory of the process. 
+ example: /home/alice
+ flat_name: process.parent.group_leader.working_directory
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.parent.group_leader.working_directory.text
+ name: text
+ type: match_only_text
+ name: working_directory
+ normalize: []
+ original_fieldset: process
+ short: The working directory of the process.
+ type: keyword
+ process.parent.hash.cdhash:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-hash-cdhash
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ flat_name: process.parent.hash.cdhash
+ ignore_above: 1024
+ level: extended
+ name: cdhash
+ normalize: []
+ original_fieldset: hash
+ short: The Code Directory (CD) hash of an executable.
+ type: keyword
+ process.parent.hash.md5:
+ dashed_name: process-parent-hash-md5
+ description: MD5 hash.
+ flat_name: process.parent.hash.md5
+ ignore_above: 1024
+ level: extended
+ name: md5
+ normalize: []
+ original_fieldset: hash
+ short: MD5 hash.
+ type: keyword
+ process.parent.hash.sha1:
+ dashed_name: process-parent-hash-sha1
+ description: SHA1 hash.
+ flat_name: process.parent.hash.sha1
+ ignore_above: 1024
+ level: extended
+ name: sha1
+ normalize: []
+ original_fieldset: hash
+ short: SHA1 hash.
+ type: keyword
+ process.parent.hash.sha256:
+ dashed_name: process-parent-hash-sha256
+ description: SHA256 hash.
+ flat_name: process.parent.hash.sha256
+ ignore_above: 1024
+ level: extended
+ name: sha256
+ normalize: []
+ original_fieldset: hash
+ short: SHA256 hash.
+ type: keyword
+ process.parent.hash.sha384:
+ dashed_name: process-parent-hash-sha384
+ description: SHA384 hash.
+ flat_name: process.parent.hash.sha384
+ ignore_above: 1024
+ level: extended
+ name: sha384
+ normalize: []
+ original_fieldset: hash
+ short: SHA384 hash.
+ type: keyword
+ process.parent.hash.sha512:
+ dashed_name: process-parent-hash-sha512
+ description: SHA512 hash.
+ flat_name: process.parent.hash.sha512
+ ignore_above: 1024
+ level: extended
+ name: sha512
+ normalize: []
+ original_fieldset: hash
+ short: SHA512 hash.
+ type: keyword
+ process.parent.hash.ssdeep:
+ dashed_name: process-parent-hash-ssdeep
+ description: SSDEEP hash.
+ flat_name: process.parent.hash.ssdeep
+ ignore_above: 1024
+ level: extended
+ name: ssdeep
+ normalize: []
+ original_fieldset: hash
+ short: SSDEEP hash.
+ type: keyword
+ process.parent.hash.tlsh:
+ dashed_name: process-parent-hash-tlsh
+ description: TLSH hash.
+ flat_name: process.parent.hash.tlsh
+ ignore_above: 1024
+ level: extended
+ name: tlsh
+ normalize: []
+ original_fieldset: hash
+ short: TLSH hash.
+ type: keyword
+ process.parent.interactive:
+ dashed_name: process-parent-interactive
+ description: 'Whether the process is connected to an interactive shell.
+
+ Process interactivity is inferred from the processes file descriptors. If
+ the character device for the controlling tty is the same as stdin and stderr
+ for the process, the process is considered interactive.
+
+ Note: A non-interactive process can belong to an interactive session and is
+ simply one that does not have open file descriptors reading the controlling
+ TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A
+ backgrounded process is still considered interactive if stdin and stderr are
+ connected to the controlling TTY.'
+ example: true
+ flat_name: process.parent.interactive
+ level: extended
+ name: interactive
+ normalize: []
+ original_fieldset: process
+ short: Whether the process is connected to an interactive shell.
+ type: boolean
+ process.parent.io:
+ dashed_name: process-parent-io
+ description: 'A chunk of input or output (IO) from a single process.
+
+ This field only appears on the top level process object, which is the process
+ that wrote the output or read the input.'
+ flat_name: process.parent.io
+ level: extended
+ name: io
+ normalize: []
+ original_fieldset: process
+ short: A chunk of input or output (IO) from a single process.
+ type: object
+ process.parent.io.bytes_skipped:
+ dashed_name: process-parent-io-bytes-skipped
+ description: An array of byte offsets and lengths denoting where IO data has
+ been skipped.
+ flat_name: process.parent.io.bytes_skipped
+ level: extended
+ name: io.bytes_skipped
+ normalize:
+ - array
+ original_fieldset: process
+ short: An array of byte offsets and lengths denoting where IO data has been
+ skipped.
+ type: object
+ process.parent.io.bytes_skipped.length:
+ dashed_name: process-parent-io-bytes-skipped-length
+ description: The length of bytes skipped.
+ flat_name: process.parent.io.bytes_skipped.length
+ level: extended
+ name: io.bytes_skipped.length
+ normalize: []
+ original_fieldset: process
+ short: The length of bytes skipped.
+ type: long
+ process.parent.io.bytes_skipped.offset:
+ dashed_name: process-parent-io-bytes-skipped-offset
+ description: The byte offset into this event's io.text (or io.bytes in the future)
+ where length bytes were skipped.
+ flat_name: process.parent.io.bytes_skipped.offset
+ level: extended
+ name: io.bytes_skipped.offset
+ normalize: []
+ original_fieldset: process
+ short: The byte offset into this event's io.text (or io.bytes in the future)
+ where length bytes were skipped.
+ type: long
+ process.parent.io.max_bytes_per_process_exceeded:
+ dashed_name: process-parent-io-max-bytes-per-process-exceeded
+ description: If true, the process producing the output has exceeded the max_kilobytes_per_process
+ configuration setting.
+ flat_name: process.parent.io.max_bytes_per_process_exceeded
+ level: extended
+ name: io.max_bytes_per_process_exceeded
+ normalize: []
+ original_fieldset: process
+ short: If true, the process producing the output has exceeded the max_kilobytes_per_process
+ configuration setting.
+ type: boolean
+ process.parent.io.text:
+ dashed_name: process-parent-io-text
+ description: 'A chunk of output or input sanitized to UTF-8.
+
+ Best efforts are made to ensure complete lines are captured in these events.
+ Assumptions should NOT be made that multiple lines will appear in the same
+ event. TTY output may contain terminal control codes such as for cursor movement,
+ so some string queries may not match due to terminal codes inserted between
+ characters of a word.'
+ flat_name: process.parent.io.text
+ level: extended
+ name: io.text
+ normalize: []
+ original_fieldset: process
+ short: A chunk of output or input sanitized to UTF-8.
+ type: wildcard
+ process.parent.io.total_bytes_captured:
+ dashed_name: process-parent-io-total-bytes-captured
+ description: The total number of bytes captured in this event.
+ flat_name: process.parent.io.total_bytes_captured
+ level: extended
+ name: io.total_bytes_captured
+ normalize: []
+ original_fieldset: process
+ short: The total number of bytes captured in this event.
+ type: long
+ process.parent.io.total_bytes_skipped:
+ dashed_name: process-parent-io-total-bytes-skipped
+ description: The total number of bytes that were not captured due to implementation
+ restrictions such as buffer size limits. Implementors should strive to ensure
+ this value is always zero
+ flat_name: process.parent.io.total_bytes_skipped
+ level: extended
+ name: io.total_bytes_skipped
+ normalize: []
+ original_fieldset: process
+ short: The total number of bytes that were not captured due to implementation
+ restrictions such as buffer size limits.
+ type: long
+ process.parent.io.type:
+ dashed_name: process-parent-io-type
+ description: 'The type of object on which the IO action (read or write) was
+ taken.
+
+ Currently only ''tty'' is supported. Other types may be added in the future
+ for ''file'' and ''socket'' support.'
+ flat_name: process.parent.io.type
+ ignore_above: 1024
+ level: extended
+ name: io.type
+ normalize: []
+ original_fieldset: process
+ short: The type of object on which the IO action (read or write) was taken.
+ type: keyword
+ process.parent.macho.go_import_hash:
+ dashed_name: process-parent-macho-go-import-hash
+ description: 'A hash of the Go language imports in a Mach-O file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would
+ change more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ flat_name: process.parent.macho.go_import_hash
+ ignore_above: 1024
+ level: extended
+ name: go_import_hash
+ normalize: []
+ original_fieldset: macho
+ short: A hash of the Go language imports in a Mach-O file.
+ type: keyword
+ process.parent.macho.go_imports:
+ dashed_name: process-parent-macho-go-imports
+ description: List of imported Go language element names and types.
+ flat_name: process.parent.macho.go_imports
+ level: extended
+ name: go_imports
+ normalize: []
+ original_fieldset: macho
+ short: List of imported Go language element names and types.
+ type: flattened
+ process.parent.macho.go_imports_names_entropy:
+ dashed_name: process-parent-macho-go-imports-names-entropy
+ description: Shannon entropy calculation from the list of Go imports.
+ flat_name: process.parent.macho.go_imports_names_entropy
+ format: number
+ level: extended
+ name: go_imports_names_entropy
+ normalize: []
+ original_fieldset: macho
+ short: Shannon entropy calculation from the list of Go imports.
+ type: long
+ process.parent.macho.go_imports_names_var_entropy:
+ dashed_name: process-parent-macho-go-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ flat_name: process.parent.macho.go_imports_names_var_entropy
+ format: number
+ level: extended
+ name: go_imports_names_var_entropy
+ normalize: []
+ original_fieldset: macho
+ short: Variance for Shannon entropy calculation from the list of Go imports.
+ type: long
+ process.parent.macho.go_stripped:
+ dashed_name: process-parent-macho-go-stripped
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ flat_name: process.parent.macho.go_stripped
+ level: extended
+ name: go_stripped
+ normalize: []
+ original_fieldset: macho
+ short: Whether the file is a stripped or obfuscated Go executable.
+ type: boolean
+ process.parent.macho.import_hash:
+ dashed_name: process-parent-macho-import-hash
+ description: 'A hash of the imports in a Mach-O file. An import hash can be
+ used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ This is a synonym for symhash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ flat_name: process.parent.macho.import_hash
+ ignore_above: 1024
+ level: extended
+ name: import_hash
+ normalize: []
+ original_fieldset: macho
+ short: A hash of the imports in a Mach-O file.
+ type: keyword
+ process.parent.macho.imports:
+ dashed_name: process-parent-macho-imports
+ description: List of imported element names and types.
+ flat_name: process.parent.macho.imports
+ level: extended
+ name: imports
+ normalize:
+ - array
+ original_fieldset: macho
+ short: List of imported element names and types.
+ type: flattened
+ process.parent.macho.imports_names_entropy:
+ dashed_name: process-parent-macho-imports-names-entropy
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ flat_name: process.parent.macho.imports_names_entropy
+ format: number
+ level: extended
+ name: imports_names_entropy
+ normalize: []
+ original_fieldset: macho
+ short: Shannon entropy calculation from the list of imported element names and
+ types.
+ type: long
+ process.parent.macho.imports_names_var_entropy:
+ dashed_name: process-parent-macho-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ flat_name: process.parent.macho.imports_names_var_entropy
+ format: number
+ level: extended
+ name: imports_names_var_entropy
+ normalize: []
+ original_fieldset: macho
+ short: Variance for Shannon entropy calculation from the list of imported element
+ names and types.
+ type: long
+ process.parent.macho.sections:
+ dashed_name: process-parent-macho-sections
+ description: 'An array containing an object for each section of the Mach-O file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `macho.sections.*`.'
+ flat_name: process.parent.macho.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: macho
+ short: Section information of the Mach-O file.
+ type: nested
+ process.parent.macho.sections.entropy:
+ dashed_name: process-parent-macho-sections-entropy
+ description: Shannon entropy calculation from the section.
+ flat_name: process.parent.macho.sections.entropy
+ format: number
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: macho
+ short: Shannon entropy calculation from the section.
+ type: long
+ process.parent.macho.sections.name:
+ dashed_name: process-parent-macho-sections-name
+ description: Mach-O Section List name.
+ flat_name: process.parent.macho.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: macho
+ short: Mach-O Section List name.
+ type: keyword
+ process.parent.macho.sections.physical_size:
+ dashed_name: process-parent-macho-sections-physical-size
+ description: Mach-O Section List physical size.
+ flat_name: process.parent.macho.sections.physical_size
+ format: bytes
+ level: extended
+ name: sections.physical_size
+ normalize: []
+ original_fieldset: macho
+ short: Mach-O Section List physical size.
+ type: long
+ process.parent.macho.sections.var_entropy:
+ dashed_name: process-parent-macho-sections-var-entropy
+ description: Variance for Shannon entropy calculation from the section.
+ flat_name: process.parent.macho.sections.var_entropy
+ format: number
+ level: extended
+ name: sections.var_entropy
+ normalize: []
+ original_fieldset: macho
+ short: Variance for Shannon entropy calculation from the section.
+ type: long
+ process.parent.macho.sections.virtual_size:
+ dashed_name: process-parent-macho-sections-virtual-size
+ description: Mach-O Section List virtual size. This is always the same as `physical_size`.
+ flat_name: process.parent.macho.sections.virtual_size
+ format: string
+ level: extended
+ name: sections.virtual_size
+ normalize: []
+ original_fieldset: macho
+ short: Mach-O Section List virtual size. This is always the same as `physical_size`.
+ type: long
+ process.parent.macho.symhash:
+ dashed_name: process-parent-macho-symhash
+ description: 'A hash of the imports in a Mach-O file.
An import hash can be
+ used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ This is a Mach-O implementation of the Windows PE imphash'
+ example: d3ccf195b62a9279c3c19af1080497ec
+ flat_name: process.parent.macho.symhash
+ ignore_above: 1024
+ level: extended
+ name: symhash
+ normalize: []
+ original_fieldset: macho
+ short: A hash of the imports in a Mach-O file.
+ type: keyword
+ process.parent.name:
+ dashed_name: process-parent-name
+ description: 'Process name.
+
+ Sometimes called program name or similar.'
+ example: ssh
+ flat_name: process.parent.name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.parent.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: process
+ short: Process name.
+ type: keyword
+ process.parent.origin_referrer_url:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-origin-referrer-url
+ description: The URL of the webpage that linked to the process's executable
+ file.
+ example: http://example.com/article1.html
+ flat_name: process.parent.origin_referrer_url
+ ignore_above: 8192
+ level: extended
+ name: origin_referrer_url
+ normalize: []
+ original_fieldset: process
+ short: The URL of the webpage that linked to the process's executable file.
+ type: keyword
+ process.parent.origin_url:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-origin-url
+ description: The URL where the process's executable file is hosted.
+ example: http://example.com/files/example.exe
+ flat_name: process.parent.origin_url
+ ignore_above: 8192
+ level: extended
+ name: origin_url
+ normalize: []
+ original_fieldset: process
+ short: The URL where the process's executable file is hosted.
+ type: keyword
+ process.parent.pe.architecture:
+ dashed_name: process-parent-pe-architecture
+ description: CPU architecture target for the file.
+ example: x64
+ flat_name: process.parent.pe.architecture
+ ignore_above: 1024
+ level: extended
+ name: architecture
+ normalize: []
+ original_fieldset: pe
+ short: CPU architecture target for the file.
+ type: keyword
+ process.parent.pe.company:
+ dashed_name: process-parent-pe-company
+ description: Internal company name of the file, provided at compile-time.
+ example: Microsoft Corporation
+ flat_name: process.parent.pe.company
+ ignore_above: 1024
+ level: extended
+ name: company
+ normalize: []
+ original_fieldset: pe
+ short: Internal company name of the file, provided at compile-time.
+ type: keyword
+ process.parent.pe.description:
+ dashed_name: process-parent-pe-description
+ description: Internal description of the file, provided at compile-time.
+ example: Paint
+ flat_name: process.parent.pe.description
+ ignore_above: 1024
+ level: extended
+ name: description
+ normalize: []
+ original_fieldset: pe
+ short: Internal description of the file, provided at compile-time.
+ type: keyword
+ process.parent.pe.file_version:
+ dashed_name: process-parent-pe-file-version
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ flat_name: process.parent.pe.file_version
+ ignore_above: 1024
+ level: extended
+ name: file_version
+ normalize: []
+ original_fieldset: pe
+ short: Process name.
+ type: keyword
+ process.parent.pe.go_import_hash:
+ dashed_name: process-parent-pe-go-import-hash
+ description: 'A hash of the Go language imports in a PE file excluding standard
+ library imports. An import hash can be used to fingerprint binaries even after
+ recompilation or other code-level transformations have occurred, which would
+ change more traditional hash values.
+
+ The algorithm used to calculate the Go symbol hash and a reference implementation
+ are available here: https://github.com/elastic/toutoumomoma'
+ example: 10bddcb4cee42080f76c88d9ff964491
+ flat_name: process.parent.pe.go_import_hash
+ ignore_above: 1024
+ level: extended
+ name: go_import_hash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the Go language imports in a PE file.
+ type: keyword
+ process.parent.pe.go_imports:
+ dashed_name: process-parent-pe-go-imports
+ description: List of imported Go language element names and types.
+ flat_name: process.parent.pe.go_imports
+ level: extended
+ name: go_imports
+ normalize: []
+ original_fieldset: pe
+ short: List of imported Go language element names and types.
+ type: flattened
+ process.parent.pe.go_imports_names_entropy:
+ dashed_name: process-parent-pe-go-imports-names-entropy
+ description: Shannon entropy calculation from the list of Go imports.
+ flat_name: process.parent.pe.go_imports_names_entropy
+ format: number
+ level: extended
+ name: go_imports_names_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the list of Go imports.
+ type: long
+ process.parent.pe.go_imports_names_var_entropy:
+ dashed_name: process-parent-pe-go-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of Go imports.
+ flat_name: process.parent.pe.go_imports_names_var_entropy
+ format: number
+ level: extended
+ name: go_imports_names_var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the list of Go imports.
+ type: long
+ process.parent.pe.go_stripped:
+ dashed_name: process-parent-pe-go-stripped
+ description: Set to true if the file is a Go executable that has had its symbols
+ stripped or obfuscated and false if an unobfuscated Go executable.
+ flat_name: process.parent.pe.go_stripped
+ level: extended
+ name: go_stripped
+ normalize: []
+ original_fieldset: pe
+ short: Whether the file is a stripped or obfuscated Go executable.
+ type: boolean
+ process.parent.pe.imphash:
+ dashed_name: process-parent-pe-imphash
+ description: 'A hash of the imports in a PE file. An imphash -- or import hash
+ -- can be used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+ example: 0c6803c4e922103c4dca5963aad36ddf
+ flat_name: process.parent.pe.imphash
+ ignore_above: 1024
+ level: extended
+ name: imphash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the imports in a PE file.
+ type: keyword
+ process.parent.pe.import_hash:
+ dashed_name: process-parent-pe-import-hash
+ description: 'A hash of the imports in a PE file. An import hash can be used
+ to fingerprint binaries even after recompilation or other code-level transformations
+ have occurred, which would change more traditional hash values.
+
+ This is a synonym for imphash.'
+ example: d41d8cd98f00b204e9800998ecf8427e
+ flat_name: process.parent.pe.import_hash
+ ignore_above: 1024
+ level: extended
+ name: import_hash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the imports in a PE file.
+ type: keyword
+ process.parent.pe.imports:
+ dashed_name: process-parent-pe-imports
+ description: List of imported element names and types.
+ flat_name: process.parent.pe.imports
+ level: extended
+ name: imports
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of imported element names and types.
+ type: flattened
+ process.parent.pe.imports_names_entropy:
+ dashed_name: process-parent-pe-imports-names-entropy
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
+ flat_name: process.parent.pe.imports_names_entropy
+ format: number
+ level: extended
+ name: imports_names_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the list of imported element names and
+ types.
+ type: long
+ process.parent.pe.imports_names_var_entropy:
+ dashed_name: process-parent-pe-imports-names-var-entropy
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
+ flat_name: process.parent.pe.imports_names_var_entropy
+ format: number
+ level: extended
+ name: imports_names_var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the list of imported element
+ names and types.
+ type: long
+ process.parent.pe.original_file_name:
+ dashed_name: process-parent-pe-original-file-name
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+ flat_name: process.parent.pe.original_file_name
+ ignore_above: 1024
+ level: extended
+ name: original_file_name
+ normalize: []
+ original_fieldset: pe
+ short: Internal name of the file, provided at compile-time.
+ type: keyword
+ process.parent.pe.pehash:
+ dashed_name: process-parent-pe-pehash
+ description: 'A hash of the PE header and data from one or more PE sections.
+ An pehash can be used to cluster files by transforming structural information
+ about a file into a hash value.
+
+ Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.'
+ example: 73ff189b63cd6be375a7ff25179a38d347651975
+ flat_name: process.parent.pe.pehash
+ ignore_above: 1024
+ level: extended
+ name: pehash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the PE header and data from one or more PE sections.
+ type: keyword
+ process.parent.pe.product:
+ dashed_name: process-parent-pe-product
+ description: Internal product name of the file, provided at compile-time.
+ example: Microsoft® Windows® Operating System
+ flat_name: process.parent.pe.product
+ ignore_above: 1024
+ level: extended
+ name: product
+ normalize: []
+ original_fieldset: pe
+ short: Internal product name of the file, provided at compile-time.
+ type: keyword
+ process.parent.pe.sections:
+ dashed_name: process-parent-pe-sections
+ description: 'An array containing an object for each section of the PE file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `pe.sections.*`.'
+ flat_name: process.parent.pe.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: pe
+ short: Section information of the PE file.
+ type: nested
+ process.parent.pe.sections.entropy:
+ dashed_name: process-parent-pe-sections-entropy
+ description: Shannon entropy calculation from the section.
+ flat_name: process.parent.pe.sections.entropy
+ format: number
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Shannon entropy calculation from the section.
+ type: long
+ process.parent.pe.sections.name:
+ dashed_name: process-parent-pe-sections-name
+ description: PE Section List name.
+ flat_name: process.parent.pe.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List name.
+ type: keyword
+ process.parent.pe.sections.physical_size:
+ dashed_name: process-parent-pe-sections-physical-size
+ description: PE Section List physical size.
+ flat_name: process.parent.pe.sections.physical_size
+ format: bytes
+ level: extended
+ name: sections.physical_size
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List physical size.
+ type: long
+ process.parent.pe.sections.var_entropy:
+ dashed_name: process-parent-pe-sections-var-entropy
+ description: Variance for Shannon entropy calculation from the section.
+ flat_name: process.parent.pe.sections.var_entropy
+ format: number
+ level: extended
+ name: sections.var_entropy
+ normalize: []
+ original_fieldset: pe
+ short: Variance for Shannon entropy calculation from the section.
+ type: long
+ process.parent.pe.sections.virtual_size:
+ dashed_name: process-parent-pe-sections-virtual-size
+ description: PE Section List virtual size. This is always the same as `physical_size`.
+ flat_name: process.parent.pe.sections.virtual_size
+ format: string
+ level: extended
+ name: sections.virtual_size
+ normalize: []
+ original_fieldset: pe
+ short: PE Section List virtual size. This is always the same as `physical_size`.
+ type: long
+ process.parent.pid:
+ dashed_name: process-parent-pid
+ description: Process id.
+ example: 4242
+ flat_name: process.parent.pid
+ format: string
+ level: core
+ name: pid
+ normalize: []
+ original_fieldset: process
+ short: Process id.
+ type: long
+ process.parent.platform_binary:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-platform-binary
+ description: Binaries that are shipped by the operating system are defined as
+ platform binaries, this value is then set to true.
+ flat_name: process.parent.platform_binary
+ level: extended
+ name: platform_binary
+ normalize: []
+ original_fieldset: process
+ short: Indicates whether this process executable is a default platform binary
+ shipped with the operating system.
+ type: boolean
+ process.parent.real_group.domain:
+ dashed_name: process-parent-real-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.parent.real_group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ process.parent.real_group.id:
+ dashed_name: process-parent-real-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: process.parent.real_group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ process.parent.real_group.name:
+ dashed_name: process-parent-real-group-name
+ description: Name of the group.
+ flat_name: process.parent.real_group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ process.parent.real_user.domain:
+ dashed_name: process-parent-real-user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: process.parent.real_user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+ process.parent.real_user.email:
+ dashed_name: process-parent-real-user-email
+ description: User email address.
+ flat_name: process.parent.real_user.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ process.parent.real_user.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-real-user-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: process.parent.real_user.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ process.parent.real_user.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-real-user-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: process.parent.real_user.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ process.parent.real_user.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-real-user-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: process.parent.real_user.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: process.parent.real_user.entity.display_name.text
+ name: text
+ norms: false
+ type: text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ process.parent.real_user.entity.id:
+ dashed_name: process-parent-real-user-entity-id
+ description: 'A unique identifier for the entity.
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.parent.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.parent.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.parent.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.parent.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. 
+ type: object + process.parent.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.parent.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.parent.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.parent.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.parent.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.parent.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.parent.real_user.entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.parent.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.parent.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.parent.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. 
+ type: keyword + process.parent.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-parent-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.parent.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. 
+ type: keyword + process.parent.real_user.full_name: + dashed_name: process-parent-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.real_user.group.domain: + dashed_name: process-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.real_user.group.id: + dashed_name: process-parent-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.real_user.group.name: + dashed_name: process-parent-real-user-group-name + description: Name of the group. + flat_name: process.parent.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.real_user.hash: + dashed_name: process-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.real_user.id: + dashed_name: process-parent-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.real_user.name: + dashed_name: process-parent-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.real_user.risk.calculated_level: + dashed_name: process-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.real_user.risk.calculated_score: + dashed_name: process-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.parent.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.real_user.risk.calculated_score_norm: + dashed_name: process-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.real_user.risk.static_level: + dashed_name: process-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.real_user.risk.static_score: + dashed_name: process-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.parent.real_user.risk.static_score_norm: + dashed_name: process-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.real_user.roles: + dashed_name: process-parent-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.same_as_process: + dashed_name: process-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. 
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.parent.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.parent.saved_group.domain: + dashed_name: process-parent-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.saved_group.id: + dashed_name: process-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.saved_group.name: + dashed_name: process-parent-saved-group-name + description: Name of the group. + flat_name: process.parent.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.saved_user.domain: + dashed_name: process-parent-saved-user-domain + description: 'Name of the directory the user is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.saved_user.email: + dashed_name: process-parent-saved-user-email + description: User email address. + flat_name: process.parent.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.parent.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.parent.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.parent.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.parent.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.parent.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.parent.saved_user.entity.id: + dashed_name: process-parent-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.parent.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword + process.parent.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.parent.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.parent.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.parent.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.parent.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.parent.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-name + description: The name of the entity. 
The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.parent.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.parent.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.parent.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.parent.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.parent.saved_user.entity.source: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.parent.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.parent.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.parent.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.parent.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. 
+ name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. 
+ name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-parent-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.parent.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.parent.saved_user.full_name: + dashed_name: process-parent-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.saved_user.group.domain: + dashed_name: process-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.saved_user.group.id: + dashed_name: process-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.saved_user.group.name: + dashed_name: process-parent-saved-user-group-name + description: Name of the group. + flat_name: process.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.saved_user.hash: + dashed_name: process-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.saved_user.id: + dashed_name: process-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.saved_user.name: + dashed_name: process-parent-saved-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.saved_user.risk.calculated_level: + dashed_name: process-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.saved_user.risk.calculated_score: + dashed_name: process-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.parent.saved_user.risk.static_level: + dashed_name: process-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.saved_user.risk.static_score: + dashed_name: process-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.parent.saved_user.risk.static_score_norm: + dashed_name: process-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.saved_user.roles: + dashed_name: process-parent-saved-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.start: + dashed_name: process-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.parent.supplemental_groups.domain: + dashed_name: process-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.supplemental_groups.id: + dashed_name: process-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.supplemental_groups.name: + dashed_name: process-parent-supplemental-groups-name + description: Name of the group. + flat_name: process.parent.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.parent.thread.id: + dashed_name: process-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.parent.thread.name: + dashed_name: process-parent-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.parent.title: + dashed_name: process-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' 
+ flat_name: process.parent.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.parent.tty: + dashed_name: process-parent-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.parent.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.parent.tty.char_device.major: + dashed_name: process-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.parent.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.parent.tty.char_device.minor: + dashed_name: process-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.parent.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.parent.tty.columns: + dashed_name: process-parent-tty-columns + description: 'The number of character columns per line. 
e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.parent.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.parent.tty.rows: + dashed_name: process-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.parent.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.parent.uptime: + dashed_name: process-parent-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.parent.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.parent.user.domain: + dashed_name: process-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.parent.user.email: + dashed_name: process-parent-user-email + description: User email address. + flat_name: process.parent.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.parent.user.entity.attributes: + beta: This field is beta and subject to change. 
+ dashed_name: process-parent-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.parent.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.parent.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.parent.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.parent.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.parent.user.entity.id: + dashed_name: process-parent-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.parent.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.parent.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.parent.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.parent.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.parent.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.parent.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.parent.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.parent.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.parent.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.parent.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: process.parent.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.parent.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.parent.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.parent.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.parent.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.parent.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.parent.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.parent.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-parent-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: process.parent.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.parent.user.full_name: + dashed_name: process-parent-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.parent.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.parent.user.group.domain: + dashed_name: process-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.parent.user.group.id: + dashed_name: process-parent-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.user.group.name: + dashed_name: process-parent-user-group-name + description: Name of the group. + flat_name: process.parent.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.parent.user.hash: + dashed_name: process-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. 
+ + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.parent.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.parent.user.id: + dashed_name: process-parent-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.parent.user.name: + dashed_name: process-parent-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.parent.user.risk.calculated_level: + dashed_name: process-parent-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.parent.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.parent.user.risk.calculated_score: + dashed_name: process-parent-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.parent.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.parent.user.risk.calculated_score_norm: + dashed_name: process-parent-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.parent.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.parent.user.risk.static_level: + dashed_name: process-parent-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.parent.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.parent.user.risk.static_score: + dashed_name: process-parent-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.parent.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.parent.user.risk.static_score_norm: + dashed_name: process-parent-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.parent.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.parent.user.roles: + dashed_name: process-parent-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.parent.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.parent.vpid: + dashed_name: process-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.parent.working_directory: + dashed_name: process-parent-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.parent.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.parent.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. 
+ type: keyword + process.pe.architecture: + dashed_name: process-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.pe.company: + dashed_name: process-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.pe.description: + dashed_name: process-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.pe.file_version: + dashed_name: process-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.pe.go_import_hash: + dashed_name: process-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.pe.go_imports: + dashed_name: process-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.pe.go_imports_names_entropy: + dashed_name: process-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.pe.go_imports_names_var_entropy: + dashed_name: process-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.pe.go_stripped: + dashed_name: process-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. 
+ type: boolean + process.pe.imphash: + dashed_name: process-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.pe.import_hash: + dashed_name: process-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.pe.imports: + dashed_name: process-pe-imports + description: List of imported element names and types. + flat_name: process.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.pe.imports_names_entropy: + dashed_name: process-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. 
+ type: long + process.pe.imports_names_var_entropy: + dashed_name: process-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.pe.original_file_name: + dashed_name: process-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.pe.pehash: + dashed_name: process-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.pe.product: + dashed_name: process-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. 
+ type: keyword + process.pe.sections: + dashed_name: process-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.pe.sections.name: + dashed_name: process-pe-sections-name + description: PE Section List name. + flat_name: process.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.pe.sections.physical_size: + dashed_name: process-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.pe.sections.var_entropy: + dashed_name: process-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.pe.sections.virtual_size: + dashed_name: process-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. 
+ flat_name: process.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.pid: + dashed_name: process-pid + description: Process id. + example: 4242 + flat_name: process.pid + format: string + level: core + name: pid + normalize: [] + otel: + - relation: match + stability: development + short: Process id. + type: long + process.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.platform_binary + level: extended + name: platform_binary + normalize: [] + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.previous.args: + dashed_name: process-previous-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.previous.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.previous.args_count: + dashed_name: process-previous-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.previous.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. 
+ type: long + process.previous.attested_groups.domain: + dashed_name: process-previous-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.attested_groups.id: + dashed_name: process-previous-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.attested_groups.name: + dashed_name: process-previous-attested-groups-name + description: Name of the group. + flat_name: process.previous.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.attested_user.domain: + dashed_name: process-previous-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.previous.attested_user.email: + dashed_name: process-previous-attested-user-email + description: User email address. + flat_name: process.previous.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword + process.previous.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.previous.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.previous.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.previous.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.previous.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.previous.attested_user.entity.id: + dashed_name: process-previous-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.previous.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.previous.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.previous.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.previous.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.previous.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.previous.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.previous.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.previous.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.previous.attested_user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.previous.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.previous.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.previous.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.previous.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.previous.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.previous.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. 
This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.previous.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.previous.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. 
+ name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.previous.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.previous.attested_user.full_name: + dashed_name: process-previous-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.previous.attested_user.group.domain: + dashed_name: process-previous-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.attested_user.group.id: + dashed_name: process-previous-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.previous.attested_user.group.name: + dashed_name: process-previous-attested-user-group-name + description: Name of the group. + flat_name: process.previous.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.attested_user.hash: + dashed_name: process-previous-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.previous.attested_user.id: + dashed_name: process-previous-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.previous.attested_user.name: + dashed_name: process-previous-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.previous.attested_user.risk.calculated_level: + dashed_name: process-previous-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.previous.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.previous.attested_user.risk.calculated_score: + dashed_name: process-previous-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.previous.attested_user.risk.calculated_score_norm: + dashed_name: process-previous-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.previous.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.previous.attested_user.risk.static_level: + dashed_name: process-previous-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.previous.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.previous.attested_user.risk.static_score: + dashed_name: process-previous-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.previous.attested_user.risk.static_score_norm: + dashed_name: process-previous-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.previous.attested_user.roles: + dashed_name: process-previous-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.previous.code_signature.digest_algorithm: + dashed_name: process-previous-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.previous.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.previous.code_signature.exists: + dashed_name: process-previous-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.previous.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.previous.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-previous-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.previous.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.previous.code_signature.signing_id: + dashed_name: process-previous-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.previous.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. 
+ type: keyword + process.previous.code_signature.status: + dashed_name: process-previous-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.previous.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.previous.code_signature.subject_name: + dashed_name: process-previous-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.previous.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.previous.code_signature.team_id: + dashed_name: process-previous-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.previous.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.previous.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-previous-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. 
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.previous.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.previous.code_signature.timestamp: + dashed_name: process-previous-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.previous.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.previous.code_signature.trusted: + dashed_name: process-previous-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.previous.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.previous.code_signature.valid: + dashed_name: process-previous-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.previous.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. 
+ type: boolean + process.previous.command_line: + dashed_name: process-previous-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.previous.command_line + level: extended + multi_fields: + - flat_name: process.previous.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.previous.elf.architecture: + dashed_name: process-previous-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.previous.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.previous.elf.byte_order: + dashed_name: process-previous-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.previous.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.previous.elf.cpu_type: + dashed_name: process-previous-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.previous.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.previous.elf.creation_date: + dashed_name: process-previous-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. 
+ flat_name: process.previous.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.previous.elf.exports: + dashed_name: process-previous-elf-exports + description: List of exported element names and types. + flat_name: process.previous.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.previous.elf.go_import_hash: + dashed_name: process-previous-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.previous.elf.go_imports: + dashed_name: process-previous-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.previous.elf.go_imports_names_entropy: + dashed_name: process-previous-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.previous.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.previous.elf.go_imports_names_var_entropy: + dashed_name: process-previous-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.previous.elf.go_stripped: + dashed_name: process-previous-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.previous.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.previous.elf.header.abi_version: + dashed_name: process-previous-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.previous.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.previous.elf.header.class: + dashed_name: process-previous-elf-header-class + description: Header class of the ELF file. + flat_name: process.previous.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. 
+ type: keyword + process.previous.elf.header.data: + dashed_name: process-previous-elf-header-data + description: Data table of the ELF header. + flat_name: process.previous.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.previous.elf.header.entrypoint: + dashed_name: process-previous-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.previous.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.previous.elf.header.object_version: + dashed_name: process-previous-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.previous.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.previous.elf.header.os_abi: + dashed_name: process-previous-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.previous.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.previous.elf.header.type: + dashed_name: process-previous-elf-header-type + description: Header type of the ELF file. + flat_name: process.previous.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.previous.elf.header.version: + dashed_name: process-previous-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.previous.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.previous.elf.import_hash: + dashed_name: process-previous-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.previous.elf.imports: + dashed_name: process-previous-elf-imports + description: List of imported element names and types. + flat_name: process.previous.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.previous.elf.imports_names_entropy: + dashed_name: process-previous-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.previous.elf.imports_names_var_entropy: + dashed_name: process-previous-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.previous.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.previous.elf.sections: + dashed_name: process-previous-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.previous.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.previous.elf.sections.chi2: + dashed_name: process-previous-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.previous.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.previous.elf.sections.entropy: + dashed_name: process-previous-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.previous.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.previous.elf.sections.flags: + dashed_name: process-previous-elf-sections-flags + description: ELF Section List flags. + flat_name: process.previous.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.previous.elf.sections.name: + dashed_name: process-previous-elf-sections-name + description: ELF Section List name. 
+ flat_name: process.previous.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.previous.elf.sections.physical_offset: + dashed_name: process-previous-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.previous.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.previous.elf.sections.physical_size: + dashed_name: process-previous-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.previous.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.previous.elf.sections.type: + dashed_name: process-previous-elf-sections-type + description: ELF Section List type. + flat_name: process.previous.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.previous.elf.sections.var_entropy: + dashed_name: process-previous-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.previous.elf.sections.virtual_address: + dashed_name: process-previous-elf-sections-virtual-address + description: ELF Section List virtual address. 
+ flat_name: process.previous.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.previous.elf.sections.virtual_size: + dashed_name: process-previous-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.previous.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.previous.elf.segments: + dashed_name: process-previous-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.previous.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.previous.elf.segments.sections: + dashed_name: process-previous-elf-segments-sections + description: ELF object segment sections. + flat_name: process.previous.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.previous.elf.segments.type: + dashed_name: process-previous-elf-segments-type + description: ELF object segment type. + flat_name: process.previous.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.previous.elf.shared_libraries: + dashed_name: process-previous-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: process.previous.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.previous.elf.telfhash: + dashed_name: process-previous-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.previous.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.previous.end: + dashed_name: process-previous-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.previous.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.previous.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-previous-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.previous.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.previous.entity_id: + dashed_name: process-previous-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + flat_name: process.previous.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.previous.entry_meta.source.address: + dashed_name: process-previous-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.previous.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.previous.entry_meta.source.as.number: + dashed_name: process-previous-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.previous.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.previous.entry_meta.source.as.organization.name: + dashed_name: process-previous-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.previous.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. 
+ type: keyword + process.previous.entry_meta.source.bytes: + dashed_name: process-previous-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.previous.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.previous.entry_meta.source.domain: + dashed_name: process-previous-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.previous.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.previous.entry_meta.source.geo.city_name: + dashed_name: process-previous-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.previous.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.previous.entry_meta.source.geo.continent_code: + dashed_name: process-previous-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.previous.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.previous.entry_meta.source.geo.continent_name: + dashed_name: process-previous-entry-meta-source-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: process.previous.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.previous.entry_meta.source.geo.country_iso_code: + dashed_name: process-previous-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.previous.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.previous.entry_meta.source.geo.country_name: + dashed_name: process-previous-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.previous.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.previous.entry_meta.source.geo.location: + dashed_name: process-previous-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.previous.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.previous.entry_meta.source.geo.name: + dashed_name: process-previous-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.previous.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. 
+ type: keyword + process.previous.entry_meta.source.geo.postal_code: + dashed_name: process-previous-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.previous.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.previous.entry_meta.source.geo.region_iso_code: + dashed_name: process-previous-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.previous.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.previous.entry_meta.source.geo.region_name: + dashed_name: process-previous-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.previous.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.previous.entry_meta.source.geo.timezone: + dashed_name: process-previous-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.previous.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.previous.entry_meta.source.ip: + dashed_name: process-previous-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). 
+ flat_name: process.previous.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.previous.entry_meta.source.mac: + dashed_name: process-previous-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.previous.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.previous.entry_meta.source.nat.ip: + dashed_name: process-previous-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.previous.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.previous.entry_meta.source.nat.port: + dashed_name: process-previous-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.previous.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.previous.entry_meta.source.packets: + dashed_name: process-previous-entry-meta-source-packets + description: Packets sent from the source to the destination. 
+ example: 12 + flat_name: process.previous.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.previous.entry_meta.source.port: + dashed_name: process-previous-entry-meta-source-port + description: Port of the source. + flat_name: process.previous.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.previous.entry_meta.source.registered_domain: + dashed_name: process-previous-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.previous.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.previous.entry_meta.source.subdomain: + dashed_name: process-previous-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' 
+ example: east + flat_name: process.previous.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.previous.entry_meta.source.top_level_domain: + dashed_name: process-previous-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.previous.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.previous.entry_meta.type: + dashed_name: process-previous-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.previous.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.previous.env_vars: + dashed_name: process-previous-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' 
+ example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.previous.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.previous.executable: + dashed_name: process-previous-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.previous.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.previous.exit_code: + dashed_name: process-previous-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.previous.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.previous.group.domain: + dashed_name: process-previous-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.group.id: + dashed_name: process-previous-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.previous.group.name: + dashed_name: process-previous-group-name + description: Name of the group. + flat_name: process.previous.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-previous-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.previous.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.previous.hash.md5: + dashed_name: process-previous-hash-md5 + description: MD5 hash. + flat_name: process.previous.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.previous.hash.sha1: + dashed_name: process-previous-hash-sha1 + description: SHA1 hash. + flat_name: process.previous.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.previous.hash.sha256: + dashed_name: process-previous-hash-sha256 + description: SHA256 hash. + flat_name: process.previous.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.previous.hash.sha384: + dashed_name: process-previous-hash-sha384 + description: SHA384 hash. + flat_name: process.previous.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. 
+ type: keyword + process.previous.hash.sha512: + dashed_name: process-previous-hash-sha512 + description: SHA512 hash. + flat_name: process.previous.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.previous.hash.ssdeep: + dashed_name: process-previous-hash-ssdeep + description: SSDEEP hash. + flat_name: process.previous.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.previous.hash.tlsh: + dashed_name: process-previous-hash-tlsh + description: TLSH hash. + flat_name: process.previous.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.previous.interactive: + dashed_name: process-previous-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.previous.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.previous.io: + dashed_name: process-previous-io + description: 'A chunk of input or output (IO) from a single process. 
+ + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.previous.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.previous.io.bytes_skipped: + dashed_name: process-previous-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.previous.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.previous.io.bytes_skipped.length: + dashed_name: process-previous-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.previous.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.previous.io.bytes_skipped.offset: + dashed_name: process-previous-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.previous.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.previous.io.max_bytes_per_process_exceeded: + dashed_name: process-previous-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. 
+ flat_name: process.previous.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.previous.io.text: + dashed_name: process-previous-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.previous.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.previous.io.total_bytes_captured: + dashed_name: process-previous-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.previous.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.previous.io.total_bytes_skipped: + dashed_name: process-previous-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.previous.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. 
+ type: long + process.previous.io.type: + dashed_name: process-previous-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.previous.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.previous.macho.go_import_hash: + dashed_name: process-previous-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.previous.macho.go_imports: + dashed_name: process-previous-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.previous.macho.go_imports_names_entropy: + dashed_name: process-previous-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.previous.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.previous.macho.go_imports_names_var_entropy: + dashed_name: process-previous-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.previous.macho.go_stripped: + dashed_name: process-previous-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.previous.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.previous.macho.import_hash: + dashed_name: process-previous-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.previous.macho.imports: + dashed_name: process-previous-macho-imports + description: List of imported element names and types. 
+ flat_name: process.previous.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.previous.macho.imports_names_entropy: + dashed_name: process-previous-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.previous.macho.imports_names_var_entropy: + dashed_name: process-previous-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.previous.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.previous.macho.sections: + dashed_name: process-previous-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.previous.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.previous.macho.sections.entropy: + dashed_name: process-previous-macho-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.previous.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.previous.macho.sections.name: + dashed_name: process-previous-macho-sections-name + description: Mach-O Section List name. + flat_name: process.previous.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.previous.macho.sections.physical_size: + dashed_name: process-previous-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.previous.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.previous.macho.sections.var_entropy: + dashed_name: process-previous-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.previous.macho.sections.virtual_size: + dashed_name: process-previous-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.previous.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.previous.macho.symhash: + dashed_name: process-previous-macho-symhash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.previous.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.previous.name: + dashed_name: process-previous-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.previous.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.previous.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-previous-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.previous.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.previous.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-previous-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.previous.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword + process.previous.pe.architecture: + dashed_name: process-previous-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.previous.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.previous.pe.company: + dashed_name: process-previous-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.previous.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.previous.pe.description: + dashed_name: process-previous-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.previous.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.previous.pe.file_version: + dashed_name: process-previous-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.previous.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.previous.pe.go_import_hash: + dashed_name: process-previous-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.previous.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.previous.pe.go_imports: + dashed_name: process-previous-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.previous.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.previous.pe.go_imports_names_entropy: + dashed_name: process-previous-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.previous.pe.go_imports_names_var_entropy: + dashed_name: process-previous-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.previous.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.previous.pe.go_stripped: + dashed_name: process-previous-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.previous.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.previous.pe.imphash: + dashed_name: process-previous-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.previous.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.previous.pe.import_hash: + dashed_name: process-previous-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.previous.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.previous.pe.imports: + dashed_name: process-previous-pe-imports + description: List of imported element names and types. + flat_name: process.previous.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. 
+ type: flattened + process.previous.pe.imports_names_entropy: + dashed_name: process-previous-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.previous.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.previous.pe.imports_names_var_entropy: + dashed_name: process-previous-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.previous.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.previous.pe.original_file_name: + dashed_name: process-previous-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.previous.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.previous.pe.pehash: + dashed_name: process-previous-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.previous.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.previous.pe.product: + dashed_name: process-previous-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.previous.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.previous.pe.sections: + dashed_name: process-previous-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.previous.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.previous.pe.sections.entropy: + dashed_name: process-previous-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.previous.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.previous.pe.sections.name: + dashed_name: process-previous-pe-sections-name + description: PE Section List name. + flat_name: process.previous.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.previous.pe.sections.physical_size: + dashed_name: process-previous-pe-sections-physical-size + description: PE Section List physical size. 
+ flat_name: process.previous.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.previous.pe.sections.var_entropy: + dashed_name: process-previous-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.previous.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.previous.pe.sections.virtual_size: + dashed_name: process-previous-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.previous.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.previous.pid: + dashed_name: process-previous-pid + description: Process id. + example: 4242 + flat_name: process.previous.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.previous.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-previous-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.previous.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. 
+ type: boolean + process.previous.real_group.domain: + dashed_name: process-previous-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.real_group.id: + dashed_name: process-previous-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.real_group.name: + dashed_name: process-previous-real-group-name + description: Name of the group. + flat_name: process.previous.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.real_user.domain: + dashed_name: process-previous-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.previous.real_user.email: + dashed_name: process-previous-real-user-email + description: User email address. + flat_name: process.previous.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.previous.real_user.entity.attributes: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.previous.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.previous.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.previous.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.previous.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.previous.real_user.entity.id: + dashed_name: process-previous-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.previous.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.previous.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.previous.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.previous.real_user.entity.lifecycle: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.previous.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.previous.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.previous.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.previous.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.previous.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-raw + description: Original, unmodified fields from the source system. 
Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.previous.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.previous.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.previous.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.previous.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.previous.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.previous.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.previous.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.previous.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-previous-real-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.previous.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.previous.real_user.full_name: + dashed_name: process-previous-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.previous.real_user.group.domain: + dashed_name: process-previous-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.real_user.group.id: + dashed_name: process-previous-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.real_user.group.name: + dashed_name: process-previous-real-user-group-name + description: Name of the group. 
+ flat_name: process.previous.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.real_user.hash: + dashed_name: process-previous-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.previous.real_user.id: + dashed_name: process-previous-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.previous.real_user.name: + dashed_name: process-previous-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.previous.real_user.risk.calculated_level: + dashed_name: process-previous-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.previous.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.previous.real_user.risk.calculated_score: + dashed_name: process-previous-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.previous.real_user.risk.calculated_score_norm: + dashed_name: process-previous-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.previous.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.previous.real_user.risk.static_level: + dashed_name: process-previous-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.previous.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: keyword + process.previous.real_user.risk.static_score: + dashed_name: process-previous-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.previous.real_user.risk.static_score_norm: + dashed_name: process-previous-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.previous.real_user.roles: + dashed_name: process-previous-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.previous.same_as_process: + dashed_name: process-previous-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. 
Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.previous.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.previous.saved_group.domain: + dashed_name: process-previous-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.saved_group.id: + dashed_name: process-previous-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.saved_group.name: + dashed_name: process-previous-saved-group-name + description: Name of the group. 
+ flat_name: process.previous.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.saved_user.domain: + dashed_name: process-previous-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.previous.saved_user.email: + dashed_name: process-previous-saved-user-email + description: User email address. + flat_name: process.previous.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.previous.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.previous.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.previous.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.previous.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.previous.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.previous.saved_user.entity.id: + dashed_name: process-previous-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ flat_name: process.previous.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.previous.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.previous.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.previous.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.previous.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.previous.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object + process.previous.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.previous.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.previous.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.previous.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.previous.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.previous.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.previous.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.previous.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.previous.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.previous.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.previous.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-previous-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.previous.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.previous.saved_user.full_name: + dashed_name: process-previous-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. 
+ type: keyword + process.previous.saved_user.group.domain: + dashed_name: process-previous-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.saved_user.group.id: + dashed_name: process-previous-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.saved_user.group.name: + dashed_name: process-previous-saved-user-group-name + description: Name of the group. + flat_name: process.previous.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.saved_user.hash: + dashed_name: process-previous-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.previous.saved_user.id: + dashed_name: process-previous-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.previous.saved_user.name: + dashed_name: process-previous-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.previous.saved_user.risk.calculated_level: + dashed_name: process-previous-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.previous.saved_user.risk.calculated_score: + dashed_name: process-previous-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.previous.saved_user.risk.calculated_score_norm: + dashed_name: process-previous-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.previous.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.previous.saved_user.risk.static_level: + dashed_name: process-previous-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.previous.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.previous.saved_user.risk.static_score: + dashed_name: process-previous-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.previous.saved_user.risk.static_score_norm: + dashed_name: process-previous-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: process.previous.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.previous.saved_user.roles: + dashed_name: process-previous-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.previous.start: + dashed_name: process-previous-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.previous.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.previous.supplemental_groups.domain: + dashed_name: process-previous-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.supplemental_groups.id: + dashed_name: process-previous-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.previous.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.supplemental_groups.name: + dashed_name: process-previous-supplemental-groups-name + description: Name of the group. 
+ flat_name: process.previous.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.thread.capabilities.effective: + dashed_name: process-previous-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.previous.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.previous.thread.capabilities.permitted: + dashed_name: process-previous-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.previous.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.previous.thread.id: + dashed_name: process-previous-thread-id + description: Thread ID. + example: 4242 + flat_name: process.previous.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.previous.thread.name: + dashed_name: process-previous-thread-name + description: Thread name. + example: thread-0 + flat_name: process.previous.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. 
+ type: keyword + process.previous.title: + dashed_name: process-previous-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.previous.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.previous.tty: + dashed_name: process-previous-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.previous.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.previous.tty.char_device.major: + dashed_name: process-previous-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.previous.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.previous.tty.char_device.minor: + dashed_name: process-previous-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. 
+ example: 1 + flat_name: process.previous.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.previous.tty.columns: + dashed_name: process-previous-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.previous.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.previous.tty.rows: + dashed_name: process-previous-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.previous.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.previous.uptime: + dashed_name: process-previous-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.previous.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.previous.user.domain: + dashed_name: process-previous-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword + process.previous.user.email: + dashed_name: process-previous-user-email + description: User email address. + flat_name: process.previous.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.previous.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.previous.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.previous.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.previous.user.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: process-previous-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.previous.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.previous.user.entity.id: + dashed_name: process-previous-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.previous.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.previous.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ flat_name: process.previous.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.previous.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.previous.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.previous.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.previous.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.previous.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: process.previous.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.previous.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.previous.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.previous.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.previous.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.previous.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.previous.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. 
+ type: keyword + process.previous.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.previous.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.previous.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-previous-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.previous.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.previous.user.full_name: + dashed_name: process-previous-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.previous.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.previous.user.group.domain: + dashed_name: process-previous-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.previous.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.previous.user.group.id: + dashed_name: process-previous-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.previous.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.previous.user.group.name: + dashed_name: process-previous-user-group-name + description: Name of the group. + flat_name: process.previous.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.previous.user.hash: + dashed_name: process-previous-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.previous.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.previous.user.id: + dashed_name: process-previous-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.previous.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.previous.user.name: + dashed_name: process-previous-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.previous.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.previous.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword + process.previous.user.risk.calculated_level: + dashed_name: process-previous-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.previous.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.previous.user.risk.calculated_score: + dashed_name: process-previous-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.previous.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.previous.user.risk.calculated_score_norm: + dashed_name: process-previous-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.previous.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.previous.user.risk.static_level: + dashed_name: process-previous-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.previous.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.previous.user.risk.static_score: + dashed_name: process-previous-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.previous.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.previous.user.risk.static_score_norm: + dashed_name: process-previous-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.previous.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.previous.user.roles: + dashed_name: process-previous-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.previous.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.previous.vpid: + dashed_name: process-previous-vpid + description: 'Virtual process id. + + The process id within a pid namespace. 
This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.previous.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.previous.working_directory: + dashed_name: process-previous-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.previous.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.previous.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.real_group.domain: + dashed_name: process-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.real_group.id: + dashed_name: process-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.real_group.name: + dashed_name: process-real-group-name + description: Name of the group. + flat_name: process.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.real_user.domain: + dashed_name: process-real-user-domain + description: 'Name of the directory the user is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.real_user.email: + dashed_name: process-real-user-email + description: User email address. + flat_name: process.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. 
+ type: object + process.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.real_user.entity.id: + dashed_name: process-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ flat_name: process.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: process.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. 
+ type: keyword + process.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.real_user.full_name: + dashed_name: process-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.real_user.group.domain: + dashed_name: process-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.real_user.group.id: + dashed_name: process-real-user-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.real_user.group.name: + dashed_name: process-real-user-group-name + description: Name of the group. + flat_name: process.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.real_user.hash: + dashed_name: process-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.real_user.id: + dashed_name: process-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + otel: + - relation: match + stability: development + short: Unique identifier of the user. + type: keyword + process.real_user.name: + dashed_name: process-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + otel: + - relation: match + stability: development + short: Short name or login of the user. 
+ type: keyword + process.real_user.risk.calculated_level: + dashed_name: process-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.real_user.risk.calculated_score: + dashed_name: process-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.real_user.risk.calculated_score_norm: + dashed_name: process-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.real_user.risk.static_level: + dashed_name: process-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.real_user.risk.static_score: + dashed_name: process-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.real_user.risk.static_score_norm: + dashed_name: process-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.real_user.roles: + dashed_name: process-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.responsible.args: + dashed_name: process-responsible-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.responsible.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.responsible.args_count: + dashed_name: process-responsible-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.responsible.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.responsible.attested_groups.domain: + dashed_name: process-responsible-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.attested_groups.id: + dashed_name: process-responsible-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.attested_groups.name: + dashed_name: process-responsible-attested-groups-name + description: Name of the group. + flat_name: process.responsible.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.responsible.attested_user.domain: + dashed_name: process-responsible-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.responsible.attested_user.email: + dashed_name: process-responsible-attested-user-email + description: User email address. + flat_name: process.responsible.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.responsible.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.responsible.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.responsible.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.responsible.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.responsible.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.responsible.attested_user.entity.id: + dashed_name: process-responsible-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' 
+ flat_name: process.responsible.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.responsible.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.responsible.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.responsible.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.responsible.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.responsible.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object + process.responsible.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.responsible.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.responsible.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.responsible.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.responsible.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.responsible.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.responsible.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.responsible.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.responsible.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.responsible.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.responsible.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. 
Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. 
Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-responsible-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.responsible.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.responsible.attested_user.full_name: + dashed_name: process-responsible-attested-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.responsible.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.responsible.attested_user.group.domain: + dashed_name: process-responsible-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.attested_user.group.id: + dashed_name: process-responsible-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.attested_user.group.name: + dashed_name: process-responsible-attested-user-group-name + description: Name of the group. + flat_name: process.responsible.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.attested_user.hash: + dashed_name: process-responsible-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' 
+ flat_name: process.responsible.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.responsible.attested_user.id: + dashed_name: process-responsible-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.responsible.attested_user.name: + dashed_name: process-responsible-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.responsible.attested_user.risk.calculated_level: + dashed_name: process-responsible-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.responsible.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.responsible.attested_user.risk.calculated_score: + dashed_name: process-responsible-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.responsible.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.responsible.attested_user.risk.calculated_score_norm: + dashed_name: process-responsible-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.responsible.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.responsible.attested_user.risk.static_level: + dashed_name: process-responsible-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.responsible.attested_user.risk.static_score: + dashed_name: process-responsible-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.responsible.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.responsible.attested_user.risk.static_score_norm: + dashed_name: process-responsible-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.responsible.attested_user.roles: + dashed_name: process-responsible-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.responsible.code_signature.digest_algorithm: + dashed_name: process-responsible-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.responsible.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. 
+ type: keyword + process.responsible.code_signature.exists: + dashed_name: process-responsible-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.responsible.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.responsible.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-responsible-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.responsible.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.responsible.code_signature.signing_id: + dashed_name: process-responsible-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.responsible.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.responsible.code_signature.status: + dashed_name: process-responsible-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + flat_name: process.responsible.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.responsible.code_signature.subject_name: + dashed_name: process-responsible-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.responsible.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.responsible.code_signature.team_id: + dashed_name: process-responsible-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.responsible.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.responsible.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-responsible-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.responsible.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. 
+ type: keyword + process.responsible.code_signature.timestamp: + dashed_name: process-responsible-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.responsible.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.responsible.code_signature.trusted: + dashed_name: process-responsible-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.responsible.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.responsible.code_signature.valid: + dashed_name: process-responsible-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.responsible.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.responsible.command_line: + dashed_name: process-responsible-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.responsible.command_line + level: extended + multi_fields: + - flat_name: process.responsible.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.responsible.elf.architecture: + dashed_name: process-responsible-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.responsible.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.responsible.elf.byte_order: + dashed_name: process-responsible-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.responsible.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.responsible.elf.cpu_type: + dashed_name: process-responsible-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.responsible.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.responsible.elf.creation_date: + dashed_name: process-responsible-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.responsible.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.responsible.elf.exports: + dashed_name: process-responsible-elf-exports + description: List of exported element names and types. 
+ flat_name: process.responsible.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.responsible.elf.go_import_hash: + dashed_name: process-responsible-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.responsible.elf.go_imports: + dashed_name: process-responsible-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.responsible.elf.go_imports_names_entropy: + dashed_name: process-responsible-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. 
+ type: long + process.responsible.elf.go_imports_names_var_entropy: + dashed_name: process-responsible-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.responsible.elf.go_stripped: + dashed_name: process-responsible-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.responsible.elf.header.abi_version: + dashed_name: process-responsible-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.responsible.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.responsible.elf.header.class: + dashed_name: process-responsible-elf-header-class + description: Header class of the ELF file. + flat_name: process.responsible.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.responsible.elf.header.data: + dashed_name: process-responsible-elf-header-data + description: Data table of the ELF header. 
+ flat_name: process.responsible.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.responsible.elf.header.entrypoint: + dashed_name: process-responsible-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.responsible.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.responsible.elf.header.object_version: + dashed_name: process-responsible-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.responsible.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.responsible.elf.header.os_abi: + dashed_name: process-responsible-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.responsible.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.responsible.elf.header.type: + dashed_name: process-responsible-elf-header-type + description: Header type of the ELF file. + flat_name: process.responsible.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.responsible.elf.header.version: + dashed_name: process-responsible-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.responsible.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.responsible.elf.import_hash: + dashed_name: process-responsible-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.responsible.elf.imports: + dashed_name: process-responsible-elf-imports + description: List of imported element names and types. + flat_name: process.responsible.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.responsible.elf.imports_names_entropy: + dashed_name: process-responsible-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.responsible.elf.imports_names_var_entropy: + dashed_name: process-responsible-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.responsible.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.responsible.elf.sections: + dashed_name: process-responsible-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.responsible.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.responsible.elf.sections.chi2: + dashed_name: process-responsible-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.responsible.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.responsible.elf.sections.entropy: + dashed_name: process-responsible-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.responsible.elf.sections.flags: + dashed_name: process-responsible-elf-sections-flags + description: ELF Section List flags. + flat_name: process.responsible.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.responsible.elf.sections.name: + dashed_name: process-responsible-elf-sections-name + description: ELF Section List name. 
+ flat_name: process.responsible.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.responsible.elf.sections.physical_offset: + dashed_name: process-responsible-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.responsible.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.responsible.elf.sections.physical_size: + dashed_name: process-responsible-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.responsible.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.responsible.elf.sections.type: + dashed_name: process-responsible-elf-sections-type + description: ELF Section List type. + flat_name: process.responsible.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.responsible.elf.sections.var_entropy: + dashed_name: process-responsible-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.responsible.elf.sections.virtual_address: + dashed_name: process-responsible-elf-sections-virtual-address + description: ELF Section List virtual address. 
+ flat_name: process.responsible.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.responsible.elf.sections.virtual_size: + dashed_name: process-responsible-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.responsible.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.responsible.elf.segments: + dashed_name: process-responsible-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.responsible.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.responsible.elf.segments.sections: + dashed_name: process-responsible-elf-segments-sections + description: ELF object segment sections. + flat_name: process.responsible.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.responsible.elf.segments.type: + dashed_name: process-responsible-elf-segments-type + description: ELF object segment type. + flat_name: process.responsible.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.responsible.elf.shared_libraries: + dashed_name: process-responsible-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: process.responsible.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.responsible.elf.telfhash: + dashed_name: process-responsible-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.responsible.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.responsible.end: + dashed_name: process-responsible-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.responsible.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.responsible.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-responsible-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.responsible.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.responsible.entity_id: + dashed_name: process-responsible-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + flat_name: process.responsible.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.responsible.entry_meta.source.address: + dashed_name: process-responsible-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.responsible.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.responsible.entry_meta.source.as.number: + dashed_name: process-responsible-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.responsible.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.responsible.entry_meta.source.as.organization.name: + dashed_name: process-responsible-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.responsible.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. 
+ type: keyword + process.responsible.entry_meta.source.bytes: + dashed_name: process-responsible-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.responsible.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.responsible.entry_meta.source.domain: + dashed_name: process-responsible-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.responsible.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.responsible.entry_meta.source.geo.city_name: + dashed_name: process-responsible-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.responsible.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.responsible.entry_meta.source.geo.continent_code: + dashed_name: process-responsible-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.responsible.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.responsible.entry_meta.source.geo.continent_name: + dashed_name: process-responsible-entry-meta-source-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: process.responsible.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.responsible.entry_meta.source.geo.country_iso_code: + dashed_name: process-responsible-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.responsible.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.responsible.entry_meta.source.geo.country_name: + dashed_name: process-responsible-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.responsible.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.responsible.entry_meta.source.geo.location: + dashed_name: process-responsible-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.responsible.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.responsible.entry_meta.source.geo.name: + dashed_name: process-responsible-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + flat_name: process.responsible.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.responsible.entry_meta.source.geo.postal_code: + dashed_name: process-responsible-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.responsible.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.responsible.entry_meta.source.geo.region_iso_code: + dashed_name: process-responsible-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.responsible.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.responsible.entry_meta.source.geo.region_name: + dashed_name: process-responsible-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.responsible.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.responsible.entry_meta.source.geo.timezone: + dashed_name: process-responsible-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.responsible.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. 
+ type: keyword + process.responsible.entry_meta.source.ip: + dashed_name: process-responsible-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.responsible.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.responsible.entry_meta.source.mac: + dashed_name: process-responsible-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.responsible.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.responsible.entry_meta.source.nat.ip: + dashed_name: process-responsible-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.responsible.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.responsible.entry_meta.source.nat.port: + dashed_name: process-responsible-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.responsible.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.responsible.entry_meta.source.packets: + dashed_name: process-responsible-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.responsible.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.responsible.entry_meta.source.port: + dashed_name: process-responsible-entry-meta-source-port + description: Port of the source. + flat_name: process.responsible.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.responsible.entry_meta.source.registered_domain: + dashed_name: process-responsible-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.responsible.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.responsible.entry_meta.source.subdomain: + dashed_name: process-responsible-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. 
In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.responsible.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.responsible.entry_meta.source.top_level_domain: + dashed_name: process-responsible-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.responsible.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.responsible.entry_meta.type: + dashed_name: process-responsible-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.responsible.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. 
+ type: keyword + process.responsible.env_vars: + dashed_name: process-responsible-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.responsible.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.responsible.executable: + dashed_name: process-responsible-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.responsible.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.responsible.exit_code: + dashed_name: process-responsible-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.responsible.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.responsible.group.domain: + dashed_name: process-responsible-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.responsible.group.id: + dashed_name: process-responsible-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.group.name: + dashed_name: process-responsible-group-name + description: Name of the group. + flat_name: process.responsible.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-responsible-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.responsible.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.responsible.hash.md5: + dashed_name: process-responsible-hash-md5 + description: MD5 hash. + flat_name: process.responsible.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.responsible.hash.sha1: + dashed_name: process-responsible-hash-sha1 + description: SHA1 hash. + flat_name: process.responsible.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.responsible.hash.sha256: + dashed_name: process-responsible-hash-sha256 + description: SHA256 hash. 
+ flat_name: process.responsible.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.responsible.hash.sha384: + dashed_name: process-responsible-hash-sha384 + description: SHA384 hash. + flat_name: process.responsible.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.responsible.hash.sha512: + dashed_name: process-responsible-hash-sha512 + description: SHA512 hash. + flat_name: process.responsible.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.responsible.hash.ssdeep: + dashed_name: process-responsible-hash-ssdeep + description: SSDEEP hash. + flat_name: process.responsible.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.responsible.hash.tlsh: + dashed_name: process-responsible-hash-tlsh + description: TLSH hash. + flat_name: process.responsible.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.responsible.interactive: + dashed_name: process-responsible-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.responsible.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.responsible.io: + dashed_name: process-responsible-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.responsible.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.responsible.io.bytes_skipped: + dashed_name: process-responsible-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.responsible.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.responsible.io.bytes_skipped.length: + dashed_name: process-responsible-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.responsible.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.responsible.io.bytes_skipped.offset: + dashed_name: process-responsible-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.responsible.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.responsible.io.max_bytes_per_process_exceeded: + dashed_name: process-responsible-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.responsible.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.responsible.io.text: + dashed_name: process-responsible-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.responsible.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.responsible.io.total_bytes_captured: + dashed_name: process-responsible-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.responsible.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. 
+ type: long + process.responsible.io.total_bytes_skipped: + dashed_name: process-responsible-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.responsible.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.responsible.io.type: + dashed_name: process-responsible-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.responsible.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.responsible.macho.go_import_hash: + dashed_name: process-responsible-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. 
+ type: keyword + process.responsible.macho.go_imports: + dashed_name: process-responsible-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.responsible.macho.go_imports_names_entropy: + dashed_name: process-responsible-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.responsible.macho.go_imports_names_var_entropy: + dashed_name: process-responsible-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.responsible.macho.go_stripped: + dashed_name: process-responsible-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.responsible.macho.import_hash: + dashed_name: process-responsible-macho-import-hash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.responsible.macho.imports: + dashed_name: process-responsible-macho-imports + description: List of imported element names and types. + flat_name: process.responsible.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.responsible.macho.imports_names_entropy: + dashed_name: process-responsible-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.responsible.macho.imports_names_var_entropy: + dashed_name: process-responsible-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.responsible.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.responsible.macho.sections: + dashed_name: process-responsible-macho-sections + description: 'An array containing an object for each section of the Mach-O file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.responsible.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.responsible.macho.sections.entropy: + dashed_name: process-responsible-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.responsible.macho.sections.name: + dashed_name: process-responsible-macho-sections-name + description: Mach-O Section List name. + flat_name: process.responsible.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.responsible.macho.sections.physical_size: + dashed_name: process-responsible-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.responsible.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.responsible.macho.sections.var_entropy: + dashed_name: process-responsible-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. 
+ type: long + process.responsible.macho.sections.virtual_size: + dashed_name: process-responsible-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.responsible.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.responsible.macho.symhash: + dashed_name: process-responsible-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.responsible.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.responsible.name: + dashed_name: process-responsible-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.responsible.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.responsible.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-responsible-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. 
+ example: http://example.com/article1.html + flat_name: process.responsible.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.responsible.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-responsible-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.responsible.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.responsible.pe.architecture: + dashed_name: process-responsible-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.responsible.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.responsible.pe.company: + dashed_name: process-responsible-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.responsible.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.responsible.pe.description: + dashed_name: process-responsible-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.responsible.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
+ type: keyword + process.responsible.pe.file_version: + dashed_name: process-responsible-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.responsible.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.responsible.pe.go_import_hash: + dashed_name: process-responsible-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.responsible.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.responsible.pe.go_imports: + dashed_name: process-responsible-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.responsible.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.responsible.pe.go_imports_names_entropy: + dashed_name: process-responsible-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. 
+ type: long + process.responsible.pe.go_imports_names_var_entropy: + dashed_name: process-responsible-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.responsible.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.responsible.pe.go_stripped: + dashed_name: process-responsible-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.responsible.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.responsible.pe.imphash: + dashed_name: process-responsible-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.responsible.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.responsible.pe.import_hash: + dashed_name: process-responsible-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.responsible.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.responsible.pe.imports: + dashed_name: process-responsible-pe-imports + description: List of imported element names and types. + flat_name: process.responsible.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.responsible.pe.imports_names_entropy: + dashed_name: process-responsible-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.responsible.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.responsible.pe.imports_names_var_entropy: + dashed_name: process-responsible-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.responsible.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.responsible.pe.original_file_name: + dashed_name: process-responsible-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.responsible.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. 
+ type: keyword + process.responsible.pe.pehash: + dashed_name: process-responsible-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.responsible.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.responsible.pe.product: + dashed_name: process-responsible-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.responsible.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.responsible.pe.sections: + dashed_name: process-responsible-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.responsible.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.responsible.pe.sections.entropy: + dashed_name: process-responsible-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.responsible.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. 
+ type: long + process.responsible.pe.sections.name: + dashed_name: process-responsible-pe-sections-name + description: PE Section List name. + flat_name: process.responsible.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.responsible.pe.sections.physical_size: + dashed_name: process-responsible-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.responsible.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.responsible.pe.sections.var_entropy: + dashed_name: process-responsible-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.responsible.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.responsible.pe.sections.virtual_size: + dashed_name: process-responsible-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.responsible.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.responsible.pid: + dashed_name: process-responsible-pid + description: Process id. + example: 4242 + flat_name: process.responsible.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.responsible.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.responsible.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.responsible.real_group.domain: + dashed_name: process-responsible-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.real_group.id: + dashed_name: process-responsible-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.real_group.name: + dashed_name: process-responsible-real-group-name + description: Name of the group. + flat_name: process.responsible.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.real_user.domain: + dashed_name: process-responsible-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. 
+ type: keyword + process.responsible.real_user.email: + dashed_name: process-responsible-real-user-email + description: User email address. + flat_name: process.responsible.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.responsible.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.responsible.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.responsible.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.responsible.real_user.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.responsible.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.responsible.real_user.entity.id: + dashed_name: process-responsible-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.responsible.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.responsible.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ flat_name: process.responsible.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.responsible.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.responsible.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.responsible.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.responsible.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: process.responsible.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.responsible.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.responsible.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.responsible.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.responsible.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.responsible.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). 
+ flat_name: process.responsible.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.responsible.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.responsible.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.responsible.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. 
+ Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. 
Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-responsible-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.responsible.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.responsible.real_user.full_name: + dashed_name: process-responsible-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.responsible.real_user.group.domain: + dashed_name: process-responsible-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.responsible.real_user.group.id: + dashed_name: process-responsible-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.real_user.group.name: + dashed_name: process-responsible-real-user-group-name + description: Name of the group. + flat_name: process.responsible.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.real_user.hash: + dashed_name: process-responsible-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.responsible.real_user.id: + dashed_name: process-responsible-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.responsible.real_user.name: + dashed_name: process-responsible-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.responsible.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.responsible.real_user.risk.calculated_level: + dashed_name: process-responsible-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.responsible.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.responsible.real_user.risk.calculated_score: + dashed_name: process-responsible-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.responsible.real_user.risk.calculated_score_norm: + dashed_name: process-responsible-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + flat_name: process.responsible.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.responsible.real_user.risk.static_level: + dashed_name: process-responsible-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.responsible.real_user.risk.static_score: + dashed_name: process-responsible-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.responsible.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.responsible.real_user.risk.static_score_norm: + dashed_name: process-responsible-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float + process.responsible.real_user.roles: + dashed_name: process-responsible-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.responsible.same_as_process: + dashed_name: process-responsible-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.responsible.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. 
+ type: boolean + process.responsible.saved_group.domain: + dashed_name: process-responsible-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.saved_group.id: + dashed_name: process-responsible-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.saved_group.name: + dashed_name: process-responsible-saved-group-name + description: Name of the group. + flat_name: process.responsible.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.saved_user.domain: + dashed_name: process-responsible-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.responsible.saved_user.email: + dashed_name: process-responsible-saved-user-email + description: User email address. + flat_name: process.responsible.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. 
+ type: keyword + process.responsible.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.responsible.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.responsible.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.responsible.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.responsible.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.responsible.saved_user.entity.id: + dashed_name: process-responsible-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.responsible.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.responsible.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.responsible.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.responsible.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.responsible.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.responsible.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.responsible.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.responsible.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.responsible.saved_user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.responsible.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.responsible.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.responsible.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.responsible.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.responsible.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.responsible.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-responsible-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. 
This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.responsible.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.responsible.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. 
+ name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.responsible.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.responsible.saved_user.full_name: + dashed_name: process-responsible-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.responsible.saved_user.group.domain: + dashed_name: process-responsible-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.saved_user.group.id: + dashed_name: process-responsible-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.responsible.saved_user.group.name: + dashed_name: process-responsible-saved-user-group-name + description: Name of the group. + flat_name: process.responsible.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.saved_user.hash: + dashed_name: process-responsible-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.responsible.saved_user.id: + dashed_name: process-responsible-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.responsible.saved_user.name: + dashed_name: process-responsible-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.responsible.saved_user.risk.calculated_level: + dashed_name: process-responsible-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.responsible.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.responsible.saved_user.risk.calculated_score: + dashed_name: process-responsible-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.responsible.saved_user.risk.calculated_score_norm: + dashed_name: process-responsible-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.responsible.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.responsible.saved_user.risk.static_level: + dashed_name: process-responsible-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.responsible.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.responsible.saved_user.risk.static_score: + dashed_name: process-responsible-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.responsible.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.responsible.saved_user.risk.static_score_norm: + dashed_name: process-responsible-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.responsible.saved_user.roles: + dashed_name: process-responsible-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.responsible.start: + dashed_name: process-responsible-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.responsible.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.responsible.supplemental_groups.domain: + dashed_name: process-responsible-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.supplemental_groups.id: + dashed_name: process-responsible-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.supplemental_groups.name: + dashed_name: process-responsible-supplemental-groups-name + description: Name of the group. + flat_name: process.responsible.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.thread.capabilities.effective: + dashed_name: process-responsible-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.responsible.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.responsible.thread.capabilities.permitted: + dashed_name: process-responsible-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.responsible.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.responsible.thread.id: + dashed_name: process-responsible-thread-id + description: Thread ID. + example: 4242 + flat_name: process.responsible.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.responsible.thread.name: + dashed_name: process-responsible-thread-name + description: Thread name. + example: thread-0 + flat_name: process.responsible.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.responsible.title: + dashed_name: process-responsible-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' 
+ flat_name: process.responsible.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.responsible.tty: + dashed_name: process-responsible-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.responsible.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.responsible.tty.char_device.major: + dashed_name: process-responsible-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.responsible.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.responsible.tty.char_device.minor: + dashed_name: process-responsible-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.responsible.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. 
+ type: long + process.responsible.tty.columns: + dashed_name: process-responsible-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.responsible.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.responsible.tty.rows: + dashed_name: process-responsible-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.responsible.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.responsible.uptime: + dashed_name: process-responsible-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.responsible.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.responsible.user.domain: + dashed_name: process-responsible-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.responsible.user.email: + dashed_name: process-responsible-user-email + description: User email address. 
+ flat_name: process.responsible.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.responsible.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.responsible.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.responsible.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.responsible.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.responsible.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.responsible.user.entity.id: + dashed_name: process-responsible-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.responsible.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.responsible.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.responsible.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date + process.responsible.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.responsible.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.responsible.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.responsible.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.responsible.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.responsible.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.responsible.user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-responsible-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.responsible.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.responsible.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.responsible.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.responsible.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.responsible.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.responsible.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.responsible.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.responsible.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-responsible-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.responsible.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.responsible.user.full_name: + dashed_name: process-responsible-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.responsible.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.responsible.user.group.domain: + dashed_name: process-responsible-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.responsible.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.responsible.user.group.id: + dashed_name: process-responsible-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.responsible.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.responsible.user.group.name: + dashed_name: process-responsible-user-group-name + description: Name of the group. 
+ flat_name: process.responsible.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.responsible.user.hash: + dashed_name: process-responsible-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.responsible.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.responsible.user.id: + dashed_name: process-responsible-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.responsible.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.responsible.user.name: + dashed_name: process-responsible-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.responsible.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.responsible.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.responsible.user.risk.calculated_level: + dashed_name: process-responsible-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: High + flat_name: process.responsible.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.responsible.user.risk.calculated_score: + dashed_name: process-responsible-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.responsible.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.responsible.user.risk.calculated_score_norm: + dashed_name: process-responsible-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.responsible.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.responsible.user.risk.static_level: + dashed_name: process-responsible-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.responsible.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: keyword + process.responsible.user.risk.static_score: + dashed_name: process-responsible-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.responsible.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.responsible.user.risk.static_score_norm: + dashed_name: process-responsible-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.responsible.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.responsible.user.roles: + dashed_name: process-responsible-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.responsible.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.responsible.vpid: + dashed_name: process-responsible-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.responsible.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. 
+ type: long + process.responsible.working_directory: + dashed_name: process-responsible-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.responsible.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.responsible.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.same_as_process: + dashed_name: process-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.same_as_process + level: extended + name: same_as_process + normalize: [] + short: This boolean is used to identify if a leader process is the same as the + top level process. 
+ type: boolean + process.saved_group.domain: + dashed_name: process-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.saved_group.id: + dashed_name: process-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.saved_group.name: + dashed_name: process-saved-group-name + description: Name of the group. + flat_name: process.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.saved_user.domain: + dashed_name: process-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.saved_user.email: + dashed_name: process-saved-user-email + description: User email address. + flat_name: process.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. 
Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. 
+ type: keyword + process.saved_user.entity.id: + dashed_name: process-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object + process.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. 
+ type: keyword + process.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.saved_user.full_name: + dashed_name: process-saved-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.saved_user.group.domain: + dashed_name: process-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.saved_user.group.id: + dashed_name: process-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.saved_user.group.name: + dashed_name: process-saved-user-group-name + description: Name of the group. + flat_name: process.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.saved_user.hash: + dashed_name: process-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.saved_user.id: + dashed_name: process-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + otel: + - relation: match + stability: development + short: Unique identifier of the user. + type: keyword + process.saved_user.name: + dashed_name: process-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + otel: + - relation: match + stability: development + short: Short name or login of the user. + type: keyword + process.saved_user.risk.calculated_level: + dashed_name: process-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.saved_user.risk.calculated_score: + dashed_name: process-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.saved_user.risk.calculated_score_norm: + dashed_name: process-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.saved_user.risk.static_level: + dashed_name: process-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.saved_user.risk.static_score: + dashed_name: process-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.saved_user.risk.static_score_norm: + dashed_name: process-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. 
+ example: 83.0 + flat_name: process.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.saved_user.roles: + dashed_name: process-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.args: + dashed_name: process-session-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.session_leader.args_count: + dashed_name: process-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.session_leader.attested_groups.domain: + dashed_name: process-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.attested_groups.id: + dashed_name: process-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.attested_groups.name: + dashed_name: process-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.attested_user.domain: + dashed_name: process-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.attested_user.email: + dashed_name: process-session-leader-attested-user-email + description: User email address. + flat_name: process.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.session_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.attested_user.entity.id: + dashed_name: process-session-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date + process.session_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. 
+ type: keyword + process.session_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.attested_user.full_name: + dashed_name: process-session-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.attested_user.group.domain: + dashed_name: process-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.session_leader.attested_user.group.id: + dashed_name: process-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.attested_user.group.name: + dashed_name: process-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.attested_user.hash: + dashed_name: process-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.attested_user.id: + dashed_name: process-session-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.session_leader.attested_user.name: + dashed_name: process-session-leader-attested-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.attested_user.risk.calculated_level: + dashed_name: process-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.attested_user.risk.calculated_score: + dashed_name: process-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + flat_name: process.session_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.attested_user.risk.static_level: + dashed_name: process-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.attested_user.risk.static_score: + dashed_name: process-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float + process.session_leader.attested_user.roles: + dashed_name: process-session-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.code_signature.digest_algorithm: + dashed_name: process-session-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.session_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.session_leader.code_signature.exists: + dashed_name: process-session-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.session_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.session_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-code-signature-flags + description: The flags used to sign the process. 
+ example: 570522385 + flat_name: process.session_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.session_leader.code_signature.signing_id: + dashed_name: process-session-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.session_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.session_leader.code_signature.status: + dashed_name: process-session-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.session_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword + process.session_leader.code_signature.subject_name: + dashed_name: process-session-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.session_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.session_leader.code_signature.team_id: + dashed_name: process-session-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.session_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.session_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.session_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.session_leader.code_signature.timestamp: + dashed_name: process-session-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + flat_name: process.session_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.session_leader.code_signature.trusted: + dashed_name: process-session-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.session_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.session_leader.code_signature.valid: + dashed_name: process-session-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.session_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.session_leader.command_line: + dashed_name: process-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. 
+ type: wildcard + process.session_leader.elf.architecture: + dashed_name: process-session-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.session_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.session_leader.elf.byte_order: + dashed_name: process-session-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.session_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.session_leader.elf.cpu_type: + dashed_name: process-session-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.session_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.session_leader.elf.creation_date: + dashed_name: process-session-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.session_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.session_leader.elf.exports: + dashed_name: process-session-leader-elf-exports + description: List of exported element names and types. + flat_name: process.session_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. 
+ type: flattened + process.session_leader.elf.go_import_hash: + dashed_name: process-session-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.session_leader.elf.go_imports: + dashed_name: process-session-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.session_leader.elf.go_imports_names_entropy: + dashed_name: process-session-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.session_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.elf.go_stripped: + dashed_name: process-session-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.elf.header.abi_version: + dashed_name: process-session-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.session_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.session_leader.elf.header.class: + dashed_name: process-session-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.session_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.session_leader.elf.header.data: + dashed_name: process-session-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.session_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. 
+ type: keyword + process.session_leader.elf.header.entrypoint: + dashed_name: process-session-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.session_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.session_leader.elf.header.object_version: + dashed_name: process-session-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.session_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.session_leader.elf.header.os_abi: + dashed_name: process-session-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.session_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.session_leader.elf.header.type: + dashed_name: process-session-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.session_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.session_leader.elf.header.version: + dashed_name: process-session-leader-elf-header-version + description: Version of the ELF header. + flat_name: process.session_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. 
+ type: keyword + process.session_leader.elf.import_hash: + dashed_name: process-session-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.session_leader.elf.imports: + dashed_name: process-session-leader-elf-imports + description: List of imported element names and types. + flat_name: process.session_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.session_leader.elf.imports_names_entropy: + dashed_name: process-session-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.elf.imports_names_var_entropy: + dashed_name: process-session-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.session_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.elf.sections: + dashed_name: process-session-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.session_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.session_leader.elf.sections.chi2: + dashed_name: process-session-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.session_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.session_leader.elf.sections.entropy: + dashed_name: process-session-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.session_leader.elf.sections.flags: + dashed_name: process-session-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.session_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. 
+ type: keyword + process.session_leader.elf.sections.name: + dashed_name: process-session-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.session_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.session_leader.elf.sections.physical_offset: + dashed_name: process-session-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.session_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.session_leader.elf.sections.physical_size: + dashed_name: process-session-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.session_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.session_leader.elf.sections.type: + dashed_name: process-session-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.session_leader.elf.sections.var_entropy: + dashed_name: process-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. 
+ type: long + process.session_leader.elf.sections.virtual_address: + dashed_name: process-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.session_leader.elf.sections.virtual_size: + dashed_name: process-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.session_leader.elf.segments: + dashed_name: process-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.session_leader.elf.segments.sections: + dashed_name: process-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.session_leader.elf.segments.type: + dashed_name: process-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. 
+ type: keyword + process.session_leader.elf.shared_libraries: + dashed_name: process-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.session_leader.elf.telfhash: + dashed_name: process-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.session_leader.end: + dashed_name: process-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.session_leader.entity_id: + dashed_name: process-session-leader-entity-id + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.session_leader.entry_meta.source.address: + dashed_name: process-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.session_leader.entry_meta.source.as.number: + dashed_name: process-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.session_leader.entry_meta.source.bytes: + dashed_name: process-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.session_leader.entry_meta.source.domain: + dashed_name: process-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. 
+ example: NA + flat_name: process.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.session_leader.entry_meta.source.geo.location: + dashed_name: process-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point + process.session_leader.entry_meta.source.geo.name: + dashed_name: process-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword + process.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.session_leader.entry_meta.source.ip: + dashed_name: process-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.session_leader.entry_meta.source.mac: + dashed_name: process-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.session_leader.entry_meta.source.nat.ip: + dashed_name: process-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' 
+ flat_name: process.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.session_leader.entry_meta.source.nat.port: + dashed_name: process-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.session_leader.entry_meta.source.packets: + dashed_name: process-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.session_leader.entry_meta.source.port: + dashed_name: process-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.session_leader.entry_meta.source.registered_domain: + dashed_name: process-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: process.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.session_leader.entry_meta.source.subdomain: + dashed_name: process-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + flat_name: process.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.session_leader.entry_meta.type: + dashed_name: process-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.session_leader.env_vars: + dashed_name: process-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.session_leader.executable: + dashed_name: process-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword + process.session_leader.exit_code: + dashed_name: process-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.session_leader.group.domain: + dashed_name: process-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.group.id: + dashed_name: process-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.group.name: + dashed_name: process-session-leader-group-name + description: Name of the group. + flat_name: process.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. 
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.session_leader.hash.md5: + dashed_name: process-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.session_leader.hash.sha1: + dashed_name: process-session-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.session_leader.hash.sha256: + dashed_name: process-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.session_leader.hash.sha384: + dashed_name: process-session-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.session_leader.hash.sha512: + dashed_name: process-session-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.session_leader.hash.ssdeep: + dashed_name: process-session-leader-hash-ssdeep + description: SSDEEP hash. 
+ flat_name: process.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.session_leader.hash.tlsh: + dashed_name: process-session-leader-hash-tlsh + description: TLSH hash. + flat_name: process.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.session_leader.interactive: + dashed_name: process-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.session_leader.io: + dashed_name: process-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. 
+ type: object + process.session_leader.io.bytes_skipped: + dashed_name: process-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.session_leader.io.bytes_skipped.length: + dashed_name: process-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.session_leader.io.bytes_skipped.offset: + dashed_name: process-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. 
+ type: boolean + process.session_leader.io.text: + dashed_name: process-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.session_leader.io.total_bytes_captured: + dashed_name: process-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.session_leader.io.total_bytes_skipped: + dashed_name: process-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.session_leader.io.type: + dashed_name: process-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' 
+ flat_name: process.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.session_leader.macho.go_import_hash: + dashed_name: process-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.session_leader.macho.go_imports: + dashed_name: process-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.session_leader.macho.go_imports_names_entropy: + dashed_name: process-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. 
+ type: long + process.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.macho.go_stripped: + dashed_name: process-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.macho.import_hash: + dashed_name: process-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.macho.imports: + dashed_name: process-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. 
+ type: flattened + process.session_leader.macho.imports_names_entropy: + dashed_name: process-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.macho.imports_names_var_entropy: + dashed_name: process-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.macho.sections: + dashed_name: process-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.session_leader.macho.sections.entropy: + dashed_name: process-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. 
+ type: long + process.session_leader.macho.sections.name: + dashed_name: process-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.session_leader.macho.sections.physical_size: + dashed_name: process-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.session_leader.macho.sections.var_entropy: + dashed_name: process-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.macho.sections.virtual_size: + dashed_name: process-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: long + process.session_leader.macho.symhash: + dashed_name: process-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. 
An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.name: + dashed_name: process-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.session_leader.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. 
+ type: keyword + process.session_leader.parent.args: + dashed_name: process-session-leader-parent-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.parent.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.session_leader.parent.args_count: + dashed_name: process-session-leader-parent-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.session_leader.parent.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.session_leader.parent.attested_groups.domain: + dashed_name: process-session-leader-parent-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.attested_groups.id: + dashed_name: process-session-leader-parent-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.session_leader.parent.attested_groups.name: + dashed_name: process-session-leader-parent-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.attested_user.domain: + dashed_name: process-session-leader-parent-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.attested_user.email: + dashed_name: process-session-leader-parent-attested-user-email + description: User email address. + flat_name: process.session_leader.parent.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. 
+ type: object + process.session_leader.parent.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.parent.attested_user.entity.id: + dashed_name: process-session-leader-parent-attested-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.parent.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.parent.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.parent.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.session_leader.parent.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.attested_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.parent.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.parent.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.parent.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.parent.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.parent.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.parent.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.parent.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.parent.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.parent.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-attested-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.parent.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.parent.attested_user.full_name: + dashed_name: process-session-leader-parent-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.attested_user.group.domain: + dashed_name: process-session-leader-parent-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.attested_user.group.id: + dashed_name: process-session-leader-parent-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.session_leader.parent.attested_user.group.name: + dashed_name: process-session-leader-parent-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.attested_user.hash: + dashed_name: process-session-leader-parent-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.attested_user.id: + dashed_name: process-session-leader-parent-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.session_leader.parent.attested_user.name: + dashed_name: process-session-leader-parent-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword + process.session_leader.parent.attested_user.risk.calculated_level: + dashed_name: process-session-leader-parent-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.attested_user.risk.calculated_score: + dashed_name: process-session-leader-parent-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.parent.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.session_leader.parent.attested_user.risk.static_level: + dashed_name: process-session-leader-parent-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.attested_user.risk.static_score: + dashed_name: process-session-leader-parent-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.parent.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.attested_user.roles: + dashed_name: process-session-leader-parent-attested-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.code_signature.digest_algorithm: + dashed_name: process-session-leader-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.session_leader.parent.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. + type: keyword + process.session_leader.parent.code_signature.exists: + dashed_name: process-session-leader-parent-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.session_leader.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.session_leader.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-code-signature-flags + description: The flags used to sign the process. 
+ example: 570522385 + flat_name: process.session_leader.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.session_leader.parent.code_signature.signing_id: + dashed_name: process-session-leader-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.session_leader.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.session_leader.parent.code_signature.status: + dashed_name: process-session-leader-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.session_leader.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword + process.session_leader.parent.code_signature.subject_name: + dashed_name: process-session-leader-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.session_leader.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.session_leader.parent.code_signature.team_id: + dashed_name: process-session-leader-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.session_leader.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.session_leader.parent.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.session_leader.parent.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.session_leader.parent.code_signature.timestamp: + dashed_name: process-session-leader-parent-code-signature-timestamp + description: Date and time when the code signature was generated and signed. 
+ example: '2021-01-01T12:10:30Z' + flat_name: process.session_leader.parent.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.session_leader.parent.code_signature.trusted: + dashed_name: process-session-leader-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.session_leader.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.session_leader.parent.code_signature.valid: + dashed_name: process-session-leader-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.session_leader.parent.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.session_leader.parent.command_line: + dashed_name: process-session-leader-parent-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' 
+ example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.parent.command_line + level: extended + multi_fields: + - flat_name: process.session_leader.parent.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.session_leader.parent.elf.architecture: + dashed_name: process-session-leader-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.session_leader.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.session_leader.parent.elf.byte_order: + dashed_name: process-session-leader-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.session_leader.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.session_leader.parent.elf.cpu_type: + dashed_name: process-session-leader-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.session_leader.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.session_leader.parent.elf.creation_date: + dashed_name: process-session-leader-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.session_leader.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. 
+ type: date + process.session_leader.parent.elf.exports: + dashed_name: process-session-leader-parent-elf-exports + description: List of exported element names and types. + flat_name: process.session_leader.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.session_leader.parent.elf.go_import_hash: + dashed_name: process-session-leader-parent-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.session_leader.parent.elf.go_imports: + dashed_name: process-session-leader-parent-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.session_leader.parent.elf.go_imports_names_entropy: + dashed_name: process-session-leader-parent-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.session_leader.parent.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.elf.go_stripped: + dashed_name: process-session-leader-parent-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.parent.elf.header.abi_version: + dashed_name: process-session-leader-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.session_leader.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.session_leader.parent.elf.header.class: + dashed_name: process-session-leader-parent-elf-header-class + description: Header class of the ELF file. 
+ flat_name: process.session_leader.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.session_leader.parent.elf.header.data: + dashed_name: process-session-leader-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.session_leader.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.session_leader.parent.elf.header.entrypoint: + dashed_name: process-session-leader-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.session_leader.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.session_leader.parent.elf.header.object_version: + dashed_name: process-session-leader-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.session_leader.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.session_leader.parent.elf.header.os_abi: + dashed_name: process-session-leader-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.session_leader.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.session_leader.parent.elf.header.type: + dashed_name: process-session-leader-parent-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.session_leader.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.session_leader.parent.elf.header.version: + dashed_name: process-session-leader-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.session_leader.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.session_leader.parent.elf.import_hash: + dashed_name: process-session-leader-parent-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.session_leader.parent.elf.imports: + dashed_name: process-session-leader-parent-elf-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.session_leader.parent.elf.imports_names_entropy: + dashed_name: process-session-leader-parent-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.session_leader.parent.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.parent.elf.imports_names_var_entropy: + dashed_name: process-session-leader-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.parent.elf.sections: + dashed_name: process-session-leader-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.session_leader.parent.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.session_leader.parent.elf.sections.chi2: + dashed_name: process-session-leader-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.session_leader.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.session_leader.parent.elf.sections.entropy: + dashed_name: process-session-leader-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.session_leader.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.session_leader.parent.elf.sections.flags: + dashed_name: process-session-leader-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.session_leader.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.session_leader.parent.elf.sections.name: + dashed_name: process-session-leader-parent-elf-sections-name + description: ELF Section List name. + flat_name: process.session_leader.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.session_leader.parent.elf.sections.physical_offset: + dashed_name: process-session-leader-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.session_leader.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.session_leader.parent.elf.sections.physical_size: + dashed_name: process-session-leader-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.session_leader.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.session_leader.parent.elf.sections.type: + dashed_name: process-session-leader-parent-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.session_leader.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.session_leader.parent.elf.sections.var_entropy: + dashed_name: process-session-leader-parent-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.parent.elf.sections.virtual_address: + dashed_name: process-session-leader-parent-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.session_leader.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.session_leader.parent.elf.sections.virtual_size: + dashed_name: process-session-leader-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.session_leader.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.session_leader.parent.elf.segments: + dashed_name: process-session-leader-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.session_leader.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. 
+ type: nested + process.session_leader.parent.elf.segments.sections: + dashed_name: process-session-leader-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.session_leader.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.session_leader.parent.elf.segments.type: + dashed_name: process-session-leader-parent-elf-segments-type + description: ELF object segment type. + flat_name: process.session_leader.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.session_leader.parent.elf.shared_libraries: + dashed_name: process-session-leader-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.session_leader.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.session_leader.parent.elf.telfhash: + dashed_name: process-session-leader-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.session_leader.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.session_leader.parent.end: + dashed_name: process-session-leader-parent-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. 
+ type: date + process.session_leader.parent.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.parent.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.session_leader.parent.entity_id: + dashed_name: process-session-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.session_leader.parent.entry_meta.source.address: + dashed_name: process-session-leader-parent-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' 
+ flat_name: process.session_leader.parent.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.session_leader.parent.entry_meta.source.as.number: + dashed_name: process-session-leader-parent-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.parent.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.session_leader.parent.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-parent-entry-meta-source-as-organization-name + description: Organization name. + example: Google LLC + flat_name: process.session_leader.parent.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.session_leader.parent.entry_meta.source.bytes: + dashed_name: process-session-leader-parent-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.parent.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.session_leader.parent.entry_meta.source.domain: + dashed_name: process-session-leader-parent-entry-meta-source-domain + description: 'The domain name of the source system. 
+ + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.session_leader.parent.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.session_leader.parent.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.parent.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + process.session_leader.parent.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.session_leader.parent.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.session_leader.parent.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.parent.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.session_leader.parent.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-country-iso-code + description: Country ISO code. 
+ example: CA + flat_name: process.session_leader.parent.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.session_leader.parent.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.parent.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + process.session_leader.parent.entry_meta.source.geo.location: + dashed_name: process-session-leader-parent-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.parent.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.session_leader.parent.entry_meta.source.geo.name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.parent.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.session_leader.parent.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.parent.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + process.session_leader.parent.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-parent-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.parent.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.session_leader.parent.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-parent-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.parent.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.session_leader.parent.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-parent-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.parent.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.session_leader.parent.entry_meta.source.ip: + dashed_name: process-session-leader-parent-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.parent.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip + process.session_leader.parent.entry_meta.source.mac: + dashed_name: process-session-leader-parent-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.parent.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.session_leader.parent.entry_meta.source.nat.ip: + dashed_name: process-session-leader-parent-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.session_leader.parent.entry_meta.source.nat.port: + dashed_name: process-session-leader-parent-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.session_leader.parent.entry_meta.source.packets: + dashed_name: process-session-leader-parent-entry-meta-source-packets + description: Packets sent from the source to the destination. 
+ example: 12 + flat_name: process.session_leader.parent.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.session_leader.parent.entry_meta.source.port: + dashed_name: process-session-leader-parent-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.parent.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.session_leader.parent.entry_meta.source.registered_domain: + dashed_name: process-session-leader-parent-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.session_leader.parent.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. + type: keyword + process.session_leader.parent.entry_meta.source.subdomain: + dashed_name: process-session-leader-parent-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.parent.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.session_leader.parent.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-parent-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.session_leader.parent.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). + type: keyword + process.session_leader.parent.entry_meta.type: + dashed_name: process-session-leader-parent-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.parent.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.session_leader.parent.env_vars: + dashed_name: process-session-leader-parent-env-vars + description: 'Array of environment variable bindings. 
Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.parent.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.executable: + dashed_name: process-session-leader-parent-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.parent.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.session_leader.parent.exit_code: + dashed_name: process-session-leader-parent-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.parent.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.session_leader.parent.group.domain: + dashed_name: process-session-leader-parent-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.session_leader.parent.group.id: + dashed_name: process-session-leader-parent-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.group.name: + dashed_name: process-session-leader-parent-group-name + description: Name of the group. + flat_name: process.session_leader.parent.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.session_leader.parent.hash.md5: + dashed_name: process-session-leader-parent-hash-md5 + description: MD5 hash. + flat_name: process.session_leader.parent.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.session_leader.parent.hash.sha1: + dashed_name: process-session-leader-parent-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.parent.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. 
+ type: keyword + process.session_leader.parent.hash.sha256: + dashed_name: process-session-leader-parent-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.parent.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.session_leader.parent.hash.sha384: + dashed_name: process-session-leader-parent-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.parent.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. + type: keyword + process.session_leader.parent.hash.sha512: + dashed_name: process-session-leader-parent-hash-sha512 + description: SHA512 hash. + flat_name: process.session_leader.parent.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.session_leader.parent.hash.ssdeep: + dashed_name: process-session-leader-parent-hash-ssdeep + description: SSDEEP hash. + flat_name: process.session_leader.parent.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.session_leader.parent.hash.tlsh: + dashed_name: process-session-leader-parent-hash-tlsh + description: TLSH hash. + flat_name: process.session_leader.parent.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.session_leader.parent.interactive: + dashed_name: process-session-leader-parent-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. 
+ + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.session_leader.parent.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.session_leader.parent.io: + dashed_name: process-session-leader-parent-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.parent.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.session_leader.parent.io.bytes_skipped: + dashed_name: process-session-leader-parent-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.session_leader.parent.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.session_leader.parent.io.bytes_skipped.length: + dashed_name: process-session-leader-parent-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.parent.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. 
+ type: long + process.session_leader.parent.io.bytes_skipped.offset: + dashed_name: process-session-leader-parent-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + flat_name: process.session_leader.parent.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.session_leader.parent.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-parent-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.parent.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.session_leader.parent.io.text: + dashed_name: process-session-leader-parent-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.session_leader.parent.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. 
+ type: wildcard + process.session_leader.parent.io.total_bytes_captured: + dashed_name: process-session-leader-parent-io-total-bytes-captured + description: The total number of bytes captured in this event. + flat_name: process.session_leader.parent.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.session_leader.parent.io.total_bytes_skipped: + dashed_name: process-session-leader-parent-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.parent.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.session_leader.parent.io.type: + dashed_name: process-session-leader-parent-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.session_leader.parent.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.session_leader.parent.macho.go_import_hash: + dashed_name: process-session-leader-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.session_leader.parent.macho.go_imports: + dashed_name: process-session-leader-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.session_leader.parent.macho.go_imports_names_entropy: + dashed_name: process-session-leader-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.session_leader.parent.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.macho.go_stripped: + dashed_name: process-session-leader-parent-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.parent.macho.import_hash: + dashed_name: process-session-leader-parent-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.parent.macho.imports: + dashed_name: process-session-leader-parent-macho-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. 
+ type: flattened + process.session_leader.parent.macho.imports_names_entropy: + dashed_name: process-session-leader-parent-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.parent.macho.imports_names_var_entropy: + dashed_name: process-session-leader-parent-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.parent.macho.sections: + dashed_name: process-session-leader-parent-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.session_leader.parent.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.session_leader.parent.macho.sections.entropy: + dashed_name: process-session-leader-parent-macho-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.session_leader.parent.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. + type: long + process.session_leader.parent.macho.sections.name: + dashed_name: process-session-leader-parent-macho-sections-name + description: Mach-O Section List name. + flat_name: process.session_leader.parent.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.session_leader.parent.macho.sections.physical_size: + dashed_name: process-session-leader-parent-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.parent.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.session_leader.parent.macho.sections.var_entropy: + dashed_name: process-session-leader-parent-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.parent.macho.sections.virtual_size: + dashed_name: process-session-leader-parent-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ type: long + process.session_leader.parent.macho.symhash: + dashed_name: process-session-leader-parent-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.parent.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.parent.name: + dashed_name: process-session-leader-parent-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.parent.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.session_leader.parent.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.session_leader.parent.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.session_leader.parent.origin_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-origin-url + description: The URL where the process's executable file is hosted. 
+ example: http://example.com/files/example.exe + flat_name: process.session_leader.parent.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.session_leader.parent.pe.architecture: + dashed_name: process-session-leader-parent-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.session_leader.parent.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.session_leader.parent.pe.company: + dashed_name: process-session-leader-parent-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.session_leader.parent.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.session_leader.parent.pe.description: + dashed_name: process-session-leader-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.session_leader.parent.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.session_leader.parent.pe.file_version: + dashed_name: process-session-leader-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.session_leader.parent.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. 
+ type: keyword + process.session_leader.parent.pe.go_import_hash: + dashed_name: process-session-leader-parent-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.session_leader.parent.pe.go_imports: + dashed_name: process-session-leader-parent-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.session_leader.parent.pe.go_imports_names_entropy: + dashed_name: process-session-leader-parent-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.session_leader.parent.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.pe.go_stripped: + dashed_name: process-session-leader-parent-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.parent.pe.imphash: + dashed_name: process-session-leader-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.session_leader.parent.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.session_leader.parent.pe.import_hash: + dashed_name: process-session-leader-parent-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' 
+ example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.session_leader.parent.pe.imports: + dashed_name: process-session-leader-parent-pe-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.session_leader.parent.pe.imports_names_entropy: + dashed_name: process-session-leader-parent-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.parent.pe.imports_names_var_entropy: + dashed_name: process-session-leader-parent-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.parent.pe.original_file_name: + dashed_name: process-session-leader-parent-pe-original-file-name + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + flat_name: process.session_leader.parent.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.session_leader.parent.pe.pehash: + dashed_name: process-session-leader-parent-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.session_leader.parent.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.session_leader.parent.pe.product: + dashed_name: process-session-leader-parent-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.session_leader.parent.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.session_leader.parent.pe.sections: + dashed_name: process-session-leader-parent-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.session_leader.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. 
+ type: nested + process.session_leader.parent.pe.sections.entropy: + dashed_name: process-session-leader-parent-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.session_leader.parent.pe.sections.name: + dashed_name: process-session-leader-parent-pe-sections-name + description: PE Section List name. + flat_name: process.session_leader.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. + type: keyword + process.session_leader.parent.pe.sections.physical_size: + dashed_name: process-session-leader-parent-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.session_leader.parent.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.session_leader.parent.pe.sections.var_entropy: + dashed_name: process-session-leader-parent-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.parent.pe.sections.virtual_size: + dashed_name: process-session-leader-parent-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. 
+ flat_name: process.session_leader.parent.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.session_leader.parent.pid: + dashed_name: process-session-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.session_leader.parent.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.session_leader.parent.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.session_leader.parent.real_group.domain: + dashed_name: process-session-leader-parent-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.real_group.id: + dashed_name: process-session-leader-parent-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.session_leader.parent.real_group.name: + dashed_name: process-session-leader-parent-real-group-name + description: Name of the group. + flat_name: process.session_leader.parent.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.real_user.domain: + dashed_name: process-session-leader-parent-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.real_user.email: + dashed_name: process-session-leader-parent-real-user-email + description: User email address. + flat_name: process.session_leader.parent.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. 
+ type: object + process.session_leader.parent.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.parent.real_user.entity.id: + dashed_name: process-session-leader-parent-real-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.parent.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.parent.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.parent.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.session_leader.parent.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.parent.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.parent.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.parent.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.parent.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: process.session_leader.parent.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.parent.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.parent.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.parent.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.parent.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. 
This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-real-user-entity-type + description: 'A standardized high-level classification of the entity. 
This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.parent.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.parent.real_user.full_name: + dashed_name: process-session-leader-parent-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.real_user.group.domain: + dashed_name: process-session-leader-parent-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.real_user.group.id: + dashed_name: process-session-leader-parent-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.session_leader.parent.real_user.group.name: + dashed_name: process-session-leader-parent-real-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.real_user.hash: + dashed_name: process-session-leader-parent-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.real_user.id: + dashed_name: process-session-leader-parent-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.session_leader.parent.real_user.name: + dashed_name: process-session-leader-parent-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword + process.session_leader.parent.real_user.risk.calculated_level: + dashed_name: process-session-leader-parent-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.real_user.risk.calculated_score: + dashed_name: process-session-leader-parent-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.parent.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.session_leader.parent.real_user.risk.static_level: + dashed_name: process-session-leader-parent-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.real_user.risk.static_score: + dashed_name: process-session-leader-parent-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.parent.real_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.real_user.roles: + dashed_name: process-session-leader-parent-real-user-roles + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.same_as_process: + dashed_name: process-session-leader-parent-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.parent.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.session_leader.parent.saved_group.domain: + dashed_name: process-session-leader-parent-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.saved_group.id: + dashed_name: process-session-leader-parent-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.saved_group.name: + dashed_name: process-session-leader-parent-saved-group-name + description: Name of the group. + flat_name: process.session_leader.parent.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.saved_user.domain: + dashed_name: process-session-leader-parent-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.saved_user.email: + dashed_name: process-session-leader-parent-saved-user-email + description: User email address. + flat_name: process.session_leader.parent.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.saved_user.entity.attributes: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.parent.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: process.session_leader.parent.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.parent.saved_user.entity.id: + dashed_name: process-session-leader-parent-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.parent.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.parent.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date + process.session_leader.parent.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.parent.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.parent.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: process.session_leader.parent.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.parent.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.parent.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.parent.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.parent.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). 
+ flat_name: process.session_leader.parent.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.parent.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. 
This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. 
This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.parent.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.parent.saved_user.full_name: + dashed_name: process-session-leader-parent-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.saved_user.group.domain: + dashed_name: process-session-leader-parent-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.saved_user.group.id: + dashed_name: process-session-leader-parent-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.saved_user.group.name: + dashed_name: process-session-leader-parent-saved-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.saved_user.hash: + dashed_name: process-session-leader-parent-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.saved_user.id: + dashed_name: process-session-leader-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.session_leader.parent.saved_user.name: + dashed_name: process-session-leader-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.parent.saved_user.risk.calculated_level: + dashed_name: process-session-leader-parent-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.saved_user.risk.calculated_score: + dashed_name: process-session-leader-parent-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.session_leader.parent.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.saved_user.risk.static_level: + dashed_name: process-session-leader-parent-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.saved_user.risk.static_score: + dashed_name: process-session-leader-parent-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.session_leader.parent.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.saved_user.roles: + dashed_name: process-session-leader-parent-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.args: + dashed_name: process-session-leader-parent-session-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.parent.session_leader.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.session_leader.parent.session_leader.args_count: + dashed_name: process-session-leader-parent-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. 
More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.session_leader.parent.session_leader.args_count + level: extended + name: args_count + normalize: [] + original_fieldset: process + short: Length of the process.args array. + type: long + process.session_leader.parent.session_leader.attested_groups.domain: + dashed_name: process-session-leader-parent-session-leader-attested-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.attested_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.attested_groups.id: + dashed_name: process-session-leader-parent-session-leader-attested-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.attested_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.attested_groups.name: + dashed_name: process-session-leader-parent-session-leader-attested-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.attested_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.attested_user.domain: + dashed_name: process-session-leader-parent-session-leader-attested-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.session_leader.attested_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.session_leader.attested_user.email: + dashed_name: process-session-leader-parent-session-leader-attested-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.attested_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.session_leader.attested_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.parent.session_leader.attested_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.session_leader.attested_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.parent.session_leader.attested_user.entity.id: + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). 
For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.parent.session_leader.attested_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.parent.session_leader.attested_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.session_leader.attested_user.entity.metrics: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-attested-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.parent.session_leader.attested_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.parent.session_leader.attested_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: process.session_leader.parent.session_leader.attested_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.parent.session_leader.attested_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.attested_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.parent.session_leader.attested_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.parent.session_leader.attested_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.parent.session_leader.attested_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-attested-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.session_leader.attested_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.session_leader.attested_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. 
+ name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-attested-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.parent.session_leader.attested_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.parent.session_leader.attested_user.full_name: + dashed_name: process-session-leader-parent-session-leader-attested-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.attested_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.session_leader.attested_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-attested-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.attested_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.session_leader.parent.session_leader.attested_user.group.id: + dashed_name: process-session-leader-parent-session-leader-attested-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.attested_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.attested_user.group.name: + dashed_name: process-session-leader-parent-session-leader-attested-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.attested_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.attested_user.hash: + dashed_name: process-session-leader-parent-session-leader-attested-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.attested_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.session_leader.attested_user.id: + dashed_name: process-session-leader-parent-session-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.attested_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.session_leader.parent.session_leader.attested_user.name: + dashed_name: process-session-leader-parent-session-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.attested_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.attested_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.parent.session_leader.attested_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.session_leader.attested_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.session_leader.attested_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.session_leader.attested_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.session_leader.parent.session_leader.attested_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.session_leader.attested_user.roles: + dashed_name: process-session-leader-parent-session-leader-attested-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.attested_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.code_signature.digest_algorithm: + dashed_name: process-session-leader-parent-session-leader-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.session_leader.parent.session_leader.code_signature.digest_algorithm + ignore_above: 1024 + level: extended + name: digest_algorithm + normalize: [] + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. 
+ type: keyword + process.session_leader.parent.session_leader.code_signature.exists: + dashed_name: process-session-leader-parent-session-leader-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.session_leader.parent.session_leader.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + process.session_leader.parent.session_leader.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.session_leader.parent.session_leader.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword + process.session_leader.parent.session_leader.code_signature.signing_id: + dashed_name: process-session-leader-parent-session-leader-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.session_leader.parent.session_leader.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + process.session_leader.parent.session_leader.code_signature.status: + dashed_name: process-session-leader-parent-session-leader-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.session_leader.parent.session_leader.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + process.session_leader.parent.session_leader.code_signature.subject_name: + dashed_name: process-session-leader-parent-session-leader-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.session_leader.parent.session_leader.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + process.session_leader.parent.session_leader.code_signature.team_id: + dashed_name: process-session-leader-parent-session-leader-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.session_leader.parent.session_leader.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + process.session_leader.parent.session_leader.code_signature.thumbprint_sha256: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. 
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.session_leader.parent.session_leader.code_signature.thumbprint_sha256 + ignore_above: 64 + level: extended + name: thumbprint_sha256 + normalize: [] + original_fieldset: code_signature + pattern: ^[0-9a-f]{64}$ + short: SHA256 hash of the certificate. + type: keyword + process.session_leader.parent.session_leader.code_signature.timestamp: + dashed_name: process-session-leader-parent-session-leader-code-signature-timestamp + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' + flat_name: process.session_leader.parent.session_leader.code_signature.timestamp + level: extended + name: timestamp + normalize: [] + original_fieldset: code_signature + short: When the signature was generated and signed. + type: date + process.session_leader.parent.session_leader.code_signature.trusted: + dashed_name: process-session-leader-parent-session-leader-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.session_leader.parent.session_leader.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + process.session_leader.parent.session_leader.code_signature.valid: + dashed_name: process-session-leader-parent-session-leader-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: process.session_leader.parent.session_leader.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + process.session_leader.parent.session_leader.command_line: + dashed_name: process-session-leader-parent-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.parent.session_leader.command_line + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.command_line.text + name: text + type: match_only_text + name: command_line + normalize: [] + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.session_leader.parent.session_leader.elf.architecture: + dashed_name: process-session-leader-parent-session-leader-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.session_leader.parent.session_leader.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.session_leader.parent.session_leader.elf.byte_order: + dashed_name: process-session-leader-parent-session-leader-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.session_leader.parent.session_leader.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. 
+ type: keyword + process.session_leader.parent.session_leader.elf.cpu_type: + dashed_name: process-session-leader-parent-session-leader-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.session_leader.parent.session_leader.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.session_leader.parent.session_leader.elf.creation_date: + dashed_name: process-session-leader-parent-session-leader-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.session_leader.parent.session_leader.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.session_leader.parent.session_leader.elf.exports: + dashed_name: process-session-leader-parent-session-leader-elf-exports + description: List of exported element names and types. + flat_name: process.session_leader.parent.session_leader.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.session_leader.parent.session_leader.elf.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-elf-go-import-hash + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.session_leader.elf.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: elf + short: A hash of the Go language imports in an ELF file. + type: keyword + process.session_leader.parent.session_leader.elf.go_imports: + dashed_name: process-session-leader-parent-session-leader-elf-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.session_leader.elf.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: elf + short: List of imported Go language element names and types. + type: flattened + process.session_leader.parent.session_leader.elf.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.session_leader.parent.session_leader.elf.go_stripped: + dashed_name: process-session-leader-parent-session-leader-elf-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.session_leader.elf.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: elf + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.parent.session_leader.elf.header.abi_version: + dashed_name: process-session-leader-parent-session-leader-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.session_leader.parent.session_leader.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.session_leader.parent.session_leader.elf.header.class: + dashed_name: process-session-leader-parent-session-leader-elf-header-class + description: Header class of the ELF file. + flat_name: process.session_leader.parent.session_leader.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.session_leader.parent.session_leader.elf.header.data: + dashed_name: process-session-leader-parent-session-leader-elf-header-data + description: Data table of the ELF header. + flat_name: process.session_leader.parent.session_leader.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. 
+ type: keyword + process.session_leader.parent.session_leader.elf.header.entrypoint: + dashed_name: process-session-leader-parent-session-leader-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.session_leader.parent.session_leader.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.session_leader.parent.session_leader.elf.header.object_version: + dashed_name: process-session-leader-parent-session-leader-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.session_leader.parent.session_leader.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.session_leader.parent.session_leader.elf.header.os_abi: + dashed_name: process-session-leader-parent-session-leader-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.session_leader.parent.session_leader.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.session_leader.parent.session_leader.elf.header.type: + dashed_name: process-session-leader-parent-session-leader-elf-header-type + description: Header type of the ELF file. + flat_name: process.session_leader.parent.session_leader.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.session_leader.parent.session_leader.elf.header.version: + dashed_name: process-session-leader-parent-session-leader-elf-header-version + description: Version of the ELF header. 
+ flat_name: process.session_leader.parent.session_leader.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.session_leader.parent.session_leader.elf.import_hash: + dashed_name: process-session-leader-parent-session-leader-elf-import-hash + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.session_leader.elf.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: elf + short: A hash of the imports in an ELF file. + type: keyword + process.session_leader.parent.session_leader.elf.imports: + dashed_name: process-session-leader-parent-session-leader-elf-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.session_leader.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.session_leader.parent.session_leader.elf.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.session_leader.elf.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the list of imported element names and + types. 
+ type: long + process.session_leader.parent.session_leader.elf.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.session_leader.elf.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.parent.session_leader.elf.sections: + dashed_name: process-session-leader-parent-session-leader-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.session_leader.parent.session_leader.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.session_leader.parent.session_leader.elf.sections.chi2: + dashed_name: process-session-leader-parent-session-leader-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.session_leader.parent.session_leader.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.session_leader.parent.session_leader.elf.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: process.session_leader.parent.session_leader.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.session_leader.parent.session_leader.elf.sections.flags: + dashed_name: process-session-leader-parent-session-leader-elf-sections-flags + description: ELF Section List flags. + flat_name: process.session_leader.parent.session_leader.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.session_leader.parent.session_leader.elf.sections.name: + dashed_name: process-session-leader-parent-session-leader-elf-sections-name + description: ELF Section List name. + flat_name: process.session_leader.parent.session_leader.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.session_leader.parent.session_leader.elf.sections.physical_offset: + dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.session_leader.parent.session_leader.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.session_leader.parent.session_leader.elf.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.session_leader.parent.session_leader.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. 
+ type: long + process.session_leader.parent.session_leader.elf.sections.type: + dashed_name: process-session-leader-parent-session-leader-elf-sections-type + description: ELF Section List type. + flat_name: process.session_leader.parent.session_leader.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.session_leader.parent.session_leader.elf.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-elf-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.elf.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: elf + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.parent.session_leader.elf.sections.virtual_address: + dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.session_leader.parent.session_leader.elf.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. 
+ type: long + process.session_leader.parent.session_leader.elf.segments: + dashed_name: process-session-leader-parent-session-leader-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.session_leader.parent.session_leader.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.session_leader.parent.session_leader.elf.segments.sections: + dashed_name: process-session-leader-parent-session-leader-elf-segments-sections + description: ELF object segment sections. + flat_name: process.session_leader.parent.session_leader.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.session_leader.parent.session_leader.elf.segments.type: + dashed_name: process-session-leader-parent-session-leader-elf-segments-type + description: ELF object segment type. + flat_name: process.session_leader.parent.session_leader.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.session_leader.parent.session_leader.elf.shared_libraries: + dashed_name: process-session-leader-parent-session-leader-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.session_leader.parent.session_leader.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. 
+ type: keyword + process.session_leader.parent.session_leader.elf.telfhash: + dashed_name: process-session-leader-parent-session-leader-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.session_leader.parent.session_leader.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + process.session_leader.parent.session_leader.end: + dashed_name: process-session-leader-parent-session-leader-end + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.session_leader.end + level: extended + name: end + normalize: [] + original_fieldset: process + short: The time the process ended. + type: date + process.session_leader.parent.session_leader.endpoint_security_client: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-endpoint-security-client + description: Processes that have an endpoint security client must have the com.apple.endpointsecurity + entitlement and the value is set to true in the message. + flat_name: process.session_leader.parent.session_leader.endpoint_security_client + level: extended + name: endpoint_security_client + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is an Endpoint Security client. + type: boolean + process.session_leader.parent.session_leader.entity_id: + dashed_name: process-session-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.session_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.address: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-address + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.address + ignore_above: 1024 + level: extended + name: address + normalize: [] + original_fieldset: source + short: Source network address. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.as.number: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + process.session_leader.parent.session_leader.entry_meta.source.as.organization.name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text + name: text + type: match_only_text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.bytes: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-bytes + description: Bytes sent from the source to the destination. + example: 184 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.bytes + format: bytes + level: core + name: bytes + normalize: [] + original_fieldset: source + short: Bytes sent from the source to the destination. + type: long + process.session_leader.parent.session_leader.entry_meta.source.domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-domain + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + flat_name: process.session_leader.parent.session_leader.entry_meta.source.domain + ignore_above: 1024 + level: core + name: domain + normalize: [] + original_fieldset: source + short: The domain name of the source. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.city_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-city-name + description: City name. + example: Montreal + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. 
+ type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-name + description: Name of the continent. + example: North America + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.country_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-name + description: Country name. + example: Canada + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
+ type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.location: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + process.session_leader.parent.session_leader.entry_meta.source.geo.name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. 
+ type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.region_name: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-name + description: Region name. + example: Quebec + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.geo.timezone: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.ip: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.session_leader.parent.session_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. 
+ type: ip + process.session_leader.parent.session_leader.entry_meta.source.mac: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-mac + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.mac + ignore_above: 1024 + level: core + name: mac + normalize: [] + original_fieldset: source + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + short: MAC address of the source. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.nat.ip: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.ip + level: extended + name: nat.ip + normalize: [] + original_fieldset: source + short: Source NAT ip + type: ip + process.session_leader.parent.session_leader.entry_meta.source.nat.port: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-port + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' 
+ flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.port + format: string + level: extended + name: nat.port + normalize: [] + original_fieldset: source + short: Source NAT port + type: long + process.session_leader.parent.session_leader.entry_meta.source.packets: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-packets + description: Packets sent from the source to the destination. + example: 12 + flat_name: process.session_leader.parent.session_leader.entry_meta.source.packets + level: core + name: packets + normalize: [] + original_fieldset: source + short: Packets sent from the source to the destination. + type: long + process.session_leader.parent.session_leader.entry_meta.source.port: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-port + description: Port of the source. + flat_name: process.session_leader.parent.session_leader.entry_meta.source.port + format: string + level: core + name: port + normalize: [] + original_fieldset: source + short: Port of the source. + type: long + process.session_leader.parent.session_leader.entry_meta.source.registered_domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-registered-domain + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: process.session_leader.parent.session_leader.entry_meta.source.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: source + short: The highest registered source domain, stripped of the subdomain. 
+ type: keyword + process.session_leader.parent.session_leader.entry_meta.source.subdomain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: process.session_leader.parent.session_leader.entry_meta.source.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: source + short: The subdomain of the domain. + type: keyword + process.session_leader.parent.session_leader.entry_meta.source.top_level_domain: + dashed_name: process-session-leader-parent-session-leader-entry-meta-source-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: process.session_leader.parent.session_leader.entry_meta.source.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: source + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword + process.session_leader.parent.session_leader.entry_meta.type: + dashed_name: process-session-leader-parent-session-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.session_leader.parent.session_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.session_leader.parent.session_leader.env_vars: + dashed_name: process-session-leader-parent-session-leader-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.session_leader.parent.session_leader.env_vars + ignore_above: 1024 + level: extended + name: env_vars + normalize: + - array + original_fieldset: process + short: Array of environment variable bindings. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.executable: + dashed_name: process-session-leader-parent-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.parent.session_leader.executable + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.executable.text + name: text + type: match_only_text + name: executable + normalize: [] + original_fieldset: process + short: Absolute path to the process executable. 
+ type: keyword + process.session_leader.parent.session_leader.exit_code: + dashed_name: process-session-leader-parent-session-leader-exit-code + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.session_leader.parent.session_leader.exit_code + level: extended + name: exit_code + normalize: [] + original_fieldset: process + short: The exit code of the process. + type: long + process.session_leader.parent.session_leader.group.domain: + dashed_name: process-session-leader-parent-session-leader-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.group.id: + dashed_name: process-session-leader-parent-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.group.name: + dashed_name: process-session-leader-parent-session-leader-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.hash.cdhash: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.session_leader.parent.session_leader.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword + process.session_leader.parent.session_leader.hash.md5: + dashed_name: process-session-leader-parent-session-leader-hash-md5 + description: MD5 hash. + flat_name: process.session_leader.parent.session_leader.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + process.session_leader.parent.session_leader.hash.sha1: + dashed_name: process-session-leader-parent-session-leader-hash-sha1 + description: SHA1 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + process.session_leader.parent.session_leader.hash.sha256: + dashed_name: process-session-leader-parent-session-leader-hash-sha256 + description: SHA256 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + process.session_leader.parent.session_leader.hash.sha384: + dashed_name: process-session-leader-parent-session-leader-hash-sha384 + description: SHA384 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha384 + ignore_above: 1024 + level: extended + name: sha384 + normalize: [] + original_fieldset: hash + short: SHA384 hash. 
+ type: keyword + process.session_leader.parent.session_leader.hash.sha512: + dashed_name: process-session-leader-parent-session-leader-hash-sha512 + description: SHA512 hash. + flat_name: process.session_leader.parent.session_leader.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + process.session_leader.parent.session_leader.hash.ssdeep: + dashed_name: process-session-leader-parent-session-leader-hash-ssdeep + description: SSDEEP hash. + flat_name: process.session_leader.parent.session_leader.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + process.session_leader.parent.session_leader.hash.tlsh: + dashed_name: process-session-leader-parent-session-leader-hash-tlsh + description: TLSH hash. + flat_name: process.session_leader.parent.session_leader.hash.tlsh + ignore_above: 1024 + level: extended + name: tlsh + normalize: [] + original_fieldset: hash + short: TLSH hash. + type: keyword + process.session_leader.parent.session_leader.interactive: + dashed_name: process-session-leader-parent-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' 
+ example: true + flat_name: process.session_leader.parent.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.session_leader.parent.session_leader.io: + dashed_name: process-session-leader-parent-session-leader-io + description: 'A chunk of input or output (IO) from a single process. + + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' + flat_name: process.session_leader.parent.session_leader.io + level: extended + name: io + normalize: [] + original_fieldset: process + short: A chunk of input or output (IO) from a single process. + type: object + process.session_leader.parent.session_leader.io.bytes_skipped: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped + description: An array of byte offsets and lengths denoting where IO data has + been skipped. + flat_name: process.session_leader.parent.session_leader.io.bytes_skipped + level: extended + name: io.bytes_skipped + normalize: + - array + original_fieldset: process + short: An array of byte offsets and lengths denoting where IO data has been + skipped. + type: object + process.session_leader.parent.session_leader.io.bytes_skipped.length: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-length + description: The length of bytes skipped. + flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.length + level: extended + name: io.bytes_skipped.length + normalize: [] + original_fieldset: process + short: The length of bytes skipped. + type: long + process.session_leader.parent.session_leader.io.bytes_skipped.offset: + dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-offset + description: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. 
+ flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.offset + level: extended + name: io.bytes_skipped.offset + normalize: [] + original_fieldset: process + short: The byte offset into this event's io.text (or io.bytes in the future) + where length bytes were skipped. + type: long + process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded: + dashed_name: process-session-leader-parent-session-leader-io-max-bytes-per-process-exceeded + description: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + flat_name: process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded + level: extended + name: io.max_bytes_per_process_exceeded + normalize: [] + original_fieldset: process + short: If true, the process producing the output has exceeded the max_kilobytes_per_process + configuration setting. + type: boolean + process.session_leader.parent.session_leader.io.text: + dashed_name: process-session-leader-parent-session-leader-io-text + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' + flat_name: process.session_leader.parent.session_leader.io.text + level: extended + name: io.text + normalize: [] + original_fieldset: process + short: A chunk of output or input sanitized to UTF-8. + type: wildcard + process.session_leader.parent.session_leader.io.total_bytes_captured: + dashed_name: process-session-leader-parent-session-leader-io-total-bytes-captured + description: The total number of bytes captured in this event. 
+ flat_name: process.session_leader.parent.session_leader.io.total_bytes_captured + level: extended + name: io.total_bytes_captured + normalize: [] + original_fieldset: process + short: The total number of bytes captured in this event. + type: long + process.session_leader.parent.session_leader.io.total_bytes_skipped: + dashed_name: process-session-leader-parent-session-leader-io-total-bytes-skipped + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero + flat_name: process.session_leader.parent.session_leader.io.total_bytes_skipped + level: extended + name: io.total_bytes_skipped + normalize: [] + original_fieldset: process + short: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. + type: long + process.session_leader.parent.session_leader.io.type: + dashed_name: process-session-leader-parent-session-leader-io-type + description: 'The type of object on which the IO action (read or write) was + taken. + + Currently only ''tty'' is supported. Other types may be added in the future + for ''file'' and ''socket'' support.' + flat_name: process.session_leader.parent.session_leader.io.type + ignore_above: 1024 + level: extended + name: io.type + normalize: [] + original_fieldset: process + short: The type of object on which the IO action (read or write) was taken. + type: keyword + process.session_leader.parent.session_leader.macho.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.session_leader.macho.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.session_leader.parent.session_leader.macho.go_imports: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.session_leader.macho.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened + process.session_leader.parent.session_leader.macho.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of Go imports. 
+ type: long + process.session_leader.parent.session_leader.macho.go_stripped: + dashed_name: process-session-leader-parent-session-leader-macho-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.session_leader.macho.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: macho + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.parent.session_leader.macho.import_hash: + dashed_name: process-session-leader-parent-session-leader-macho-import-hash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.session_leader.macho.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.parent.session_leader.macho.imports: + dashed_name: process-session-leader-parent-session-leader-macho-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.session_leader.macho.imports + level: extended + name: imports + normalize: + - array + original_fieldset: macho + short: List of imported element names and types. + type: flattened + process.session_leader.parent.session_leader.macho.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. 
+ flat_name: process.session_leader.parent.session_leader.macho.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.parent.session_leader.macho.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.session_leader.macho.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.parent.session_leader.macho.sections: + dashed_name: process-session-leader-parent-session-leader-macho-sections + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' + flat_name: process.session_leader.parent.session_leader.macho.sections + level: extended + name: sections + normalize: + - array + original_fieldset: macho + short: Section information of the Mach-O file. + type: nested + process.session_leader.parent.session_leader.macho.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-macho-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.macho.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: macho + short: Shannon entropy calculation from the section. 
+ type: long + process.session_leader.parent.session_leader.macho.sections.name: + dashed_name: process-session-leader-parent-session-leader-macho-sections-name + description: Mach-O Section List name. + flat_name: process.session_leader.parent.session_leader.macho.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: macho + short: Mach-O Section List name. + type: keyword + process.session_leader.parent.session_leader.macho.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-macho-sections-physical-size + description: Mach-O Section List physical size. + flat_name: process.session_leader.parent.session_leader.macho.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List physical size. + type: long + process.session_leader.parent.session_leader.macho.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-macho-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.macho.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: macho + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.parent.session_leader.macho.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-macho-sections-virtual-size + description: Mach-O Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.session_leader.macho.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: macho + short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
+ type: long + process.session_leader.parent.session_leader.macho.symhash: + dashed_name: process-session-leader-parent-session-leader-macho-symhash + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec + flat_name: process.session_leader.parent.session_leader.macho.symhash + ignore_above: 1024 + level: extended + name: symhash + normalize: [] + original_fieldset: macho + short: A hash of the imports in a Mach-O file. + type: keyword + process.session_leader.parent.session_leader.name: + dashed_name: process-session-leader-parent-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.parent.session_leader.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: process + short: Process name. + type: keyword + process.session_leader.parent.session_leader.origin_referrer_url: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-origin-referrer-url + description: The URL of the webpage that linked to the process's executable + file. + example: http://example.com/article1.html + flat_name: process.session_leader.parent.session_leader.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + original_fieldset: process + short: The URL of the webpage that linked to the process's executable file. + type: keyword + process.session_leader.parent.session_leader.origin_url: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.session_leader.parent.session_leader.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + original_fieldset: process + short: The URL where the process's executable file is hosted. + type: keyword + process.session_leader.parent.session_leader.pe.architecture: + dashed_name: process-session-leader-parent-session-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.session_leader.parent.session_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.session_leader.parent.session_leader.pe.company: + dashed_name: process-session-leader-parent-session-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.session_leader.parent.session_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.session_leader.parent.session_leader.pe.description: + dashed_name: process-session-leader-parent-session-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.session_leader.parent.session_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
+ type: keyword + process.session_leader.parent.session_leader.pe.file_version: + dashed_name: process-session-leader-parent-session-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.session_leader.parent.session_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.session_leader.parent.session_leader.pe.go_import_hash: + dashed_name: process-session-leader-parent-session-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.parent.session_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.session_leader.parent.session_leader.pe.go_imports: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.parent.session_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. 
+ type: flattened + process.session_leader.parent.session_leader.pe.go_imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.parent.session_leader.pe.go_stripped: + dashed_name: process-session-leader-parent-session-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.session_leader.parent.session_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.parent.session_leader.pe.imphash: + dashed_name: process-session-leader-parent-session-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.session_leader.parent.session_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.session_leader.parent.session_leader.pe.import_hash: + dashed_name: process-session-leader-parent-session-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.parent.session_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.session_leader.parent.session_leader.pe.imports: + dashed_name: process-session-leader-parent-session-leader-pe-imports + description: List of imported element names and types. + flat_name: process.session_leader.parent.session_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.session_leader.parent.session_leader.pe.imports_names_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.parent.session_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. 
+ type: long + process.session_leader.parent.session_leader.pe.imports_names_var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.parent.session_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.parent.session_leader.pe.original_file_name: + dashed_name: process-session-leader-parent-session-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.session_leader.parent.session_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.session_leader.parent.session_leader.pe.pehash: + dashed_name: process-session-leader-parent-session-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.session_leader.parent.session_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. 
+ type: keyword + process.session_leader.parent.session_leader.pe.product: + dashed_name: process-session-leader-parent-session-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.session_leader.parent.session_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.session_leader.parent.session_leader.pe.sections: + dashed_name: process-session-leader-parent-session-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.session_leader.parent.session_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.session_leader.parent.session_leader.pe.sections.entropy: + dashed_name: process-session-leader-parent-session-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.session_leader.parent.session_leader.pe.sections.name: + dashed_name: process-session-leader-parent-session-leader-pe-sections-name + description: PE Section List name. + flat_name: process.session_leader.parent.session_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword + process.session_leader.parent.session_leader.pe.sections.physical_size: + dashed_name: process-session-leader-parent-session-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.session_leader.parent.session_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.session_leader.parent.session_leader.pe.sections.var_entropy: + dashed_name: process-session-leader-parent-session-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.parent.session_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.parent.session_leader.pe.sections.virtual_size: + dashed_name: process-session-leader-parent-session-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.parent.session_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.session_leader.parent.session_leader.pid: + dashed_name: process-session-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.session_leader.parent.session_leader.platform_binary: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. + flat_name: process.session_leader.parent.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.session_leader.parent.session_leader.real_group.domain: + dashed_name: process-session-leader-parent-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.real_group.id: + dashed_name: process-session-leader-parent-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.real_group.name: + dashed_name: process-session-leader-parent-session-leader-real-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. 
+ type: keyword + process.session_leader.parent.session_leader.real_user.domain: + dashed_name: process-session-leader-parent-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.session_leader.real_user.email: + dashed_name: process-session-leader-parent-session-leader-real-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.session_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.session_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.parent.session_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.session_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.parent.session_leader.real_user.entity.id: + dashed_name: process-session-leader-parent-session-leader-real-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.parent.session_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.parent.session_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.session_leader.parent.session_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.session_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.parent.session_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.parent.session_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.parent.session_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.parent.session_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.parent.session_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.parent.session_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.parent.session_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.parent.session_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.session_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.session_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. 
This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.parent.session_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.parent.session_leader.real_user.full_name: + dashed_name: process-session-leader-parent-session-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.session_leader.real_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.session_leader.parent.session_leader.real_user.group.id: + dashed_name: process-session-leader-parent-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.real_user.group.name: + dashed_name: process-session-leader-parent-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.real_user.hash: + dashed_name: process-session-leader-parent-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.session_leader.real_user.id: + dashed_name: process-session-leader-parent-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.session_leader.parent.session_leader.real_user.name: + dashed_name: process-session-leader-parent-session-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.parent.session_leader.real_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.session_leader.real_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. 
+ type: float + process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.session_leader.real_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.session_leader.real_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. 
+ type: float + process.session_leader.parent.session_leader.real_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.session_leader.real_user.roles: + dashed_name: process-session-leader-parent-session-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.same_as_process: + dashed_name: process-session-leader-parent-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. 
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.parent.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.session_leader.parent.session_leader.saved_group.domain: + dashed_name: process-session-leader-parent-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.saved_group.id: + dashed_name: process-session-leader-parent-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.saved_group.name: + dashed_name: process-session-leader-parent-session-leader-saved-group-name + description: Name of the group. 
+ flat_name: process.session_leader.parent.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.saved_user.domain: + dashed_name: process-session-leader-parent-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.session_leader.saved_user.email: + dashed_name: process-session-leader-parent-session-leader-saved-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.saved_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.session_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. 
+ type: object + process.session_leader.parent.session_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.session_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. 
+ type: keyword + process.session_leader.parent.session_leader.saved_user.entity.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.parent.session_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.parent.session_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.session_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.parent.session_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.parent.session_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.parent.session_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.saved_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.parent.session_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.parent.session_leader.saved_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. 
+ type: keyword + process.session_leader.parent.session_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.session_leader.saved_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.session_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. 
+ name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. 
+ name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.parent.session_leader.saved_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.parent.session_leader.saved_user.full_name: + dashed_name: process-session-leader-parent-session-leader-saved-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.saved_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.session_leader.saved_user.group.domain: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.session_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.saved_user.group.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.saved_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.saved_user.group.name: + dashed_name: process-session-leader-parent-session-leader-saved-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.saved_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.saved_user.hash: + dashed_name: process-session-leader-parent-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.session_leader.saved_user.id: + dashed_name: process-session-leader-parent-session-leader-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.saved_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.session_leader.parent.session_leader.saved_user.name: + dashed_name: process-session-leader-parent-session-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.saved_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.saved_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.parent.session_leader.saved_user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.session_leader.saved_user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.session_leader.saved_user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.session_leader.saved_user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: 830.0 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.parent.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.parent.session_leader.saved_user.roles: + dashed_name: process-session-leader-parent-session-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.saved_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.start: + dashed_name: process-session-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.session_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. 
+ type: date + process.session_leader.parent.session_leader.supplemental_groups.domain: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.supplemental_groups.id: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.session_leader.supplemental_groups.name: + dashed_name: process-session-leader-parent-session-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.thread.capabilities.effective: + dashed_name: process-session-leader-parent-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.parent.session_leader.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.thread.capabilities.permitted: + dashed_name: process-session-leader-parent-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.parent.session_leader.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.thread.id: + dashed_name: process-session-leader-parent-session-leader-thread-id + description: Thread ID. + example: 4242 + flat_name: process.session_leader.parent.session_leader.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.session_leader.parent.session_leader.thread.name: + dashed_name: process-session-leader-parent-session-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.session_leader.parent.session_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.session_leader.parent.session_leader.title: + dashed_name: process-session-leader-parent-session-leader-title + description: 'Process title. 
+ + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.session_leader.parent.session_leader.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.session_leader.parent.session_leader.tty: + dashed_name: process-session-leader-parent-session-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.session_leader.parent.session_leader.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.session_leader.parent.session_leader.tty.char_device.major: + dashed_name: process-session-leader-parent-session-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.session_leader.parent.session_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.session_leader.parent.session_leader.tty.char_device.minor: + dashed_name: process-session-leader-parent-session-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. 
It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.session_leader.parent.session_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.session_leader.parent.session_leader.tty.columns: + dashed_name: process-session-leader-parent-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.parent.session_leader.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.session_leader.parent.session_leader.tty.rows: + dashed_name: process-session-leader-parent-session-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.parent.session_leader.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.session_leader.parent.session_leader.uptime: + dashed_name: process-session-leader-parent-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.session_leader.parent.session_leader.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. 
+ type: long + process.session_leader.parent.session_leader.user.domain: + dashed_name: process-session-leader-parent-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.session_leader.user.email: + dashed_name: process-session-leader-parent-session-leader-user-email + description: User email address. + flat_name: process.session_leader.parent.session_leader.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.session_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.session_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.parent.session_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. 
Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.session_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.session_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.parent.session_leader.user.entity.id: + dashed_name: process-session-leader-parent-session-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). 
For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.parent.session_leader.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.parent.session_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.session_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.parent.session_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.session_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.session_leader.user.entity.metrics: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-session-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.parent.session_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.parent.session_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.parent.session_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.parent.session_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.parent.session_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object + process.session_leader.parent.session_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.session_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.parent.session_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.parent.session_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.parent.session_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: process.session_leader.parent.session_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.session_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-session-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.parent.session_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.parent.session_leader.user.full_name: + dashed_name: process-session-leader-parent-session-leader-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.session_leader.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.session_leader.user.group.domain: + dashed_name: process-session-leader-parent-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.session_leader.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.session_leader.user.group.id: + dashed_name: process-session-leader-parent-session-leader-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.session_leader.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + process.session_leader.parent.session_leader.user.group.name: + dashed_name: process-session-leader-parent-session-leader-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.session_leader.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.session_leader.user.hash: + dashed_name: process-session-leader-parent-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.session_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.session_leader.user.id: + dashed_name: process-session-leader-parent-session-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.session_leader.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.session_leader.parent.session_leader.user.name: + dashed_name: process-session-leader-parent-session-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.session_leader.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.session_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. 
+ type: keyword + process.session_leader.parent.session_leader.user.risk.calculated_level: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.session_leader.user.risk.calculated_score: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.parent.session_leader.user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.session_leader.parent.session_leader.user.risk.static_level: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.session_leader.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.session_leader.user.risk.static_score: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.session_leader.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.parent.session_leader.user.risk.static_score_norm: + dashed_name: process-session-leader-parent-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.session_leader.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float + process.session_leader.parent.session_leader.user.roles: + dashed_name: process-session-leader-parent-session-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.session_leader.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.session_leader.parent.session_leader.working_directory: + dashed_name: process-session-leader-parent-session-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.session_leader.parent.session_leader.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.session_leader.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.session_leader.parent.start: + dashed_name: process-session-leader-parent-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.session_leader.parent.supplemental_groups.domain: + dashed_name: process-session-leader-parent-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.parent.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.supplemental_groups.id: + dashed_name: process-session-leader-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.supplemental_groups.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.supplemental_groups.name: + dashed_name: process-session-leader-parent-supplemental-groups-name + description: Name of the group. + flat_name: process.session_leader.parent.supplemental_groups.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.thread.capabilities.effective: + dashed_name: process-session-leader-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.thread.capabilities.permitted: + dashed_name: process-session-leader-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.thread.id: + dashed_name: process-session-leader-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.session_leader.parent.thread.id + format: string + level: extended + name: thread.id + normalize: [] + original_fieldset: process + short: Thread ID. + type: long + process.session_leader.parent.thread.name: + dashed_name: process-session-leader-parent-thread-name + description: Thread name. + example: thread-0 + flat_name: process.session_leader.parent.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.session_leader.parent.title: + dashed_name: process-session-leader-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' 
+ flat_name: process.session_leader.parent.title + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.title.text + name: text + type: match_only_text + name: title + normalize: [] + original_fieldset: process + short: Process title. + type: keyword + process.session_leader.parent.tty: + dashed_name: process-session-leader-parent-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.session_leader.parent.tty + level: extended + name: tty + normalize: [] + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.session_leader.parent.tty.char_device.major: + dashed_name: process-session-leader-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.session_leader.parent.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.session_leader.parent.tty.char_device.minor: + dashed_name: process-session-leader-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. 
+ example: 1 + flat_name: process.session_leader.parent.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.session_leader.parent.tty.columns: + dashed_name: process-session-leader-parent-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.parent.tty.columns + level: extended + name: tty.columns + normalize: [] + original_fieldset: process + short: The number of character columns per line. e.g terminal width + type: long + process.session_leader.parent.tty.rows: + dashed_name: process-session-leader-parent-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.parent.tty.rows + level: extended + name: tty.rows + normalize: [] + original_fieldset: process + short: The number of character rows in the terminal. e.g terminal height + type: long + process.session_leader.parent.uptime: + dashed_name: process-session-leader-parent-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.session_leader.parent.uptime + level: extended + name: uptime + normalize: [] + original_fieldset: process + short: Seconds the process has been up. + type: long + process.session_leader.parent.user.domain: + dashed_name: process-session-leader-parent-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.parent.user.email: + dashed_name: process-session-leader-parent-user-email + description: User email address. + flat_name: process.session_leader.parent.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.parent.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.parent.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.parent.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.session_leader.parent.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.parent.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.parent.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.parent.user.entity.id: + dashed_name: process-session-leader-parent-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.parent.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. 
+ type: keyword + process.session_leader.parent.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.parent.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.parent.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.parent.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.parent.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.parent.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.parent.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-name + description: The name of the entity. 
The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.parent.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.parent.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.parent.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.parent.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.parent.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.parent.user.entity.source: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-parent-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.parent.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.parent.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.parent.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.parent.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. 
+ name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. 
+ name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-parent-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.parent.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.parent.user.full_name: + dashed_name: process-session-leader-parent-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.parent.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.parent.user.group.domain: + dashed_name: process-session-leader-parent-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.parent.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.parent.user.group.id: + dashed_name: process-session-leader-parent-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.parent.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.parent.user.group.name: + dashed_name: process-session-leader-parent-user-group-name + description: Name of the group. + flat_name: process.session_leader.parent.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.parent.user.hash: + dashed_name: process-session-leader-parent-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.parent.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.parent.user.id: + dashed_name: process-session-leader-parent-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.parent.user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.session_leader.parent.user.name: + dashed_name: process-session-leader-parent-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.parent.user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.parent.user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.parent.user.risk.calculated_level: + dashed_name: process-session-leader-parent-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.parent.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.parent.user.risk.calculated_score: + dashed_name: process-session-leader-parent-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.parent.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.parent.user.risk.calculated_score_norm: + dashed_name: process-session-leader-parent-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + flat_name: process.session_leader.parent.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.parent.user.risk.static_level: + dashed_name: process-session-leader-parent-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.parent.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.parent.user.risk.static_score: + dashed_name: process-session-leader-parent-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.parent.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.parent.user.risk.static_score_norm: + dashed_name: process-session-leader-parent-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.parent.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float + process.session_leader.parent.user.roles: + dashed_name: process-session-leader-parent-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.parent.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.parent.vpid: + dashed_name: process-session-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.session_leader.parent.working_directory: + dashed_name: process-session-leader-parent-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.session_leader.parent.working_directory + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.parent.working_directory.text + name: text + type: match_only_text + name: working_directory + normalize: [] + original_fieldset: process + short: The working directory of the process. + type: keyword + process.session_leader.pe.architecture: + dashed_name: process-session-leader-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.session_leader.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. 
+ type: keyword + process.session_leader.pe.company: + dashed_name: process-session-leader-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.session_leader.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + process.session_leader.pe.description: + dashed_name: process-session-leader-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.session_leader.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.session_leader.pe.file_version: + dashed_name: process-session-leader-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.session_leader.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + process.session_leader.pe.go_import_hash: + dashed_name: process-session-leader-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.session_leader.pe.go_import_hash + ignore_above: 1024 + level: extended + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. + type: keyword + process.session_leader.pe.go_imports: + dashed_name: process-session-leader-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.session_leader.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.session_leader.pe.go_imports_names_entropy: + dashed_name: process-session-leader-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.pe.go_imports_names_var_entropy: + dashed_name: process-session-leader-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.session_leader.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.session_leader.pe.go_stripped: + dashed_name: process-session-leader-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ flat_name: process.session_leader.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.session_leader.pe.imphash: + dashed_name: process-session-leader-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.session_leader.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.session_leader.pe.import_hash: + dashed_name: process-session-leader-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.session_leader.pe.import_hash + ignore_above: 1024 + level: extended + name: import_hash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + process.session_leader.pe.imports: + dashed_name: process-session-leader-pe-imports + description: List of imported element names and types. + flat_name: process.session_leader.pe.imports + level: extended + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. 
+ type: flattened + process.session_leader.pe.imports_names_entropy: + dashed_name: process-session-leader-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.session_leader.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.session_leader.pe.imports_names_var_entropy: + dashed_name: process-session-leader-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.session_leader.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.session_leader.pe.original_file_name: + dashed_name: process-session-leader-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.session_leader.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + process.session_leader.pe.pehash: + dashed_name: process-session-leader-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.session_leader.pe.pehash + ignore_above: 1024 + level: extended + name: pehash + normalize: [] + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword + process.session_leader.pe.product: + dashed_name: process-session-leader-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.session_leader.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + process.session_leader.pe.sections: + dashed_name: process-session-leader-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.session_leader.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.session_leader.pe.sections.entropy: + dashed_name: process-session-leader-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.session_leader.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.session_leader.pe.sections.name: + dashed_name: process-session-leader-pe-sections-name + description: PE Section List name. + flat_name: process.session_leader.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. 
+ type: keyword + process.session_leader.pe.sections.physical_size: + dashed_name: process-session-leader-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.session_leader.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. + type: long + process.session_leader.pe.sections.var_entropy: + dashed_name: process-session-leader-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.session_leader.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.session_leader.pe.sections.virtual_size: + dashed_name: process-session-leader-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.session_leader.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size normalize: [] original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.session_leader.pid: + dashed_name: process-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + otel: + - relation: match + stability: development + short: Process id. + type: long + process.session_leader.platform_binary: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-platform-binary + description: Binaries that are shipped by the operating system are defined as + platform binaries, this value is then set to true. 
+ flat_name: process.session_leader.platform_binary + level: extended + name: platform_binary + normalize: [] + original_fieldset: process + short: Indicates whether this process executable is a default platform binary + shipped with the operating system. + type: boolean + process.session_leader.real_group.domain: + dashed_name: process-session-leader-real-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.real_group.id: + dashed_name: process-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.real_group.name: + dashed_name: process-session-leader-real-group-name + description: Name of the group. + flat_name: process.session_leader.real_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.real_user.domain: + dashed_name: process-session-leader-real-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.session_leader.real_user.email: + dashed_name: process-session-leader-real-user-email + description: User email address. 
+ flat_name: process.session_leader.real_user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.session_leader.real_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.real_user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.real_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.real_user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.real_user.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: process-session-leader-real-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.real_user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.real_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.real_user.entity.id: + dashed_name: process-session-leader-real-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.real_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.real_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. 
+ flat_name: process.session_leader.real_user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.real_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.real_user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.real_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.real_user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.real_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: process.session_leader.real_user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.real_user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.real_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.real_user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.real_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.real_user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.real_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). 
+ flat_name: process.session_leader.real_user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.real_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.real_user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.real_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. 
+ Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. 
Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-real-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.real_user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.real_user.full_name: + dashed_name: process-session-leader-real-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.session_leader.real_user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.real_user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.session_leader.real_user.group.domain: + dashed_name: process-session-leader-real-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.real_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. 
+ type: keyword + process.session_leader.real_user.group.id: + dashed_name: process-session-leader-real-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.real_user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.real_user.group.name: + dashed_name: process-session-leader-real-user-group-name + description: Name of the group. + flat_name: process.session_leader.real_user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.real_user.hash: + dashed_name: process-session-leader-real-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.real_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.real_user.id: + dashed_name: process-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + process.session_leader.real_user.name: + dashed_name: process-session-leader-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.session_leader.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword + process.session_leader.real_user.risk.calculated_level: + dashed_name: process-session-leader-real-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.real_user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.session_leader.real_user.risk.calculated_score: + dashed_name: process-session-leader-real-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.real_user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.real_user.risk.calculated_score_norm: + dashed_name: process-session-leader-real-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. 
+ example: 88.73 + flat_name: process.session_leader.real_user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.real_user.risk.static_level: + dashed_name: process-session-leader-real-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.real_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.real_user.risk.static_score: + dashed_name: process-session-leader-real-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.real_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.real_user.risk.static_score_norm: + dashed_name: process-session-leader-real-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.real_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. 
+ type: float + process.session_leader.real_user.roles: + dashed_name: process-session-leader-real-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.real_user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword + process.session_leader.same_as_process: + dashed_name: process-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.same_as_process + level: extended + name: same_as_process + normalize: [] + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. 
+ type: boolean + process.session_leader.saved_group.domain: + dashed_name: process-session-leader-saved-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.saved_group.id: + dashed_name: process-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.saved_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.session_leader.saved_group.name: + dashed_name: process-session-leader-saved-group-name + description: Name of the group. + flat_name: process.session_leader.saved_group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.saved_user.domain: + dashed_name: process-session-leader-saved-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. type: keyword - process.pe.product: - dashed_name: process-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.pe.product + process.session_leader.saved_user.email: + dashed_name: process-session-leader-saved-user-email + description: User email address. 
+ flat_name: process.session_leader.saved_user.email ignore_above: 1024 level: extended - name: product + name: email normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. + original_fieldset: user + short: User email address. type: keyword - process.pe.sections: - dashed_name: process-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.pe.sections + process.session_leader.saved_user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.saved_user.entity.attributes level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.pe.sections.entropy: - dashed_name: process-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.pe.sections.entropy - format: number + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.saved_user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. 
Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.saved_user.entity.behavior level: extended - name: sections.entropy + name: behavior normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.pe.sections.name: - dashed_name: process-pe-sections-name - description: PE Section List name. - flat_name: process.pe.sections.name + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.saved_user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.saved_user.entity.display_name ignore_above: 1024 level: extended - name: sections.name + multi_fields: + - flat_name: process.session_leader.saved_user.entity.display_name.text + name: text + norms: false + type: text + name: display_name normalize: [] - original_fieldset: pe - short: PE Section List name. + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. type: keyword - process.pe.sections.physical_size: - dashed_name: process-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.pe.sections.physical_size - format: bytes + process.session_leader.saved_user.entity.id: + dashed_name: process-session-leader-saved-user-entity-id + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.saved_user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.session_leader.saved_user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.saved_user.entity.last_seen_timestamp level: extended - name: sections.physical_size + name: last_seen_timestamp normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.pe.sections.var_entropy: - dashed_name: process-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.pe.sections.var_entropy - format: number + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.saved_user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.saved_user.entity.lifecycle level: extended - name: sections.var_entropy + name: lifecycle normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.pe.sections.virtual_size: - dashed_name: process-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.pe.sections.virtual_size - format: string + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.saved_user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.saved_user.entity.metrics level: extended - name: sections.virtual_size + name: metrics normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.pid: - dashed_name: process-pid - description: Process id. - example: 4242 - flat_name: process.pid - format: string + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.session_leader.saved_user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: process.session_leader.saved_user.entity.name + ignore_above: 1024 level: core - name: pid + multi_fields: + - flat_name: process.session_leader.saved_user.entity.name.text + name: text + norms: false + type: text + name: name normalize: [] - otel: - - relation: match - stability: development - short: Process id. - type: long - process.previous.args: - dashed_name: process-previous-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.previous.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. + original_fieldset: entity + short: The name of the entity. type: keyword - process.previous.args_count: - dashed_name: process-previous-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.previous.args_count + process.session_leader.saved_user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.saved_user.entity.raw level: extended - name: args_count + name: raw normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.previous.executable: - dashed_name: process-previous-executable - description: Absolute path to the process executable. 
- example: /usr/bin/ssh - flat_name: process.previous.executable + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.saved_user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.session_leader.saved_user.entity.reference ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.previous.executable.text - name: text - type: match_only_text - name: executable + name: reference normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. type: keyword - process.real_group.id: - dashed_name: process-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.real_group.id + process.session_leader.saved_user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.saved_user.entity.source ignore_above: 1024 - level: extended - name: id + level: core + name: source normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: entity + short: Source module or integration that provided the entity data. type: keyword - process.real_group.name: - dashed_name: process-real-group-name - description: Name of the group. 
- flat_name: process.real_group.name + process.session_leader.saved_user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.saved_user.entity.sub_type ignore_above: 1024 level: extended - name: name + name: sub_type normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. type: keyword - process.real_user.id: - dashed_name: process-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.real_user.id + process.session_leader.saved_user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. 
This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. 
This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-saved-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.saved_user.entity.type ignore_above: 1024 level: core - name: id - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Unique identifier of the user. + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. type: keyword - process.real_user.name: - dashed_name: process-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.real_user.name + process.session_leader.saved_user.full_name: + dashed_name: process-session-leader-saved-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.session_leader.saved_user.full_name ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.real_user.name.text + - flat_name: process.session_leader.saved_user.full_name.text name: text type: match_only_text - name: name + name: full_name normalize: [] original_fieldset: user - otel: - - relation: match - stability: development - short: Short name or login of the user. + short: User's full name, if available. type: keyword - process.saved_group.id: - dashed_name: process-saved-group-id + process.session_leader.saved_user.group.domain: + dashed_name: process-session-leader-saved-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.saved_user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.saved_user.group.id: + dashed_name: process-session-leader-saved-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.saved_group.id + flat_name: process.session_leader.saved_user.group.id ignore_above: 1024 level: extended name: id @@ -15709,10 +60971,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.saved_group.name: - dashed_name: process-saved-group-name + process.session_leader.saved_user.group.name: + dashed_name: process-session-leader-saved-user-group-name description: Name of the group. - flat_name: process.saved_group.name + flat_name: process.session_leader.saved_user.group.name ignore_above: 1024 level: extended name: name 
@@ -15720,129 +60982,171 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.saved_user.id: - dashed_name: process-saved-user-id + process.session_leader.saved_user.hash: + dashed_name: process-session-leader-saved-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.saved_user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.saved_user.id: + dashed_name: process-session-leader-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.saved_user.id + flat_name: process.session_leader.saved_user.id ignore_above: 1024 level: core name: id normalize: [] original_fieldset: user - otel: - - relation: match - stability: development short: Unique identifier of the user. type: keyword - process.saved_user.name: - dashed_name: process-saved-user-name + process.session_leader.saved_user.name: + dashed_name: process-session-leader-saved-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.saved_user.name + flat_name: process.session_leader.saved_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.saved_user.name.text + - flat_name: process.session_leader.saved_user.name.text name: text type: match_only_text name: name normalize: [] original_fieldset: user - otel: - - relation: match - stability: development short: Short name or login of the user. type: keyword - process.session_leader.args: - dashed_name: process-session-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. 
- - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.args + process.session_leader.saved_user.risk.calculated_level: + dashed_name: process-session-leader-saved-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.saved_user.risk.calculated_level ignore_above: 1024 level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. type: keyword - process.session_leader.args_count: - dashed_name: process-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.session_leader.args_count + process.session_leader.saved_user.risk.calculated_score: + dashed_name: process-session-leader-saved-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.session_leader.saved_user.risk.calculated_score level: extended - name: args_count + name: calculated_score normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.session_leader.command_line: - dashed_name: process-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. 
- - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.command_line + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.saved_user.risk.calculated_score_norm: + dashed_name: process-session-leader-saved-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.saved_user.risk.calculated_score_norm level: extended - multi_fields: - - flat_name: process.session_leader.command_line.text - name: text - type: match_only_text - name: command_line + name: calculated_score_norm normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.session_leader.entity_id: - dashed_name: process-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.entity_id + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.session_leader.saved_user.risk.static_level: + dashed_name: process-session-leader-saved-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.session_leader.saved_user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.saved_user.risk.static_score: + dashed_name: process-session-leader-saved-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.saved_user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.saved_user.risk.static_score_norm: + dashed_name: process-session-leader-saved-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.saved_user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.saved_user.roles: + dashed_name: process-session-leader-saved-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.saved_user.roles ignore_above: 1024 level: extended - name: entity_id + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. 
+ synthetic_source_keep: none + type: keyword + process.session_leader.start: + dashed_name: process-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.start + level: extended + name: start normalize: [] original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.session_leader.executable: - dashed_name: process-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.executable + short: The time the process started. + type: date + process.session_leader.supplemental_groups.domain: + dashed_name: process-session-leader-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.supplemental_groups.domain ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.executable.text - name: text - type: match_only_text - name: executable + name: domain normalize: [] - original_fieldset: process - short: Absolute path to the process executable. + original_fieldset: group + short: Name of the directory the group is a member of. type: keyword - process.session_leader.group.id: - dashed_name: process-session-leader-group-id + process.session_leader.supplemental_groups.id: + dashed_name: process-session-leader-supplemental-groups-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.group.id + flat_name: process.session_leader.supplemental_groups.id ignore_above: 1024 level: extended name: id 
@@ -15850,10 +61154,10 @@ process:
 original_fieldset: group
 short: Unique identifier for the group on the system/platform.
 type: keyword
- process.session_leader.group.name:
- dashed_name: process-session-leader-group-name
+ process.session_leader.supplemental_groups.name:
+ dashed_name: process-session-leader-supplemental-groups-name
 description: Name of the group.
- flat_name: process.session_leader.group.name
+ flat_name: process.session_leader.supplemental_groups.name
 ignore_above: 1024
 level: extended
 name: name
@@ -15861,262 +61165,470 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.session_leader.interactive: - dashed_name: process-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.session_leader.name: - dashed_name: process-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.name + process.session_leader.thread.capabilities.effective: + dashed_name: process-session-leader-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.thread.capabilities.effective ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] + name: thread.capabilities.effective + normalize: + - array original_fieldset: process - short: Process name. + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. 
+ synthetic_source_keep: none type: keyword - process.session_leader.parent.entity_id: - dashed_name: process-session-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.entity_id + process.session_leader.thread.capabilities.permitted: + dashed_name: process-session-leader-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.session_leader.thread.capabilities.permitted ignore_above: 1024 level: extended - name: entity_id - normalize: [] + name: thread.capabilities.permitted + normalize: + - array original_fieldset: process - short: Unique identifier for the process. + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none type: keyword - process.session_leader.parent.pid: - dashed_name: process-session-leader-parent-pid - description: Process id. + process.session_leader.thread.id: + dashed_name: process-session-leader-thread-id + description: Thread ID. example: 4242 - flat_name: process.session_leader.parent.pid + flat_name: process.session_leader.thread.id format: string - level: core - name: pid + level: extended + name: thread.id normalize: [] original_fieldset: process - short: Process id. + short: Thread ID. 
type: long - process.session_leader.parent.session_leader.entity_id: - dashed_name: process-session-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. + process.session_leader.thread.name: + dashed_name: process-session-leader-thread-name + description: Thread name. + example: thread-0 + flat_name: process.session_leader.thread.name + ignore_above: 1024 + level: extended + name: thread.name + normalize: [] + original_fieldset: process + short: Thread name. + type: keyword + process.session_leader.title: + dashed_name: process-session-leader-title + description: 'Process title. - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.session_leader.entity_id + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.session_leader.title ignore_above: 1024 level: extended - name: entity_id + multi_fields: + - flat_name: process.session_leader.title.text + name: text + type: match_only_text + name: title normalize: [] original_fieldset: process - short: Unique identifier for the process. + short: Process title. type: keyword - process.session_leader.parent.session_leader.pid: - dashed_name: process-session-leader-parent-session-leader-pid - description: Process id. 
- example: 4242 - flat_name: process.session_leader.parent.session_leader.pid - format: string - level: core - name: pid + process.session_leader.tty: + dashed_name: process-session-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.session_leader.tty + level: extended + name: tty normalize: [] original_fieldset: process - short: Process id. - type: long - process.session_leader.parent.session_leader.start: - dashed_name: process-session-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.start + short: Information about the controlling TTY device. + type: object + process.session_leader.tty.char_device.major: + dashed_name: process-session-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.session_leader.tty.char_device.major level: extended - name: start + name: tty.char_device.major normalize: [] original_fieldset: process - short: The time the process started. - type: date - process.session_leader.parent.session_leader.vpid: - dashed_name: process-session-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.session_leader.parent.session_leader.vpid - format: string - level: core - name: vpid + short: The TTY character device's major number. 
+ type: long + process.session_leader.tty.char_device.minor: + dashed_name: process-session-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.session_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor normalize: [] original_fieldset: process - short: Virtual process id. + short: The TTY character device's minor number. type: long - process.session_leader.parent.start: - dashed_name: process-session-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.start + process.session_leader.tty.columns: + dashed_name: process-session-leader-tty-columns + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + flat_name: process.session_leader.tty.columns level: extended - name: start + name: tty.columns normalize: [] original_fieldset: process - short: The time the process started. - type: date - process.session_leader.parent.vpid: - dashed_name: process-session-leader-parent-vpid - description: 'Virtual process id. + short: The number of character columns per line. e.g terminal width + type: long + process.session_leader.tty.rows: + dashed_name: process-session-leader-tty-rows + description: 'The number of character rows in the terminal. e.g terminal height - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' 
- example: 4242 - flat_name: process.session_leader.parent.vpid - format: string - level: core - name: vpid + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + flat_name: process.session_leader.tty.rows + level: extended + name: tty.rows normalize: [] original_fieldset: process - short: Virtual process id. + short: The number of character rows in the terminal. e.g terminal height type: long - process.session_leader.pid: - dashed_name: process-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.pid - format: string - level: core - name: pid + process.session_leader.uptime: + dashed_name: process-session-leader-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.session_leader.uptime + level: extended + name: uptime normalize: [] original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. + short: Seconds the process has been up. type: long - process.session_leader.real_group.id: - dashed_name: process-session-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_group.id + process.session_leader.user.domain: + dashed_name: process-session-leader-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.session_leader.user.domain ignore_above: 1024 level: extended - name: id + name: domain normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: user + short: Name of the directory the user is a member of. type: keyword - process.session_leader.real_group.name: - dashed_name: process-session-leader-real-group-name - description: Name of the group. 
- flat_name: process.session_leader.real_group.name + process.session_leader.user.email: + dashed_name: process-session-leader-user-email + description: User email address. + flat_name: process.session_leader.user.email ignore_above: 1024 level: extended - name: name + name: email normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: user + short: User email address. type: keyword - process.session_leader.real_user.id: - dashed_name: process-session-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.real_user.id + process.session_leader.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.session_leader.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.session_leader.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.session_leader.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.session_leader.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.session_leader.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.session_leader.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.session_leader.user.entity.id: + dashed_name: process-session-leader-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.session_leader.user.entity.id ignore_above: 1024 level: core name: id normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: entity + short: Unique identifier for the entity. 
type: keyword - process.session_leader.real_user.name: - dashed_name: process-session-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.real_user.name + process.session_leader.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.session_leader.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.session_leader.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.session_leader.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.session_leader.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.session_leader.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. 
+ type: object + process.session_leader.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: process.session_leader.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.session_leader.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.session_leader.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.session_leader.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.session_leader.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: process.session_leader.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.session_leader.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.session_leader.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.session_leader.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.session_leader.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.session_leader.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: process-session-leader-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.session_leader.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.session_leader.user.full_name: + dashed_name: process-session-leader-user-full-name + description: User's full name, if available. 
+ example: Albert Einstein + flat_name: process.session_leader.user.full_name ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.session_leader.real_user.name.text + - flat_name: process.session_leader.user.full_name.text name: text type: match_only_text - name: name + name: full_name normalize: [] original_fieldset: user - short: Short name or login of the user. + short: User's full name, if available. type: keyword - process.session_leader.same_as_process: - dashed_name: process-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` + process.session_leader.user.group.domain: + dashed_name: process-session-leader-user-group-domain + description: 'Name of the directory the group is a member of. - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.same_as_process + For example, an LDAP or Active Directory domain name.' 
+ flat_name: process.session_leader.user.group.domain + ignore_above: 1024 level: extended - name: same_as_process + name: domain normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.session_leader.saved_group.id: - dashed_name: process-session-leader-saved-group-id + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.session_leader.user.group.id: + dashed_name: process-session-leader-user-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.saved_group.id + flat_name: process.session_leader.user.group.id ignore_above: 1024 level: extended name: id @@ -16124,10 +61636,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.saved_group.name: - dashed_name: process-session-leader-saved-group-name + process.session_leader.user.group.name: + dashed_name: process-session-leader-user-group-name description: Name of the group. - flat_name: process.session_leader.saved_group.name + flat_name: process.session_leader.user.group.name ignore_above: 1024 level: extended name: name 
@@ -16135,11 +61647,26 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.session_leader.saved_user.id: - dashed_name: process-session-leader-saved-user-id + process.session_leader.user.hash: + dashed_name: process-session-leader-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.session_leader.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + process.session_leader.user.id: + dashed_name: process-session-leader-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.saved_user.id + flat_name: process.session_leader.user.id ignore_above: 1024 level: core name: id @@ -16147,15 +61674,15 @@ process: original_fieldset: user short: Unique identifier of the user. type: keyword - process.session_leader.saved_user.name: - dashed_name: process-session-leader-saved-user-name + process.session_leader.user.name: + dashed_name: process-session-leader-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.saved_user.name + flat_name: process.session_leader.user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.saved_user.name.text + - flat_name: process.session_leader.user.name.text name: text type: match_only_text name: name 
@@ -16163,105 +61690,99 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.session_leader.start: - dashed_name: process-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.session_leader.supplemental_groups.id: - dashed_name: process-session-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.supplemental_groups.id + process.session_leader.user.risk.calculated_level: + dashed_name: process-session-leader-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.session_leader.user.risk.calculated_level ignore_above: 1024 level: extended - name: id + name: calculated_level normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. type: keyword - process.session_leader.supplemental_groups.name: - dashed_name: process-session-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.session_leader.supplemental_groups.name - ignore_above: 1024 + process.session_leader.user.risk.calculated_score: + dashed_name: process-session-leader-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. 
+ example: 880.73 + flat_name: process.session_leader.user.risk.calculated_score level: extended - name: name + name: calculated_score normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.tty: - dashed_name: process-session-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.session_leader.tty + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.session_leader.user.risk.calculated_score_norm: + dashed_name: process-session-leader-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.session_leader.user.risk.calculated_score_norm level: extended - name: tty + name: calculated_score_norm normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.session_leader.tty.char_device.major: - dashed_name: process-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.session_leader.tty.char_device.major + original_fieldset: risk + short: A normalized risk score calculated by an internal system. 
+ type: float + process.session_leader.user.risk.static_level: + dashed_name: process-session-leader-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: High + flat_name: process.session_leader.user.risk.static_level + ignore_above: 1024 level: extended - name: tty.char_device.major + name: static_level normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.session_leader.tty.char_device.minor: - dashed_name: process-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.session_leader.tty.char_device.minor + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.session_leader.user.risk.static_score: + dashed_name: process-session-leader-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.session_leader.user.risk.static_score level: extended - name: tty.char_device.minor + name: static_score normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.session_leader.user.id: - dashed_name: process-session-leader-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.user.id - ignore_above: 1024 - level: core - name: id + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.session_leader.user.risk.static_score_norm: + dashed_name: process-session-leader-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.session_leader.user.risk.static_score_norm + level: extended + name: static_score_norm normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.user.name: - dashed_name: process-session-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.user.name + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.session_leader.user.roles: + dashed_name: process-session-leader-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.session_leader.user.roles ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] + level: extended + name: roles + normalize: + - array original_fieldset: user - short: Short name or login of the user. + short: Array of user roles at the time of the event. + synthetic_source_keep: none type: keyword process.session_leader.vpid: dashed_name: process-session-leader-vpid 
@@ -16305,6 +61826,19 @@ process: normalize: [] short: The time the process started. type: date + process.supplemental_groups.domain: + dashed_name: process-supplemental-groups-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.supplemental_groups.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword process.supplemental_groups.id: dashed_name: process-supplemental-groups-id description: Unique identifier for the group on the system/platform. 
@@ -16475,6 +62009,351 @@ process: stability: development short: Seconds the process has been up. type: long + process.user.domain: + dashed_name: process-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.user.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + process.user.email: + dashed_name: process-user-email + description: User email address. + flat_name: process.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + process.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: process.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + process.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: process.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + process.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: process.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + process.user.entity.id: + dashed_name: process-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: process.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + process.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. 
+ dashed_name: process-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: process.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + process.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: process.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + process.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: process.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + process.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. 
+ flat_name: process.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + process.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: process.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + process.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: process.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + process.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: process-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: process.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + process.user.entity.sub_type: + beta: This field is beta and subject to change. 
+ dashed_name: process-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: process.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + process.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. 
Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. 
+ name: session + beta: This field is beta and subject to change. + dashed_name: process-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: process.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword + process.user.full_name: + dashed_name: process-user-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: process.user.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: process.user.full_name.text + name: text + type: match_only_text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + process.user.group.domain: + dashed_name: process-user-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: process.user.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + process.user.group.id: + dashed_name: process-user-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.user.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.user.group.name: + dashed_name: process-user-group-name + description: Name of the group. 
+ flat_name: process.user.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.user.hash: + dashed_name: process-user-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: process.user.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword process.user.id: dashed_name: process-user-id description: Unique identifier of the user. 
@@ -16509,6 +62388,100 @@ process: stability: development short: Short name or login of the user. type: keyword + process.user.risk.calculated_level: + dashed_name: process-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: process.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + process.user.risk.calculated_score: + dashed_name: process-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: process.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + process.user.risk.calculated_score_norm: + dashed_name: process-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: process.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + process.user.risk.static_level: + dashed_name: process-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: process.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + process.user.risk.static_score: + dashed_name: process-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: process.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + process.user.risk.static_score_norm: + dashed_name: process-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: process.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float + process.user.roles: + dashed_name: process-user-roles + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + flat_name: process.user.roles + ignore_above: 1024 + level: extended + name: roles + normalize: + - array + original_fieldset: user + short: Array of user roles at the time of the event. + synthetic_source_keep: none + type: keyword process.vpid: dashed_name: process-vpid description: 'Virtual process id. 
@@ -17527,11 +63500,266 @@ server: description: User email address. flat_name: server.user.email ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + server.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: server.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + server.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: server.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + server.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: server.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: server.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + server.user.entity.id: + dashed_name: server-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: server.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + server.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: server.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + server.user.entity.lifecycle: + beta: This field is beta and subject to change. 
+ dashed_name: server-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: server.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + server.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: server.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + server.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: server.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: server.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + server.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: server.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + server.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: server.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + server.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: server.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + server.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: server-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: server.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + server.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: server-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: server.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. type: keyword server.user.full_name: dashed_name: server-user-full-name 
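Review bot: The server.user.entity.name description in this hunk says `this field should mirrors the corresponding *.name value`, which should read `this field should mirror the corresponding *.name value`; the same sentence recurs in the process.user.entity.name and service.entity.name entries. The `flat_name`/`dashed_name`/`original_fieldset` keys and the 60k+ new-side line numbers suggest this is a generated ECS artifact, so the wording fix presumably belongs in the entity schema source rather than in this file. Separately, server.user.entity.raw and server.user.entity.attributes are declared `type: object` while their descriptions say "Usually flattened field data type" and "Usually boolean or keyword field data types"; if `object` with dynamically mapped subfields is the intent, the description should say so, since unbounded source metadata under `raw` is where mapping growth is most likely and operators will want to know that up front. Finally, the five server.user.email lines at the top of the hunk (`level`, `name`, `normalize`, `original_fieldset`, `short`) are removed and re-added with identical visible text, which reads as a whitespace-only change the collapsed view hides; worth confirming it is intentional.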
@@ -17627,6 +63855,86 @@ server: original_fieldset: user short: Short name or login of the user. type: keyword + server.user.risk.calculated_level: + dashed_name: server-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: server.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + server.user.risk.calculated_score: + dashed_name: server-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: server.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + server.user.risk.calculated_score_norm: + dashed_name: server-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: server.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + server.user.risk.static_level: + dashed_name: server-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: server.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + server.user.risk.static_score: + dashed_name: server-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: server.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + server.user.risk.static_score_norm: + dashed_name: server-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: server.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -17681,6 +63989,261 @@ service: normalize: [] short: Address of this service. type: keyword + service.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: service-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: service.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + service.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: service-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: service.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + service.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: service-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: service.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: service.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + service.entity.id: + dashed_name: service-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: service.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + service.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: service-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: service.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + service.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: service-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: service.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + service.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: service-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: service.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + service.entity.name: + beta: This field is beta and subject to change. + dashed_name: service-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: service.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: service.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + service.entity.raw: + beta: This field is beta and subject to change. + dashed_name: service-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: service.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + service.entity.reference: + beta: This field is beta and subject to change. + dashed_name: service-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: service.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + service.entity.source: + beta: This field is beta and subject to change. + dashed_name: service-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: service.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + service.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: service-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: service.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. 
+ type: keyword + service.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. 
+ name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: service-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: service.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword service.environment: beta: This field is beta and subject to change. dashed_name: service-environment 
@@ -17844,6 +64407,261 @@ service: original_fieldset: service short: Address of this service. type: keyword + service.origin.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: service.origin.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + service.origin.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: service.origin.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + service.origin.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: service.origin.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: service.origin.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + service.origin.entity.id: + dashed_name: service-origin-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: service.origin.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + service.origin.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: service.origin.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + service.origin.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: service.origin.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + service.origin.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: service.origin.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + service.origin.entity.name: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: service.origin.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: service.origin.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + service.origin.entity.raw: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: service.origin.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + service.origin.entity.reference: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: service.origin.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + service.origin.entity.source: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: service.origin.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + service.origin.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: service.origin.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + service.origin.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: service-origin-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: service.origin.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword service.origin.environment: beta: This field is beta and subject to change. dashed_name: service-origin-environment 
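Review bot: `service.origin.entity.raw` is emitted with `type: object` while its own description says the field is "Usually flattened field data type"; the two should agree, because an `object` field under dynamic mapping turns every new key a provider sends in its unmodified metadata into a new index field, whereas `flattened` keeps it to one, so either declare `type: flattened` or reword the description to say why `object` was chosen. The identical `.raw` definition, and the rest of the entity field set, is repeated verbatim in the `source.user.entity.*` hunk and the `user.changes.entity.*` hunk below, so the decision should be applied to every reuse; if this file is generated from the `entity` schema definition, the change belongs there rather than here. Two smaller documentation points in the same block: the `name` description reads `this field should mirrors the corresponding *.name value` and should be `this field should mirror the corresponding *.name value`, and `service.origin.entity.id` is the only field in the set without the `beta:` marker, which looks like an omission unless `id` is intentionally exempt.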
@@ -18951,6 +65769,261 @@ source: original_fieldset: user short: User email address. type: keyword + source.user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: source.user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + source.user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: source.user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + source.user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: source.user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: source.user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + source.user.entity.id: + dashed_name: source-user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: source.user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + source.user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: source.user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + source.user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: source.user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + source.user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: source.user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + source.user.entity.name: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: source.user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: source.user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + source.user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: source.user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + source.user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: source.user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + source.user.entity.source: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: source.user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + source.user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: source-user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: source.user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + source.user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: source-user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: source.user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword source.user.full_name: dashed_name: source-user-full-name description: User's full name, if available. 
@@ -19045,6 +66118,86 @@ source: original_fieldset: user short: Short name or login of the user. type: keyword + source.user.risk.calculated_level: + dashed_name: source-user-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: source.user.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + source.user.risk.calculated_score: + dashed_name: source-user-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: source.user.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + source.user.risk.calculated_score_norm: + dashed_name: source-user-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: source.user.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + source.user.risk.static_level: + dashed_name: source-user-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: source.user.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + source.user.risk.static_score: + dashed_name: source-user-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: source.user.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + source.user.risk.static_score_norm: + dashed_name: source-user-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: source.user.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
@@ -26167,86 +73320,341 @@ url: level: extended name: subdomain normalize: [] - otel: - - relation: match - stability: development - short: The subdomain of the domain. + otel: + - relation: match + stability: development + short: The subdomain of the domain. + type: keyword + url.top_level_domain: + dashed_name: url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: url.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + otel: + - relation: match + stability: development + short: The effective top level domain (com, org, net, co.uk). + type: keyword + url.username: + dashed_name: url-username + description: Username of the request. + flat_name: url.username + ignore_above: 1024 + level: extended + name: username + normalize: [] + short: Username of the request. + type: keyword + group: 2 + name: url + prefix: url. + reusable: + expected: + - as: url + at: threat.indicator + full: threat.indicator.url + - as: url + at: threat.enrichments.indicator + full: threat.enrichments.indicator.url + top_level: true + short: Fields that let you store URLs in various forms. + title: URL + type: group +user: + description: 'The user fields describe information about the user that is relevant + to the event. + + Fields can have one entry or multiple entries. If a user has more than one id, + provide an array that includes all of them.' + fields: + user.changes.domain: + dashed_name: user-changes-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ flat_name: user.changes.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + user.changes.email: + dashed_name: user-changes-email + description: User email address. + flat_name: user.changes.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + user.changes.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: user.changes.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + user.changes.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: user.changes.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + user.changes.entity.display_name: + beta: This field is beta and subject to change. 
+ dashed_name: user-changes-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: user.changes.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.changes.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + user.changes.entity.id: + dashed_name: user-changes-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: user.changes.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + user.changes.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: user.changes.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." 
+ type: date + user.changes.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: user.changes.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + user.changes.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: user.changes.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + user.changes.entity.name: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: user.changes.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.changes.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. type: keyword - url.top_level_domain: - dashed_name: url-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". 
- - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: url.top_level_domain - ignore_above: 1024 + user.changes.entity.raw: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: user.changes.entity.raw level: extended - name: top_level_domain + name: raw normalize: [] - otel: - - relation: match - stability: development - short: The effective top level domain (com, org, net, co.uk). - type: keyword - url.username: - dashed_name: url-username - description: Username of the request. - flat_name: url.username + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + user.changes.entity.reference: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: user.changes.entity.reference ignore_above: 1024 level: extended - name: username + name: reference normalize: [] - short: Username of the request. + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. type: keyword - group: 2 - name: url - prefix: url. 
- reusable: - expected: - - as: url - at: threat.indicator - full: threat.indicator.url - - as: url - at: threat.enrichments.indicator - full: threat.enrichments.indicator.url - top_level: true - short: Fields that let you store URLs in various forms. - title: URL - type: group -user: - description: 'The user fields describe information about the user that is relevant - to the event. - - Fields can have one entry or multiple entries. If a user has more than one id, - provide an array that includes all of them.' - fields: - user.changes.domain: - dashed_name: user-changes-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: user.changes.domain + user.changes.entity.source: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: user.changes.entity.source ignore_above: 1024 - level: extended - name: domain + level: core + name: source normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. + original_fieldset: entity + short: Source module or integration that provided the entity data. type: keyword - user.changes.email: - dashed_name: user-changes-email - description: User email address. - flat_name: user.changes.email + user.changes.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: user.changes.entity.sub_type ignore_above: 1024 level: extended - name: email + name: sub_type normalize: [] - original_fieldset: user - short: User email address. + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + user.changes.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: user-changes-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. 
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: user.changes.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. type: keyword user.changes.full_name: dashed_name: user-changes-full-name 
@@ -26342,6 +73750,86 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword + user.changes.risk.calculated_level: + dashed_name: user-changes-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: user.changes.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + user.changes.risk.calculated_score: + dashed_name: user-changes-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.changes.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + user.changes.risk.calculated_score_norm: + dashed_name: user-changes-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: user.changes.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + user.changes.risk.static_level: + dashed_name: user-changes-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.changes.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + user.changes.risk.static_score: + dashed_name: user-changes-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.changes.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + user.changes.risk.static_score_norm: + dashed_name: user-changes-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.changes.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -26392,6 +73880,261 @@ user: original_fieldset: user short: User email address. type: keyword + user.effective.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: user.effective.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + user.effective.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: user.effective.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + user.effective.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: user.effective.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.effective.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + user.effective.entity.id: + dashed_name: user-effective-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: user.effective.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + user.effective.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: user.effective.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + user.effective.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: user.effective.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + user.effective.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: user.effective.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + user.effective.entity.name: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: user.effective.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.effective.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + user.effective.entity.raw: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. 
+ flat_name: user.effective.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. + type: object + user.effective.entity.reference: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: user.effective.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + user.effective.entity.source: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: user.effective.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + user.effective.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' 
+ example: aws_s3_bucket + flat_name: user.effective.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + user.effective.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. 
+ name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: user-effective-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' 
+ example: host + flat_name: user.effective.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword user.effective.full_name: dashed_name: user-effective-full-name description: User's full name, if available. 
@@ -26486,6 +74229,86 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword + user.effective.risk.calculated_level: + dashed_name: user-effective-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: user.effective.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + user.effective.risk.calculated_score: + dashed_name: user-effective-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.effective.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + user.effective.risk.calculated_score_norm: + dashed_name: user-effective-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: user.effective.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + user.effective.risk.static_level: + dashed_name: user-effective-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.effective.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + user.effective.risk.static_score: + dashed_name: user-effective-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.effective.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + user.effective.risk.static_score_norm: + dashed_name: user-effective-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.effective.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -26513,6 +74336,261 @@ user: stability: development short: User email address. type: keyword + user.entity.attributes: + beta: This field is beta and subject to change. + dashed_name: user-entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: user.entity.attributes + level: extended + name: attributes + normalize: [] + original_fieldset: entity + short: A set of static or semi-static attributes of the entity. + type: object + user.entity.behavior: + beta: This field is beta and subject to change. + dashed_name: user-entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: user.entity.behavior + level: extended + name: behavior + normalize: [] + original_fieldset: entity + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + user.entity.display_name: + beta: This field is beta and subject to change. + dashed_name: user-entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: user.entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + original_fieldset: entity + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + user.entity.id: + dashed_name: user-entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: user.entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: entity + short: Unique identifier for the entity. + type: keyword + user.entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: user-entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: user.entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + original_fieldset: entity + short: Indicates the date/time when this entity was last "seen." + type: date + user.entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: user-entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: user.entity.lifecycle + level: extended + name: lifecycle + normalize: [] + original_fieldset: entity + short: A set of temporal characteristics of the entity. + type: object + user.entity.metrics: + beta: This field is beta and subject to change. + dashed_name: user-entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: user.entity.metrics + level: extended + name: metrics + normalize: [] + original_fieldset: entity + short: Field set for any fields containing numeric entity metrics. + type: object + user.entity.name: + beta: This field is beta and subject to change. + dashed_name: user-entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: user.entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: entity + short: The name of the entity. + type: keyword + user.entity.raw: + beta: This field is beta and subject to change. + dashed_name: user-entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: user.entity.raw + level: extended + name: raw + normalize: [] + original_fieldset: entity + short: Original, unmodified fields from the source system. 
+ type: object + user.entity.reference: + beta: This field is beta and subject to change. + dashed_name: user-entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: user.entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: entity + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + user.entity.source: + beta: This field is beta and subject to change. + dashed_name: user-entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: user.entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + original_fieldset: entity + short: Source module or integration that provided the entity data. + type: keyword + user.entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: user-entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: user.entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + original_fieldset: entity + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + user.entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. 
Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. 
This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: user-entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: user.entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: entity + short: Standardized high-level classification of the entity. + type: keyword user.full_name: dashed_name: user-full-name description: User's full name, if available. 
@@ -27084,6 +75162,86 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword + user.target.risk.calculated_level: + dashed_name: user-target-risk-calculated-level + description: A risk classification level calculated by an internal system as + part of entity analytics and entity risk scoring. + example: High + flat_name: user.target.risk.calculated_level + ignore_above: 1024 + level: extended + name: calculated_level + normalize: [] + original_fieldset: risk + short: A risk classification level calculated by an internal system as part + of entity analytics and entity risk scoring. + type: keyword + user.target.risk.calculated_score: + dashed_name: user-target-risk-calculated-score + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring. + example: 880.73 + flat_name: user.target.risk.calculated_score + level: extended + name: calculated_score + normalize: [] + original_fieldset: risk + short: A risk classification score calculated by an internal system as part + of entity analytics and entity risk scoring. + type: float + user.target.risk.calculated_score_norm: + dashed_name: user-target-risk-calculated-score-norm + description: A risk classification score calculated by an internal system as + part of entity analytics and entity risk scoring, and normalized to a range + of 0 to 100. + example: 88.73 + flat_name: user.target.risk.calculated_score_norm + level: extended + name: calculated_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an internal system. + type: float + user.target.risk.static_level: + dashed_name: user-target-risk-static-level + description: A risk classification level obtained from outside the system, such + as from some external Threat Intelligence Platform. 
+ example: High + flat_name: user.target.risk.static_level + ignore_above: 1024 + level: extended + name: static_level + normalize: [] + original_fieldset: risk + short: A risk classification level obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: keyword + user.target.risk.static_score: + dashed_name: user-target-risk-static-score + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform. + example: 830.0 + flat_name: user.target.risk.static_score + level: extended + name: static_score + normalize: [] + original_fieldset: risk + short: A risk classification score obtained from outside the system, such as + from some external Threat Intelligence Platform. + type: float + user.target.risk.static_score_norm: + dashed_name: user-target-risk-static-score-norm + description: A risk classification score obtained from outside the system, such + as from some external Threat Intelligence Platform, and normalized to a range + of 0 to 100. + example: 83.0 + flat_name: user.target.risk.static_score_norm + level: extended + name: static_score_norm + normalize: [] + original_fieldset: risk + short: A normalized risk score calculated by an external system. + type: float user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. diff --git a/generated/elasticsearch/composable/component/client.json b/generated/elasticsearch/composable/component/client.json index 08cadb7b8a..f9ede87ca7 100644 --- a/generated/elasticsearch/composable/component/client.json +++ b/generated/elasticsearch/composable/component/client.json 
@@ -131,6 +131,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "full_name": { "fields": { "text": { @@ -173,6 +235,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json index 0c7f16bc49..df3356be92 100644 --- a/generated/elasticsearch/composable/component/cloud.json +++ b/generated/elasticsearch/composable/component/cloud.json 
@@ -24,6 +24,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "instance": { "properties": { "id": { @@ -62,6 +124,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "instance": { "properties": { "id": { 
diff --git a/generated/elasticsearch/composable/component/destination.json b/generated/elasticsearch/composable/component/destination.json index 12d0c9d349..2d870fa6e9 100644 --- a/generated/elasticsearch/composable/component/destination.json +++ b/generated/elasticsearch/composable/component/destination.json @@ -131,6 +131,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "full_name": { "fields": { "text": { @@ -173,6 +235,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index a2b964c83c..4819b2d16b 100644 
--- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json 
@@ -15,6 +15,167 @@ "args_count": { "type": "long" }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, "code_signature": { "properties": { "digest_algorithm": { @@ -216,6 +377,9 @@ "end": { "type": "date" }, + "endpoint_security_client": { + "type": "boolean" + }, "entity_id": { "ignore_above": 1024, "type": "keyword" @@ -231,6 +395,14 @@ }, "attested_groups": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "name": { "ignore_above": 1024, "type": "keyword" @@ -239,11 +411,77 @@ }, "attested_user": { "properties": { - "id": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { "fields": { "text": { "type": "match_only_text" 
@@ -251,303 +489,410 @@ }, "ignore_above": 1024, "type": "keyword" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { + }, + "group": { "properties": { - "ip": { - "type": "ip" + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } } }, - "type": { + "hash": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { + }, "id": { "ignore_above": 1024, "type": "keyword" }, "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "pid": { - "type": "long" - }, - "session_leader": { + "risk": { "properties": { - "entity_id": { + "calculated_level": { "ignore_above": 1024, "type": "keyword" }, - "pid": { - "type": "long" + "calculated_score": { + "type": "float" }, - "start": { - "type": "date" + "calculated_score_norm": { + "type": "float" }, - "vpid": { - "type": "long" + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" } } }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, - "pid": { - "type": "long" - }, - "real_group": { + "code_signature": { "properties": { - 
"id": { + "digest_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "exists": { + "type": "boolean" + }, + "flags": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { + }, + "signing_id": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "status": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { + }, + "subject_name": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "team_id": { "ignore_above": 1024, "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } } }, - "saved_user": { + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { "properties": { - "id": { + "architecture": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "byte_order": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { + }, + "cpu_type": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { "properties": { - "major": { - "type": "long" + "abi_version": { + "ignore_above": 1024, + "type": "keyword" }, - "minor": { + "class": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { + }, + "import_hash": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { "ignore_above": 1024, "type": "keyword" } } }, - "vpid": { - "type": "long" + "end": { + "type": "date" }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - 
}, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "group": { + "entry_meta": { "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "name": { + "type": { "ignore_above": 1024, "type": "keyword" } } }, - "interactive": { - "type": "boolean" + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" }, - "name": { + "executable": { "fields": { "text": { "type": "match_only_text" @@ -556,11 +901,15 @@ "ignore_above": 1024, "type": "keyword" }, - "pid": { + "exit_code": { "type": "long" }, - "real_group": { + "group": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -571,106 +920,136 @@ } } }, - "real_user": { + "hash": { "properties": { - "id": { + "cdhash": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "md5": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { + }, + "sha1": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "sha256": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { + }, + "sha384": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "sha512": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { + }, + "ssdeep": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "tlsh": { "ignore_above": 1024, "type": "keyword" } } }, - "tty": { + "interactive": { + "type": "boolean" + }, + "io": { "properties": { - "char_device": { + "bytes_skipped": { "properties": { - "major": { + "length": { "type": "long" }, - "minor": { + "offset": { "type": "long" } - } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } }, "type": "object" }, - "user": { + "macho": { "properties": { - "id": { + "go_import_hash": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + 
"type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, + "type": "nested" + }, + "symhash": { "ignore_above": 1024, "type": "keyword" } } }, - "vpid": { - "type": "long" - }, - "working_directory": { + "name": { "fields": { "text": { "type": "match_only_text" 
@@ -678,729 +1057,14076 @@ }, "ignore_above": 1024, "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, + "origin_referrer_url": { + "ignore_above": 8192, "type": "keyword" }, - "ssdeep": { - "ignore_above": 1024, + "origin_url": { + "ignore_above": 8192, "type": "keyword" }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": 
"nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { + "parent": { "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { + "args": { "ignore_above": 1024, "type": "keyword" }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { + "args_count": { "type": "long" }, - "go_stripped": { - "type": "boolean" + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "header": { + 
"attested_user": { "properties": { - "abi_version": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "class": { + "email": { "ignore_above": 1024, "type": "keyword" }, - "data": { + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "entrypoint": { - "type": "long" + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "object_version": { + "hash": { "ignore_above": 1024, "type": "keyword" }, - "os_abi": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "version": { + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { "ignore_above": 1024, + "synthetic_source_keep": "none", "type": "keyword" } } }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { + "code_signature": { "properties": { - "chi2": { - "type": "long" + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "entropy": { - "type": "long" + "exists": { + "type": "boolean" }, "flags": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "signing_id": { "ignore_above": 1024, "type": "keyword" }, - "physical_offset": { + "status": { "ignore_above": 1024, "type": "keyword" }, - "physical_size": { - "type": "long" + "subject_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": { + "team_id": { "ignore_above": 1024, "type": "keyword" }, - "var_entropy": { - "type": "long" + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" }, - "virtual_address": { - "type": "long" + "timestamp": { + "type": "date" }, - "virtual_size": { - "type": "long" + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" } }, - "type": "nested" + "type": "wildcard" }, - "segments": { + "elf": { "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, 
+ "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "telfhash": { "ignore_above": 1024, "type": "keyword" } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - 
"type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" + } }, - "start": { + "end": { "type": "date" }, - "vpid": { - "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" + "endpoint_security_client": { + "type": "boolean" }, - "sha384": { + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "ssdeep": { + "env_vars": { "ignore_above": 1024, + "synthetic_source_keep": "none", "type": "keyword" }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "macho": { - "properties": { - "go_import_hash": { + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { + "exit_code": { "type": "long" }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "imports_names_entropy": { - "type": "long" + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "imports_names_var_entropy": { - "type": "long" + "interactive": { + "type": "boolean" }, - "sections": { + "io": { "properties": { - "entropy": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { "type": "long" }, - "name": { + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { "ignore_above": 1024, "type": "keyword" }, - "physical_size": { + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { "type": "long" }, - "var_entropy": { + "go_imports_names_var_entropy": { "type": "long" }, - "virtual_size": { + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" } - }, - "type": "nested" + } }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - 
}, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "pehash": { - "ignore_above": 1024, + "origin_referrer_url": { + "ignore_above": 8192, "type": "keyword" }, - "product": { - "ignore_above": 1024, + "origin_url": { + "ignore_above": 8192, "type": "keyword" }, - "sections": { + "pe": { "properties": { - "entropy": { - "type": "long" + "architecture": { + "ignore_above": 1024, + "type": "keyword" }, - "name": { + "company": { "ignore_above": 1024, "type": "keyword" }, - "physical_size": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { "type": "long" }, - "var_entropy": { + "go_imports_names_var_entropy": { "type": "long" }, - "virtual_size": { + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + } }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "pid": { + "type": "long" }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "platform_binary": { + "type": "boolean" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - 
"thread": { - "properties": { - "capabilities": { + "real_user": { "properties": { - "effective": { + "domain": { "ignore_above": 1024, - "synthetic_source_keep": "none", "type": "keyword" }, - "permitted": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", "type": "keyword" } } }, - "id": { - "type": "long" + "same_as_process": { + "type": "boolean" }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { + "saved_group": { "properties": { - "major": { - "type": "long" + "domain": { + "ignore_above": 1024, + "type": "keyword" }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "uptime": { - "type": "long" + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + 
"text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + 
"type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { 
+ "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + 
"go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 
1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": 
"text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } }, - "user": { + "pe": { "properties": { - "id": { + "architecture": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + 
"type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + 
"roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 
1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": 
"date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 
1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": 
"date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": 
{ + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + 
"offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + 
"properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + 
"imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { 
+ "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + 
"imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + 
"name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + 
"bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + 
"go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" 
+ }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 
1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 
1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + 
}, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + 
"imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": 
"match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 
1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + 
"type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": 
"long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + 
"type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + 
"type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + 
"synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + 
"calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + 
"type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } 
+ }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, 
+ "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "responsible": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + 
"abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + 
"name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + 
"text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, 
+ "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + 
"metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + 
"roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + 
"abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + 
"name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + 
"text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + 
"go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 
1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + 
"type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": 
"float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 
1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, 
+ "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + 
"synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + 
}, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": 
"long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { 
+ "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { 
+ "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "name": { + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { "fields": { "text": { "type": "match_only_text" 
@@ -1411,219 +15137,104 @@ } } }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { + "pe": { "properties": { - "entropy": { - "type": "long" + "architecture": { + "ignore_above": 1024, + "type": "keyword" }, - "name": { + "company": { "ignore_above": 1024, "type": "keyword" }, - "physical_size": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { "type": "long" }, - "var_entropy": { + "go_imports_names_var_entropy": { "type": "long" }, - "virtual_size": { + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" + } }, - "args_count": { + "pid": { "type": "long" }, - "command_line": { - 
"fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" + "platform_binary": { + "type": "boolean" }, - "group": { + "real_group": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -1634,57 +15245,160 @@ } } }, - "interactive": { - "type": "boolean" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { + "real_user": { "properties": { - "entity_id": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "pid": { - "type": "long" + "email": { + "ignore_above": 1024, + "type": "keyword" }, - "session_leader": { + "entity": { "properties": { - "entity_id": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "pid": { - "type": "long" + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "start": { + "last_seen_timestamp": { "type": "date" }, - "vpid": { - "type": "long" + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } } }, - "start": { - "type": "date" + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" }, - "vpid": { - "type": "long" + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + 
"type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, - "pid": { - "type": "long" + "same_as_process": { + "type": "boolean" }, - "real_group": { + "saved_group": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -1692,11 +15406,110 @@ "name": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "real_user": { - "properties": { + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -1709,49 +15522,75 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, - "same_as_process": { - "type": "boolean" + "start": { + "type": "date" }, - "saved_group": { + "supplemental_groups": { "properties": { - "id": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { "id": { "ignore_above": 1024, "type": "keyword" }, "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, "ignore_above": 1024, "type": "keyword" } } }, - "start": { - "type": "date" - }, - "supplemental_groups": { + "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, "id": { - "ignore_above": 1024, - "type": "keyword" + "type": "long" }, "name": { "ignore_above": 1024, @@ -1759,6 +15598,15 @@ } } }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, "tty": { "properties": { "char_device": { 
@@ -1770,12 +15618,120 @@ "type": "long" } } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" } }, "type": "object" }, + "uptime": { + "type": "long" + }, "user": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -1788,6 +15744,35 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, @@ -1810,6 +15795,10 @@ }, "supplemental_groups": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -1880,6 +15869,105 @@ }, "user": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -1892,6 +15980,35 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, diff --git a/generated/elasticsearch/composable/component/server.json b/generated/elasticsearch/composable/component/server.json index 76d7be670f..b9948f86cd 100644 --- a/generated/elasticsearch/composable/component/server.json +++ b/generated/elasticsearch/composable/component/server.json @@ -131,6 +131,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "full_name": { "fields": { "text": { 
@@ -173,6 +235,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json index 1aa2d9117c..14056a5bbb 100644 --- a/generated/elasticsearch/composable/component/service.json +++ b/generated/elasticsearch/composable/component/service.json @@ -12,6 +12,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "environment": { "ignore_above": 1024, "type": "keyword" 
@@ -51,6 +113,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "environment": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/source.json b/generated/elasticsearch/composable/component/source.json index fbdd349235..54c659611a 100644 --- a/generated/elasticsearch/composable/component/source.json +++ b/generated/elasticsearch/composable/component/source.json 
@@ -131,6 +131,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "full_name": { "fields": { "text": { @@ -173,6 +235,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index affa8f0284..99363df10d 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json 
@@ -18,6 +18,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "full_name": { "fields": { "text": { @@ -60,6 +122,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -81,6 +167,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "full_name": { "fields": { "text": { @@ -123,6 +271,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -134,6 +306,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "full_name": { "fields": { "text": { @@ -319,6 +553,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index ce90e997d0..93c5b4aae8 100644 --- a/generated/elasticsearch/composable/template.json +++ b/generated/elasticsearch/composable/template.json @@ -4,8 +4,8 @@ "ecs_version": "9.3.0-dev" }, "composed_of": [ - "ecs_9.3.0-dev_base", "ecs_9.3.0-dev_agent", + "ecs_9.3.0-dev_base", "ecs_9.3.0-dev_client", "ecs_9.3.0-dev_cloud", "ecs_9.3.0-dev_container", 
@@ -16,6 +16,7 @@ "ecs_9.3.0-dev_dns", "ecs_9.3.0-dev_ecs", "ecs_9.3.0-dev_email", + "ecs_9.3.0-dev_entity", "ecs_9.3.0-dev_error", "ecs_9.3.0-dev_event", "ecs_9.3.0-dev_faas", @@ -41,8 +42,8 @@ "ecs_9.3.0-dev_tls", "ecs_9.3.0-dev_tracing", "ecs_9.3.0-dev_url", - "ecs_9.3.0-dev_user_agent", "ecs_9.3.0-dev_user", + "ecs_9.3.0-dev_user_agent", "ecs_9.3.0-dev_volume", "ecs_9.3.0-dev_vulnerability" ], diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index cb2dbd54ed..faa937942c 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -179,6 +179,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "full_name": { "fields": { "text": { 
@@ -221,6 +283,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", @@ -248,6 +334,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "instance": { "properties": { "id": { 
@@ -286,6 +434,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "instance": { "properties": { "id": { @@ -733,18 +943,21 @@ "ignore_above": 1024, "type": "keyword" }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { + "entity": { "properties": { - "domain": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" }, 
@@ -752,29 +965,112 @@ "ignore_above": 1024, "type": "keyword" }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { "ignore_above": 1024, "type": "keyword" }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -1266,6 +1562,68 @@ } } }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "error": { "properties": { "code": { 
@@ -3047,138 +3405,299 @@ "args_count": { "type": "long" }, - "code_signature": { + "attested_groups": { "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "subject_name": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "team_id": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" } } }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { + "attested_user": { "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { + "email": { "ignore_above": 1024, "type": "keyword" }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { + "entity": { "properties": { - "abi_version": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "class": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "data": { + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + 
"fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "entrypoint": { - "type": "long" + "raw": { + "type": "object" }, - "object_version": { + "reference": { "ignore_above": 1024, "type": "keyword" }, - "os_abi": { + "source": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "sub_type": { "ignore_above": 1024, "type": "keyword" }, - "version": { + "type": { "ignore_above": 1024, "type": "keyword" } } }, - "import_hash": { + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" }, "imports_names_var_entropy": { "type": "long" @@ -3248,6 +3767,9 @@ "end": { "type": "date" }, + "endpoint_security_client": { + "type": "boolean" + }, "entity_id": { "ignore_above": 1024, "type": "keyword" 
@@ -3263,140 +3785,121 @@ }, "attested_groups": { "properties": { - "name": { + "domain": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "attested_user": { - "properties": { + }, "id": { "ignore_above": 1024, "type": "keyword" }, "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "type": { "ignore_above": 1024, "type": "keyword" } } }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { + "attested_user": { "properties": { - "id": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "email": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" }, - "session_leader": { + "entity": { "properties": { - "entity_id": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "pid": { - "type": "long" + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "start": { + "last_seen_timestamp": { "type": "date" }, - "vpid": { - "type": "long" + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, 
+ "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } } }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "name": { + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "real_user": { - "properties": { + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -3409,140 +3912,82 @@ }, "ignore_above": 1024, "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" }, - "name": { + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { "ignore_above": 1024, + "synthetic_source_keep": "none", "type": "keyword" } } }, - "saved_user": { + "code_signature": { "properties": { - "id": { + "digest_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "exists": { + "type": "boolean" + }, + "flags": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { + }, + "signing_id": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "status": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { + }, + "subject_name": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "team_id": { "ignore_above": 1024, "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } } }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, 
- "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, "command_line": { "fields": { "text": { 
@@ -3551,599 +3996,390 @@ }, "type": "wildcard" }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { + "elf": { "properties": { - "id": { + "architecture": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { + "byte_order": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { + "cpu_type": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "creation_date": { + "type": "date" }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { + "exports": { + "type": "flattened" + }, + "go_import_hash": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + } }, - "name": { + "import_hash": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { "properties": { - "major": { + "chi2": { "type": "long" }, - "minor": { + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { "type": "long" } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + }, + "type": "nested" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { "ignore_above": 1024, "type": "keyword" } } }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - 
"properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" + "end": { + "type": "date" }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" + "endpoint_security_client": { + "type": "boolean" }, - "sha512": { + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { + "entry_meta": { "properties": { - "length": { - "type": "long" + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + 
"mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "offset": { - "type": "long" + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" + } }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { + "env_vars": { "ignore_above": 1024, + "synthetic_source_keep": "none", "type": "keyword" }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { + "exit_code": { "type": "long" }, - "sections": { + "group": { "properties": { - "entropy": { - "type": "long" - }, - "name": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "virtual_size": { - "type": "long" + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - 
"name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" + } }, - "code_signature": { + "hash": { "properties": { - "digest_algorithm": { + "cdhash": { "ignore_above": 1024, "type": "keyword" }, - "exists": { - "type": "boolean" - }, - "flags": { + "md5": { "ignore_above": 1024, "type": "keyword" }, - "signing_id": { + "sha1": { "ignore_above": 1024, "type": "keyword" }, - "status": { + "sha256": { "ignore_above": 1024, "type": "keyword" }, - "subject_name": { + "sha384": { "ignore_above": 1024, "type": "keyword" }, - "team_id": { + "sha512": { "ignore_above": 1024, "type": "keyword" }, - "thumbprint_sha256": { - "ignore_above": 64, + "ssdeep": { + "ignore_above": 1024, "type": "keyword" }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" + "tlsh": { + "ignore_above": 1024, + "type": "keyword" } } }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" + "interactive": { + "type": "boolean" }, - "elf": { + "io": { "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { + "bytes_skipped": { "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { + "length": { "type": "long" }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { + "offset": { "type": "long" } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" + "type": "object" }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" + "max_bytes_per_process_exceeded": { + "type": "boolean" }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, 
- "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, - "pid": { + "total_bytes_captured": { "type": "long" }, - "start": { - "type": "date" - }, - "vpid": { + "total_bytes_skipped": { "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" }, - "tlsh": { + "type": { "ignore_above": 1024, "type": "keyword" } - } - }, - "interactive": { - "type": "boolean" + }, + "type": "object" }, "macho": { "properties": { 
@@ -4212,450 +4448,14183 @@ "ignore_above": 1024, "type": "keyword" }, - "pe": { + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "parent": { "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { + "args": { "ignore_above": 1024, "type": "keyword" }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { + "args_count": { "type": "long" }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { + "attested_groups": { "properties": { - "entropy": { - "type": "long" - }, - "name": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": 
{ - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { + "attested_user": { "properties": { - "effective": { + "domain": { "ignore_above": 1024, - "synthetic_source_keep": "none", "type": "keyword" }, - "permitted": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 
1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", "type": "keyword" } } }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { + "code_signature": { "properties": { - "major": { - "type": "long" + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "minor": { - "type": "long" - } - } + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + 
"fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + 
"properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + 
"go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" 
+ } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + 
"type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + 
"type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + 
"type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + 
"raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": 
{ + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + 
"text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": 
"float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + 
"reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + 
"properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": 
"float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 
1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + 
"domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + 
"synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + 
"properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + 
"domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + 
"synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 
1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } 
+ }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": 
"flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { 
+ "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": 
"keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + 
"total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + 
"fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": 
"none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + 
} + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + 
"go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 
1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + 
"type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": 
"float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 
1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 
1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": 
"float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "responsible": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + 
"type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + 
"type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + 
"synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + 
"calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + 
"type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + 
"static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + 
"type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + 
"type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + 
"go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { 
+ "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": 
"long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" 
+ }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": 
"float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": 
"match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": 
{ + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "endpoint_security_client": { + "type": "boolean" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, 
+ "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + 
"imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + 
"type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "platform_binary": { + "type": "boolean" + }, + "real_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + 
"calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { 
+ "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" } - }, - "type": "object" - }, - "uptime": { - "type": "long" + } }, - "user": { + "pe": { "properties": { - "id": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "file_version": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - 
"working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" }, - "name": { + "go_import_hash": { "ignore_above": 1024, "type": "keyword" }, - "physical_size": { + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { "type": "long" }, - "var_entropy": { + "go_imports_names_var_entropy": { "type": "long" }, - "virtual_size": { + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" + } }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" + "pid": { + "type": "long" }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" + "platform_binary": { + "type": "boolean" 
}, - "group": { + "real_group": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -4666,57 +18635,160 @@ } } }, - "interactive": { - "type": "boolean" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { + "real_user": { "properties": { - "entity_id": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "pid": { - "type": "long" + "email": { + "ignore_above": 1024, + "type": "keyword" }, - "session_leader": { + "entity": { "properties": { - "entity_id": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "pid": { - "type": "long" + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "start": { + "last_seen_timestamp": { "type": "date" }, - "vpid": { - "type": "long" + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } } }, - "start": { - "type": "date" + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" }, - "vpid": { - "type": "long" + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + 
"type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, - "pid": { - "type": "long" + "same_as_process": { + "type": "boolean" }, - "real_group": { + "saved_group": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -4727,8 +18799,107 @@ } } }, - "real_user": { + "saved_user": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -4741,49 +18912,75 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, - "same_as_process": { - "type": "boolean" + "start": { + "type": "date" }, - "saved_group": { + "supplemental_groups": { "properties": { - "id": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { "id": { "ignore_above": 1024, "type": "keyword" }, "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, "ignore_above": 1024, "type": "keyword" } } }, - "start": { - "type": "date" - }, - "supplemental_groups": { + "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + } + } + }, "id": { - "ignore_above": 1024, - "type": "keyword" + "type": "long" }, "name": { "ignore_above": 1024, @@ -4791,6 +18988,15 @@ } } }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, "tty": { "properties": { "char_device": { 
@@ -4802,12 +19008,120 @@ "type": "long" } } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" } }, "type": "object" }, + "uptime": { + "type": "long" + }, "user": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -4820,6 +19134,35 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" } } }, @@ -4842,6 +19185,10 @@ }, "supplemental_groups": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -4912,6 +19259,105 @@ }, "user": { "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -4921,8 +19367,37 @@ "text": { "type": "match_only_text" } - }, + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { "ignore_above": 1024, + "synthetic_source_keep": "none", "type": "keyword" } } @@ -5168,6 +19643,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "full_name": { "fields": { "text": { 
@@ -5210,6 +19747,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", @@ -5225,6 +19786,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "environment": { "ignore_above": 1024, "type": "keyword" 
@@ -5264,6 +19887,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "environment": { "ignore_above": 1024, "type": "keyword" @@ -5565,6 +20250,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "full_name": { "fields": { "text": { 
@@ -5607,6 +20354,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", @@ -7974,6 +22745,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "full_name": { "fields": { "text": { @@ -8016,6 +22849,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -8037,6 +22894,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "full_name": { "fields": { "text": { @@ -8079,6 +22998,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -8090,6 +23033,68 @@ "ignore_above": 1024, "type": "keyword" }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "full_name": { "fields": { "text": { @@ -8275,6 +23280,30 @@ "ignore_above": 1024, "type": "keyword" }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", From 2b1011a33d4cdc55efacf298d7fa1dc30f689b35 Mon Sep 17 00:00:00 2001 
From: Michael Wolf Date: Thu, 2 Oct 2025 14:51:05 -0700 Subject: [PATCH 08/20] Rebuild generated files --- docs/reference/ecs-field-reference.md | 1 - docs/reference/ecs-otel-alignment-details.md | 10 +- docs/reference/ecs-otel-alignment-overview.md | 3 +- docs/reference/ecs-process.md | 6 - generated/beats/fields.ecs.yml | 36791 ++--------- generated/csv/fields.csv | 3560 -- generated/ecs/ecs_flat.yml | 52584 +-------------- generated/ecs/ecs_nested.yml | 53020 +--------------- .../composable/component/client.json | 86 - .../composable/component/cloud.json | 124 - .../composable/component/destination.json | 86 - .../composable/component/entity.json | 74 - .../composable/component/process.json | 16311 +---- .../composable/component/server.json | 86 - .../composable/component/service.json | 124 - .../composable/component/source.json | 86 - .../composable/component/user.json | 258 - .../elasticsearch/composable/template.json | 5 +- generated/elasticsearch/legacy/template.json | 17367 +---- 19 files changed, 12241 insertions(+), 168341 deletions(-) delete mode 100644 generated/elasticsearch/composable/component/entity.json diff --git a/docs/reference/ecs-field-reference.md b/docs/reference/ecs-field-reference.md index e7422a011a..af78a1b854 100644 --- a/docs/reference/ecs-field-reference.md +++ b/docs/reference/ecs-field-reference.md 
@@ -38,7 +38,6 @@ For a single page representation of all fields, please see the [generated CSV of | [ECS](/reference/ecs-ecs.md) | Meta-information specific to ECS. | | [ELF Header](/reference/ecs-elf.md) | These fields contain Linux Executable Linkable Format (ELF) metadata. | | [Email](/reference/ecs-email.md) | Describes an email transaction. | -| [Entity](/reference/ecs-entity.md) | Fields to describe various types of entities across IT environments. | | [Error](/reference/ecs-error.md) | Fields about errors of any kind. | | [Event](/reference/ecs-event.md) | Fields breaking down the event details. | | [FaaS](/reference/ecs-faas.md) | Fields describing functions as a service. | diff --git a/docs/reference/ecs-otel-alignment-details.md b/docs/reference/ecs-otel-alignment-details.md index 910be29ea5..579643a85d 100644 --- a/docs/reference/ecs-otel-alignment-details.md +++ b/docs/reference/ecs-otel-alignment-details.md 
@@ -158,16 +158,16 @@ The following table gives an overview of mappings between individual ECS fields | $$$otel-mapping-for-process-args-count$$$ [process.args_count](/reference/ecs-process.md#field-process-args-count) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.args_count](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-args-count) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-command-line$$$ [process.command_line](/reference/ecs-process.md#field-process-command-line) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.command_line](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-command-line) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-executable$$$ [process.executable](/reference/ecs-process.md#field-process-executable) | [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.executable.path](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-executable-path) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-process-user-id$$$ process.user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-process-saved-user-id$$$ process.saved_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | 
[process.saved_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-real-user-id$$$ process.real_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.real_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-real-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-process-saved-user-id$$$ process.saved_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-process-user-id$$$ process.user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-interactive$$$ [process.interactive](/reference/ecs-process.md#field-process-interactive) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.interactive](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-interactive) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-process-user-name$$$ process.user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | 
[process.user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-process-saved-user-name$$$ process.saved_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-real-user-name$$$ process.real_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.real_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-real-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-process-saved-user-name$$$ process.saved_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-process-user-name$$$ process.user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-process-group-leader-pid$$$ process.group_leader.pid | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | 
[process.group_leader.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-group-leader-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-pid$$$ [process.pid](/reference/ecs-process.md#field-process-pid) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-session-leader-pid$$$ process.session_leader.pid | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.session_leader.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-session-leader-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-process-group-leader-pid$$$ process.group_leader.pid | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.group_leader.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-group-leader-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-title$$$ [process.title](/reference/ecs-process.md#field-process-title) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.title](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-title) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-uptime$$$ [process.uptime](/reference/ecs-process.md#field-process-uptime) | 
[![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.uptime](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.process.uptime+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-process-vpid$$$ [process.vpid](/reference/ecs-process.md#field-process-vpid) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.vpid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-vpid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | diff --git a/docs/reference/ecs-otel-alignment-overview.md b/docs/reference/ecs-otel-alignment-overview.md index 0343832935..886c26b816 100644 --- a/docs/reference/ecs-otel-alignment-overview.md +++ b/docs/reference/ecs-otel-alignment-overview.md @@ -48,7 +48,6 @@ The following table summarizes the alignment status by namespaces between ECS in | ELF Header | [38](/reference/ecs-elf.md) | · | · | · | · | · | · | · | · | | Email | [19](/reference/ecs-email.md) | · | · | · | · | · | · | · | · | | End User | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/enduser) | · | · | · | · | · | · | | -| Entity | [13](/reference/ecs-entity.md) | · | · | · | · | · | · | · | · | | Error | [5](/reference/ecs-error.md) | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/error) | 1 | 2 | · | · | · | · | · | | Event | [26](/reference/ecs-event.md) | · | · | · | · | · | · | · | · | | Exception | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/exception) | · | · | · | · | · | · | | 
@@ -86,7 +85,7 @@ The following table summarizes the alignment status by namespaces between ECS in
 | Package | [13](/reference/ecs-package.md) | · | · | · | · | · | · | · | · |
 | PE Header | [23](/reference/ecs-pe.md) | · | · | · | · | · | · | · | · |
 | Peer | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/peer) | · | · | · | · | · | · | |
-| Process | [40](/reference/ecs-process.md) | [34](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process) | 15 | 2 | · | · | 1 | · | · |
+| Process | [34](/reference/ecs-process.md) | [34](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process) | 15 | 2 | · | · | 1 | · | · |
 | Profile Frame | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/profile) | · | · | · | · | · | · | |
 | Registry | [7](/reference/ecs-registry.md) | · | · | · | · | · | · | · | · |
 | Related | [4](/reference/ecs-related.md) | · | · | · | · | · | · | · | 4 |
diff --git a/docs/reference/ecs-process.md b/docs/reference/ecs-process.md
index 8438ca3433..1fc7c77613 100644
--- a/docs/reference/ecs-process.md
+++ b/docs/reference/ecs-process.md
@@ -21,9 +21,7 @@ These fields can help you correlate metrics information with a process id/name f
 | $$$field-process-args-count$$$ [process.args_count](#field-process-args-count) | Length of the process.args array.

This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.

type: long

example: `4`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.args_count](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-args-count) | extended |
 | $$$field-process-command-line$$$ [process.command_line](#field-process-command-line) | Full command line that started the process, including the absolute path to the executable, and all arguments.

Some arguments may be filtered to protect sensitive information.

type: wildcard

Multi-fields:

* process.command_line.text (type: match_only_text)

example: `/usr/bin/ssh -l user 10.0.0.16`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.command_line](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-command-line) | extended |
 | $$$field-process-end$$$ [process.end](#field-process-end) | The time the process ended.

type: date

example: `2016-05-23T08:05:34.853Z` | extended |
-| $$$field-process-endpoint-security-client$$$ [process.endpoint_security_client](#field-process-endpoint-security-client) | _This field is beta and subject to change._ Processes that have an endpoint security client must have the com.apple.endpointsecurity entitlement and the value is set to true in the message.

type: boolean | extended |
 | $$$field-process-entity-id$$$ [process.entity_id](#field-process-entity-id) | Unique identifier for the process.

The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.

Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.

type: keyword

example: `c2c455d9f99375d` | extended |
-| $$$field-process-entry-meta-type$$$ [process.entry_meta.type](#field-process-entry-meta-type) | The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console

Note: This field is only set on process.session_leader.

type: keyword | extended |
 | $$$field-process-env-vars$$$ [process.env_vars](#field-process-env-vars) | Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution.

May be filtered to protect sensitive information.

type: keyword

Note: This field should contain an array of values.

example: `["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]` | extended |
 | $$$field-process-executable$$$ [process.executable](#field-process-executable) | Absolute path to the process executable.

type: keyword

Multi-fields:

* process.executable.text (type: match_only_text)

example: `/usr/bin/ssh`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.executable.path](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-executable-path) | extended |
 | $$$field-process-exit-code$$$ [process.exit_code](#field-process-exit-code) | The exit code of the process, if this is a termination event.

The field should be absent if there is no exit code for the event (e.g. process start).

type: long

example: `137` | extended |
@@ -38,11 +36,7 @@ These fields can help you correlate metrics information with a process id/name f
 | $$$field-process-io-total-bytes-skipped$$$ [process.io.total_bytes_skipped](#field-process-io-total-bytes-skipped) | The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero

type: long | extended |
 | $$$field-process-io-type$$$ [process.io.type](#field-process-io-type) | The type of object on which the IO action (read or write) was taken.

Currently only 'tty' is supported. Other types may be added in the future for 'file' and 'socket' support.

type: keyword | extended |
 | $$$field-process-name$$$ [process.name](#field-process-name) | Process name.

Sometimes called program name or similar.

type: keyword

Multi-fields:

* process.name.text (type: match_only_text)

example: `ssh` | extended |
-| $$$field-process-origin-referrer-url$$$ [process.origin_referrer_url](#field-process-origin-referrer-url) | _This field is beta and subject to change._ The URL of the webpage that linked to the process's executable file.

type: keyword

example: `http://example.com/article1.html` | extended |
-| $$$field-process-origin-url$$$ [process.origin_url](#field-process-origin-url) | _This field is beta and subject to change._ The URL where the process's executable file is hosted.

type: keyword

example: `http://example.com/files/example.exe` | extended |
 | $$$field-process-pid$$$ [process.pid](#field-process-pid) | Process id.

type: long

example: `4242`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-pid) | core |
-| $$$field-process-platform-binary$$$ [process.platform_binary](#field-process-platform-binary) | _This field is beta and subject to change._ Binaries that are shipped by the operating system are defined as platform binaries, this value is then set to true.

type: boolean | extended |
-| $$$field-process-same-as-process$$$ [process.same_as_process](#field-process-same-as-process) | This boolean is used to identify if a leader process is the same as the top level process.

For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`.

This field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader)

Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true`

Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.

type: boolean

example: `True` | extended |
 | $$$field-process-start$$$ [process.start](#field-process-start) | The time the process started.

type: date

example: `2016-05-23T08:05:34.853Z` | extended |
 | $$$field-process-thread-capabilities-effective$$$ [process.thread.capabilities.effective](#field-process-thread-capabilities-effective) | This is the set of capabilities used by the kernel to perform permission checks for the thread.

type: keyword

Note: This field should contain an array of values.

example: `["CAP_BPF", "CAP_SYS_ADMIN"]` | extended |
 | $$$field-process-thread-capabilities-permitted$$$ [process.thread.capabilities.permitted](#field-process-thread-capabilities-permitted) | This is a limiting superset for the effective capabilities that the thread may assume.

type: keyword

Note: This field should contain an array of values.

example: `["CAP_BPF", "CAP_SYS_ADMIN"]` | extended |
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 2c068b190a..4826341eee 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -353,126 +353,6 @@ type: keyword ignore_above: 1024 description: User email address. - - name: user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. 
Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. 
This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - name: user.full_name level: extended type: keyword 
@@ -525,52 +405,6 @@ default_field: false description: Short name or login of the user. example: a.einstein - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: user.roles level: extended type: keyword 
@@ -626,304 +460,64 @@ ignore_above: 1024 description: Availability zone in which this host, resource, or service is located. example: us-east-1c - - name: entity.attributes + - name: instance.id level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: entity.behavior + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entity.display_name + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: entity.id - level: core + description: Machine type of the host machine. + example: t2.medium + - name: origin.account.id + level: extended type: keyword ignore_above: 1024 - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' + description: 'The cloud account or organization id used to identify different + entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 default_field: false - - name: entity.last_seen_timestamp + - name: origin.account.name level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. + type: keyword + ignore_above: 1024 + description: 'The cloud account name or alias used to identify different entities + in a multi-tenant environment. + + Examples: AWS account name, Google Cloud ORG display name.' + example: elastic-dev default_field: false - - name: entity.lifecycle + - name: origin.availability_zone level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. + type: keyword + ignore_above: 1024 + description: Availability zone in which this host, resource, or service is located. + example: us-east-1c default_field: false - - name: entity.metrics + - name: origin.instance.id level: extended - type: object - description: Field set for any fields containing numeric entity metrics. 
These - use dynamic field data type mapping. - default_field: false - - name: entity.name - level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. + description: Instance ID of the host machine. + example: i-1234567890abcdef0 default_field: false - - name: entity.raw + - name: origin.instance.name level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. default_field: false - - name: entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: origin.account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different - entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - default_field: false - - name: origin.account.name - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account name or alias used to identify different entities - in a multi-tenant environment. - - Examples: AWS account name, Google Cloud ORG display name.' - example: elastic-dev - default_field: false - - name: origin.availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host, resource, or service is located. - example: us-east-1c - default_field: false - - name: origin.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. 
Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: origin.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: origin.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: origin.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- default_field: false - - name: origin.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: origin.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: origin.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: origin.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: origin.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: origin.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- default_field: false - - name: origin.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: origin.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: origin.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: origin.instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - default_field: false - - name: origin.instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - default_field: false - - name: origin.machine.type + - name: origin.machine.type level: extended type: keyword ignore_above: 1024 
@@ -1598,149 +1192,29 @@ type: keyword ignore_above: 1024 description: User email address. - - name: user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: user.entity.display_name + - name: user.full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: user.entity.id - level: core + type: match_only_text + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: user.group.domain + level: extended type: keyword ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). 
For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: user.entity.lifecycle + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: user.group.id level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- default_field: false - - name: user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: User's full name, if available. - example: Albert Einstein - - name: user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- - name: user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: user.group.name + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: user.group.name level: extended type: keyword ignore_above: 1024 
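Review bot: The removed side of this hunk drops every `user.entity.*` field (attributes through type) although nothing in the retained `user.full_name`/`user.group.*` block depends on that removal, and the same unrelated deletions recur in the hunks at `@@ -1770,52` (all `user.risk.*`), `@@ -2710,137` (the whole `entity` field set), `@@ -5976,294` (`process.attested_user.*` and `process.attested_groups.*`) and `@@ -6597,12` (`endpoint_security_client`). This looks like the generated file was rebuilt from a base that predates those fields rather than a deliberate schema change; regenerating after a rebase onto current main should leave only the gen_ai additions in the diff. If the removals are intended, they need their own RFC stage and changelog entry, since risk scores, entity identifiers and attested user fields are consumed directly by detection and entity-analytics content. On the kept lines, `default_field: false` is now emitted between `multi_fields` and `description` for `user.full_name`; harmless for consumers but worth confirming it is the generator's ordering and not a hand edit.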
@@ -1770,52 +1244,6 @@ default_field: false description: Short name or login of the user. example: a.einstein - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: user.roles level: extended type: keyword 
@@ -2710,137 +2138,6 @@ original email message. example: Spambot v2.5 default_field: false - - name: entity - title: Entity - group: 2 - description: The entity fields provide a standardized way to represent and categorize - different types of components within an IT environment, including those that - don't have dedicated field sets in ECS. An entity represents a discrete, identifiable - component that can be described by a set of attributes and maintains its identity - over time. - type: group - default_field: true - fields: - - name: attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - name: error title: Error group: 2 
@@ -5976,294 +5273,30 @@ indication of suspicious activity.' example: 4 default_field: false - - name: attested_groups.domain + - name: code_signature.digest_algorithm level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. + description: 'The hashing algorithm used to sign the process. - For example, an LDAP or Active Directory domain name.' + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 default_field: false - - name: attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' default_field: false - - name: attested_groups.name + - name: code_signature.flags level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: The flags used to sign the process. + example: 570522385 default_field: false - - name: attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: attested_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- default_field: false - - name: attested_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: attested_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: attested_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: attested_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: attested_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: attested_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: attested_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: attested_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: attested_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: attested_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). 
- default_field: false - - name: attested_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: attested_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - default_field: false - - name: attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: code_signature.signing_id + - name: code_signature.signing_id level: extended type: keyword ignore_above: 1024 @@ -6597,12 +5630,6 @@ description: The time the process ended. example: '2016-05-23T08:05:34.853Z' default_field: false - - name: endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - name: entity_id level: extended type: keyword 
@@ -6638,208 +5665,225 @@ indication of suspicious activity.' example: 4 default_field: false - - name: entry_leader.attested_groups.domain + - name: entry_leader.attested_groups.name level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' + description: Name of the group. default_field: false - - name: entry_leader.attested_groups.id - level: extended + - name: entry_leader.attested_user.id + level: core type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.attested_groups.name - level: extended - type: keyword + - name: entry_leader.attested_user.name + level: core + type: keyword ignore_above: 1024 - description: Name of the group. + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: entry_leader.attested_user.domain + - name: entry_leader.command_line level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. - For example, an LDAP or Active Directory domain name.' + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - - name: entry_leader.attested_user.email + - name: entry_leader.entity_id level: extended type: keyword ignore_above: 1024 - description: User email address. + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d default_field: false - - name: entry_leader.attested_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. + - name: entry_leader.entry_meta.source.ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). default_field: false - - name: entry_leader.attested_user.entity.behavior + - name: entry_leader.entry_meta.type level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. + type: keyword + ignore_above: 1024 + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' 
default_field: false - - name: entry_leader.attested_user.entity.display_name + - name: entry_leader.executable level: extended type: keyword ignore_above: 1024 multi_fields: - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh default_field: false - - name: entry_leader.attested_user.entity.id - level: core + - name: entry_leader.group.id + level: extended type: keyword ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.attested_user.entity.last_seen_timestamp + - name: entry_leader.group.name level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. + type: keyword + ignore_above: 1024 + description: Name of the group. default_field: false - - name: entry_leader.attested_user.entity.lifecycle + - name: entry_leader.interactive level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true default_field: false - - name: entry_leader.attested_user.entity.metrics + - name: entry_leader.name level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: entry_leader.attested_user.entity.name - level: core type: keyword ignore_above: 1024 multi_fields: - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: entry_leader.attested_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
+ type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh default_field: false - - name: entry_leader.attested_user.entity.reference + - name: entry_leader.parent.entity_id level: extended type: keyword ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d default_field: false - - name: entry_leader.attested_user.entity.source + - name: entry_leader.parent.pid level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + type: long + format: string + description: Process id. + example: 4242 default_field: false - - name: entry_leader.attested_user.entity.sub_type + - name: entry_leader.parent.session_leader.entity_id level: extended type: keyword ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d default_field: false - - name: entry_leader.attested_user.entity.type + - name: entry_leader.parent.session_leader.pid level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host + type: long + format: string + description: Process id. + example: 4242 default_field: false - - name: entry_leader.attested_user.full_name + - name: entry_leader.parent.session_leader.start level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' default_field: false - - name: entry_leader.attested_user.group.domain + - name: entry_leader.parent.session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: entry_leader.parent.start level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. 
+ type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: entry_leader.parent.vpid + level: core + type: long + format: string + description: 'Virtual process id. - For example, an LDAP or Active Directory domain name.' + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: entry_leader.pid + level: core + type: long + format: string + description: Process id. + example: 4242 default_field: false - - name: entry_leader.attested_user.group.id + - name: entry_leader.real_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.attested_user.group.name + - name: entry_leader.real_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: entry_leader.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.attested_user.id + - name: entry_leader.real_user.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.attested_user.name + - name: entry_leader.real_user.name level: core type: keyword ignore_above: 1024 
@@ -6849,153 +5893,201 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: entry_leader.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.attested_user.risk.calculated_score + - name: entry_leader.same_as_process level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. 
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true default_field: false - - name: entry_leader.attested_user.risk.static_level + - name: entry_leader.saved_group.id level: extended type: keyword ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.attested_user.risk.static_score + - name: entry_leader.saved_group.name level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: entry_leader.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: entry_leader.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein default_field: false - - name: entry_leader.attested_user.risk.static_score_norm + - name: entry_leader.start level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' default_field: false - - name: entry_leader.attested_user.roles + - name: entry_leader.supplemental_groups.id level: extended type: keyword ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.code_signature.digest_algorithm + - name: entry_leader.supplemental_groups.name level: extended type: keyword ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 + description: Name of the group. default_field: false - - name: entry_leader.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' + - name: entry_leader.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: entry_leader.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. 
+ example: 4 default_field: false - - name: entry_leader.code_signature.flags + - name: entry_leader.tty.char_device.minor level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: entry_leader.user.id + level: core type: keyword ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.code_signature.signing_id - level: extended + - name: entry_leader.user.name + level: core type: keyword ignore_above: 1024 - description: 'The identifier used to sign the process. + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: entry_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 default_field: false - - name: entry_leader.code_signature.status + - name: entry_leader.working_directory level: extended type: keyword ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' 
- example: ERROR_UNTRUSTED_ROOT + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice default_field: false - - name: entry_leader.code_signature.subject_name - level: core + - name: env_vars + level: extended type: keyword ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. + + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' default_field: false - - name: entry_leader.code_signature.team_id + - name: executable level: extended type: keyword ignore_above: 1024 - description: 'The team identifier used to sign the process. + multi_fields: + - name: text + type: match_only_text + default_field: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + - name: exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 default_field: false - - name: entry_leader.code_signature.thumbprint_sha256 + - name: group.id level: extended type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.code_signature.timestamp + - name: group.name level: extended - type: date - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' + type: keyword + ignore_above: 1024 + description: Name of the group. default_field: false - - name: entry_leader.code_signature.trusted + - name: group_leader.args level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - - name: entry_leader.code_signature.valid + - name: group_leader.args_count level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. + type: long + description: 'Length of the process.args array. - Leave unpopulated if a certificate was unchecked.' - example: 'true' + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 default_field: false - - name: entry_leader.command_line + - name: group_leader.command_line level: extended type: wildcard multi_fields: 
@@ -7007,690 +6099,655 @@ Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - - name: entry_leader.elf.architecture + - name: group_leader.entity_id level: extended type: keyword ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d default_field: false - - name: entry_leader.elf.byte_order + - name: group_leader.executable level: extended type: keyword ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh default_field: false - - name: entry_leader.elf.cpu_type + - name: group_leader.group.id level: extended type: keyword ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: entry_leader.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: entry_leader.elf.exports - level: extended - type: flattened - description: List of exported element names and types. + description: Unique identifier for the group on the system/platform. 
default_field: false - - name: entry_leader.elf.go_import_hash + - name: group_leader.group.name level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 + description: Name of the group. default_field: false - - name: entry_leader.elf.go_imports + - name: group_leader.interactive level: extended - type: flattened - description: List of imported Go language element names and types. + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true default_field: false - - name: entry_leader.elf.go_imports_names_entropy + - name: group_leader.name level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh default_field: false - - name: entry_leader.elf.go_imports_names_var_entropy - level: extended + - name: group_leader.pid + level: core type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. + format: string + description: Process id. + example: 4242 default_field: false - - name: entry_leader.elf.go_stripped + - name: group_leader.real_group.id level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.elf.header.abi_version + - name: group_leader.real_group.name level: extended type: keyword ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). + description: Name of the group. default_field: false - - name: entry_leader.elf.header.class - level: extended + - name: group_leader.real_user.id + level: core type: keyword ignore_above: 1024 - description: Header class of the ELF file. + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.elf.header.data - level: extended + - name: group_leader.real_user.name + level: core type: keyword ignore_above: 1024 - description: Data table of the ELF header. + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: entry_leader.elf.header.entrypoint + - name: group_leader.same_as_process level: extended - type: long - format: string - description: Header entrypoint of the ELF file. + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. 
+ + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true default_field: false - - name: entry_leader.elf.header.object_version + - name: group_leader.saved_group.id level: extended type: keyword ignore_above: 1024 - description: '"0x1" for original ELF files.' + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.elf.header.os_abi + - name: group_leader.saved_group.name level: extended type: keyword ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. + description: Name of the group. default_field: false - - name: entry_leader.elf.header.type - level: extended + - name: group_leader.saved_user.id + level: core type: keyword ignore_above: 1024 - description: Header type of the ELF file. + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: group_leader.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: group_leader.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' default_field: false - - name: entry_leader.elf.header.version + - name: group_leader.supplemental_groups.id level: extended type: keyword ignore_above: 1024 - description: Version of the ELF header. + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.elf.import_hash + - name: group_leader.supplemental_groups.name level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e + description: Name of the group. default_field: false - - name: entry_leader.elf.imports + - name: group_leader.tty level: extended - type: flattened - description: List of imported element names and types. + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. default_field: false - - name: entry_leader.elf.imports_names_entropy + - name: group_leader.tty.char_device.major level: extended type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. + description: The major number identifies the driver associated with the device. 
+ The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 default_field: false - - name: entry_leader.elf.imports_names_var_entropy + - name: group_leader.tty.char_device.minor level: extended type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 default_field: false - - name: entry_leader.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' + - name: group_leader.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. + - name: group_leader.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: entry_leader.elf.sections.entropy - level: extended + - name: group_leader.vpid + level: core type: long - format: number - description: Shannon entropy calculation from the section. + format: string + description: 'Virtual process id. + + The process id within a pid namespace. 
This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 default_field: false - - name: entry_leader.elf.sections.flags + - name: group_leader.working_directory level: extended type: keyword ignore_above: 1024 - description: ELF Section List flags. + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice default_field: false - - name: entry_leader.elf.sections.name + - name: hash.cdhash level: extended type: keyword ignore_above: 1024 - description: ELF Section List name. + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 default_field: false - - name: entry_leader.elf.sections.physical_offset + - name: hash.md5 level: extended type: keyword ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: entry_leader.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: entry_leader.elf.sections.type + description: MD5 hash. + - name: hash.sha1 level: extended type: keyword ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: entry_leader.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: entry_leader.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. 
- default_field: false - - name: entry_leader.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: entry_leader.elf.segments.sections + description: SHA1 hash. + - name: hash.sha256 level: extended type: keyword ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: entry_leader.elf.segments.type + description: SHA256 hash. + - name: hash.sha384 level: extended type: keyword ignore_above: 1024 - description: ELF object segment type. + description: SHA384 hash. default_field: false - - name: entry_leader.elf.shared_libraries + - name: hash.sha512 level: extended type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: entry_leader.elf.telfhash + description: SHA512 hash. + - name: hash.ssdeep level: extended type: keyword ignore_above: 1024 - description: telfhash symbol hash for ELF file. + description: SSDEEP hash. default_field: false - - name: entry_leader.end + - name: hash.tlsh level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' + type: keyword + ignore_above: 1024 + description: TLSH hash. default_field: false - - name: entry_leader.endpoint_security_client + - name: interactive level: extended type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: entry_leader.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. + description: 'Whether the process is connected to an interactive shell. 
- The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true default_field: false - - name: entry_leader.entry_meta.source.address + - name: io level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. + type: object + description: 'A chunk of input or output (IO) from a single process. - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' + This field only appears on the top level process object, which is the process + that wrote the output or read the input.' default_field: false - - name: entry_leader.entry_meta.source.as.number + - name: io.bytes_skipped level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. 
- example: 15169
+ type: object
+ description: An array of byte offsets and lengths denoting where IO data has
+ been skipped.
  default_field: false
- - name: entry_leader.entry_meta.source.as.organization.name
+ - name: io.bytes_skipped.length
  level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: match_only_text
- description: Organization name.
- example: Google LLC
- default_field: false
- - name: entry_leader.entry_meta.source.bytes
- level: core
  type: long
- format: bytes
- description: Bytes sent from the source to the destination.
- example: 184
- default_field: false
- - name: entry_leader.entry_meta.source.domain
- level: core
- type: keyword
- ignore_above: 1024
- description: 'The domain name of the source system.
-
- This value may be a host name, a fully qualified domain name, or another host
- naming format. The value may derive from the original event or be added from
- enrichment.'
- example: foo.example.com
- default_field: false
- - name: entry_leader.entry_meta.source.geo.city_name
- level: core
- type: keyword
- ignore_above: 1024
- description: City name.
- example: Montreal
+ description: The length of bytes skipped.
  default_field: false
- - name: entry_leader.entry_meta.source.geo.continent_code
- level: core
- type: keyword
- ignore_above: 1024
- description: Two-letter code representing continent's name.
- example: NA
+ - name: io.bytes_skipped.offset
+ level: extended
+ type: long
+ description: The byte offset into this event's io.text (or io.bytes in the future)
+ where length bytes were skipped.
  default_field: false
- - name: entry_leader.entry_meta.source.geo.continent_name
- level: core
- type: keyword
- ignore_above: 1024
- description: Name of the continent.
- example: North America
+ - name: io.max_bytes_per_process_exceeded
+ level: extended
+ type: boolean
+ description: If true, the process producing the output has exceeded the max_kilobytes_per_process
+ configuration setting.
default_field: false - - name: entry_leader.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA + - name: io.text + level: extended + type: wildcard + description: 'A chunk of output or input sanitized to UTF-8. + + Best efforts are made to ensure complete lines are captured in these events. + Assumptions should NOT be made that multiple lines will appear in the same + event. TTY output may contain terminal control codes such as for cursor movement, + so some string queries may not match due to terminal codes inserted between + characters of a word.' default_field: false - - name: entry_leader.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada + - name: io.total_bytes_captured + level: extended + type: long + description: The total number of bytes captured in this event. default_field: false - - name: entry_leader.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: io.total_bytes_skipped + level: extended + type: long + description: The total number of bytes that were not captured due to implementation + restrictions such as buffer size limits. Implementors should strive to ensure + this value is always zero default_field: false - - name: entry_leader.entry_meta.source.geo.name + - name: io.type level: extended type: keyword ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. + description: 'The type of object on which the IO action (read or write) was + taken. - Not typically used in automated geolocation.' - example: boston-dc + Currently only ''tty'' is supported. 
Other types may be added in the future + for ''file'' and ''socket'' support.' default_field: false - - name: entry_leader.entry_meta.source.geo.postal_code - level: core + - name: macho.go_import_hash + level: extended type: keyword ignore_above: 1024 - description: 'Postal code associated with the location. + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: entry_leader.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC + - name: macho.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. default_field: false - - name: entry_leader.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec + - name: macho.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: entry_leader.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. 
- example: America/Argentina/Buenos_Aires + - name: macho.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: entry_leader.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). + - name: macho.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: entry_leader.entry_meta.source.mac - level: core + - name: macho.import_hash + level: extended type: keyword ignore_above: 1024 - description: 'MAC address of the source. + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: entry_leader.entry_meta.source.nat.ip + - name: macho.imports level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' + type: flattened + description: List of imported element names and types. default_field: false - - name: entry_leader.entry_meta.source.nat.port + - name: macho.imports_names_entropy level: extended type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. 
internal client
- to internet)
-
- Typically used with load balancers, firewalls, or routers.'
+ format: number
+ description: Shannon entropy calculation from the list of imported element names
+ and types.
  default_field: false
- - name: entry_leader.entry_meta.source.packets
- level: core
+ - name: macho.imports_names_var_entropy
+ level: extended
  type: long
- description: Packets sent from the source to the destination.
- example: 12
+ format: number
+ description: Variance for Shannon entropy calculation from the list of imported
+ element names and types.
  default_field: false
- - name: entry_leader.entry_meta.source.port
- level: core
+ - name: macho.sections
+ level: extended
+ type: nested
+ description: 'An array containing an object for each section of the Mach-O file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `macho.sections.*`.'
+ default_field: false
+ - name: macho.sections.entropy
+ level: extended
  type: long
- format: string
- description: Port of the source.
+ format: number
+ description: Shannon entropy calculation from the section.
  default_field: false
- - name: entry_leader.entry_meta.source.registered_domain
+ - name: macho.sections.name
  level: extended
  type: keyword
  ignore_above: 1024
- description: 'The highest registered source domain, stripped of the subdomain.
-
- For example, the registered domain for "foo.example.com" is "example.com".
-
- This value can be determined precisely with a list like the public suffix
- list (https://publicsuffix.org). Trying to approximate this by simply taking
- the last two labels will not work well for TLDs such as "co.uk".'
- example: example.com
+ description: Mach-O Section List name.
  default_field: false
- - name: entry_leader.entry_meta.source.subdomain
+ - name: macho.sections.physical_size
  level: extended
- type: keyword
- ignore_above: 1024
- description: 'The subdomain portion of a fully qualified domain name includes
- all of the names except the host name under the registered_domain. In a partially
- qualified domain, or if the the qualification level of the full name cannot
- be determined, subdomain contains all of the names below the registered domain.
-
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
- the subdomain field should contain "sub2.sub1", with no trailing period.'
- example: east
+ type: long
+ format: bytes
+ description: Mach-O Section List physical size.
  default_field: false
- - name: entry_leader.entry_meta.source.top_level_domain
+ - name: macho.sections.var_entropy
  level: extended
- type: keyword
- ignore_above: 1024
- description: 'The effective top level domain (eTLD), also known as the domain
- suffix, is the last part of the domain name. For example, the top level domain
- for example.com is "com".
-
- This value can be determined precisely with a list like the public suffix
- list (https://publicsuffix.org). Trying to approximate this by simply taking
- the last label will not work well for effective TLDs such as "co.uk".'
- example: co.uk
+ type: long
+ format: number
+ description: Variance for Shannon entropy calculation from the section.
  default_field: false
- - name: entry_leader.entry_meta.type
+ - name: macho.sections.virtual_size
  level: extended
- type: keyword
- ignore_above: 1024
- description: 'The entry type for the entry session leader. Values include: init(e.g
- systemd), sshd, ssm, kubelet, teleport, terminal, console
-
- Note: This field is only set on process.session_leader.'
+ type: long
+ format: string
+ description: Mach-O Section List virtual size.
This is always the same as `physical_size`. default_field: false - - name: entry_leader.env_vars + - name: macho.symhash level: extended type: keyword ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec default_field: false - - name: entry_leader.executable + - name: name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh - default_field: false - - name: entry_leader.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. + default_field: false + description: 'Process name. - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: entry_leader.group.domain + Sometimes called program name or similar.' + example: ssh + - name: parent.args level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. + description: 'Array of process arguments, starting with the absolute path to + the executable. - For example, an LDAP or Active Directory domain name.' + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
  default_field: false
- - name: entry_leader.group.id
+ - name: parent.args_count
  level: extended
- type: keyword
- ignore_above: 1024
- description: Unique identifier for the group on the system/platform.
+ type: long
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how
+ many arguments were provided to start a process. More arguments may be an
+ indication of suspicious activity.'
+ example: 4
  default_field: false
- - name: entry_leader.group.name
+ - name: parent.code_signature.digest_algorithm
  level: extended
  type: keyword
  ignore_above: 1024
- description: Name of the group.
+ description: 'The hashing algorithm used to sign the process.
+
+ This value can distinguish signatures when a file is signed multiple times
+ by the same signer but with a different digest algorithm.'
+ example: sha256
  default_field: false
- - name: entry_leader.hash.cdhash
- level: extended
- type: keyword
- ignore_above: 1024
- description: Code directory hash, utilized to uniquely identify and authenticate
- the integrity of the executable code.
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ - name: parent.code_signature.exists
+ level: core
+ type: boolean
+ description: Boolean to capture if a signature is present.
+ example: 'true'
  default_field: false
- - name: entry_leader.hash.md5
+ - name: parent.code_signature.flags
  level: extended
  type: keyword
  ignore_above: 1024
- description: MD5 hash.
+ description: The flags used to sign the process.
+ example: 570522385
  default_field: false
- - name: entry_leader.hash.sha1
+ - name: parent.code_signature.signing_id
  level: extended
  type: keyword
  ignore_above: 1024
- description: SHA1 hash.
+ description: 'The identifier used to sign the process.
+
+ This is used to identify the application manufactured by a software vendor.
+ The field is relevant to Apple *OS only.'
+ example: com.apple.xpc.proxy
  default_field: false
- - name: entry_leader.hash.sha256
+ - name: parent.code_signature.status
  level: extended
  type: keyword
  ignore_above: 1024
- description: SHA256 hash.
+ description: 'Additional information about the certificate status.
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status. Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
  default_field: false
- - name: entry_leader.hash.sha384
- level: extended
+ - name: parent.code_signature.subject_name
+ level: core
  type: keyword
  ignore_above: 1024
- description: SHA384 hash.
+ description: Subject name of the code signer
+ example: Microsoft Corporation
  default_field: false
- - name: entry_leader.hash.sha512
+ - name: parent.code_signature.team_id
  level: extended
  type: keyword
  ignore_above: 1024
- description: SHA512 hash.
+ description: 'The team identifier used to sign the process.
+
+ This is used to identify the team or vendor of a software product. The field
+ is relevant to Apple *OS only.'
+ example: EQHXZ8M8AV
  default_field: false
- - name: entry_leader.hash.ssdeep
+ - name: parent.code_signature.thumbprint_sha256
  level: extended
  type: keyword
- ignore_above: 1024
- description: SSDEEP hash.
+ ignore_above: 64
+ description: Certificate SHA256 hash that uniquely identifies the code signer.
+ example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+ pattern: ^[0-9a-f]{64}$
  default_field: false
- - name: entry_leader.hash.tlsh
+ - name: parent.code_signature.timestamp
  level: extended
- type: keyword
- ignore_above: 1024
- description: TLSH hash.
+ type: date
+ description: Date and time when the code signature was generated and signed.
+ example: '2021-01-01T12:10:30Z' default_field: false - - name: entry_leader.interactive + - name: parent.code_signature.trusted level: extended type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: entry_leader.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. + description: 'Stores the trust status of the certificate chain. - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: entry_leader.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: entry_leader.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: entry_leader.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' 
+ example: 'true' default_field: false - - name: entry_leader.io.max_bytes_per_process_exceeded + - name: parent.code_signature.valid level: extended type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' default_field: false - - name: entry_leader.io.text + - name: parent.command_line level: extended type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - - name: entry_leader.io.total_bytes_captured + - name: parent.elf.architecture level: extended - type: long - description: The total number of bytes captured in this event. + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 default_field: false - - name: entry_leader.io.total_bytes_skipped + - name: parent.elf.byte_order level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. 
+ example: Little Endian default_field: false - - name: entry_leader.io.type + - name: parent.elf.cpu_type level: extended type: keyword ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: parent.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: parent.elf.exports + level: extended + type: flattened + description: List of exported element names and types. default_field: false - - name: entry_leader.macho.go_import_hash + - name: parent.elf.go_import_hash level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard + description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
@@ -7699,561 +6756,524 @@ are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: entry_leader.macho.go_imports + - name: parent.elf.go_imports level: extended type: flattened description: List of imported Go language element names and types. default_field: false - - name: entry_leader.macho.go_imports_names_entropy + - name: parent.elf.go_imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: entry_leader.macho.go_imports_names_var_entropy + - name: parent.elf.go_imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: entry_leader.macho.go_stripped + - name: parent.elf.go_stripped level: extended type: boolean description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: entry_leader.macho.import_hash + - name: parent.elf.header.abi_version level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: parent.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: parent.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. 
+ default_field: false + - name: parent.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: parent.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: parent.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: parent.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: parent.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: parent.elf.import_hash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: entry_leader.macho.imports + - name: parent.elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false - - name: entry_leader.macho.imports_names_entropy + - name: parent.elf.imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of imported element names and types. default_field: false - - name: entry_leader.macho.imports_names_var_entropy + - name: parent.elf.imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of imported element names and types. 
default_field: false - - name: entry_leader.macho.sections + - name: parent.elf.sections level: extended type: nested - description: 'An array containing an object for each section of the Mach-O file. + description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' + underneath `elf.sections.*`.' + default_field: false + - name: parent.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. default_field: false - - name: entry_leader.macho.sections.entropy + - name: parent.elf.sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. default_field: false - - name: entry_leader.macho.sections.name + - name: parent.elf.sections.flags level: extended type: keyword ignore_above: 1024 - description: Mach-O Section List name. + description: ELF Section List flags. + default_field: false + - name: parent.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: parent.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. default_field: false - - name: entry_leader.macho.sections.physical_size + - name: parent.elf.sections.physical_size level: extended type: long format: bytes - description: Mach-O Section List physical size. + description: ELF Section List physical size. + default_field: false + - name: parent.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. default_field: false - - name: entry_leader.macho.sections.var_entropy + - name: parent.elf.sections.var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the section. 
default_field: false - - name: entry_leader.macho.sections.virtual_size + - name: parent.elf.sections.virtual_address level: extended type: long format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. + description: ELF Section List virtual address. default_field: false - - name: entry_leader.macho.symhash + - name: parent.elf.sections.virtual_size level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: parent.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' default_field: false - - name: entry_leader.name + - name: parent.elf.segments.sections level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh + description: ELF object segment sections. default_field: false - - name: entry_leader.origin_referrer_url + - name: parent.elf.segments.type level: extended type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html + ignore_above: 1024 + description: ELF object segment type. 
default_field: false - - name: entry_leader.origin_url + - name: parent.elf.shared_libraries level: extended type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe + ignore_above: 1024 + description: List of shared libraries used by this ELF object. default_field: false - - name: entry_leader.parent.args + - name: parent.elf.telfhash level: extended type: keyword ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + description: telfhash symbol hash for ELF file. default_field: false - - name: entry_leader.parent.args_count + - name: parent.end level: extended - type: long - description: 'Length of the process.args array. + type: date + description: The time the process ended. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: parent.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d default_field: false - - name: entry_leader.parent.attested_groups.domain + - name: parent.executable level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: parent.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. - For example, an LDAP or Active Directory domain name.' + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 default_field: false - - name: entry_leader.parent.attested_groups.id + - name: parent.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.parent.attested_groups.name + - name: parent.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: entry_leader.parent.attested_user.domain + - name: parent.group_leader.entity_id level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. + description: 'Unique identifier for the process. - For example, an LDAP or Active Directory domain name.' + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: parent.group_leader.pid + level: core + type: long + format: string + description: Process id. 
+ example: 4242 + default_field: false + - name: parent.group_leader.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' default_field: false - - name: entry_leader.parent.attested_user.email + - name: parent.group_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: parent.hash.cdhash level: extended type: keyword ignore_above: 1024 - description: User email address. + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 default_field: false - - name: entry_leader.parent.attested_user.entity.attributes + - name: parent.hash.md5 level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. + type: keyword + ignore_above: 1024 + description: MD5 hash. default_field: false - - name: entry_leader.parent.attested_user.entity.behavior + - name: parent.hash.sha1 level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. + type: keyword + ignore_above: 1024 + description: SHA1 hash. 
default_field: false - - name: entry_leader.parent.attested_user.entity.display_name + - name: parent.hash.sha256 level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). + description: SHA256 hash. default_field: false - - name: entry_leader.parent.attested_user.entity.id - level: core + - name: parent.hash.sha384 + level: extended type: keyword ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: entry_leader.parent.attested_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: entry_leader.parent.attested_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. + description: SHA384 hash. 
default_field: false - - name: entry_leader.parent.attested_user.entity.metrics + - name: parent.hash.sha512 level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: entry_leader.parent.attested_user.entity.name - level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: entry_leader.parent.attested_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. + description: SHA512 hash. default_field: false - - name: entry_leader.parent.attested_user.entity.reference + - name: parent.hash.ssdeep level: extended type: keyword ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. + description: SSDEEP hash. default_field: false - - name: entry_leader.parent.attested_user.entity.source - level: core + - name: parent.hash.tlsh + level: extended type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: TLSH hash. 
default_field: false - - name: entry_leader.parent.attested_user.entity.sub_type + - name: parent.interactive level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true default_field: false - - name: entry_leader.parent.attested_user.entity.type - level: core + - name: parent.macho.go_import_hash + level: extended type: keyword ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. 
An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: entry_leader.parent.attested_user.full_name + - name: parent.macho.go_imports level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein + type: flattened + description: List of imported Go language element names and types. default_field: false - - name: entry_leader.parent.attested_user.group.domain + - name: parent.macho.go_imports_names_entropy level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: entry_leader.parent.attested_user.group.id + - name: parent.macho.go_imports_names_var_entropy level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: entry_leader.parent.attested_user.group.name + - name: parent.macho.go_stripped level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
default_field: false - - name: entry_leader.parent.attested_user.hash + - name: parent.macho.import_hash level: extended type: keyword ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' + This is a synonym for symhash.' + example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: entry_leader.parent.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + - name: parent.macho.imports + level: extended + type: flattened + description: List of imported element names and types. default_field: false - - name: entry_leader.parent.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + - name: parent.macho.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. default_field: false - - name: entry_leader.parent.attested_user.risk.calculated_level + - name: parent.macho.imports_names_var_entropy level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
default_field: false - - name: entry_leader.parent.attested_user.risk.calculated_score + - name: parent.macho.sections level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 + type: nested + description: 'An array containing an object for each section of the Mach-O file. + + The keys that should be present in these objects are defined by sub-fields + underneath `macho.sections.*`.' default_field: false - - name: entry_leader.parent.attested_user.risk.calculated_score_norm + - name: parent.macho.sections.entropy level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 + type: long + format: number + description: Shannon entropy calculation from the section. default_field: false - - name: entry_leader.parent.attested_user.risk.static_level + - name: parent.macho.sections.name level: extended type: keyword ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High + description: Mach-O Section List name. default_field: false - - name: entry_leader.parent.attested_user.risk.static_score + - name: parent.macho.sections.physical_size level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 + type: long + format: bytes + description: Mach-O Section List physical size. 
default_field: false - - name: entry_leader.parent.attested_user.risk.static_score_norm + - name: parent.macho.sections.var_entropy level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: parent.macho.sections.virtual_size + level: extended + type: long + format: string + description: Mach-O Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: entry_leader.parent.attested_user.roles + - name: parent.macho.symhash level: extended type: keyword ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' + description: 'A hash of the imports in a Mach-O file. An import hash can be + used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + This is a Mach-O implementation of the Windows PE imphash' + example: d3ccf195b62a9279c3c19af1080497ec default_field: false - - name: entry_leader.parent.code_signature.digest_algorithm + - name: parent.name level: extended type: keyword ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. + multi_fields: + - name: text + type: match_only_text + description: 'Process name. - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: entry_leader.parent.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' + Sometimes called program name or similar.' 
+ example: ssh default_field: false - - name: entry_leader.parent.code_signature.flags + - name: parent.pe.architecture level: extended type: keyword ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 + description: CPU architecture target for the file. + example: x64 default_field: false - - name: entry_leader.parent.code_signature.signing_id + - name: parent.pe.company level: extended type: keyword ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation default_field: false - - name: entry_leader.parent.code_signature.status + - name: parent.pe.description level: extended type: keyword ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: entry_leader.parent.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: entry_leader.parent.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: entry_leader.parent.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: entry_leader.parent.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: entry_leader.parent.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: entry_leader.parent.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: entry_leader.parent.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: entry_leader.parent.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: entry_leader.parent.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian + description: Internal description of the file, provided at compile-time. 
+ example: Paint default_field: false - - name: entry_leader.parent.elf.cpu_type + - name: parent.pe.file_version level: extended type: keyword ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: entry_leader.parent.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: entry_leader.parent.elf.exports - level: extended - type: flattened - description: List of exported element names and types. + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: entry_leader.parent.elf.go_import_hash + - name: parent.pe.go_import_hash level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard + description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
@@ -8262,472 +7282,523 @@ are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: entry_leader.parent.elf.go_imports + - name: parent.pe.go_imports level: extended type: flattened description: List of imported Go language element names and types. default_field: false - - name: entry_leader.parent.elf.go_imports_names_entropy + - name: parent.pe.go_imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: entry_leader.parent.elf.go_imports_names_var_entropy + - name: parent.pe.go_imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: entry_leader.parent.elf.go_stripped + - name: parent.pe.go_stripped level: extended type: boolean description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: entry_leader.parent.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: entry_leader.parent.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: entry_leader.parent.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: entry_leader.parent.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: entry_leader.parent.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' 
- default_field: false - - name: entry_leader.parent.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: entry_leader.parent.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: entry_leader.parent.elf.header.version + - name: parent.pe.imphash level: extended type: keyword ignore_above: 1024 - description: Version of the ELF header. + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: entry_leader.parent.elf.import_hash + - name: parent.pe.import_hash level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used + description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - This is an ELF implementation of the Windows PE imphash.' + This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: entry_leader.parent.elf.imports + - name: parent.pe.imports level: extended type: flattened description: List of imported element names and types. default_field: false - - name: entry_leader.parent.elf.imports_names_entropy + - name: parent.pe.imports_names_entropy level: extended type: long format: number description: Shannon entropy calculation from the list of imported element names and types. 
default_field: false - - name: entry_leader.parent.elf.imports_names_var_entropy + - name: parent.pe.imports_names_var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the list of imported element names and types. default_field: false - - name: entry_leader.parent.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: entry_leader.parent.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: entry_leader.parent.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.elf.sections.flags + - name: parent.pe.original_file_name level: extended type: keyword ignore_above: 1024 - description: ELF Section List flags. + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE default_field: false - - name: entry_leader.parent.elf.sections.name + - name: parent.pe.pehash level: extended type: keyword ignore_above: 1024 - description: ELF Section List name. + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 default_field: false - - name: entry_leader.parent.elf.sections.physical_offset + - name: parent.pe.product level: extended type: keyword ignore_above: 1024 - description: ELF Section List offset. 
+ description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: parent.pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' default_field: false - - name: entry_leader.parent.elf.sections.physical_size + - name: parent.pe.sections.entropy level: extended type: long - format: bytes - description: ELF Section List physical size. + format: number + description: Shannon entropy calculation from the section. default_field: false - - name: entry_leader.parent.elf.sections.type + - name: parent.pe.sections.name level: extended type: keyword ignore_above: 1024 - description: ELF Section List type. + description: PE Section List name. + default_field: false + - name: parent.pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. default_field: false - - name: entry_leader.parent.elf.sections.var_entropy + - name: parent.pe.sections.var_entropy level: extended type: long format: number description: Variance for Shannon entropy calculation from the section. default_field: false - - name: entry_leader.parent.elf.sections.virtual_address + - name: parent.pe.sections.virtual_size level: extended type: long format: string - description: ELF Section List virtual address. + description: PE Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: entry_leader.parent.elf.sections.virtual_size - level: extended + - name: parent.pid + level: core type: long format: string - description: ELF Section List virtual size. - default_field: false - - name: entry_leader.parent.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' + description: Process id. + example: 4242 default_field: false - - name: entry_leader.parent.elf.segments.sections + - name: parent.real_group.id level: extended type: keyword ignore_above: 1024 - description: ELF object segment sections. + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.parent.elf.segments.type + - name: parent.real_group.name level: extended type: keyword ignore_above: 1024 - description: ELF object segment type. + description: Name of the group. default_field: false - - name: entry_leader.parent.elf.shared_libraries - level: extended + - name: parent.real_user.id + level: core type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object. + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.parent.elf.telfhash - level: extended + - name: parent.real_user.name + level: core type: keyword ignore_above: 1024 - description: telfhash symbol hash for ELF file. + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: entry_leader.parent.end + - name: parent.saved_group.id level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.parent.endpoint_security_client + - name: parent.saved_group.name level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. 
+ type: keyword + ignore_above: 1024 + description: Name of the group. default_field: false - - name: entry_leader.parent.entity_id - level: extended + - name: parent.saved_user.id + level: core type: keyword ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.parent.entry_meta.source.address - level: extended + - name: parent.saved_user.name + level: core type: keyword ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: entry_leader.parent.entry_meta.source.as.number + - name: parent.start level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 + type: date + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' default_field: false - - name: entry_leader.parent.entry_meta.source.as.organization.name + - name: parent.supplemental_groups.id level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.parent.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 + - name: parent.supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. default_field: false - - name: entry_leader.parent.entry_meta.source.domain - level: core + - name: parent.thread.capabilities.effective + level: extended type: keyword ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ default_field: false - - name: entry_leader.parent.entry_meta.source.geo.city_name - level: core + - name: parent.thread.capabilities.permitted + level: extended type: keyword ignore_above: 1024 - description: City name. - example: Montreal + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ default_field: false - - name: entry_leader.parent.entry_meta.source.geo.continent_code - level: core + - name: parent.thread.id + level: extended + type: long + format: string + description: Thread ID. 
+ example: 4242 + default_field: false + - name: parent.thread.name + level: extended type: keyword ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA + description: Thread name. + example: thread-0 default_field: false - - name: entry_leader.parent.entry_meta.source.geo.continent_name - level: core + - name: parent.title + level: extended type: keyword ignore_above: 1024 - description: Name of the continent. - example: North America + multi_fields: + - name: text + type: match_only_text + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' default_field: false - - name: entry_leader.parent.entry_meta.source.geo.country_iso_code + - name: parent.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: parent.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + default_field: false + - name: parent.tty.char_device.minor + level: extended + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + default_field: false + - name: parent.uptime + level: extended + type: long + description: Seconds the process has been up. 
+ example: 1325 + default_field: false + - name: parent.user.id level: core type: keyword ignore_above: 1024 - description: Country ISO code. - example: CA + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.parent.entry_meta.source.geo.country_name + - name: parent.user.name level: core type: keyword ignore_above: 1024 - description: Country name. - example: Canada + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: entry_leader.parent.entry_meta.source.geo.location + - name: parent.vpid level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 default_field: false - - name: entry_leader.parent.entry_meta.source.geo.name + - name: parent.working_directory level: extended type: keyword ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice default_field: false - - name: entry_leader.parent.entry_meta.source.geo.postal_code - level: core + - name: pe.architecture + level: extended type: keyword ignore_above: 1024 - description: 'Postal code associated with the location. 
- - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 + description: CPU architecture target for the file. + example: x64 default_field: false - - name: entry_leader.parent.entry_meta.source.geo.region_iso_code - level: core + - name: pe.company + level: extended type: keyword ignore_above: 1024 - description: Region ISO code. - example: CA-QC + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation default_field: false - - name: entry_leader.parent.entry_meta.source.geo.region_name - level: core + - name: pe.description + level: extended type: keyword ignore_above: 1024 - description: Region name. - example: Quebec + description: Internal description of the file, provided at compile-time. + example: Paint default_field: false - - name: entry_leader.parent.entry_meta.source.geo.timezone - level: core + - name: pe.file_version + level: extended type: keyword ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: entry_leader.parent.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: entry_leader.parent.entry_meta.source.mac - level: core + - name: pe.go_import_hash + level: extended type: keyword ignore_above: 1024 - description: 'MAC address of the source. + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: entry_leader.parent.entry_meta.source.nat.ip + - name: pe.go_imports level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' + type: flattened + description: List of imported Go language element names and types. default_field: false - - name: entry_leader.parent.entry_meta.source.nat.port + - name: pe.go_imports_names_entropy level: extended type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' + format: number + description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: entry_leader.parent.entry_meta.source.packets - level: core + - name: pe.go_imports_names_var_entropy + level: extended type: long - description: Packets sent from the source to the destination. - example: 12 + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: entry_leader.parent.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. 
+ - name: pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: entry_leader.parent.entry_meta.source.registered_domain + - name: pe.imphash level: extended type: keyword ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: entry_leader.parent.entry_meta.source.subdomain + - name: pe.import_hash level: extended type: keyword ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. default_field: false - - name: entry_leader.parent.entry_meta.source.top_level_domain + - name: pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: pe.original_file_name level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.pehash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975 default_field: false - - name: entry_leader.parent.entry_meta.type + - name: pe.product level: extended type: keyword ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + default_field: false + - name: pe.sections + level: extended + type: nested + description: 'An array containing an object for each section of the PE file. - Note: This field is only set on process.session_leader.' + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' default_field: false - - name: entry_leader.parent.env_vars + - name: pe.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.name level: extended type: keyword ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. + description: PE Section List name. + default_field: false + - name: pe.sections.physical_size + level: extended + type: long + format: bytes + description: PE Section List physical size. + default_field: false + - name: pe.sections.var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the section. + default_field: false + - name: pe.sections.virtual_size + level: extended + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. + default_field: false + - name: pid + level: core + type: long + format: string + description: Process id. 
+ example: 4242 + - name: previous.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + default_field: false + - name: previous.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 default_field: false - - name: entry_leader.parent.executable + - name: previous.executable level: extended type: keyword ignore_above: 1024 
@@ -8737,86 +7808,134 @@ description: Absolute path to the process executable. example: /usr/bin/ssh default_field: false - - name: entry_leader.parent.exit_code + - name: real_group.id level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.parent.group.domain + - name: real_group.name level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' + description: Name of the group. + default_field: false + - name: real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: entry_leader.parent.group.id + - name: saved_group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.parent.group.name + - name: saved_group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: entry_leader.parent.hash.cdhash - level: extended + - name: saved_user.id + level: core type: keyword ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.parent.hash.md5 - level: extended + - name: saved_user.name + level: core type: keyword ignore_above: 1024 - description: MD5 hash. + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein default_field: false - - name: entry_leader.parent.hash.sha1 + - name: session_leader.args level: extended type: keyword ignore_above: 1024 - description: SHA1 hash. + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' default_field: false - - name: entry_leader.parent.hash.sha256 + - name: session_leader.args_count level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: session_leader.command_line + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 default_field: false - - name: entry_leader.parent.hash.sha384 + - name: session_leader.entity_id level: extended type: keyword ignore_above: 1024 - description: SHA384 hash. + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d default_field: false - - name: entry_leader.parent.hash.sha512 + - name: session_leader.executable level: extended type: keyword ignore_above: 1024 - description: SHA512 hash. + multi_fields: + - name: text + type: match_only_text + description: Absolute path to the process executable. + example: /usr/bin/ssh default_field: false - - name: entry_leader.parent.hash.ssdeep + - name: session_leader.group.id level: extended type: keyword ignore_above: 1024 - description: SSDEEP hash. + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.parent.hash.tlsh + - name: session_leader.group.name level: extended type: keyword ignore_above: 1024 - description: TLSH hash. + description: Name of the group. default_field: false - - name: entry_leader.parent.interactive + - name: session_leader.interactive level: extended type: boolean description: 'Whether the process is connected to an interactive shell. 
@@ -8832,1000 +7951,1193 @@ connected to the controlling TTY.' example: true default_field: false - - name: entry_leader.parent.io + - name: session_leader.name level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: entry_leader.parent.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: entry_leader.parent.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. + Sometimes called program name or similar.' + example: ssh default_field: false - - name: entry_leader.parent.io.bytes_skipped.offset + - name: session_leader.parent.entity_id level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: entry_leader.parent.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: entry_leader.parent.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. 
TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: entry_leader.parent.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d default_field: false - - name: entry_leader.parent.io.total_bytes_skipped - level: extended + - name: session_leader.parent.pid + level: core type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero + format: string + description: Process id. + example: 4242 default_field: false - - name: entry_leader.parent.io.type + - name: session_leader.parent.session_leader.entity_id level: extended type: keyword ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. + description: 'Unique identifier for the process. - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: entry_leader.parent.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: entry_leader.parent.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: entry_leader.parent.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d default_field: false - - name: entry_leader.parent.macho.go_imports_names_var_entropy - level: extended + - name: session_leader.parent.session_leader.pid + level: core type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. + format: string + description: Process id. + example: 4242 default_field: false - - name: entry_leader.parent.macho.go_stripped + - name: session_leader.parent.session_leader.start level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. + type: date + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' default_field: false - - name: entry_leader.parent.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + - name: session_leader.parent.session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: entry_leader.parent.macho.imports - level: extended - type: flattened - description: List of imported element names and types. + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 default_field: false - - name: entry_leader.parent.macho.imports_names_entropy + - name: session_leader.parent.start level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' default_field: false - - name: entry_leader.parent.macho.imports_names_var_entropy - level: extended + - name: session_leader.parent.vpid + level: core type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: entry_leader.parent.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. + format: string + description: 'Virtual process id. - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' 
+ The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 default_field: false - - name: entry_leader.parent.macho.sections.entropy - level: extended + - name: session_leader.pid + level: core type: long - format: number - description: Shannon entropy calculation from the section. + format: string + description: Process id. + example: 4242 default_field: false - - name: entry_leader.parent.macho.sections.name + - name: session_leader.real_group.id level: extended type: keyword ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: entry_leader.parent.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: entry_leader.parent.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.parent.macho.sections.virtual_size + - name: session_leader.real_group.name level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. + type: keyword + ignore_above: 1024 + description: Name of the group. default_field: false - - name: entry_leader.parent.macho.symhash - level: extended + - name: session_leader.real_user.id + level: core type: keyword ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.parent.name - level: extended + - name: session_leader.real_user.name + level: core type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh + description: Short name or login of the user. + example: a.einstein default_field: false - - name: entry_leader.parent.origin_referrer_url + - name: session_leader.same_as_process level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' 
+ example: true default_field: false - - name: entry_leader.parent.origin_url + - name: session_leader.saved_group.id level: extended type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.parent.pe.architecture + - name: session_leader.saved_group.name level: extended type: keyword ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 + description: Name of the group. default_field: false - - name: entry_leader.parent.pe.company - level: extended + - name: session_leader.saved_user.id + level: core type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.parent.pe.description - level: extended + - name: session_leader.saved_user.name + level: core type: keyword ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' default_field: false - - name: entry_leader.parent.pe.file_version + - name: session_leader.supplemental_groups.id level: extended type: keyword ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + description: Unique identifier for the group on the system/platform. 
default_field: false - - name: entry_leader.parent.pe.go_import_hash + - name: session_leader.supplemental_groups.name level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 + description: Name of the group. default_field: false - - name: entry_leader.parent.pe.go_imports + - name: session_leader.tty level: extended - type: flattened - description: List of imported Go language element names and types. + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. default_field: false - - name: entry_leader.parent.pe.go_imports_names_entropy + - name: session_leader.tty.char_device.major level: extended type: long - format: number - description: Shannon entropy calculation from the list of Go imports. + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 default_field: false - - name: entry_leader.parent.pe.go_imports_names_var_entropy + - name: session_leader.tty.char_device.minor level: extended type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. 
+ description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 default_field: false - - name: entry_leader.parent.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. + - name: session_leader.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.parent.pe.imphash - level: extended + - name: session_leader.user.name + level: core type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 default_field: false - - name: entry_leader.parent.pe.import_hash + - name: session_leader.working_directory level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice default_field: false - - name: entry_leader.parent.pe.imports + - name: start level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: entry_leader.parent.pe.imports_names_entropy + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + - name: supplemental_groups.id level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. default_field: false - - name: entry_leader.parent.pe.imports_names_var_entropy + - name: supplemental_groups.name level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. + type: keyword + ignore_above: 1024 + description: Name of the group. default_field: false - - name: entry_leader.parent.pe.original_file_name + - name: thread.capabilities.effective level: extended type: keyword ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. 
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ default_field: false - - name: entry_leader.parent.pe.pehash + - name: thread.capabilities.permitted level: extended type: keyword ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ default_field: false - - name: entry_leader.parent.pe.product + - name: thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + - name: thread.name level: extended type: keyword ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: entry_leader.parent.pe.sections + description: Thread name. + example: thread-0 + - name: title level: extended - type: nested - description: 'An array containing an object for each section of the PE file. + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + default_field: false + description: 'Process title. - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + - name: tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. 
default_field: false - - name: entry_leader.parent.pe.sections.entropy + - name: tty.char_device.major level: extended type: long - format: number - description: Shannon entropy calculation from the section. + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 default_field: false - - name: entry_leader.parent.pe.sections.name + - name: tty.char_device.minor level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. + type: long + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 default_field: false - - name: entry_leader.parent.pe.sections.physical_size + - name: tty.columns level: extended type: long - format: bytes - description: PE Section List physical size. + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 default_field: false - - name: entry_leader.parent.pe.sections.var_entropy + - name: tty.rows level: extended type: long - format: number - description: Variance for Shannon entropy calculation from the section. + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. 
where event.action = ''text_output''' + example: 24 default_field: false - - name: entry_leader.parent.pe.sections.virtual_size + - name: uptime level: extended type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. + description: Seconds the process has been up. + example: 1325 + - name: user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entry_leader.parent.pid + - name: user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: vpid level: core type: long format: string - description: Process id. + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' example: 4242 default_field: false - - name: entry_leader.parent.platform_binary + - name: working_directory level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: entry_leader.parent.real_group.domain + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + default_field: false + description: The working directory of the process. + example: /home/alice + - name: registry + title: Registry + group: 2 + description: Fields related to Windows Registry operations. + type: group + default_field: true + fields: + - name: data.bytes level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. + description: 'Original bytes written with base64 encoding. 
- For example, an LDAP or Active Directory domain name.' + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: entry_leader.parent.real_group.id - level: extended + - name: data.strings + level: core + type: wildcard + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: data.type + level: core type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: Standard registry type for encoding contents + example: REG_SZ default_field: false - - name: entry_leader.parent.real_group.name - level: extended + - name: hive + level: core type: keyword ignore_above: 1024 - description: Name of the group. + description: Abbreviated name for the hive. + example: HKLM default_field: false - - name: entry_leader.parent.real_user.domain - level: extended + - name: key + level: core type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' + description: Hive-relative path of keys. 
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - - name: entry_leader.parent.real_user.email - level: extended + - name: path + level: core type: keyword ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.parent.real_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: entry_leader.parent.real_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger default_field: false - - name: entry_leader.parent.real_user.entity.display_name - level: extended + - name: value + level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). + description: Name of the value written. 
+ example: Debugger default_field: false - - name: entry_leader.parent.real_user.entity.id - level: core + - name: related + title: Related + group: 2 + description: 'This field set is meant to facilitate pivoting around a piece of + data. + + Some pieces of information can be seen in many places in an ECS event. To facilitate + searching for them, store an array of all seen values to their corresponding + field in `related.`. + + A concrete example is IP addresses, which can be under host, observer, source, + destination, client, server, and network.forwarded_ip. If you append all IPs + to `related.ip`, you can then search for a given IP trivially, no matter where + it appeared, by querying `related.ip:192.0.2.15`.' + type: group + default_field: true + fields: + - name: hash + level: extended type: keyword ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' + description: All the hashes seen on your event. Populating this field, then + using it to search for hashes can help in situations where you're unsure what + the hash algorithm is (and therefore which key name to search). default_field: false - - name: entry_leader.parent.real_user.entity.last_seen_timestamp + - name: hosts level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
+ type: keyword + ignore_above: 1024 + description: All hostnames or other host identifiers seen on your event. Example + identifiers include FQDNs, domain names, workstation names, or aliases. default_field: false - - name: entry_leader.parent.real_user.entity.lifecycle + - name: ip level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entry_leader.parent.real_user.entity.metrics + type: ip + description: All of the IPs seen on your event. + - name: user level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: entry_leader.parent.real_user.entity.name - level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. + description: All the user names or other user identifiers seen on the event. default_field: false - - name: entry_leader.parent.real_user.entity.raw + - name: rule + title: Rule + group: 2 + description: 'Rule fields are used to capture the specifics of any observer or + agent rules that generate alerts or other notable events. + + Examples of data sources that would populate the rule fields include: network + admission control platforms, network or host IDS/IPS, network firewalls, web + application firewalls, url filters, endpoint detection and response (EDR) systems, + etc.' 
+ type: group + default_field: true + fields: + - name: author level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. + type: keyword + ignore_above: 1024 + description: Name, organization, or pseudonym of the author or authors who created + the rule used to generate this event. + example: '["Star-Lord"]' default_field: false - - name: entry_leader.parent.real_user.entity.reference + - name: category level: extended type: keyword ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. + description: A categorization value keyword used by the entity using the rule + for detection of this event. + example: Attempted Information Leak default_field: false - - name: entry_leader.parent.real_user.entity.source - level: core + - name: description + level: extended type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + description: The description of the rule generating the event. + example: Block requests to public DNS over HTTPS / TLS protocols default_field: false - - name: entry_leader.parent.real_user.entity.sub_type + - name: id level: extended type: keyword ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket + description: A rule ID that is unique within the scope of an agent, observer, + or other entity using the rule for detection of this event. + example: 101 default_field: false - - name: entry_leader.parent.real_user.entity.type - level: core + - name: license + level: extended type: keyword ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host + description: Name of the license under which the rule used to generate this + event is made available. + example: Apache 2.0 default_field: false - - name: entry_leader.parent.real_user.full_name + - name: name level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS default_field: false - - name: entry_leader.parent.real_user.group.domain + - name: reference level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. + description: 'Reference URL to additional information about the rule used to + generate this event. - For example, an LDAP or Active Directory domain name.' + The URL can point to the vendor''s documentation about the rule. If that''s + not available, it can also be a link to a more general page describing this + type of alert.' 
+ example: https://en.wikipedia.org/wiki/DNS_over_TLS default_field: false - - name: entry_leader.parent.real_user.group.id + - name: ruleset level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: Name of the ruleset, policy, group, or parent category in which + the rule used to generate this event is a member. + example: Standard_Protocol_Filters default_field: false - - name: entry_leader.parent.real_user.group.name + - name: uuid level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: A rule ID that is unique within the scope of a set or group of + agents, observers, or other entities using the rule for detection of this + event. + example: 1100110011 default_field: false - - name: entry_leader.parent.real_user.hash + - name: version level: extended type: keyword ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' + description: The version / revision of the rule being used for analysis. + example: 1.1 default_field: false - - name: entry_leader.parent.real_user.id - level: core + - name: server + title: Server + group: 2 + description: 'A Server is defined as the responder in a network connection for + events regarding sessions, connections, or bidirectional flow records. + + For TCP events, the server is the receiver of the initial SYN packet(s) of the + TCP connection. For other protocols, the server is generally the responder in + the network transaction. Some systems actually use the term "responder" to refer + the server in TCP connections. The server fields describe details about the + system acting as the server in the network event. Server fields are usually + populated in conjunction with client fields. Server fields are generally not + populated for packet-level events. 
+ + Client / server representations can add semantic context to an exchange, which + is helpful to visualize the data in certain situations. If your context falls + in that category, you should still ensure that source and destination are filled + appropriately.' + type: group + default_field: true + fields: + - name: address + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.parent.real_user.name - level: core + description: 'Some event server addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + - name: as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: as.organization.name + level: extended type: keyword ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: entry_leader.parent.real_user.risk.calculated_level - level: extended + default_field: false + description: Organization name. + example: Google LLC + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the server to the client. + example: 184 + - name: domain + level: core type: keyword ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - default_field: false - - name: entry_leader.parent.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.parent.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.parent.real_user.risk.static_level - level: extended + description: 'The domain name of the server system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + - name: geo.city_name + level: core type: keyword ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.parent.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 + description: City name. + example: Montreal + - name: geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA default_field: false - - name: entry_leader.parent.real_user.risk.static_score_norm + - name: geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + - name: geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. 
+ example: CA + - name: geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + - name: geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: geo.name level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + - name: geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 default_field: false - - name: entry_leader.parent.real_user.roles - level: extended + - name: geo.region_iso_code + level: core type: keyword ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' + description: Region ISO code. + example: CA-QC + - name: geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + - name: geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires default_field: false - - name: entry_leader.parent.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. 
- - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. + - name: ip + level: core + type: ip + description: IP address of the server (IPv4 or IPv6). + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: 'MAC address of the server. - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + - name: nat.ip + level: extended + type: ip + description: 'Translated ip of destination based NAT sessions (e.g. internet + to private DMZ) - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` + Typically used with load balancers, firewalls, or routers.' + - name: nat.port + level: extended + type: long + format: string + description: 'Translated port of destination based NAT sessions (e.g. internet + to private DMZ) - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: entry_leader.parent.saved_group.domain + Typically used with load balancers, firewalls, or routers.' 
+ - name: packets + level: core + type: long + description: Packets sent from the server to the client. + example: 12 + - name: port + level: core + type: long + format: string + description: Port of the server. + - name: registered_domain level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. + description: 'The highest registered server domain, stripped of the subdomain. - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.saved_group.id + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + - name: subdomain level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east default_field: false - - name: entry_leader.parent.saved_group.name + - name: top_level_domain level: extended type: keyword ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.saved_user.domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. 
For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: user.domain level: extended type: keyword ignore_above: 1024 description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.saved_user.email + - name: user.email level: extended type: keyword ignore_above: 1024 description: User email address. - default_field: false - - name: entry_leader.parent.saved_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: entry_leader.parent.saved_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entry_leader.parent.saved_user.entity.display_name + - name: user.full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: entry_leader.parent.saved_user.entity.id - level: core + type: match_only_text + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: user.group.domain + level: extended type: keyword ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: entry_leader.parent.saved_user.entity.last_seen_timestamp + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: user.group.id level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: entry_leader.parent.saved_user.entity.lifecycle + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: user.group.name level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- default_field: false - - name: entry_leader.parent.saved_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: entry_leader.parent.saved_user.entity.name - level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: entry_leader.parent.saved_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: entry_leader.parent.saved_user.entity.reference + description: Name of the group. + - name: user.hash level: extended type: keyword ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: entry_leader.parent.saved_user.entity.source + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + - name: user.id level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). 
- default_field: false - - name: entry_leader.parent.saved_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: entry_leader.parent.saved_user.entity.type + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + - name: user.name level: core type: keyword ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: entry_leader.parent.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 multi_fields: - name: text type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.parent.saved_user.group.domain + default_field: false + description: Short name or login of the user. + example: a.einstein + - name: user.roles level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' default_field: false - - name: entry_leader.parent.saved_user.group.id + - name: service + title: Service + group: 2 + description: 'The service fields describe the service for or from which the data + was collected. + + These fields help you find and correlate logs for a specific service and version.' + footnote: The service fields may be self-nested under service.origin.* and service.target.* + to describe origin or target services in the context of incoming or outgoing + requests, respectively. However, the fieldsets service.origin.* and service.target.* + must not be confused with the root service fieldset that is used to describe + the actual service under observation. The fieldset service.origin.* may only + be used in the context of incoming requests or events to describe the originating + service of the request. The fieldset service.target.* may only be used in the + context of outgoing requests or events to describe the target service of the + request. + type: group + default_field: true + fields: + - name: address level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: 'Address where data about this service was collected from. + + This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource + path (sockets).' + example: 172.26.0.2:5432 default_field: false - - name: entry_leader.parent.saved_user.group.name + - name: environment level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: 'Identifies the environment where the service is running. + + If the same service runs in different environments (production, staging, QA, + development, etc.), the environment can identify other instances of the same + service. Can also group services and applications from the same environment.' 
+ example: production default_field: false - - name: entry_leader.parent.saved_user.hash + - name: ephemeral_id level: extended type: keyword ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. + description: 'Ephemeral identifier of this service (if one exists). - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.parent.saved_user.id + This id normally changes across restarts, but `service.id` does not.' + example: 8a4f500f + - name: id level: core type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.parent.saved_user.name + description: 'Unique identifier of the running service. If the service is comprised + of many nodes, the `service.id` should be the same for all nodes. + + This id should uniquely identify the service. This makes it possible to correlate + logs and metrics for one specific service, no matter which particular node + emitted the event. + + Note that if you need to see the events from one specific host of the service, + you should filter on that `host.name` or `host.id` instead.' + example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + - name: name level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: entry_leader.parent.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - default_field: false - - name: entry_leader.parent.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.parent.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.parent.saved_user.risk.static_level + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster + name. For Beats the `service.name` is by default a copy of the `service.type` + field if no name is specified.' + example: elasticsearch-metrics + - name: node.name level: extended type: keyword ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.parent.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.parent.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - default_field: false - - name: entry_leader.parent.saved_user.roles + description: 'Name of a service node. + + This allows for two nodes of the same service running on the same host to + be differentiated. Therefore, `service.node.name` should typically be unique + across nodes of a given service. + + In the case of Elasticsearch, the `service.node.name` could contain the unique + node name within the Elasticsearch cluster. In cases where the service doesn''t + have the concept of a node name, the host name or container name can be used + to distinguish running instances that make up this service. If those do not + provide uniqueness (e.g. multiple instances of the service running on the + same host) - the node name can be manually set.' + example: instance-0000000016 + - name: node.role level: extended type: keyword ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' + description: 'Deprecated for removal in next major version release. This field + will be superseded by `node.roles`. + + Role of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data`. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: background_tasks default_field: false - - name: entry_leader.parent.session_leader.args + - name: node.roles level: extended type: keyword ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. + description: 'Roles of a service node. - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: entry_leader.parent.session_leader.args_count - level: extended - type: long - description: 'Length of the process.args array. + This allows for distinction between different running roles of the same service. - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' default_field: false - - name: entry_leader.parent.session_leader.attested_groups.domain + - name: origin.address level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. + description: 'Address where data about this service was collected from. - For example, an LDAP or Active Directory domain name.' + This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource + path (sockets).' + example: 172.26.0.2:5432 default_field: false - - name: entry_leader.parent.session_leader.attested_groups.id + - name: origin.environment level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: 'Identifies the environment where the service is running. + + If the same service runs in different environments (production, staging, QA, + development, etc.), the environment can identify other instances of the same + service. Can also group services and applications from the same environment.' 
+ example: production default_field: false - - name: entry_leader.parent.session_leader.attested_groups.name + - name: origin.ephemeral_id level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: 'Ephemeral identifier of this service (if one exists). + + This id normally changes across restarts, but `service.id` does not.' + example: 8a4f500f + default_field: false + - name: origin.id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the running service. If the service is comprised + of many nodes, the `service.id` should be the same for all nodes. + + This id should uniquely identify the service. This makes it possible to correlate + logs and metrics for one specific service, no matter which particular node + emitted the event. + + Note that if you need to see the events from one specific host of the service, + you should filter on that `host.name` or `host.id` instead.' + example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + default_field: false + - name: origin.name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster + name. For Beats the `service.name` is by default a copy of the `service.type` + field if no name is specified.' + example: elasticsearch-metrics default_field: false - - name: entry_leader.parent.session_leader.attested_user.domain + - name: origin.node.name level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. + description: 'Name of a service node. - For example, an LDAP or Active Directory domain name.' + This allows for two nodes of the same service running on the same host to + be differentiated. 
Therefore, `service.node.name` should typically be unique + across nodes of a given service. + + In the case of Elasticsearch, the `service.node.name` could contain the unique + node name within the Elasticsearch cluster. In cases where the service doesn''t + have the concept of a node name, the host name or container name can be used + to distinguish running instances that make up this service. If those do not + provide uniqueness (e.g. multiple instances of the service running on the + same host) - the node name can be manually set.' + example: instance-0000000016 default_field: false - - name: entry_leader.parent.session_leader.attested_user.email + - name: origin.node.role level: extended type: keyword ignore_above: 1024 - description: User email address. + description: 'Deprecated for removal in next major version release. This field + will be superseded by `node.roles`. + + Role of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data`. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: background_tasks + default_field: false + - name: origin.node.roles + level: extended + type: keyword + ignore_above: 1024 + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' 
+ example: '["ui", "background_tasks"]' + default_field: false + - name: origin.state + level: core + type: keyword + ignore_above: 1024 + description: Current state of the service. + default_field: false + - name: origin.type + level: core + type: keyword + ignore_above: 1024 + description: 'The type of the service data is collected from. + + The type can be used to group and correlate logs and metrics from one service + type. + + Example: If logs or metrics are collected from Elasticsearch, `service.type` + would be `elasticsearch`.' + example: elasticsearch + default_field: false + - name: origin.version + level: core + type: keyword + ignore_above: 1024 + description: 'Version of the service the data was collected from. + + This allows to look at a data set only for a specific version of a service.' + example: 3.2.4 + default_field: false + - name: state + level: core + type: keyword + ignore_above: 1024 + description: Current state of the service. + - name: target.address + level: extended + type: keyword + ignore_above: 1024 + description: 'Address where data about this service was collected from. + + This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource + path (sockets).' + example: 172.26.0.2:5432 default_field: false - - name: entry_leader.parent.session_leader.attested_user.entity.attributes + - name: target.entity.attributes level: extended type: object description: A set of static or semi-static attributes of the entity. Usually @@ -9834,7 +9146,7 @@ and correlation of normalized values across different providers/sources and entity types. default_field: false - - name: entry_leader.parent.session_leader.attested_user.entity.behavior + - name: target.entity.behavior level: extended type: object description: A set of ephemeral characteristics of the entity, derived from 
@@ -9843,7 +9155,7 @@ of an entity for advanced searching, correlation of normalized values across different providers/sources and entity types. default_field: false - - name: entry_leader.parent.session_leader.attested_user.entity.display_name + - name: target.entity.display_name level: extended type: keyword ignore_above: 1024 @@ -9855,7 +9167,7 @@ operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). default_field: false - - name: entry_leader.parent.session_leader.attested_user.entity.id + - name: target.entity.id level: core type: keyword ignore_above: 1024 @@ -9868,13 +9180,13 @@ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' default_field: false - - name: entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp + - name: target.entity.last_seen_timestamp level: extended type: date description: Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity. default_field: false - - name: entry_leader.parent.session_leader.attested_user.entity.lifecycle + - name: target.entity.lifecycle level: extended type: object description: A set of temporal characteristics of the entity. Usually date field @@ -9882,13 +9194,13 @@ of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. default_field: false - - name: entry_leader.parent.session_leader.attested_user.entity.metrics + - name: target.entity.metrics level: extended type: object description: Field set for any fields containing numeric entity metrics. These use dynamic field data type mapping. default_field: false - - name: entry_leader.parent.session_leader.attested_user.entity.name + - name: target.entity.name level: core type: keyword ignore_above: 1024 
@@ -9901,7 +9213,7 @@ For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value. default_field: false - - name: entry_leader.parent.session_leader.attested_user.entity.raw + - name: target.entity.raw level: extended type: object description: Original, unmodified fields from the source system. Usually flattened @@ -9909,7 +9221,7 @@ fields requiring advanced queries, this field preserves all source metadata with basic search capabilities. default_field: false - - name: entry_leader.parent.session_leader.attested_user.entity.reference + - name: target.entity.reference level: extended type: keyword ignore_above: 1024 @@ -9917,14 +9229,14 @@ in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. default_field: false - - name: entry_leader.parent.session_leader.attested_user.entity.source + - name: target.entity.source level: core type: keyword ignore_above: 1024 description: The module or integration that provided this entity data (similar to event.module). default_field: false - - name: entry_leader.parent.session_leader.attested_user.entity.sub_type + - name: target.entity.sub_type level: extended type: keyword ignore_above: 1024 @@ -9935,7 +9247,7 @@ , `node` , `cloud_instance` would all map to entity type `host`.' example: aws_s3_bucket default_field: false - - name: entry_leader.parent.session_leader.attested_user.entity.type + - name: target.entity.type level: core type: keyword ignore_above: 1024 
@@ -9945,27213 +9257,1267 @@ `user`, `application`, `session`, etc.' example: host default_field: false - - name: entry_leader.parent.session_leader.attested_user.full_name + - name: target.environment level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein + description: 'Identifies the environment where the service is running. + + If the same service runs in different environments (production, staging, QA, + development, etc.), the environment can identify other instances of the same + service. Can also group services and applications from the same environment.' + example: production default_field: false - - name: entry_leader.parent.session_leader.attested_user.group.domain + - name: target.ephemeral_id level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. + description: 'Ephemeral identifier of this service (if one exists). - For example, an LDAP or Active Directory domain name.' + This id normally changes across restarts, but `service.id` does not.' + example: 8a4f500f default_field: false - - name: entry_leader.parent.session_leader.attested_user.group.id - level: extended + - name: target.id + level: core type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: 'Unique identifier of the running service. If the service is comprised + of many nodes, the `service.id` should be the same for all nodes. + + This id should uniquely identify the service. This makes it possible to correlate + logs and metrics for one specific service, no matter which particular node + emitted the event. + + Note that if you need to see the events from one specific host of the service, + you should filter on that `host.name` or `host.id` instead.' 
+ example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + default_field: false + - name: target.name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the service data is collected from. + + The name of the service is normally user given. This allows for distributed + services that run on multiple hosts to correlate the related instances based + on the name. + + In the case of Elasticsearch the `service.name` could contain the cluster + name. For Beats the `service.name` is by default a copy of the `service.type` + field if no name is specified.' + example: elasticsearch-metrics default_field: false - - name: entry_leader.parent.session_leader.attested_user.group.name + - name: target.node.name level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: 'Name of a service node. + + This allows for two nodes of the same service running on the same host to + be differentiated. Therefore, `service.node.name` should typically be unique + across nodes of a given service. + + In the case of Elasticsearch, the `service.node.name` could contain the unique + node name within the Elasticsearch cluster. In cases where the service doesn''t + have the concept of a node name, the host name or container name can be used + to distinguish running instances that make up this service. If those do not + provide uniqueness (e.g. multiple instances of the service running on the + same host) - the node name can be manually set.' + example: instance-0000000016 default_field: false - - name: entry_leader.parent.session_leader.attested_user.hash + - name: target.node.role level: extended type: keyword ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. + description: 'Deprecated for removal in next major version release. This field + will be superseded by `node.roles`. - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
+ Role of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data`. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: background_tasks default_field: false - - name: entry_leader.parent.session_leader.attested_user.id - level: core + - name: target.node.roles + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: 'Roles of a service node. + + This allows for distinction between different running roles of the same service. + + In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` + or both. + + In the case of Elasticsearch, the `service.node.role` could be `master` or + `data` or both. + + Other services could use this to distinguish between a `web` and `worker` + role running as part of the service.' + example: '["ui", "background_tasks"]' default_field: false - - name: entry_leader.parent.session_leader.attested_user.name + - name: target.state level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein + description: Current state of the service. default_field: false - - name: entry_leader.parent.session_leader.attested_user.risk.calculated_level - level: extended + - name: target.type + level: core type: keyword ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - default_field: false - - name: entry_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.parent.session_leader.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.parent.session_leader.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.parent.session_leader.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.parent.session_leader.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: entry_leader.parent.session_leader.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: entry_leader.parent.session_leader.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: entry_leader.parent.session_leader.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: entry_leader.parent.session_leader.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' 
- example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: entry_leader.parent.session_leader.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: entry_leader.parent.session_leader.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: entry_leader.parent.session_leader.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: entry_leader.parent.session_leader.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: entry_leader.parent.session_leader.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: entry_leader.parent.session_leader.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - default_field: false - - name: entry_leader.parent.session_leader.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: entry_leader.parent.session_leader.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: entry_leader.parent.session_leader.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: entry_leader.parent.session_leader.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: entry_leader.parent.session_leader.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: entry_leader.parent.session_leader.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: entry_leader.parent.session_leader.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: entry_leader.parent.session_leader.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: entry_leader.parent.session_leader.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.parent.session_leader.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.parent.session_leader.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: entry_leader.parent.session_leader.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: entry_leader.parent.session_leader.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: entry_leader.parent.session_leader.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: entry_leader.parent.session_leader.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. 
- default_field: false - - name: entry_leader.parent.session_leader.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' - default_field: false - - name: entry_leader.parent.session_leader.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: entry_leader.parent.session_leader.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: entry_leader.parent.session_leader.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: entry_leader.parent.session_leader.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: entry_leader.parent.session_leader.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: entry_leader.parent.session_leader.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: entry_leader.parent.session_leader.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- default_field: false - - name: entry_leader.parent.session_leader.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. 
- default_field: false - - name: entry_leader.parent.session_leader.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: entry_leader.parent.session_leader.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: entry_leader.parent.session_leader.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: entry_leader.parent.session_leader.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: entry_leader.parent.session_leader.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: entry_leader.parent.session_leader.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: entry_leader.parent.session_leader.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: entry_leader.parent.session_leader.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: entry_leader.parent.session_leader.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. 
- default_field: false - - name: entry_leader.parent.session_leader.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. 
- example: 184 - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. 
- - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' 
- example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - default_field: false - - name: entry_leader.parent.session_leader.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: entry_leader.parent.session_leader.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: entry_leader.parent.session_leader.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. 
- example: /usr/bin/ssh - default_field: false - - name: entry_leader.parent.session_leader.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: entry_leader.parent.session_leader.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.session_leader.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.session_leader.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: entry_leader.parent.session_leader.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: entry_leader.parent.session_leader.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: entry_leader.parent.session_leader.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: entry_leader.parent.session_leader.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. 
- default_field: false - - name: entry_leader.parent.session_leader.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: entry_leader.parent.session_leader.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: entry_leader.parent.session_leader.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: entry_leader.parent.session_leader.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: entry_leader.parent.session_leader.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: entry_leader.parent.session_leader.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: entry_leader.parent.session_leader.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. 
- default_field: false - - name: entry_leader.parent.session_leader.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: entry_leader.parent.session_leader.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: entry_leader.parent.session_leader.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: entry_leader.parent.session_leader.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: entry_leader.parent.session_leader.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' 
- default_field: false - - name: entry_leader.parent.session_leader.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: entry_leader.parent.session_leader.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: entry_leader.parent.session_leader.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.parent.session_leader.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.parent.session_leader.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: entry_leader.parent.session_leader.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: entry_leader.parent.session_leader.macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: entry_leader.parent.session_leader.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: entry_leader.parent.session_leader.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: entry_leader.parent.session_leader.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: entry_leader.parent.session_leader.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.session_leader.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: entry_leader.parent.session_leader.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: entry_leader.parent.session_leader.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. 
- default_field: false - - name: entry_leader.parent.session_leader.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: entry_leader.parent.session_leader.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: entry_leader.parent.session_leader.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: entry_leader.parent.session_leader.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: entry_leader.parent.session_leader.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: entry_leader.parent.session_leader.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: entry_leader.parent.session_leader.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. 
- example: Microsoft Corporation - default_field: false - - name: entry_leader.parent.session_leader.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: entry_leader.parent.session_leader.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: entry_leader.parent.session_leader.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: entry_leader.parent.session_leader.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: entry_leader.parent.session_leader.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.parent.session_leader.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: entry_leader.parent.session_leader.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: entry_leader.parent.session_leader.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: entry_leader.parent.session_leader.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: entry_leader.parent.session_leader.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: entry_leader.parent.session_leader.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: entry_leader.parent.session_leader.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- default_field: false - - name: entry_leader.parent.session_leader.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: entry_leader.parent.session_leader.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: entry_leader.parent.session_leader.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: entry_leader.parent.session_leader.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: entry_leader.parent.session_leader.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.session_leader.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: entry_leader.parent.session_leader.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. 
- default_field: false - - name: entry_leader.parent.session_leader.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.parent.session_leader.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: entry_leader.parent.session_leader.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: entry_leader.parent.session_leader.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: entry_leader.parent.session_leader.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.session_leader.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.session_leader.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. 
- default_field: false - - name: entry_leader.parent.session_leader.real_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: entry_leader.parent.session_leader.real_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entry_leader.parent.session_leader.real_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: entry_leader.parent.session_leader.real_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). 
For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: entry_leader.parent.session_leader.real_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entry_leader.parent.session_leader.real_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: entry_leader.parent.session_leader.real_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: entry_leader.parent.session_leader.real_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: entry_leader.parent.session_leader.real_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: entry_leader.parent.session_leader.real_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: entry_leader.parent.session_leader.real_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: entry_leader.parent.session_leader.real_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - default_field: false - - name: entry_leader.parent.session_leader.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.parent.session_leader.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.session_leader.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.session_leader.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.parent.session_leader.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.parent.session_leader.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein - default_field: false - - name: entry_leader.parent.session_leader.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.parent.session_leader.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.parent.session_leader.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - default_field: false - - name: entry_leader.parent.session_leader.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.parent.session_leader.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: entry_leader.parent.session_leader.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- default_field: false - - name: entry_leader.parent.session_leader.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.session_leader.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.parent.session_leader.saved_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: entry_leader.parent.session_leader.saved_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entry_leader.parent.session_leader.saved_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: entry_leader.parent.session_leader.saved_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: entry_leader.parent.session_leader.saved_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entry_leader.parent.session_leader.saved_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- default_field: false - - name: entry_leader.parent.session_leader.saved_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: entry_leader.parent.session_leader.saved_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: entry_leader.parent.session_leader.saved_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: entry_leader.parent.session_leader.saved_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: entry_leader.parent.session_leader.saved_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: entry_leader.parent.session_leader.saved_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: entry_leader.parent.session_leader.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.parent.session_leader.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.session_leader.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.session_leader.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- default_field: false - - name: entry_leader.parent.session_leader.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.parent.session_leader.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: entry_leader.parent.session_leader.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.parent.session_leader.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.parent.session_leader.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.parent.session_leader.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - default_field: false - - name: entry_leader.parent.session_leader.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.parent.session_leader.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.parent.session_leader.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: entry_leader.parent.session_leader.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.session_leader.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.session_leader.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: entry_leader.parent.session_leader.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: entry_leader.parent.session_leader.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: entry_leader.parent.session_leader.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: entry_leader.parent.session_leader.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: entry_leader.parent.session_leader.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: entry_leader.parent.session_leader.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. 
- example: 4 - default_field: false - - name: entry_leader.parent.session_leader.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: entry_leader.parent.session_leader.tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: entry_leader.parent.session_leader.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: entry_leader.parent.session_leader.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: entry_leader.parent.session_leader.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.parent.session_leader.user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: entry_leader.parent.session_leader.user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entry_leader.parent.session_leader.user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: entry_leader.parent.session_leader.user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- default_field: false - - name: entry_leader.parent.session_leader.user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: entry_leader.parent.session_leader.user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entry_leader.parent.session_leader.user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: entry_leader.parent.session_leader.user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: entry_leader.parent.session_leader.user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- default_field: false - - name: entry_leader.parent.session_leader.user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: entry_leader.parent.session_leader.user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: entry_leader.parent.session_leader.user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: entry_leader.parent.session_leader.user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: entry_leader.parent.session_leader.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. 
- example: Albert Einstein - default_field: false - - name: entry_leader.parent.session_leader.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.session_leader.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.session_leader.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.session_leader.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.parent.session_leader.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.parent.session_leader.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: entry_leader.parent.session_leader.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - default_field: false - - name: entry_leader.parent.session_leader.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.parent.session_leader.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.parent.session_leader.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.parent.session_leader.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.parent.session_leader.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.parent.session_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. 
This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: entry_leader.parent.session_leader.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: entry_leader.parent.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: entry_leader.parent.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: entry_leader.parent.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: entry_leader.parent.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: entry_leader.parent.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: entry_leader.parent.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: entry_leader.parent.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: entry_leader.parent.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: entry_leader.parent.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: entry_leader.parent.tty.columns - level: extended - type: long - description: 'The number of character columns per line. 
e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: entry_leader.parent.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: entry_leader.parent.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: entry_leader.parent.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.parent.user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: entry_leader.parent.user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. 
- default_field: false - - name: entry_leader.parent.user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: entry_leader.parent.user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: entry_leader.parent.user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: entry_leader.parent.user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entry_leader.parent.user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- default_field: false - - name: entry_leader.parent.user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: entry_leader.parent.user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: entry_leader.parent.user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: entry_leader.parent.user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: entry_leader.parent.user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - default_field: false - - name: entry_leader.parent.user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: entry_leader.parent.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.parent.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.parent.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.parent.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.parent.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.parent.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.parent.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: entry_leader.parent.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.parent.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.parent.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.parent.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.parent.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.parent.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - default_field: false - - name: entry_leader.parent.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.parent.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: entry_leader.parent.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: entry_leader.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: entry_leader.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: entry_leader.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: entry_leader.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: entry_leader.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: entry_leader.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: entry_leader.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: entry_leader.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: entry_leader.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: entry_leader.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: entry_leader.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: entry_leader.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: entry_leader.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: entry_leader.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: entry_leader.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: entry_leader.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: entry_leader.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: entry_leader.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: entry_leader.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: entry_leader.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: entry_leader.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: entry_leader.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: entry_leader.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: entry_leader.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: entry_leader.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.real_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: entry_leader.real_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entry_leader.real_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: entry_leader.real_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: entry_leader.real_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: entry_leader.real_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entry_leader.real_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: entry_leader.real_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- default_field: false - - name: entry_leader.real_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: entry_leader.real_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: entry_leader.real_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: entry_leader.real_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: entry_leader.real_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - default_field: false - - name: entry_leader.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: entry_leader.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - default_field: false - - name: entry_leader.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. 
Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: entry_leader.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.saved_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. 
Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: entry_leader.saved_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entry_leader.saved_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: entry_leader.saved_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- default_field: false - - name: entry_leader.saved_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: entry_leader.saved_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entry_leader.saved_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: entry_leader.saved_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: entry_leader.saved_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: entry_leader.saved_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. 
This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: entry_leader.saved_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: entry_leader.saved_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: entry_leader.saved_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: entry_leader.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: entry_leader.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: entry_leader.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - default_field: false - - name: entry_leader.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: entry_leader.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: entry_leader.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: entry_leader.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: entry_leader.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: entry_leader.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: entry_leader.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: entry_leader.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: entry_leader.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: entry_leader.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: entry_leader.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. 
- example: 4 - default_field: false - - name: entry_leader.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: entry_leader.tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: entry_leader.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: entry_leader.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: entry_leader.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: entry_leader.user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: entry_leader.user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entry_leader.user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: entry_leader.user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- default_field: false - - name: entry_leader.user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: entry_leader.user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entry_leader.user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: entry_leader.user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: entry_leader.user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: entry_leader.user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. 
Format may vary by entity type and source system. - default_field: false - - name: entry_leader.user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: entry_leader.user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: entry_leader.user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: entry_leader.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: entry_leader.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: entry_leader.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- default_field: false - - name: entry_leader.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: entry_leader.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: entry_leader.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: entry_leader.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: entry_leader.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: entry_leader.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: entry_leader.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: entry_leader.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - default_field: false - - name: entry_leader.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: entry_leader.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: entry_leader.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: entry_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: entry_leader.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. 
The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. 
- example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' 
- example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. - default_field: false - - name: entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - default_field: false - - name: entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Absolute path to the process executable. - example: /usr/bin/ssh - - name: exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' 
- example: 137 - default_field: false - - name: group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: group_leader.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: group_leader.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group_leader.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. 
- - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: group_leader.attested_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: group_leader.attested_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: group_leader.attested_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: group_leader.attested_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: group_leader.attested_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: group_leader.attested_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: group_leader.attested_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: group_leader.attested_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- default_field: false - - name: group_leader.attested_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: group_leader.attested_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: group_leader.attested_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: group_leader.attested_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: group_leader.attested_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - default_field: false - - name: group_leader.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: group_leader.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group_leader.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: group_leader.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: group_leader.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: group_leader.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - default_field: false - - name: group_leader.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: group_leader.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: group_leader.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: group_leader.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: group_leader.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: group_leader.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: group_leader.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. 
- - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: group_leader.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: group_leader.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: group_leader.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: group_leader.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: group_leader.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: group_leader.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' 
- example: EQHXZ8M8AV - default_field: false - - name: group_leader.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: group_leader.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: group_leader.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: group_leader.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: group_leader.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: group_leader.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: group_leader.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. 
- example: Little Endian - default_field: false - - name: group_leader.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: group_leader.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: group_leader.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: group_leader.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: group_leader.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: group_leader.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: group_leader.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: group_leader.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: group_leader.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: group_leader.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: group_leader.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: group_leader.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: group_leader.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' - default_field: false - - name: group_leader.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: group_leader.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: group_leader.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: group_leader.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. 
- - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: group_leader.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: group_leader.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: group_leader.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: group_leader.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: group_leader.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: group_leader.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: group_leader.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: group_leader.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: group_leader.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: group_leader.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. 
- default_field: false - - name: group_leader.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: group_leader.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: group_leader.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: group_leader.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: group_leader.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: group_leader.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: group_leader.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: group_leader.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: group_leader.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: group_leader.end - level: extended - type: date - description: The time the process ended. 
- example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: group_leader.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: group_leader.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: group_leader.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: group_leader.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: group_leader.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. 
- example: Google LLC - default_field: false - - name: group_leader.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: group_leader.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: group_leader.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: group_leader.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: group_leader.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: group_leader.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: group_leader.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: group_leader.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: group_leader.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. 
- - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: group_leader.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: group_leader.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: group_leader.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: group_leader.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: group_leader.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: group_leader.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: group_leader.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. 
internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: group_leader.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: group_leader.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: group_leader.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. - default_field: false - - name: group_leader.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: group_leader.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' 
- example: east - default_field: false - - name: group_leader.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - default_field: false - - name: group_leader.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: group_leader.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: group_leader.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh - default_field: false - - name: group_leader.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: group_leader.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group_leader.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: group_leader.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: group_leader.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: group_leader.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: group_leader.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: group_leader.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: group_leader.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: group_leader.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: group_leader.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. 
If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: group_leader.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: group_leader.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: group_leader.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: group_leader.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: group_leader.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: group_leader.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. 
TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: group_leader.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: group_leader.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: group_leader.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: group_leader.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: group_leader.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: group_leader.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: group_leader.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: group_leader.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: group_leader.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: group_leader.macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: group_leader.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: group_leader.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: group_leader.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: group_leader.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. 
- default_field: false - - name: group_leader.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: group_leader.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: group_leader.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: group_leader.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: group_leader.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: group_leader.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: group_leader.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: group_leader.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. 
- example: http://example.com/files/example.exe - default_field: false - - name: group_leader.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: group_leader.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: group_leader.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: group_leader.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: group_leader.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: group_leader.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: group_leader.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: group_leader.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: group_leader.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: group_leader.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: group_leader.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: group_leader.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: group_leader.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: group_leader.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- default_field: false - - name: group_leader.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: group_leader.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: group_leader.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: group_leader.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: group_leader.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: group_leader.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: group_leader.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: group_leader.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. 
- default_field: false - - name: group_leader.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: group_leader.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: group_leader.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: group_leader.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group_leader.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: group_leader.real_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- default_field: false - - name: group_leader.real_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: group_leader.real_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: group_leader.real_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: group_leader.real_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- default_field: false - - name: group_leader.real_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: group_leader.real_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: group_leader.real_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: group_leader.real_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: group_leader.real_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- default_field: false - - name: group_leader.real_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: group_leader.real_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: group_leader.real_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: group_leader.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: group_leader.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- default_field: false - - name: group_leader.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: group_leader.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: group_leader.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: group_leader.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: group_leader.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: group_leader.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - default_field: false - - name: group_leader.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: group_leader.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: group_leader.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: group_leader.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: group_leader.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: group_leader.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group_leader.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: group_leader.saved_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- default_field: false - - name: group_leader.saved_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: group_leader.saved_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: group_leader.saved_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: group_leader.saved_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- default_field: false - - name: group_leader.saved_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: group_leader.saved_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: group_leader.saved_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: group_leader.saved_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: group_leader.saved_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- default_field: false - - name: group_leader.saved_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: group_leader.saved_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: group_leader.saved_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: group_leader.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: group_leader.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- default_field: false - - name: group_leader.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: group_leader.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: group_leader.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: group_leader.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: group_leader.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: group_leader.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - default_field: false - - name: group_leader.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: group_leader.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: group_leader.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: group_leader.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: group_leader.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: group_leader.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: group_leader.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: group_leader.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: group_leader.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: group_leader.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: group_leader.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: group_leader.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: group_leader.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: group_leader.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. 
- example: 4 - default_field: false - - name: group_leader.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: group_leader.tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: group_leader.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: group_leader.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: group_leader.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: group_leader.user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: group_leader.user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: group_leader.user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: group_leader.user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- default_field: false - - name: group_leader.user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: group_leader.user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: group_leader.user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: group_leader.user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: group_leader.user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: group_leader.user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. 
Format may vary by entity type and source system. - default_field: false - - name: group_leader.user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: group_leader.user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: group_leader.user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: group_leader.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: group_leader.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: group_leader.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- default_field: false - - name: group_leader.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: group_leader.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: group_leader.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: group_leader.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: group_leader.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: group_leader.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: group_leader.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: group_leader.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - default_field: false - - name: group_leader.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: group_leader.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: group_leader.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: group_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: group_leader.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - - name: hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - - name: hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. 
- - name: hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - - name: hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- default_field: false - - name: io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- default_field: false - - name: macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: 'Process name. - - Sometimes called program name or similar.' 
- example: ssh - - name: origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: parent.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: parent.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: parent.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: parent.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.attested_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: parent.attested_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: parent.attested_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: parent.attested_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). 
For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: parent.attested_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: parent.attested_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: parent.attested_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: parent.attested_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: parent.attested_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- default_field: false - - name: parent.attested_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: parent.attested_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: parent.attested_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: parent.attested_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: parent.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: parent.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: parent.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: parent.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: parent.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: parent.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - default_field: false - - name: parent.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: parent.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: parent.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: parent.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: parent.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: parent.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: parent.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. 
- - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: parent.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: parent.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: parent.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: parent.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: parent.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: parent.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' 
- example: 'true' - default_field: false - - name: parent.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: parent.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: parent.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: parent.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: parent.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: parent.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: parent.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: parent.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: parent.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: parent.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: parent.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: parent.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: parent.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: parent.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: parent.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' - default_field: false - - name: parent.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. 
- default_field: false - - name: parent.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: parent.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: parent.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: parent.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: parent.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: parent.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: parent.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: parent.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: parent.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. 
- default_field: false - - name: parent.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: parent.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: parent.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: parent.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: parent.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: parent.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: parent.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: parent.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: parent.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: parent.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: parent.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. 
- default_field: false - - name: parent.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: parent.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: parent.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: parent.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: parent.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: parent.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: parent.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. 
The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: parent.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: parent.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: parent.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: parent.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: parent.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: parent.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: parent.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: parent.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: parent.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. 
- example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: parent.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: parent.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: parent.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: parent.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: parent.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: parent.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: parent.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' 
- example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: parent.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: parent.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: parent.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: parent.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. - default_field: false - - name: parent.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: parent.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: parent.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - default_field: false - - name: parent.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: parent.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: parent.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh - default_field: false - - name: parent.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' 
- example: 137 - default_field: false - - name: parent.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: parent.group_leader.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: parent.group_leader.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: parent.group_leader.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.group_leader.attested_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: parent.group_leader.attested_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: parent.group_leader.attested_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: parent.group_leader.attested_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: parent.group_leader.attested_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: parent.group_leader.attested_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: parent.group_leader.attested_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: parent.group_leader.attested_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- default_field: false - - name: parent.group_leader.attested_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: parent.group_leader.attested_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: parent.group_leader.attested_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: parent.group_leader.attested_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: parent.group_leader.attested_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - default_field: false - - name: parent.group_leader.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: parent.group_leader.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: parent.group_leader.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.group_leader.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: parent.group_leader.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - default_field: false - - name: parent.group_leader.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: parent.group_leader.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: parent.group_leader.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: parent.group_leader.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: parent.group_leader.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: parent.group_leader.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.group_leader.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. 
- - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: parent.group_leader.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: parent.group_leader.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: parent.group_leader.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: parent.group_leader.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: parent.group_leader.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: parent.group_leader.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' 
- example: EQHXZ8M8AV - default_field: false - - name: parent.group_leader.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: parent.group_leader.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: parent.group_leader.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: parent.group_leader.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: parent.group_leader.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: parent.group_leader.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: parent.group_leader.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. 
- example: Little Endian - default_field: false - - name: parent.group_leader.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: parent.group_leader.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: parent.group_leader.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: parent.group_leader.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: parent.group_leader.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: parent.group_leader.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.group_leader.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: parent.group_leader.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: parent.group_leader.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: parent.group_leader.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: parent.group_leader.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: parent.group_leader.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: parent.group_leader.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' - default_field: false - - name: parent.group_leader.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: parent.group_leader.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: parent.group_leader.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: parent.group_leader.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: parent.group_leader.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: parent.group_leader.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: parent.group_leader.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: parent.group_leader.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: parent.group_leader.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: parent.group_leader.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: parent.group_leader.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: parent.group_leader.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. 
- default_field: false - - name: parent.group_leader.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: parent.group_leader.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: parent.group_leader.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: parent.group_leader.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: parent.group_leader.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: parent.group_leader.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: parent.group_leader.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: parent.group_leader.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: parent.group_leader.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: parent.group_leader.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. 
- default_field: false - - name: parent.group_leader.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: parent.group_leader.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: parent.group_leader.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: parent.group_leader.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: parent.group_leader.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: parent.group_leader.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. 
- example: 15169 - default_field: false - - name: parent.group_leader.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: parent.group_leader.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: parent.group_leader.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: parent.group_leader.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: parent.group_leader.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: parent.group_leader.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: parent.group_leader.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: parent.group_leader.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: parent.group_leader.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. 
- example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: parent.group_leader.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: parent.group_leader.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: parent.group_leader.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: parent.group_leader.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: parent.group_leader.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: parent.group_leader.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: parent.group_leader.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. 
Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: parent.group_leader.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: parent.group_leader.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: parent.group_leader.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: parent.group_leader.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. - default_field: false - - name: parent.group_leader.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: parent.group_leader.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: parent.group_leader.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - default_field: false - - name: parent.group_leader.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: parent.group_leader.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: parent.group_leader.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. 
- example: /usr/bin/ssh - default_field: false - - name: parent.group_leader.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: parent.group_leader.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: parent.group_leader.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: parent.group_leader.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: parent.group_leader.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: parent.group_leader.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: parent.group_leader.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. 
- default_field: false - - name: parent.group_leader.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: parent.group_leader.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: parent.group_leader.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: parent.group_leader.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: parent.group_leader.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: parent.group_leader.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: parent.group_leader.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- default_field: false - - name: parent.group_leader.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: parent.group_leader.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: parent.group_leader.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: parent.group_leader.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: parent.group_leader.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: parent.group_leader.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: parent.group_leader.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: parent.group_leader.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.group_leader.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.group_leader.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: parent.group_leader.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: parent.group_leader.macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: parent.group_leader.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. 
- default_field: false - - name: parent.group_leader.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: parent.group_leader.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: parent.group_leader.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: parent.group_leader.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: parent.group_leader.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: parent.group_leader.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: parent.group_leader.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: parent.group_leader.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: parent.group_leader.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: parent.group_leader.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: parent.group_leader.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: parent.group_leader.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: parent.group_leader.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: parent.group_leader.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: parent.group_leader.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: parent.group_leader.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: parent.group_leader.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: parent.group_leader.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.group_leader.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.group_leader.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: parent.group_leader.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: parent.group_leader.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: parent.group_leader.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: parent.group_leader.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: parent.group_leader.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: parent.group_leader.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: parent.group_leader.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: parent.group_leader.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: parent.group_leader.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: parent.group_leader.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: parent.group_leader.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: parent.group_leader.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: parent.group_leader.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: parent.group_leader.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: parent.group_leader.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: parent.group_leader.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: parent.group_leader.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- default_field: false - - name: parent.group_leader.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.group_leader.real_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: parent.group_leader.real_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: parent.group_leader.real_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- default_field: false - - name: parent.group_leader.real_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: parent.group_leader.real_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: parent.group_leader.real_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: parent.group_leader.real_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: parent.group_leader.real_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. 
- For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: parent.group_leader.real_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: parent.group_leader.real_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: parent.group_leader.real_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: parent.group_leader.real_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: parent.group_leader.real_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: parent.group_leader.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: parent.group_leader.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: parent.group_leader.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.group_leader.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein - default_field: false - - name: parent.group_leader.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: parent.group_leader.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: parent.group_leader.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: parent.group_leader.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: parent.group_leader.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: parent.group_leader.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: parent.group_leader.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.group_leader.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: parent.group_leader.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: parent.group_leader.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.group_leader.saved_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: parent.group_leader.saved_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: parent.group_leader.saved_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: parent.group_leader.saved_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: parent.group_leader.saved_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: parent.group_leader.saved_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: parent.group_leader.saved_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: parent.group_leader.saved_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- default_field: false - - name: parent.group_leader.saved_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: parent.group_leader.saved_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: parent.group_leader.saved_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: parent.group_leader.saved_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: parent.group_leader.saved_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - default_field: false - - name: parent.group_leader.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: parent.group_leader.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: parent.group_leader.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.group_leader.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: parent.group_leader.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - default_field: false - - name: parent.group_leader.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: parent.group_leader.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: parent.group_leader.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: parent.group_leader.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: parent.group_leader.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: parent.group_leader.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.group_leader.start - level: extended - type: date - description: The time the process started. 
- example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: parent.group_leader.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: parent.group_leader.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: parent.group_leader.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: parent.group_leader.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: parent.group_leader.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' 
- default_field: false - - name: parent.group_leader.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: parent.group_leader.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: parent.group_leader.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: parent.group_leader.tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: parent.group_leader.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: parent.group_leader.uptime - level: extended - type: long - description: Seconds the process has been up. 
- example: 1325 - default_field: false - - name: parent.group_leader.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.group_leader.user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: parent.group_leader.user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: parent.group_leader.user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: parent.group_leader.user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: parent.group_leader.user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: parent.group_leader.user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: parent.group_leader.user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: parent.group_leader.user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- default_field: false - - name: parent.group_leader.user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: parent.group_leader.user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: parent.group_leader.user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: parent.group_leader.user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: parent.group_leader.user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - default_field: false - - name: parent.group_leader.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: parent.group_leader.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.group_leader.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.group_leader.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.group_leader.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: parent.group_leader.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.group_leader.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: parent.group_leader.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - default_field: false - - name: parent.group_leader.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: parent.group_leader.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: parent.group_leader.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: parent.group_leader.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: parent.group_leader.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: parent.group_leader.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.group_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' 
- example: 4242 - default_field: false - - name: parent.group_leader.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: parent.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: parent.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: parent.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: parent.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: parent.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: parent.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: parent.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: parent.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: parent.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: parent.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: parent.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: parent.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: parent.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: parent.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: parent.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' 
- default_field: false - - name: parent.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: parent.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: parent.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: parent.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: parent.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: parent.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: parent.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: parent.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: parent.macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: parent.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: parent.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: parent.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: parent.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: parent.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. 
- default_field: false - - name: parent.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: parent.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: parent.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: parent.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: parent.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: parent.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: parent.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: parent.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. 
- example: x64 - default_field: false - - name: parent.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: parent.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: parent.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: parent.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: parent.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: parent.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: parent.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: parent.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: parent.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: parent.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: parent.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: parent.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: parent.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: parent.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - default_field: false - - name: parent.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: parent.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: parent.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: parent.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: parent.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: parent.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: parent.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: parent.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: parent.pid - level: core - type: long - format: string - description: Process id. 
- example: 4242 - default_field: false - - name: parent.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: parent.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.real_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: parent.real_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: parent.real_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: parent.real_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: parent.real_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: parent.real_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- default_field: false - - name: parent.real_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: parent.real_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: parent.real_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: parent.real_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: parent.real_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: parent.real_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: parent.real_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: parent.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: parent.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: parent.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: parent.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: parent.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: parent.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: parent.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: parent.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: parent.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - default_field: false - - name: parent.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: parent.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: parent.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.saved_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: parent.saved_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: parent.saved_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: parent.saved_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: parent.saved_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: parent.saved_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: parent.saved_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: parent.saved_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: parent.saved_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. 
Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: parent.saved_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: parent.saved_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: parent.saved_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: parent.saved_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: parent.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. 
- example: Albert Einstein - default_field: false - - name: parent.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: parent.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: parent.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: parent.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: parent.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: parent.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: parent.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: parent.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: parent.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: parent.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: parent.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- default_field: false - - name: parent.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: parent.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: parent.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: parent.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: parent.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: parent.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: parent.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". 
- For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: parent.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: parent.tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: parent.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: parent.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: parent.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: parent.user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: parent.user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: parent.user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: parent.user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- default_field: false - - name: parent.user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: parent.user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: parent.user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: parent.user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: parent.user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: parent.user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. 
Format may vary by entity type and source system. - default_field: false - - name: parent.user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: parent.user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: parent.user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: parent.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: parent.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: parent.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- default_field: false - - name: parent.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: parent.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: parent.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: parent.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: parent.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: parent.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: parent.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: parent.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - default_field: false - - name: parent.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: parent.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: parent.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: parent.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: parent.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. 
- example: Paint - default_field: false - - name: pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. 
- example: Microsoft® Windows® Operating System - default_field: false - - name: pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: pid - level: core - type: long - format: string - description: Process id. - example: 4242 - - name: platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: previous.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: previous.args_count - level: extended - type: long - description: 'Length of the process.args array. 
- - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: previous.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: previous.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: previous.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: previous.attested_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: previous.attested_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: previous.attested_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: previous.attested_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: previous.attested_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: previous.attested_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- default_field: false - - name: previous.attested_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: previous.attested_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: previous.attested_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: previous.attested_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: previous.attested_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: previous.attested_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: previous.attested_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: previous.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: previous.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: previous.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: previous.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: previous.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: previous.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: previous.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: previous.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: previous.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: previous.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: previous.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: previous.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - default_field: false - - name: previous.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: previous.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: previous.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: previous.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: previous.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: previous.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' 
- example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: previous.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: previous.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: previous.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: previous.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: previous.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: previous.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: previous.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. 
- - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: previous.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: previous.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: previous.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: previous.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: previous.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: previous.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: previous.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: previous.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: previous.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: previous.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: previous.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: previous.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: previous.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: previous.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: previous.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' - default_field: false - - name: previous.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: previous.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: previous.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: previous.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: previous.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: previous.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: previous.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: previous.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: previous.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: previous.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: previous.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: previous.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: previous.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. 
- default_field: false - - name: previous.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: previous.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: previous.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: previous.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: previous.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: previous.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: previous.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: previous.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: previous.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: previous.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: previous.end - level: extended - type: date - description: The time the process ended. 
- example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: previous.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: previous.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: previous.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: previous.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: previous.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: previous.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. 
- example: 184 - default_field: false - - name: previous.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: previous.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: previous.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: previous.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: previous.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: previous.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: previous.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: previous.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' 
- example: boston-dc - default_field: false - - name: previous.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: previous.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: previous.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: previous.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: previous.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: previous.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: previous.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- default_field: false - - name: previous.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: previous.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: previous.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. - default_field: false - - name: previous.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: previous.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' 
- example: east - default_field: false - - name: previous.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - default_field: false - - name: previous.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: previous.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: previous.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh - default_field: false - - name: previous.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: previous.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: previous.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: previous.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: previous.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: previous.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: previous.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: previous.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: previous.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: previous.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: previous.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: previous.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: previous.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: previous.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: previous.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: previous.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: previous.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: previous.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' 
- default_field: false - - name: previous.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: previous.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: previous.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: previous.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: previous.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: previous.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: previous.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: previous.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: previous.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: previous.macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: previous.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: previous.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: previous.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: previous.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: previous.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. 
- default_field: false - - name: previous.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: previous.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: previous.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: previous.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: previous.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: previous.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: previous.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: previous.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. 
- example: x64 - default_field: false - - name: previous.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: previous.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: previous.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: previous.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: previous.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: previous.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: previous.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: previous.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: previous.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: previous.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: previous.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: previous.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: previous.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: previous.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - default_field: false - - name: previous.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: previous.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: previous.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: previous.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: previous.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: previous.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: previous.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: previous.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: previous.pid - level: core - type: long - format: string - description: Process id. 
- example: 4242 - default_field: false - - name: previous.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: previous.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: previous.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: previous.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: previous.real_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: previous.real_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: previous.real_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: previous.real_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: previous.real_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: previous.real_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- default_field: false - - name: previous.real_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: previous.real_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: previous.real_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: previous.real_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: previous.real_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: previous.real_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: previous.real_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: previous.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: previous.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: previous.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: previous.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: previous.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: previous.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: previous.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: previous.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: previous.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: previous.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: previous.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: previous.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - default_field: false - - name: previous.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: previous.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: previous.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: previous.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: previous.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: previous.saved_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: previous.saved_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: previous.saved_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: previous.saved_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: previous.saved_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: previous.saved_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: previous.saved_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: previous.saved_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- default_field: false - - name: previous.saved_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: previous.saved_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: previous.saved_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: previous.saved_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: previous.saved_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - default_field: false - - name: previous.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: previous.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: previous.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: previous.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: previous.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: previous.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: previous.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - default_field: false - - name: previous.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: previous.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: previous.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: previous.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: previous.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: previous.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: previous.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: previous.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: previous.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: previous.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: previous.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: previous.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: previous.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: previous.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: previous.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. 
- default_field: false - - name: previous.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: previous.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: previous.tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: previous.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: previous.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: previous.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. 
- default_field: false - - name: previous.user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: previous.user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: previous.user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: previous.user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- default_field: false - - name: previous.user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: previous.user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: previous.user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: previous.user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: previous.user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: previous.user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. 
Format may vary by entity type and source system. - default_field: false - - name: previous.user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: previous.user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: previous.user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: previous.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: previous.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: previous.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- default_field: false - - name: previous.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: previous.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: previous.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: previous.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: previous.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: previous.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: previous.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: previous.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - default_field: false - - name: previous.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: previous.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: previous.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: previous.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: previous.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: real_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: real_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: real_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: real_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: real_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: real_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: real_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: real_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: real_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: real_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: real_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: real_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: real_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. 
- example: Albert Einstein - default_field: false - - name: real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: responsible.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: responsible.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' 
- example: 4 - default_field: false - - name: responsible.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: responsible.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: responsible.attested_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: responsible.attested_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. 
- default_field: false - - name: responsible.attested_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: responsible.attested_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: responsible.attested_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: responsible.attested_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: responsible.attested_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- default_field: false - - name: responsible.attested_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: responsible.attested_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: responsible.attested_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: responsible.attested_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: responsible.attested_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - default_field: false - - name: responsible.attested_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: responsible.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: responsible.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: responsible.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: responsible.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: responsible.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: responsible.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: responsible.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: responsible.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: responsible.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: responsible.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: responsible.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - default_field: false - - name: responsible.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: responsible.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: responsible.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: responsible.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: responsible.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: responsible.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' 
- example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: responsible.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: responsible.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: responsible.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: responsible.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: responsible.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: responsible.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: responsible.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. 
- - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: responsible.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: responsible.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: responsible.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: responsible.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: responsible.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: responsible.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: responsible.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. 
- default_field: false - - name: responsible.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: responsible.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: responsible.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: responsible.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: responsible.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: responsible.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: responsible.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: responsible.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' - default_field: false - - name: responsible.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: responsible.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. 
- default_field: false - - name: responsible.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: responsible.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: responsible.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: responsible.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: responsible.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: responsible.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: responsible.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: responsible.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. 
- default_field: false - - name: responsible.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: responsible.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: responsible.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: responsible.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: responsible.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: responsible.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: responsible.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: responsible.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: responsible.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: responsible.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: responsible.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. 
- default_field: false - - name: responsible.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: responsible.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: responsible.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: responsible.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: responsible.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: responsible.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: responsible.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. 
The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: responsible.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: responsible.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: responsible.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: responsible.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: responsible.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: responsible.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: responsible.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: responsible.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. 
- example: Canada - default_field: false - - name: responsible.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: responsible.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: responsible.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: responsible.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: responsible.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: responsible.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: responsible.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: responsible.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. 
- - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: responsible.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: responsible.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: responsible.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: responsible.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. - default_field: false - - name: responsible.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - default_field: false - - name: responsible.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: responsible.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - default_field: false - - name: responsible.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: responsible.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' 
- example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: responsible.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh - default_field: false - - name: responsible.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: responsible.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: responsible.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: responsible.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: responsible.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: responsible.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: responsible.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. 
- default_field: false - - name: responsible.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: responsible.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: responsible.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: responsible.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: responsible.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: responsible.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: responsible.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: responsible.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- default_field: false - - name: responsible.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: responsible.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: responsible.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: responsible.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: responsible.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: responsible.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: responsible.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: responsible.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: responsible.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: responsible.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: responsible.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: responsible.macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: responsible.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. 
- default_field: false - - name: responsible.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: responsible.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: responsible.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: responsible.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: responsible.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: responsible.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: responsible.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: responsible.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: responsible.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: responsible.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: responsible.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: responsible.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: responsible.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: responsible.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: responsible.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: responsible.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: responsible.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: responsible.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: responsible.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: responsible.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: responsible.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: responsible.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: responsible.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: responsible.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: responsible.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: responsible.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: responsible.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: responsible.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: responsible.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: responsible.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: responsible.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: responsible.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: responsible.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: responsible.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: responsible.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: responsible.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: responsible.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: responsible.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: responsible.real_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: responsible.real_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: responsible.real_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: responsible.real_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: responsible.real_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: responsible.real_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: responsible.real_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: responsible.real_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- default_field: false - - name: responsible.real_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: responsible.real_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: responsible.real_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: responsible.real_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: responsible.real_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - default_field: false - - name: responsible.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: responsible.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: responsible.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: responsible.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: responsible.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: responsible.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - default_field: false - - name: responsible.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: responsible.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: responsible.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: responsible.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: responsible.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: responsible.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: responsible.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. 
Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: responsible.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: responsible.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: responsible.saved_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. 
Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: responsible.saved_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: responsible.saved_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: responsible.saved_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- default_field: false - - name: responsible.saved_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: responsible.saved_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: responsible.saved_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: responsible.saved_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: responsible.saved_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: responsible.saved_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. 
This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: responsible.saved_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: responsible.saved_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: responsible.saved_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: responsible.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: responsible.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: responsible.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: responsible.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: responsible.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: responsible.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: responsible.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: responsible.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: responsible.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - default_field: false - - name: responsible.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: responsible.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: responsible.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: responsible.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: responsible.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: responsible.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: responsible.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: responsible.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: responsible.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: responsible.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: responsible.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: responsible.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: responsible.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: responsible.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. 
- example: 4 - default_field: false - - name: responsible.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: responsible.tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: responsible.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: responsible.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: responsible.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: responsible.user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: responsible.user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: responsible.user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: responsible.user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- default_field: false - - name: responsible.user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: responsible.user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: responsible.user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: responsible.user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: responsible.user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: responsible.user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. 
Format may vary by entity type and source system. - default_field: false - - name: responsible.user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: responsible.user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: responsible.user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: responsible.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: responsible.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: responsible.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- default_field: false - - name: responsible.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: responsible.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: responsible.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: responsible.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: responsible.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: responsible.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: responsible.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: responsible.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - default_field: false - - name: responsible.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: responsible.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: responsible.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: responsible.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: responsible.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. 
- - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: saved_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- default_field: false - - name: saved_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: saved_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: saved_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: saved_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: saved_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: saved_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: saved_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: saved_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: saved_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: saved_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: saved_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. 
This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: saved_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - default_field: false - - name: saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: session_leader.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: session_leader.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. 
- default_field: false - - name: session_leader.attested_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: session_leader.attested_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.attested_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: session_leader.attested_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. 
Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: session_leader.attested_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: session_leader.attested_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.attested_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: session_leader.attested_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: session_leader.attested_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- default_field: false - - name: session_leader.attested_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: session_leader.attested_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: session_leader.attested_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: session_leader.attested_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: session_leader.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. 
- example: Albert Einstein - default_field: false - - name: session_leader.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: session_leader.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: session_leader.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: session_leader.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. 
- example: 'true' - default_field: false - - name: session_leader.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: session_leader.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: session_leader.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: session_leader.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: session_leader.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: session_leader.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: session_leader.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - default_field: false - - name: session_leader.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: session_leader.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: session_leader.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: session_leader.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: session_leader.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: session_leader.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: session_leader.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: session_leader.elf.exports - level: extended - type: flattened - description: List of exported element names and types. 
- default_field: false - - name: session_leader.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: session_leader.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: session_leader.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: session_leader.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: session_leader.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: session_leader.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. 
- default_field: false - - name: session_leader.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: session_leader.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' - default_field: false - - name: session_leader.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: session_leader.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: session_leader.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: session_leader.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: session_leader.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: session_leader.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: session_leader.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- default_field: false - - name: session_leader.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: session_leader.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: session_leader.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: session_leader.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: session_leader.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: session_leader.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: session_leader.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: session_leader.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: session_leader.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: session_leader.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. 
- default_field: false - - name: session_leader.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: session_leader.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: session_leader.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: session_leader.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: session_leader.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: session_leader.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: session_leader.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: session_leader.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: session_leader.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. 
- - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: session_leader.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: session_leader.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: session_leader.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: session_leader.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: session_leader.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: session_leader.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. 
- example: Montreal - default_field: false - - name: session_leader.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: session_leader.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: session_leader.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: session_leader.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: session_leader.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: session_leader.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: session_leader.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: session_leader.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. 
- example: CA-QC - default_field: false - - name: session_leader.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: session_leader.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: session_leader.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: session_leader.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: session_leader.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: session_leader.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - default_field: false - - name: session_leader.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: session_leader.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. 
- default_field: false - - name: session_leader.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: session_leader.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: session_leader.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - default_field: false - - name: session_leader.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: session_leader.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: session_leader.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh - default_field: false - - name: session_leader.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: session_leader.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: session_leader.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: session_leader.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: session_leader.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: session_leader.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: session_leader.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: session_leader.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: session_leader.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: session_leader.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: session_leader.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: session_leader.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: session_leader.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: session_leader.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: session_leader.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: session_leader.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: session_leader.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: session_leader.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. 
- default_field: false - - name: session_leader.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: session_leader.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: session_leader.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: session_leader.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: session_leader.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: session_leader.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: session_leader.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: session_leader.macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: session_leader.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: session_leader.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: session_leader.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: session_leader.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: session_leader.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. 
- default_field: false - - name: session_leader.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: session_leader.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: session_leader.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: session_leader.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: session_leader.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: session_leader.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: session_leader.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: session_leader.parent.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. 
- - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: session_leader.parent.args_count - level: extended - type: long - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: session_leader.parent.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.parent.attested_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- default_field: false - - name: session_leader.parent.attested_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.parent.attested_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: session_leader.parent.attested_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: session_leader.parent.attested_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- default_field: false - - name: session_leader.parent.attested_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.parent.attested_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: session_leader.parent.attested_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: session_leader.parent.attested_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: session_leader.parent.attested_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- default_field: false - - name: session_leader.parent.attested_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: session_leader.parent.attested_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: session_leader.parent.attested_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: session_leader.parent.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: session_leader.parent.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- default_field: false - - name: session_leader.parent.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.parent.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.parent.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.parent.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.parent.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: session_leader.parent.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - default_field: false - - name: session_leader.parent.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.parent.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.parent.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.parent.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.parent.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: session_leader.parent.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: session_leader.parent.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. 
- example: 570522385 - default_field: false - - name: session_leader.parent.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: session_leader.parent.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: session_leader.parent.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: session_leader.parent.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: session_leader.parent.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: session_leader.parent.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - default_field: false - - name: session_leader.parent.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: session_leader.parent.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: session_leader.parent.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: session_leader.parent.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 - default_field: false - - name: session_leader.parent.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: session_leader.parent.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: session_leader.parent.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. 
- default_field: false - - name: session_leader.parent.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: session_leader.parent.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: session_leader.parent.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: session_leader.parent.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: session_leader.parent.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: session_leader.parent.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. 
- default_field: false - - name: session_leader.parent.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: session_leader.parent.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: session_leader.parent.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' - default_field: false - - name: session_leader.parent.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: session_leader.parent.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: session_leader.parent.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: session_leader.parent.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: session_leader.parent.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: session_leader.parent.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. 
- default_field: false - - name: session_leader.parent.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: session_leader.parent.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: session_leader.parent.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: session_leader.parent.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: session_leader.parent.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: session_leader.parent.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: session_leader.parent.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: session_leader.parent.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: session_leader.parent.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. 
- default_field: false - - name: session_leader.parent.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: session_leader.parent.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: session_leader.parent.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: session_leader.parent.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: session_leader.parent.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: session_leader.parent.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: session_leader.parent.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: session_leader.parent.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: session_leader.parent.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: session_leader.parent.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - default_field: false - - name: session_leader.parent.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: session_leader.parent.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: session_leader.parent.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: session_leader.parent.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: session_leader.parent.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' 
- example: foo.example.com - default_field: false - - name: session_leader.parent.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: session_leader.parent.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: session_leader.parent.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: session_leader.parent.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: session_leader.parent.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: session_leader.parent.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: session_leader.parent.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: session_leader.parent.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 - default_field: false - - name: session_leader.parent.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: session_leader.parent.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: session_leader.parent.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: session_leader.parent.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: session_leader.parent.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: session_leader.parent.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: session_leader.parent.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- default_field: false - - name: session_leader.parent.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: session_leader.parent.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. - default_field: false - - name: session_leader.parent.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: session_leader.parent.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: session_leader.parent.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". 
- - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - default_field: false - - name: session_leader.parent.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: session_leader.parent.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: session_leader.parent.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh - default_field: false - - name: session_leader.parent.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: session_leader.parent.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- default_field: false - - name: session_leader.parent.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: session_leader.parent.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: session_leader.parent.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: session_leader.parent.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: session_leader.parent.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: session_leader.parent.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: session_leader.parent.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: session_leader.parent.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. - default_field: false - - name: session_leader.parent.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: session_leader.parent.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: session_leader.parent.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: session_leader.parent.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: session_leader.parent.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: session_leader.parent.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - default_field: false - - name: session_leader.parent.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' 
- default_field: false - - name: session_leader.parent.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: session_leader.parent.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: session_leader.parent.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: session_leader.parent.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: session_leader.parent.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: session_leader.parent.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: session_leader.parent.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: session_leader.parent.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: session_leader.parent.macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: session_leader.parent.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: session_leader.parent.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: session_leader.parent.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' 
- default_field: false - - name: session_leader.parent.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: session_leader.parent.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: session_leader.parent.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: session_leader.parent.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: session_leader.parent.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: session_leader.parent.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. 
- example: http://example.com/article1.html - default_field: false - - name: session_leader.parent.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: session_leader.parent.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: session_leader.parent.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: session_leader.parent.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: session_leader.parent.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: session_leader.parent.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: session_leader.parent.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. 
- default_field: false - - name: session_leader.parent.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: session_leader.parent.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: session_leader.parent.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: session_leader.parent.pe.imports - level: extended - type: flattened - description: List of imported element names and types. 
- default_field: false - - name: session_leader.parent.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: session_leader.parent.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: session_leader.parent.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: session_leader.parent.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: session_leader.parent.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: session_leader.parent.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: session_leader.parent.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. 
- default_field: false - - name: session_leader.parent.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: session_leader.parent.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: session_leader.parent.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: session_leader.parent.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: session_leader.parent.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: session_leader.parent.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: session_leader.parent.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.parent.real_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: session_leader.parent.real_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.parent.real_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: session_leader.parent.real_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). 
For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: session_leader.parent.real_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: session_leader.parent.real_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.parent.real_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: session_leader.parent.real_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: session_leader.parent.real_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- default_field: false - - name: session_leader.parent.real_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: session_leader.parent.real_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: session_leader.parent.real_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: session_leader.parent.real_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: session_leader.parent.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. 
- example: Albert Einstein - default_field: false - - name: session_leader.parent.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.parent.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.parent.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.parent.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.parent.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: session_leader.parent.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: session_leader.parent.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.parent.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.parent.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.parent.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.parent.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. 
- - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: session_leader.parent.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.parent.saved_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: session_leader.parent.saved_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.parent.saved_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: session_leader.parent.saved_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- default_field: false - - name: session_leader.parent.saved_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: session_leader.parent.saved_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.parent.saved_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: session_leader.parent.saved_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: session_leader.parent.saved_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- default_field: false - - name: session_leader.parent.saved_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: session_leader.parent.saved_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: session_leader.parent.saved_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: session_leader.parent.saved_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: session_leader.parent.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. 
- example: Albert Einstein - default_field: false - - name: session_leader.parent.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.parent.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.parent.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.parent.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.parent.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: session_leader.parent.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: session_leader.parent.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.parent.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.parent.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.parent.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.parent.session_leader.args - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - default_field: false - - name: session_leader.parent.session_leader.args_count - level: extended - type: long - description: 'Length of the process.args array. 
- - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - default_field: false - - name: session_leader.parent.session_leader.attested_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.session_leader.attested_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.session_leader.attested_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.session_leader.attested_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.session_leader.attested_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.parent.session_leader.attested_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- default_field: false - - name: session_leader.parent.session_leader.attested_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.parent.session_leader.attested_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: session_leader.parent.session_leader.attested_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- default_field: false - - name: session_leader.parent.session_leader.attested_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.parent.session_leader.attested_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: session_leader.parent.session_leader.attested_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: session_leader.parent.session_leader.attested_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: session_leader.parent.session_leader.attested_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- default_field: false - - name: session_leader.parent.session_leader.attested_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: session_leader.parent.session_leader.attested_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: session_leader.parent.session_leader.attested_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: session_leader.parent.session_leader.attested_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: session_leader.parent.session_leader.attested_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: session_leader.parent.session_leader.attested_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.session_leader.attested_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.session_leader.attested_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.parent.session_leader.attested_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.parent.session_leader.attested_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.parent.session_leader.attested_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: session_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: session_leader.parent.session_leader.attested_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.parent.session_leader.attested_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.parent.session_leader.attested_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.parent.session_leader.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' 
- example: sha256 - default_field: false - - name: session_leader.parent.session_leader.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: session_leader.parent.session_leader.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 - default_field: false - - name: session_leader.parent.session_leader.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: session_leader.parent.session_leader.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: session_leader.parent.session_leader.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: session_leader.parent.session_leader.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' 
- example: EQHXZ8M8AV - default_field: false - - name: session_leader.parent.session_leader.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: session_leader.parent.session_leader.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - default_field: false - - name: session_leader.parent.session_leader.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: session_leader.parent.session_leader.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: session_leader.parent.session_leader.command_line - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - default_field: false - - name: session_leader.parent.session_leader.elf.architecture - level: extended - type: keyword - ignore_above: 1024 - description: Machine architecture of the ELF file. 
- example: x86-64 - default_field: false - - name: session_leader.parent.session_leader.elf.byte_order - level: extended - type: keyword - ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: session_leader.parent.session_leader.elf.cpu_type - level: extended - type: keyword - ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: session_leader.parent.session_leader.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: session_leader.parent.session_leader.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: session_leader.parent.session_leader.elf.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: session_leader.parent.session_leader.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: session_leader.parent.session_leader.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: session_leader.parent.session_leader.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.session_leader.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: session_leader.parent.session_leader.elf.header.abi_version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: session_leader.parent.session_leader.elf.header.class - level: extended - type: keyword - ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: session_leader.parent.session_leader.elf.header.data - level: extended - type: keyword - ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: session_leader.parent.session_leader.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: session_leader.parent.session_leader.elf.header.object_version - level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' - default_field: false - - name: session_leader.parent.session_leader.elf.header.os_abi - level: extended - type: keyword - ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: session_leader.parent.session_leader.elf.header.type - level: extended - type: keyword - ignore_above: 1024 - description: Header type of the ELF file. 
- default_field: false - - name: session_leader.parent.session_leader.elf.header.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: session_leader.parent.session_leader.elf.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: session_leader.parent.session_leader.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: session_leader.parent.session_leader.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: session_leader.parent.session_leader.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: session_leader.parent.session_leader.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: session_leader.parent.session_leader.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. 
- default_field: false - - name: session_leader.parent.session_leader.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.session_leader.elf.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List flags. - default_field: false - - name: session_leader.parent.session_leader.elf.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: session_leader.parent.session_leader.elf.sections.physical_offset - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: session_leader.parent.session_leader.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. - default_field: false - - name: session_leader.parent.session_leader.elf.sections.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: session_leader.parent.session_leader.elf.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.session_leader.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: session_leader.parent.session_leader.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. - default_field: false - - name: session_leader.parent.session_leader.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: session_leader.parent.session_leader.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: session_leader.parent.session_leader.elf.segments.type - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: session_leader.parent.session_leader.elf.shared_libraries - level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. - default_field: false - - name: session_leader.parent.session_leader.elf.telfhash - level: extended - type: keyword - ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: session_leader.parent.session_leader.end - level: extended - type: date - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: session_leader.parent.session_leader.endpoint_security_client - level: extended - type: boolean - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - default_field: false - - name: session_leader.parent.session_leader.entity_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' 
- example: c2c455d9f99375d - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. - example: 184 - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. 
- example: Montreal - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' 
- example: 94040 - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.port - level: core - type: long - format: string - description: Port of the source. - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: session_leader.parent.session_leader.entry_meta.source.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. 
For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - default_field: false - - name: session_leader.parent.session_leader.entry_meta.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - default_field: false - - name: session_leader.parent.session_leader.env_vars - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - default_field: false - - name: session_leader.parent.session_leader.executable - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Absolute path to the process executable. - example: /usr/bin/ssh - default_field: false - - name: session_leader.parent.session_leader.exit_code - level: extended - type: long - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - default_field: false - - name: session_leader.parent.session_leader.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: session_leader.parent.session_leader.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.session_leader.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.session_leader.hash.cdhash - level: extended - type: keyword - ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: session_leader.parent.session_leader.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: session_leader.parent.session_leader.hash.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: session_leader.parent.session_leader.hash.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: session_leader.parent.session_leader.hash.sha384 - level: extended - type: keyword - ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: session_leader.parent.session_leader.hash.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. - default_field: false - - name: session_leader.parent.session_leader.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: session_leader.parent.session_leader.hash.tlsh - level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. 
- default_field: false - - name: session_leader.parent.session_leader.interactive - level: extended - type: boolean - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - default_field: false - - name: session_leader.parent.session_leader.io - level: extended - type: object - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - default_field: false - - name: session_leader.parent.session_leader.io.bytes_skipped - level: extended - type: object - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - default_field: false - - name: session_leader.parent.session_leader.io.bytes_skipped.length - level: extended - type: long - description: The length of bytes skipped. - default_field: false - - name: session_leader.parent.session_leader.io.bytes_skipped.offset - level: extended - type: long - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - default_field: false - - name: session_leader.parent.session_leader.io.max_bytes_per_process_exceeded - level: extended - type: boolean - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- default_field: false - - name: session_leader.parent.session_leader.io.text - level: extended - type: wildcard - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - default_field: false - - name: session_leader.parent.session_leader.io.total_bytes_captured - level: extended - type: long - description: The total number of bytes captured in this event. - default_field: false - - name: session_leader.parent.session_leader.io.total_bytes_skipped - level: extended - type: long - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - default_field: false - - name: session_leader.parent.session_leader.io.type - level: extended - type: keyword - ignore_above: 1024 - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - default_field: false - - name: session_leader.parent.session_leader.macho.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: session_leader.parent.session_leader.macho.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: session_leader.parent.session_leader.macho.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.session_leader.macho.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.session_leader.macho.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: session_leader.parent.session_leader.macho.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: session_leader.parent.session_leader.macho.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: session_leader.parent.session_leader.macho.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. 
- default_field: false - - name: session_leader.parent.session_leader.macho.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: session_leader.parent.session_leader.macho.sections - level: extended - type: nested - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - default_field: false - - name: session_leader.parent.session_leader.macho.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.session_leader.macho.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Mach-O Section List name. - default_field: false - - name: session_leader.parent.session_leader.macho.sections.physical_size - level: extended - type: long - format: bytes - description: Mach-O Section List physical size. - default_field: false - - name: session_leader.parent.session_leader.macho.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.session_leader.macho.sections.virtual_size - level: extended - type: long - format: string - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: session_leader.parent.session_leader.macho.symhash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - default_field: false - - name: session_leader.parent.session_leader.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - default_field: false - - name: session_leader.parent.session_leader.origin_referrer_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - default_field: false - - name: session_leader.parent.session_leader.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - default_field: false - - name: session_leader.parent.session_leader.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: session_leader.parent.session_leader.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: session_leader.parent.session_leader.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: session_leader.parent.session_leader.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. 
- example: 6.3.9600.17415 - default_field: false - - name: session_leader.parent.session_leader.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: session_leader.parent.session_leader.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: session_leader.parent.session_leader.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.session_leader.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.parent.session_leader.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: session_leader.parent.session_leader.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: session_leader.parent.session_leader.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: session_leader.parent.session_leader.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: session_leader.parent.session_leader.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: session_leader.parent.session_leader.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: session_leader.parent.session_leader.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: session_leader.parent.session_leader.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
- example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: session_leader.parent.session_leader.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: session_leader.parent.session_leader.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: session_leader.parent.session_leader.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.session_leader.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: session_leader.parent.session_leader.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. - default_field: false - - name: session_leader.parent.session_leader.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: session_leader.parent.session_leader.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: session_leader.parent.session_leader.pid - level: core - type: long - format: string - description: Process id. 
- example: 4242 - default_field: false - - name: session_leader.parent.session_leader.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: session_leader.parent.session_leader.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.session_leader.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.session_leader.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.session_leader.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.session_leader.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.parent.session_leader.real_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- default_field: false - - name: session_leader.parent.session_leader.real_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.parent.session_leader.real_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: session_leader.parent.session_leader.real_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: session_leader.parent.session_leader.real_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- default_field: false - - name: session_leader.parent.session_leader.real_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.parent.session_leader.real_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: session_leader.parent.session_leader.real_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: session_leader.parent.session_leader.real_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: session_leader.parent.session_leader.real_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- default_field: false - - name: session_leader.parent.session_leader.real_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: session_leader.parent.session_leader.real_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: session_leader.parent.session_leader.real_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: session_leader.parent.session_leader.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: session_leader.parent.session_leader.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: session_leader.parent.session_leader.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.session_leader.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.session_leader.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.parent.session_leader.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.parent.session_leader.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.parent.session_leader.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: session_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: session_leader.parent.session_leader.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.parent.session_leader.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.parent.session_leader.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.parent.session_leader.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. 
Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: session_leader.parent.session_leader.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.session_leader.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.session_leader.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.session_leader.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.session_leader.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. 
- default_field: false - - name: session_leader.parent.session_leader.saved_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: session_leader.parent.session_leader.saved_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.parent.session_leader.saved_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: session_leader.parent.session_leader.saved_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). 
For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: session_leader.parent.session_leader.saved_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.parent.session_leader.saved_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: session_leader.parent.session_leader.saved_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: session_leader.parent.session_leader.saved_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: session_leader.parent.session_leader.saved_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: session_leader.parent.session_leader.saved_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: session_leader.parent.session_leader.saved_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: session_leader.parent.session_leader.saved_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - default_field: false - - name: session_leader.parent.session_leader.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: session_leader.parent.session_leader.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.session_leader.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.session_leader.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.session_leader.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.parent.session_leader.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.parent.session_leader.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein - default_field: false - - name: session_leader.parent.session_leader.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.parent.session_leader.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: session_leader.parent.session_leader.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: session_leader.parent.session_leader.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.parent.session_leader.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.parent.session_leader.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - default_field: false - - name: session_leader.parent.session_leader.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.parent.session_leader.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: session_leader.parent.session_leader.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.session_leader.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.session_leader.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.session_leader.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: session_leader.parent.session_leader.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: session_leader.parent.session_leader.thread.id - level: extended - type: long - format: string - description: Thread ID. 
- example: 4242 - default_field: false - - name: session_leader.parent.session_leader.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: session_leader.parent.session_leader.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: session_leader.parent.session_leader.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: session_leader.parent.session_leader.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: session_leader.parent.session_leader.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: session_leader.parent.session_leader.tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. 
where event.action = ''text_output''' - example: 80 - default_field: false - - name: session_leader.parent.session_leader.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: session_leader.parent.session_leader.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: session_leader.parent.session_leader.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.session_leader.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.parent.session_leader.user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: session_leader.parent.session_leader.user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. 
- default_field: false - - name: session_leader.parent.session_leader.user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: session_leader.parent.session_leader.user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: session_leader.parent.session_leader.user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: session_leader.parent.session_leader.user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- default_field: false - - name: session_leader.parent.session_leader.user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: session_leader.parent.session_leader.user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: session_leader.parent.session_leader.user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: session_leader.parent.session_leader.user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: session_leader.parent.session_leader.user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: session_leader.parent.session_leader.user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. 
This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: session_leader.parent.session_leader.user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: session_leader.parent.session_leader.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: session_leader.parent.session_leader.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.session_leader.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.session_leader.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.session_leader.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.parent.session_leader.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.parent.session_leader.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.parent.session_leader.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.parent.session_leader.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: session_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: session_leader.parent.session_leader.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - default_field: false - - name: session_leader.parent.session_leader.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.parent.session_leader.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.parent.session_leader.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.parent.session_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: session_leader.parent.session_leader.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: session_leader.parent.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: session_leader.parent.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: session_leader.parent.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: session_leader.parent.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: session_leader.parent.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: session_leader.parent.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: session_leader.parent.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: session_leader.parent.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. 
- default_field: false - - name: session_leader.parent.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: session_leader.parent.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: session_leader.parent.tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: session_leader.parent.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: session_leader.parent.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: session_leader.parent.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: session_leader.parent.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.parent.user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: session_leader.parent.user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.parent.user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: session_leader.parent.user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). 
For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: session_leader.parent.user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: session_leader.parent.user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.parent.user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: session_leader.parent.user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: session_leader.parent.user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- default_field: false - - name: session_leader.parent.user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: session_leader.parent.user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: session_leader.parent.user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: session_leader.parent.user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: session_leader.parent.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. 
- example: Albert Einstein - default_field: false - - name: session_leader.parent.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.parent.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.parent.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.parent.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.parent.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.parent.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.parent.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.parent.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - default_field: false - - name: session_leader.parent.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: session_leader.parent.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.parent.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.parent.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.parent.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.parent.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: session_leader.parent.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. 
- example: /home/alice - default_field: false - - name: session_leader.pe.architecture - level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 - default_field: false - - name: session_leader.pe.company - level: extended - type: keyword - ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - default_field: false - - name: session_leader.pe.description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: session_leader.pe.file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: session_leader.pe.go_import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: session_leader.pe.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: session_leader.pe.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: session_leader.pe.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: session_leader.pe.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: session_leader.pe.imphash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: session_leader.pe.import_hash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: session_leader.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: session_leader.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. 
- default_field: false - - name: session_leader.pe.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: session_leader.pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: session_leader.pe.pehash - level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - default_field: false - - name: session_leader.pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - default_field: false - - name: session_leader.pe.sections - level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - default_field: false - - name: session_leader.pe.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: session_leader.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: PE Section List name. - default_field: false - - name: session_leader.pe.sections.physical_size - level: extended - type: long - format: bytes - description: PE Section List physical size. 
- default_field: false - - name: session_leader.pe.sections.var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. - default_field: false - - name: session_leader.pe.sections.virtual_size - level: extended - type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. - default_field: false - - name: session_leader.pid - level: core - type: long - format: string - description: Process id. - example: 4242 - default_field: false - - name: session_leader.platform_binary - level: extended - type: boolean - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - default_field: false - - name: session_leader.real_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.real_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.real_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.real_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.real_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.real_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: session_leader.real_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.real_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: session_leader.real_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- default_field: false - - name: session_leader.real_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: session_leader.real_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.real_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: session_leader.real_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: session_leader.real_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: session_leader.real_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. 
This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: session_leader.real_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: session_leader.real_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: session_leader.real_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: session_leader.real_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: session_leader.real_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: session_leader.real_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.real_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.real_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.real_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.real_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.real_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.real_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: session_leader.real_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - default_field: false - - name: session_leader.real_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.real_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.real_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.real_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.same_as_process - level: extended - type: boolean - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - default_field: false - - name: session_leader.saved_group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.saved_group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.saved_group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.saved_user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.saved_user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.saved_user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- default_field: false - - name: session_leader.saved_user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.saved_user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: session_leader.saved_user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: session_leader.saved_user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- default_field: false - - name: session_leader.saved_user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.saved_user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: session_leader.saved_user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: session_leader.saved_user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: session_leader.saved_user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- default_field: false - - name: session_leader.saved_user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: session_leader.saved_user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: session_leader.saved_user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: session_leader.saved_user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: session_leader.saved_user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.saved_user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. 
- default_field: false - - name: session_leader.saved_user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.saved_user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.saved_user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.saved_user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.saved_user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.saved_user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: session_leader.saved_user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - default_field: false - - name: session_leader.saved_user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.saved_user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.saved_user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.saved_user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - default_field: false - - name: session_leader.supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. 
- default_field: false - - name: session_leader.thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: session_leader.thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: session_leader.thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - default_field: false - - name: session_leader.thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - default_field: false - - name: session_leader.title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - default_field: false - - name: session_leader.tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: session_leader.tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. 
- example: 4 - default_field: false - - name: session_leader.tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: session_leader.tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: session_leader.tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: session_leader.uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - default_field: false - - name: session_leader.user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: session_leader.user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: session_leader.user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: session_leader.user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: session_leader.user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- default_field: false - - name: session_leader.user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: session_leader.user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: session_leader.user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: session_leader.user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: session_leader.user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: session_leader.user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. 
This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: session_leader.user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: session_leader.user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: session_leader.user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: session_leader.user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: session_leader.user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- default_field: false - - name: session_leader.user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: session_leader.user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: session_leader.user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: session_leader.user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: session_leader.user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: session_leader.user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: session_leader.user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: session_leader.user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - default_field: false - - name: session_leader.user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: session_leader.user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: session_leader.user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: session_leader.user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: session_leader.vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: session_leader.working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The working directory of the process. - example: /home/alice - default_field: false - - name: start - level: extended - type: date - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - - name: supplemental_groups.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: supplemental_groups.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: supplemental_groups.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: thread.capabilities.effective - level: extended - type: keyword - ignore_above: 1024 - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: thread.capabilities.permitted - level: extended - type: keyword - ignore_above: 1024 - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - pattern: ^(CAP_[A-Z_]+|\d+)$ - default_field: false - - name: thread.id - level: extended - type: long - format: string - description: Thread ID. - example: 4242 - - name: thread.name - level: extended - type: keyword - ignore_above: 1024 - description: Thread name. - example: thread-0 - - name: title - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - - name: tty - level: extended - type: object - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - default_field: false - - name: tty.char_device.major - level: extended - type: long - description: The major number identifies the driver associated with the device. 
- The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - default_field: false - - name: tty.char_device.minor - level: extended - type: long - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - default_field: false - - name: tty.columns - level: extended - type: long - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - default_field: false - - name: tty.rows - level: extended - type: long - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - default_field: false - - name: uptime - level: extended - type: long - description: Seconds the process has been up. - example: 1325 - - name: user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - default_field: false - - name: user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- default_field: false - - name: user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). 
- default_field: false - - name: user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- default_field: false - - name: user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - default_field: false - - name: user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. - example: a.einstein - default_field: false - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - default_field: false - - name: user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: vpid - level: core - type: long - format: string - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - default_field: false - - name: working_directory - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: The working directory of the process. - example: /home/alice - - name: registry - title: Registry - group: 2 - description: Fields related to Windows Registry operations. - type: group - default_field: true - fields: - - name: data.bytes - level: extended - type: keyword - ignore_above: 1024 - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - default_field: false - - name: data.strings - level: core - type: wildcard - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' 
- example: '["C:\rta\red_ttp\bin\myapp.exe"]' - default_field: false - - name: data.type - level: core - type: keyword - ignore_above: 1024 - description: Standard registry type for encoding contents - example: REG_SZ - default_field: false - - name: hive - level: core - type: keyword - ignore_above: 1024 - description: Abbreviated name for the hive. - example: HKLM - default_field: false - - name: key - level: core - type: keyword - ignore_above: 1024 - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - default_field: false - - name: path - level: core - type: keyword - ignore_above: 1024 - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - default_field: false - - name: value - level: core - type: keyword - ignore_above: 1024 - description: Name of the value written. - example: Debugger - default_field: false - - name: related - title: Related - group: 2 - description: 'This field set is meant to facilitate pivoting around a piece of - data. - - Some pieces of information can be seen in many places in an ECS event. To facilitate - searching for them, store an array of all seen values to their corresponding - field in `related.`. - - A concrete example is IP addresses, which can be under host, observer, source, - destination, client, server, and network.forwarded_ip. If you append all IPs - to `related.ip`, you can then search for a given IP trivially, no matter where - it appeared, by querying `related.ip:192.0.2.15`.' - type: group - default_field: true - fields: - - name: hash - level: extended - type: keyword - ignore_above: 1024 - description: All the hashes seen on your event. Populating this field, then - using it to search for hashes can help in situations where you're unsure what - the hash algorithm is (and therefore which key name to search). 
- default_field: false - - name: hosts - level: extended - type: keyword - ignore_above: 1024 - description: All hostnames or other host identifiers seen on your event. Example - identifiers include FQDNs, domain names, workstation names, or aliases. - default_field: false - - name: ip - level: extended - type: ip - description: All of the IPs seen on your event. - - name: user - level: extended - type: keyword - ignore_above: 1024 - description: All the user names or other user identifiers seen on the event. - default_field: false - - name: rule - title: Rule - group: 2 - description: 'Rule fields are used to capture the specifics of any observer or - agent rules that generate alerts or other notable events. - - Examples of data sources that would populate the rule fields include: network - admission control platforms, network or host IDS/IPS, network firewalls, web - application firewalls, url filters, endpoint detection and response (EDR) systems, - etc.' - type: group - default_field: true - fields: - - name: author - level: extended - type: keyword - ignore_above: 1024 - description: Name, organization, or pseudonym of the author or authors who created - the rule used to generate this event. - example: '["Star-Lord"]' - default_field: false - - name: category - level: extended - type: keyword - ignore_above: 1024 - description: A categorization value keyword used by the entity using the rule - for detection of this event. - example: Attempted Information Leak - default_field: false - - name: description - level: extended - type: keyword - ignore_above: 1024 - description: The description of the rule generating the event. - example: Block requests to public DNS over HTTPS / TLS protocols - default_field: false - - name: id - level: extended - type: keyword - ignore_above: 1024 - description: A rule ID that is unique within the scope of an agent, observer, - or other entity using the rule for detection of this event. 
- example: 101 - default_field: false - - name: license - level: extended - type: keyword - ignore_above: 1024 - description: Name of the license under which the rule used to generate this - event is made available. - example: Apache 2.0 - default_field: false - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: The name of the rule or signature generating the event. - example: BLOCK_DNS_over_TLS - default_field: false - - name: reference - level: extended - type: keyword - ignore_above: 1024 - description: 'Reference URL to additional information about the rule used to - generate this event. - - The URL can point to the vendor''s documentation about the rule. If that''s - not available, it can also be a link to a more general page describing this - type of alert.' - example: https://en.wikipedia.org/wiki/DNS_over_TLS - default_field: false - - name: ruleset - level: extended - type: keyword - ignore_above: 1024 - description: Name of the ruleset, policy, group, or parent category in which - the rule used to generate this event is a member. - example: Standard_Protocol_Filters - default_field: false - - name: uuid - level: extended - type: keyword - ignore_above: 1024 - description: A rule ID that is unique within the scope of a set or group of - agents, observers, or other entities using the rule for detection of this - event. - example: 1100110011 - default_field: false - - name: version - level: extended - type: keyword - ignore_above: 1024 - description: The version / revision of the rule being used for analysis. - example: 1.1 - default_field: false - - name: server - title: Server - group: 2 - description: 'A Server is defined as the responder in a network connection for - events regarding sessions, connections, or bidirectional flow records. - - For TCP events, the server is the receiver of the initial SYN packet(s) of the - TCP connection. 
For other protocols, the server is generally the responder in - the network transaction. Some systems actually use the term "responder" to refer - the server in TCP connections. The server fields describe details about the - system acting as the server in the network event. Server fields are usually - populated in conjunction with client fields. Server fields are generally not - populated for packet-level events. - - Client / server representations can add semantic context to an exchange, which - is helpful to visualize the data in certain situations. If your context falls - in that category, you should still ensure that source and destination are filled - appropriately.' - type: group - default_field: true - fields: - - name: address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event server addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - - name: as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - - name: as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Organization name. - example: Google LLC - - name: bytes - level: core - type: long - format: bytes - description: Bytes sent from the server to the client. - example: 184 - - name: domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the server system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' 
- example: foo.example.com - - name: geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - - name: geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. - example: CA-QC - - name: geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. 
- example: America/Argentina/Buenos_Aires - default_field: false - - name: ip - level: core - type: ip - description: IP address of the server (IPv4 or IPv6). - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the server. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - - name: nat.ip - level: extended - type: ip - description: 'Translated ip of destination based NAT sessions (e.g. internet - to private DMZ) - - Typically used with load balancers, firewalls, or routers.' - - name: nat.port - level: extended - type: long - format: string - description: 'Translated port of destination based NAT sessions (e.g. internet - to private DMZ) - - Typically used with load balancers, firewalls, or routers.' - - name: packets - level: core - type: long - description: Packets sent from the server to the client. - example: 12 - - name: port - level: core - type: long - format: string - description: Port of the server. - - name: registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered server domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - - name: subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - - name: user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - - name: user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - - name: user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- default_field: false - - name: user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: User's full name, if available. - example: Albert Einstein - - name: user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - - name: user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - - name: user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - - name: user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Short name or login of the user. 
- example: a.einstein - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: service - title: Service - group: 2 - description: 'The service fields describe the service for or from which the data - was collected. 
- - These fields help you find and correlate logs for a specific service and version.' - footnote: The service fields may be self-nested under service.origin.* and service.target.* - to describe origin or target services in the context of incoming or outgoing - requests, respectively. However, the fieldsets service.origin.* and service.target.* - must not be confused with the root service fieldset that is used to describe - the actual service under observation. The fieldset service.origin.* may only - be used in the context of incoming requests or events to describe the originating - service of the request. The fieldset service.target.* may only be used in the - context of outgoing requests or events to describe the target service of the - request. - type: group - default_field: true - fields: - - name: address - level: extended - type: keyword - ignore_above: 1024 - description: 'Address where data about this service was collected from. - - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource - path (sockets).' - example: 172.26.0.2:5432 - default_field: false - - name: entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. 
- default_field: false - - name: entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- default_field: false - - name: entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - default_field: false - - name: entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: environment - level: extended - type: keyword - ignore_above: 1024 - description: 'Identifies the environment where the service is running. - - If the same service runs in different environments (production, staging, QA, - development, etc.), the environment can identify other instances of the same - service. Can also group services and applications from the same environment.' - example: production - default_field: false - - name: ephemeral_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Ephemeral identifier of this service (if one exists). - - This id normally changes across restarts, but `service.id` does not.' - example: 8a4f500f - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the running service. If the service is comprised - of many nodes, the `service.id` should be the same for all nodes. - - This id should uniquely identify the service. This makes it possible to correlate - logs and metrics for one specific service, no matter which particular node - emitted the event. - - Note that if you need to see the events from one specific host of the service, - you should filter on that `host.name` or `host.id` instead.' - example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the service data is collected from. - - The name of the service is normally user given. 
This allows for distributed - services that run on multiple hosts to correlate the related instances based - on the name. - - In the case of Elasticsearch the `service.name` could contain the cluster - name. For Beats the `service.name` is by default a copy of the `service.type` - field if no name is specified.' - example: elasticsearch-metrics - - name: node.name - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of a service node. - - This allows for two nodes of the same service running on the same host to - be differentiated. Therefore, `service.node.name` should typically be unique - across nodes of a given service. - - In the case of Elasticsearch, the `service.node.name` could contain the unique - node name within the Elasticsearch cluster. In cases where the service doesn''t - have the concept of a node name, the host name or container name can be used - to distinguish running instances that make up this service. If those do not - provide uniqueness (e.g. multiple instances of the service running on the - same host) - the node name can be manually set.' - example: instance-0000000016 - - name: node.role - level: extended - type: keyword - ignore_above: 1024 - description: 'Deprecated for removal in next major version release. This field - will be superseded by `node.roles`. - - Role of a service node. - - This allows for distinction between different running roles of the same service. - - In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. - - In the case of Elasticsearch, the `service.node.role` could be `master` or - `data`. - - Other services could use this to distinguish between a `web` and `worker` - role running as part of the service.' - example: background_tasks - default_field: false - - name: node.roles - level: extended - type: keyword - ignore_above: 1024 - description: 'Roles of a service node. - - This allows for distinction between different running roles of the same service. 
- - In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` - or both. - - In the case of Elasticsearch, the `service.node.role` could be `master` or - `data` or both. - - Other services could use this to distinguish between a `web` and `worker` - role running as part of the service.' - example: '["ui", "background_tasks"]' - default_field: false - - name: origin.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Address where data about this service was collected from. - - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource - path (sockets).' - example: 172.26.0.2:5432 - default_field: false - - name: origin.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: origin.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: origin.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- default_field: false - - name: origin.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: origin.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: origin.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: origin.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: origin.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- default_field: false - - name: origin.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: origin.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: origin.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: origin.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: origin.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - default_field: false - - name: origin.environment - level: extended - type: keyword - ignore_above: 1024 - description: 'Identifies the environment where the service is running. - - If the same service runs in different environments (production, staging, QA, - development, etc.), the environment can identify other instances of the same - service. Can also group services and applications from the same environment.' - example: production - default_field: false - - name: origin.ephemeral_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Ephemeral identifier of this service (if one exists). - - This id normally changes across restarts, but `service.id` does not.' - example: 8a4f500f - default_field: false - - name: origin.id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the running service. If the service is comprised - of many nodes, the `service.id` should be the same for all nodes. - - This id should uniquely identify the service. This makes it possible to correlate - logs and metrics for one specific service, no matter which particular node - emitted the event. - - Note that if you need to see the events from one specific host of the service, - you should filter on that `host.name` or `host.id` instead.' - example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - default_field: false - - name: origin.name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the service data is collected from. - - The name of the service is normally user given. This allows for distributed - services that run on multiple hosts to correlate the related instances based - on the name. - - In the case of Elasticsearch the `service.name` could contain the cluster - name. For Beats the `service.name` is by default a copy of the `service.type` - field if no name is specified.' 
- example: elasticsearch-metrics - default_field: false - - name: origin.node.name - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of a service node. - - This allows for two nodes of the same service running on the same host to - be differentiated. Therefore, `service.node.name` should typically be unique - across nodes of a given service. - - In the case of Elasticsearch, the `service.node.name` could contain the unique - node name within the Elasticsearch cluster. In cases where the service doesn''t - have the concept of a node name, the host name or container name can be used - to distinguish running instances that make up this service. If those do not - provide uniqueness (e.g. multiple instances of the service running on the - same host) - the node name can be manually set.' - example: instance-0000000016 - default_field: false - - name: origin.node.role - level: extended - type: keyword - ignore_above: 1024 - description: 'Deprecated for removal in next major version release. This field - will be superseded by `node.roles`. - - Role of a service node. - - This allows for distinction between different running roles of the same service. - - In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. - - In the case of Elasticsearch, the `service.node.role` could be `master` or - `data`. - - Other services could use this to distinguish between a `web` and `worker` - role running as part of the service.' - example: background_tasks - default_field: false - - name: origin.node.roles - level: extended - type: keyword - ignore_above: 1024 - description: 'Roles of a service node. - - This allows for distinction between different running roles of the same service. - - In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` - or both. - - In the case of Elasticsearch, the `service.node.role` could be `master` or - `data` or both. 
- - Other services could use this to distinguish between a `web` and `worker` - role running as part of the service.' - example: '["ui", "background_tasks"]' - default_field: false - - name: origin.state - level: core - type: keyword - ignore_above: 1024 - description: Current state of the service. - default_field: false - - name: origin.type - level: core - type: keyword - ignore_above: 1024 - description: 'The type of the service data is collected from. - - The type can be used to group and correlate logs and metrics from one service - type. - - Example: If logs or metrics are collected from Elasticsearch, `service.type` - would be `elasticsearch`.' - example: elasticsearch - default_field: false - - name: origin.version - level: core - type: keyword - ignore_above: 1024 - description: 'Version of the service the data was collected from. - - This allows to look at a data set only for a specific version of a service.' - example: 3.2.4 - default_field: false - - name: state - level: core - type: keyword - ignore_above: 1024 - description: Current state of the service. - - name: target.address - level: extended - type: keyword - ignore_above: 1024 - description: 'Address where data about this service was collected from. - - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource - path (sockets).' - example: 172.26.0.2:5432 - default_field: false - - name: target.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- default_field: false - - name: target.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: target.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: target.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: target.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: target.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: target.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: target.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: target.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: target.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: target.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: target.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. 
This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: target.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: target.environment - level: extended - type: keyword - ignore_above: 1024 - description: 'Identifies the environment where the service is running. - - If the same service runs in different environments (production, staging, QA, - development, etc.), the environment can identify other instances of the same - service. Can also group services and applications from the same environment.' - example: production - default_field: false - - name: target.ephemeral_id - level: extended - type: keyword - ignore_above: 1024 - description: 'Ephemeral identifier of this service (if one exists). - - This id normally changes across restarts, but `service.id` does not.' - example: 8a4f500f - default_field: false - - name: target.id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the running service. If the service is comprised - of many nodes, the `service.id` should be the same for all nodes. - - This id should uniquely identify the service. This makes it possible to correlate - logs and metrics for one specific service, no matter which particular node - emitted the event. 
- - Note that if you need to see the events from one specific host of the service, - you should filter on that `host.name` or `host.id` instead.' - example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - default_field: false - - name: target.name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the service data is collected from. - - The name of the service is normally user given. This allows for distributed - services that run on multiple hosts to correlate the related instances based - on the name. - - In the case of Elasticsearch the `service.name` could contain the cluster - name. For Beats the `service.name` is by default a copy of the `service.type` - field if no name is specified.' - example: elasticsearch-metrics - default_field: false - - name: target.node.name - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of a service node. - - This allows for two nodes of the same service running on the same host to - be differentiated. Therefore, `service.node.name` should typically be unique - across nodes of a given service. - - In the case of Elasticsearch, the `service.node.name` could contain the unique - node name within the Elasticsearch cluster. In cases where the service doesn''t - have the concept of a node name, the host name or container name can be used - to distinguish running instances that make up this service. If those do not - provide uniqueness (e.g. multiple instances of the service running on the - same host) - the node name can be manually set.' - example: instance-0000000016 - default_field: false - - name: target.node.role - level: extended - type: keyword - ignore_above: 1024 - description: 'Deprecated for removal in next major version release. This field - will be superseded by `node.roles`. - - Role of a service node. - - This allows for distinction between different running roles of the same service. - - In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks`. 
- - In the case of Elasticsearch, the `service.node.role` could be `master` or - `data`. - - Other services could use this to distinguish between a `web` and `worker` - role running as part of the service.' - example: background_tasks - default_field: false - - name: target.node.roles - level: extended - type: keyword - ignore_above: 1024 - description: 'Roles of a service node. - - This allows for distinction between different running roles of the same service. - - In the case of Kibana, the `service.node.role` could be `ui` or `background_tasks` - or both. - - In the case of Elasticsearch, the `service.node.role` could be `master` or - `data` or both. - - Other services could use this to distinguish between a `web` and `worker` - role running as part of the service.' - example: '["ui", "background_tasks"]' - default_field: false - - name: target.state - level: core - type: keyword - ignore_above: 1024 - description: Current state of the service. - default_field: false - - name: target.type - level: core - type: keyword - ignore_above: 1024 - description: 'The type of the service data is collected from. - - The type can be used to group and correlate logs and metrics from one service - type. - - Example: If logs or metrics are collected from Elasticsearch, `service.type` - would be `elasticsearch`.' - example: elasticsearch - default_field: false - - name: target.version - level: core - type: keyword - ignore_above: 1024 - description: 'Version of the service the data was collected from. - - This allows to look at a data set only for a specific version of a service.' - example: 3.2.4 - default_field: false - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'The type of the service data is collected from. - - The type can be used to group and correlate logs and metrics from one service - type. - - Example: If logs or metrics are collected from Elasticsearch, `service.type` - would be `elasticsearch`.' 
- example: elasticsearch - - name: version - level: core - type: keyword - ignore_above: 1024 - description: 'Version of the service the data was collected from. - - This allows to look at a data set only for a specific version of a service.' - example: 3.2.4 - - name: source - title: Source - group: 2 - description: 'Source fields capture details about the sender of a network exchange/packet. - These fields are populated from a network event, packet, or other event containing - details of a network transaction. - - Source fields are usually populated in conjunction with destination fields. - The source and destination fields are considered the baseline and should always - be filled if an event contains source and destination details from a network - transaction. If the event also contains identification of the client and server - roles, then the client and server fields should also be populated.' - type: group - default_field: true - fields: - - name: address - level: extended - type: keyword - ignore_above: 1024 - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - - name: as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - - name: as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Organization name. - example: Google LLC - - name: bytes - level: core - type: long - format: bytes - description: Bytes sent from the source to the destination. 
- example: 184 - - name: domain - level: core - type: keyword - ignore_above: 1024 - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - - name: geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - - name: geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA - default_field: false - - name: geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America - - name: geo.country_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Country ISO code. - example: CA - - name: geo.country_name - level: core - type: keyword - ignore_above: 1024 - description: Country name. - example: Canada - - name: geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - - name: geo.name - level: extended - type: keyword - ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - - name: geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - default_field: false - - name: geo.region_iso_code - level: core - type: keyword - ignore_above: 1024 - description: Region ISO code. 
- example: CA-QC - - name: geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec - - name: geo.timezone - level: core - type: keyword - ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - default_field: false - - name: ip - level: core - type: ip - description: IP address of the source (IPv4 or IPv6). - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - - name: nat.ip - level: extended - type: ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - - name: nat.port - level: extended - type: long - format: string - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - - name: packets - level: core - type: long - description: Packets sent from the source to the destination. - example: 12 - - name: port - level: core - type: long - format: string - description: Port of the source. - - name: registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). 
Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - - name: subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - default_field: false - - name: top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - - name: user.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - - name: user.email - level: extended - type: keyword - ignore_above: 1024 - description: User email address. - - name: user.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: user.entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: user.entity.display_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: user.entity.id - level: core - type: keyword - ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: user.entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- default_field: false - - name: user.entity.lifecycle - level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: user.entity.metrics - level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: user.entity.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: user.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: user.entity.reference - level: extended - type: keyword - ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - default_field: false - - name: user.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). 
- default_field: false - - name: user.entity.sub_type - level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - default_field: false - - name: user.entity.type - level: core - type: keyword - ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false - - name: user.full_name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: User's full name, if available. - example: Albert Einstein - - name: user.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - - name: user.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - - name: user.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - - name: user.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- - name: user.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - - name: user.name - level: core - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: Short name or login of the user. - example: a.einstein - - name: user.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: user.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: user.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: user.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: user.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: user.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - default_field: false - - name: user.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: threat - title: Threat - group: 2 - description: 'Fields to classify events and alerts according to a threat taxonomy - such as the MITRE ATT&CK® framework. - - These fields are for users to classify alerts from all of their sources (e.g. - IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant - to capture the high level category of the threat (e.g. "impact"). The threat.technique.* - fields are meant to capture which kind of approach is used by this detected - threat, to accomplish the goal (e.g. "endpoint denial of service").' - type: group - default_field: true - fields: - - name: enrichments - level: extended - type: nested - description: A list of associated indicators objects enriching the event, and - the context of that association/enrichment. - default_field: false - - name: enrichments.indicator - level: extended - type: object - description: Object containing associated indicators enriching the event. - default_field: false - - name: enrichments.indicator.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: enrichments.indicator.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC - default_field: false - - name: enrichments.indicator.confidence - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High - scale defined in Appendix A of the STIX 2.1 framework. 
Vendor-specific confidence - scales may be added as custom fields. - example: Medium - default_field: false - - name: enrichments.indicator.description - level: extended - type: keyword - ignore_above: 1024 - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - default_field: false - - name: enrichments.indicator.email.address - level: extended - type: keyword - ignore_above: 1024 - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com - default_field: false - - name: enrichments.indicator.file.accessed - level: extended - type: date - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' - default_field: false - - name: enrichments.indicator.file.attributes - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of file attributes. - - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, - execute, hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - default_field: false - - name: enrichments.indicator.file.code_signature.digest_algorithm - level: extended - type: keyword - ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - default_field: false - - name: enrichments.indicator.file.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' - default_field: false - - name: enrichments.indicator.file.code_signature.flags - level: extended - type: keyword - ignore_above: 1024 - description: The flags used to sign the process. 
- example: 570522385 - default_field: false - - name: enrichments.indicator.file.code_signature.signing_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - default_field: false - - name: enrichments.indicator.file.code_signature.status - level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: enrichments.indicator.file.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation - default_field: false - - name: enrichments.indicator.file.code_signature.team_id - level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: enrichments.indicator.file.code_signature.thumbprint_sha256 - level: extended - type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: enrichments.indicator.file.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - default_field: false - - name: enrichments.indicator.file.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - default_field: false - - name: enrichments.indicator.file.code_signature.valid - level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - default_field: false - - name: enrichments.indicator.file.created - level: extended - type: date - description: 'File creation time. - - Note that not all filesystems store the creation time.' - default_field: false - - name: enrichments.indicator.file.ctime - level: extended - type: date - description: 'Last time the file attributes or metadata changed. - - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' - default_field: false - - name: enrichments.indicator.file.device - level: extended - type: keyword - ignore_above: 1024 - description: Device that is the source of the file. - example: sda - default_field: false - - name: enrichments.indicator.file.directory - level: extended - type: keyword - ignore_above: 1024 - description: Directory where the file is located. It should include the drive - letter, when appropriate. - example: /home/alice - default_field: false - - name: enrichments.indicator.file.drive_letter - level: extended - type: keyword - ignore_above: 1 - description: 'Drive letter where the file is located. This field is only relevant - on Windows. + description: 'The type of the service data is collected from. - The value should be uppercase, and not include the colon.' 
- example: C + The type can be used to group and correlate logs and metrics from one service + type. + + Example: If logs or metrics are collected from Elasticsearch, `service.type` + would be `elasticsearch`.' + example: elasticsearch default_field: false - - name: enrichments.indicator.file.elf.architecture - level: extended + - name: target.version + level: core type: keyword ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 + description: 'Version of the service the data was collected from. + + This allows to look at a data set only for a specific version of a service.' + example: 3.2.4 default_field: false - - name: enrichments.indicator.file.elf.byte_order - level: extended + - name: type + level: core type: keyword ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian - default_field: false - - name: enrichments.indicator.file.elf.cpu_type - level: extended + description: 'The type of the service data is collected from. + + The type can be used to group and correlate logs and metrics from one service + type. + + Example: If logs or metrics are collected from Elasticsearch, `service.type` + would be `elasticsearch`.' + example: elasticsearch + - name: version + level: core type: keyword ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: enrichments.indicator.file.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - default_field: false - - name: enrichments.indicator.file.elf.exports - level: extended - type: flattened - description: List of exported element names and types. - default_field: false - - name: enrichments.indicator.file.elf.go_import_hash + description: 'Version of the service the data was collected from. 
+ + This allows to look at a data set only for a specific version of a service.' + example: 3.2.4 + - name: source + title: Source + group: 2 + description: 'Source fields capture details about the sender of a network exchange/packet. + These fields are populated from a network event, packet, or other event containing + details of a network transaction. + + Source fields are usually populated in conjunction with destination fields. + The source and destination fields are considered the baseline and should always + be filled if an event contains source and destination details from a network + transaction. If the event also contains identification of the client and server + roles, then the client and server fields should also be populated.' + type: group + default_field: true + fields: + - name: address level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: enrichments.indicator.file.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: enrichments.indicator.file.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: enrichments.indicator.file.elf.go_imports_names_var_entropy + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + - name: as.number level: extended type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: enrichments.indicator.file.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - default_field: false - - name: enrichments.indicator.file.elf.header.abi_version + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + - name: as.organization.name level: extended type: keyword ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). - default_field: false - - name: enrichments.indicator.file.elf.header.class - level: extended + multi_fields: + - name: text + type: match_only_text + default_field: false + description: Organization name. + example: Google LLC + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: domain + level: core type: keyword ignore_above: 1024 - description: Header class of the ELF file. - default_field: false - - name: enrichments.indicator.file.elf.header.data - level: extended + description: 'The domain name of the source system. + + This value may be a host name, a fully qualified domain name, or another host + naming format. The value may derive from the original event or be added from + enrichment.' + example: foo.example.com + - name: geo.city_name + level: core type: keyword ignore_above: 1024 - description: Data table of the ELF header. 
- default_field: false - - name: enrichments.indicator.file.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. - default_field: false - - name: enrichments.indicator.file.elf.header.object_version - level: extended + description: City name. + example: Montreal + - name: geo.continent_code + level: core type: keyword ignore_above: 1024 - description: '"0x1" for original ELF files.' + description: Two-letter code representing continent's name. + example: NA default_field: false - - name: enrichments.indicator.file.elf.header.os_abi - level: extended + - name: geo.continent_name + level: core type: keyword ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. - default_field: false - - name: enrichments.indicator.file.elf.header.type - level: extended + description: Name of the continent. + example: North America + - name: geo.country_iso_code + level: core type: keyword ignore_above: 1024 - description: Header type of the ELF file. - default_field: false - - name: enrichments.indicator.file.elf.header.version - level: extended + description: Country ISO code. + example: CA + - name: geo.country_name + level: core type: keyword ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: enrichments.indicator.file.elf.import_hash + description: Country name. + example: Canada + - name: geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: geo.name level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. + description: 'User-defined description of a location, at the level of granularity + they care about. 
- This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: enrichments.indicator.file.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: enrichments.indicator.file.elf.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. - default_field: false - - name: enrichments.indicator.file.elf.imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - default_field: false - - name: enrichments.indicator.file.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - default_field: false - - name: enrichments.indicator.file.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: enrichments.indicator.file.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. - default_field: false - - name: enrichments.indicator.file.elf.sections.flags - level: extended + Not typically used in automated geolocation.' + example: boston-dc + - name: geo.postal_code + level: core type: keyword ignore_above: 1024 - description: ELF Section List flags. + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 default_field: false - - name: enrichments.indicator.file.elf.sections.name - level: extended + - name: geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + - name: geo.region_name + level: core type: keyword ignore_above: 1024 - description: ELF Section List name. - default_field: false - - name: enrichments.indicator.file.elf.sections.physical_offset - level: extended + description: Region name. + example: Quebec + - name: geo.timezone + level: core type: keyword ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: enrichments.indicator.file.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires default_field: false - - name: enrichments.indicator.file.elf.sections.type - level: extended + - name: ip + level: core + type: ip + description: IP address of the source (IPv4 or IPv6). + - name: mac + level: core type: keyword ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: enrichments.indicator.file.elf.sections.var_entropy + description: 'MAC address of the source. + + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit + byte) is represented by two [uppercase] hexadecimal digits giving the value + of the octet as an unsigned integer. Successive octets are separated by a + hyphen.' + example: 00-00-5E-00-53-23 + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + - name: nat.ip level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. 
- default_field: false - - name: enrichments.indicator.file.elf.sections.virtual_address + type: ip + description: 'Translated ip of source based NAT sessions (e.g. internal client + to internet) + + Typically connections traversing load balancers, firewalls, or routers.' + - name: nat.port level: extended type: long format: string - description: ELF Section List virtual address. - default_field: false - - name: enrichments.indicator.file.elf.sections.virtual_size - level: extended + description: 'Translated port of source based NAT sessions. (e.g. internal client + to internet) + + Typically used with load balancers, firewalls, or routers.' + - name: packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + - name: port + level: core type: long format: string - description: ELF Section List virtual size. - default_field: false - - name: enrichments.indicator.file.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: enrichments.indicator.file.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. - default_field: false - - name: enrichments.indicator.file.elf.segments.type + description: Port of the source. + - name: registered_domain level: extended type: keyword ignore_above: 1024 - description: ELF object segment type. - default_field: false - - name: enrichments.indicator.file.elf.shared_libraries + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). 
Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + - name: subdomain level: extended type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object. + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east default_field: false - - name: enrichments.indicator.file.elf.telfhash + - name: top_level_domain level: extended type: keyword ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: enrichments.indicator.file.extension + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: user.domain level: extended type: keyword ignore_above: 1024 - description: 'File extension, excluding the leading dot. + description: 'Name of the directory the user is a member of. - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' 
- example: png - default_field: false - - name: enrichments.indicator.file.fork_name + For example, an LDAP or Active Directory domain name.' + - name: user.email level: extended type: keyword ignore_above: 1024 - description: 'A fork is additional data associated with a filesystem object. - - On Linux, a resource fork is used to store additional data with a filesystem - object. A file always has at least one fork for the data portion, and additional - forks may exist. - - On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default - data stream for a file is just called $DATA. Zone.Identifier is commonly used - by Windows to track contents downloaded from the Internet. An ADS is typically - of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` - is the value that should populate `fork_name`. `filename.extension` should - populate `file.name`, and `extension` should populate `file.extension`. The - full path, `file.path`, will include the fork name.' - example: Zone.Identifer - default_field: false - - name: enrichments.indicator.file.gid + description: User email address. + - name: user.full_name level: extended type: keyword ignore_above: 1024 - description: Primary group ID (GID) of the file. - example: '1001' - default_field: false - - name: enrichments.indicator.file.group + multi_fields: + - name: text + type: match_only_text + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: user.group.domain level: extended type: keyword ignore_above: 1024 - description: Primary group name of the file. - example: alice - default_field: false - - name: enrichments.indicator.file.hash.cdhash + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' 
+ - name: user.group.id level: extended type: keyword ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - default_field: false - - name: enrichments.indicator.file.hash.md5 + description: Unique identifier for the group on the system/platform. + - name: user.group.name level: extended type: keyword ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: enrichments.indicator.file.hash.sha1 + description: Name of the group. + - name: user.hash level: extended type: keyword ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: enrichments.indicator.file.hash.sha256 - level: extended + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + - name: user.id + level: core type: keyword ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: enrichments.indicator.file.hash.sha384 - level: extended + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + - name: user.name + level: core type: keyword ignore_above: 1024 - description: SHA384 hash. - default_field: false - - name: enrichments.indicator.file.hash.sha512 + multi_fields: + - name: text + type: match_only_text + default_field: false + description: Short name or login of the user. + example: a.einstein + - name: user.roles level: extended type: keyword ignore_above: 1024 - description: SHA512 hash. + description: Array of user roles at the time of the event. 
+ example: '["kibana_admin", "reporting_user"]' default_field: false - - name: enrichments.indicator.file.hash.ssdeep + - name: threat + title: Threat + group: 2 + description: 'Fields to classify events and alerts according to a threat taxonomy + such as the MITRE ATT&CK® framework. + + These fields are for users to classify alerts from all of their sources (e.g. + IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant + to capture the high level category of the threat (e.g. "impact"). The threat.technique.* + fields are meant to capture which kind of approach is used by this detected + threat, to accomplish the goal (e.g. "endpoint denial of service").' + type: group + default_field: true + fields: + - name: enrichments level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. + type: nested + description: A list of associated indicators objects enriching the event, and + the context of that association/enrichment. default_field: false - - name: enrichments.indicator.file.hash.tlsh + - name: enrichments.indicator level: extended - type: keyword - ignore_above: 1024 - description: TLSH hash. + type: object + description: Object containing associated indicators enriching the event. default_field: false - - name: enrichments.indicator.file.inode + - name: enrichments.indicator.as.number level: extended - type: keyword - ignore_above: 1024 - description: Inode representing the file in the filesystem. - example: '256383' + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. 
+ example: 15169 default_field: false - - name: enrichments.indicator.file.mime_type + - name: enrichments.indicator.as.organization.name level: extended type: keyword ignore_above: 1024 - description: 'MIME type should identify the format of the file or stream of - bytes using IANA official types: https://www.iana.org/assignments/media-types/media-types.xhtml, - where possible. When more than one type is applicable, the most specific type - should be used.' + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC default_field: false - - name: enrichments.indicator.file.mode + - name: enrichments.indicator.confidence level: extended type: keyword ignore_above: 1024 - description: Mode of the file in octal representation. - example: '0640' - default_field: false - - name: enrichments.indicator.file.mtime - level: extended - type: date - description: Last time the file content was modified. + description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High + scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence + scales may be added as custom fields. + example: Medium default_field: false - - name: enrichments.indicator.file.name + - name: enrichments.indicator.description level: extended type: keyword ignore_above: 1024 - description: Name of the file including the extension, without the directory. - example: example.png + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. default_field: false - - name: enrichments.indicator.file.origin_referrer_url + - name: enrichments.indicator.email.address level: extended type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the file. - example: http://example.com/article1.html + ignore_above: 1024 + description: Identifies a threat indicator as an email address (irrespective + of direction). 
+ example: phish@example.com default_field: false - - name: enrichments.indicator.file.origin_url + - name: enrichments.indicator.file.accessed level: extended - type: keyword - ignore_above: 8192 - description: The URL where the file is hosted. - example: http://example.com/imgs/article1_img1.jpg + type: date + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' default_field: false - - name: enrichments.indicator.file.owner + - name: enrichments.indicator.file.attributes level: extended type: keyword ignore_above: 1024 - description: File owner's username. - example: alice + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' default_field: false - - name: enrichments.indicator.file.path + - name: enrichments.indicator.file.code_signature.digest_algorithm level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Full path to the file, including the file name. It should include - the drive letter, when appropriate. - example: /home/alice/example.png + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 default_field: false - - name: enrichments.indicator.file.pe.architecture + - name: enrichments.indicator.file.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: enrichments.indicator.file.code_signature.flags level: extended type: keyword ignore_above: 1024 - description: CPU architecture target for the file. 
- example: x64 + description: The flags used to sign the process. + example: 570522385 default_field: false - - name: enrichments.indicator.file.pe.company + - name: enrichments.indicator.file.code_signature.signing_id level: extended type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy default_field: false - - name: enrichments.indicator.file.pe.description + - name: enrichments.indicator.file.code_signature.status level: extended type: keyword ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT default_field: false - - name: enrichments.indicator.file.pe.file_version - level: extended + - name: enrichments.indicator.file.code_signature.subject_name + level: core type: keyword ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + description: Subject name of the code signer + example: Microsoft Corporation default_field: false - - name: enrichments.indicator.file.pe.go_import_hash + - name: enrichments.indicator.file.code_signature.team_id level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
+ description: 'The team identifier used to sign the process. - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV default_field: false - - name: enrichments.indicator.file.pe.go_imports + - name: enrichments.indicator.file.code_signature.thumbprint_sha256 level: extended - type: flattened - description: List of imported Go language element names and types. + type: keyword + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ default_field: false - - name: enrichments.indicator.file.pe.go_imports_names_entropy + - name: enrichments.indicator.file.code_signature.timestamp level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' default_field: false - - name: enrichments.indicator.file.pe.go_imports_names_var_entropy + - name: enrichments.indicator.file.code_signature.trusted level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' 
+ example: 'true' default_field: false - - name: enrichments.indicator.file.pe.go_stripped + - name: enrichments.indicator.file.code_signature.valid level: extended type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' default_field: false - - name: enrichments.indicator.file.pe.imphash + - name: enrichments.indicator.file.created level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + type: date + description: 'File creation time. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf + Note that not all filesystems store the creation time.' default_field: false - - name: enrichments.indicator.file.pe.import_hash + - name: enrichments.indicator.file.ctime level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. + type: date + description: 'Last time the file attributes or metadata changed. - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' 
default_field: false - - name: enrichments.indicator.file.pe.imports + - name: enrichments.indicator.file.device level: extended - type: flattened - description: List of imported element names and types. + type: keyword + ignore_above: 1024 + description: Device that is the source of the file. + example: sda default_field: false - - name: enrichments.indicator.file.pe.imports_names_entropy + - name: enrichments.indicator.file.directory level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice default_field: false - - name: enrichments.indicator.file.pe.imports_names_var_entropy + - name: enrichments.indicator.file.drive_letter level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. + type: keyword + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C default_field: false - - name: enrichments.indicator.file.pe.original_file_name + - name: enrichments.indicator.file.elf.architecture level: extended type: keyword ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + description: Machine architecture of the ELF file. + example: x86-64 default_field: false - - name: enrichments.indicator.file.pe.pehash + - name: enrichments.indicator.file.elf.byte_order level: extended type: keyword ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. 
- - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 + description: Byte sequence of ELF file. + example: Little Endian default_field: false - - name: enrichments.indicator.file.pe.product + - name: enrichments.indicator.file.elf.cpu_type level: extended type: keyword ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System + description: CPU type of the ELF file. + example: Intel default_field: false - - name: enrichments.indicator.file.pe.sections + - name: enrichments.indicator.file.elf.creation_date level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. default_field: false - - name: enrichments.indicator.file.pe.sections.entropy + - name: enrichments.indicator.file.elf.exports level: extended - type: long - format: number - description: Shannon entropy calculation from the section. + type: flattened + description: List of exported element names and types. default_field: false - - name: enrichments.indicator.file.pe.sections.name + - name: enrichments.indicator.file.elf.go_import_hash level: extended type: keyword ignore_above: 1024 - description: PE Section List name. + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: enrichments.indicator.file.pe.sections.physical_size + - name: enrichments.indicator.file.elf.go_imports level: extended - type: long - format: bytes - description: PE Section List physical size. + type: flattened + description: List of imported Go language element names and types. default_field: false - - name: enrichments.indicator.file.pe.sections.var_entropy + - name: enrichments.indicator.file.elf.go_imports_names_entropy level: extended type: long format: number - description: Variance for Shannon entropy calculation from the section. + description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: enrichments.indicator.file.pe.sections.virtual_size + - name: enrichments.indicator.file.elf.go_imports_names_var_entropy level: extended type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: enrichments.indicator.file.size + - name: enrichments.indicator.file.elf.go_stripped level: extended - type: long - description: 'File size in bytes. - - Only relevant when `file.type` is "file".' - example: 16384 + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: enrichments.indicator.file.target_path + - name: enrichments.indicator.file.elf.header.abi_version level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Target path for symlinks. + description: Version of the ELF Application Binary Interface (ABI). 
default_field: false - - name: enrichments.indicator.file.type + - name: enrichments.indicator.file.elf.header.class level: extended type: keyword ignore_above: 1024 - description: File type (file, dir, or symlink). - example: file + description: Header class of the ELF file. default_field: false - - name: enrichments.indicator.file.uid + - name: enrichments.indicator.file.elf.header.data level: extended type: keyword ignore_above: 1024 - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' + description: Data table of the ELF header. default_field: false - - name: enrichments.indicator.file.x509.alternative_names + - name: enrichments.indicator.file.elf.header.entrypoint level: extended - type: keyword - ignore_above: 1024 - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' + type: long + format: string + description: Header entrypoint of the ELF file. default_field: false - - name: enrichments.indicator.file.x509.issuer.common_name + - name: enrichments.indicator.file.elf.header.object_version level: extended type: keyword ignore_above: 1024 - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA + description: '"0x1" for original ELF files.' default_field: false - - name: enrichments.indicator.file.x509.issuer.country + - name: enrichments.indicator.file.elf.header.os_abi level: extended type: keyword ignore_above: 1024 - description: List of country \(C) codes - example: US + description: Application Binary Interface (ABI) of the Linux OS. 
default_field: false - - name: enrichments.indicator.file.x509.issuer.distinguished_name + - name: enrichments.indicator.file.elf.header.type level: extended type: keyword ignore_above: 1024 - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA + description: Header type of the ELF file. default_field: false - - name: enrichments.indicator.file.x509.issuer.locality + - name: enrichments.indicator.file.elf.header.version level: extended type: keyword ignore_above: 1024 - description: List of locality names (L) - example: Mountain View + description: Version of the ELF header. default_field: false - - name: enrichments.indicator.file.x509.issuer.organization + - name: enrichments.indicator.file.elf.import_hash level: extended type: keyword ignore_above: 1024 - description: List of organizations (O) of issuing certificate authority. - example: Example Inc + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: enrichments.indicator.file.x509.issuer.organizational_unit + - name: enrichments.indicator.file.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: enrichments.indicator.file.elf.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. 
+ default_field: false + - name: enrichments.indicator.file.elf.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: enrichments.indicator.file.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: enrichments.indicator.file.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: enrichments.indicator.file.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: enrichments.indicator.file.elf.sections.flags level: extended type: keyword ignore_above: 1024 - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com + description: ELF Section List flags. default_field: false - - name: enrichments.indicator.file.x509.issuer.state_or_province + - name: enrichments.indicator.file.elf.sections.name level: extended type: keyword ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California + description: ELF Section List name. default_field: false - - name: enrichments.indicator.file.x509.not_after + - name: enrichments.indicator.file.elf.sections.physical_offset level: extended - type: date - description: Time at which the certificate is no longer considered valid. - example: '2020-07-16T03:15:39Z' + type: keyword + ignore_above: 1024 + description: ELF Section List offset. 
default_field: false - - name: enrichments.indicator.file.x509.not_before + - name: enrichments.indicator.file.elf.sections.physical_size level: extended - type: date - description: Time at which the certificate is first considered valid. - example: '2019-08-16T01:40:25Z' + type: long + format: bytes + description: ELF Section List physical size. default_field: false - - name: enrichments.indicator.file.x509.public_key_algorithm + - name: enrichments.indicator.file.elf.sections.type level: extended type: keyword ignore_above: 1024 - description: Algorithm used to generate the public key. - example: RSA + description: ELF Section List type. default_field: false - - name: enrichments.indicator.file.x509.public_key_curve + - name: enrichments.indicator.file.elf.sections.var_entropy level: extended - type: keyword - ignore_above: 1024 - description: The curve used by the elliptic curve public key algorithm. This - is algorithm specific. - example: nistp521 + type: long + format: number + description: Variance for Shannon entropy calculation from the section. default_field: false - - name: enrichments.indicator.file.x509.public_key_exponent + - name: enrichments.indicator.file.elf.sections.virtual_address level: extended type: long - description: Exponent used to derive the public key. This is algorithm specific. - example: 65537 - index: false - doc_values: false + format: string + description: ELF Section List virtual address. default_field: false - - name: enrichments.indicator.file.x509.public_key_size + - name: enrichments.indicator.file.elf.sections.virtual_size level: extended type: long - description: The size of the public key space in bits. - example: 2048 + format: string + description: ELF Section List virtual size. default_field: false - - name: enrichments.indicator.file.x509.serial_number + - name: enrichments.indicator.file.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: enrichments.indicator.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 - description: Unique serial number issued by the certificate authority. For consistency, - this must be encoded in base 16 and formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA + description: ELF object segment sections. default_field: false - - name: enrichments.indicator.file.x509.signature_algorithm + - name: enrichments.indicator.file.elf.segments.type level: extended type: keyword ignore_above: 1024 - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA + description: ELF object segment type. default_field: false - - name: enrichments.indicator.file.x509.subject.common_name + - name: enrichments.indicator.file.elf.shared_libraries level: extended type: keyword ignore_above: 1024 - description: List of common names (CN) of subject. - example: shared.global.example.net + description: List of shared libraries used by this ELF object. default_field: false - - name: enrichments.indicator.file.x509.subject.country + - name: enrichments.indicator.file.elf.telfhash level: extended type: keyword ignore_above: 1024 - description: List of country \(C) code - example: US + description: telfhash symbol hash for ELF file. default_field: false - - name: enrichments.indicator.file.x509.subject.distinguished_name + - name: enrichments.indicator.file.extension level: extended type: keyword ignore_above: 1024 - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + description: 'File extension, excluding the leading dot. 
+ + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: enrichments.indicator.file.x509.subject.locality + - name: enrichments.indicator.file.fork_name level: extended type: keyword ignore_above: 1024 - description: List of locality names (L) - example: San Francisco + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer default_field: false - - name: enrichments.indicator.file.x509.subject.organization + - name: enrichments.indicator.file.gid level: extended type: keyword ignore_above: 1024 - description: List of organizations (O) of subject. - example: Example, Inc. + description: Primary group ID (GID) of the file. + example: '1001' default_field: false - - name: enrichments.indicator.file.x509.subject.organizational_unit + - name: enrichments.indicator.file.group + level: extended + type: keyword + ignore_above: 1024 + description: Primary group name of the file. + example: alice + default_field: false + - name: enrichments.indicator.file.hash.cdhash level: extended type: keyword ignore_above: 1024 - description: List of organizational units (OU) of subject. 
+ description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 default_field: false - - name: enrichments.indicator.file.x509.subject.state_or_province + - name: enrichments.indicator.file.hash.md5 level: extended type: keyword ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California + description: MD5 hash. default_field: false - - name: enrichments.indicator.file.x509.version_number + - name: enrichments.indicator.file.hash.sha1 level: extended type: keyword ignore_above: 1024 - description: Version of x509 format. - example: 3 + description: SHA1 hash. default_field: false - - name: enrichments.indicator.first_seen + - name: enrichments.indicator.file.hash.sha256 level: extended - type: date - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: enrichments.indicator.geo.city_name - level: core type: keyword ignore_above: 1024 - description: City name. - example: Montreal + description: SHA256 hash. default_field: false - - name: enrichments.indicator.geo.continent_code - level: core + - name: enrichments.indicator.file.hash.sha384 + level: extended type: keyword ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA + description: SHA384 hash. default_field: false - - name: enrichments.indicator.geo.continent_name - level: core + - name: enrichments.indicator.file.hash.sha512 + level: extended type: keyword ignore_above: 1024 - description: Name of the continent. - example: North America + description: SHA512 hash. default_field: false - - name: enrichments.indicator.geo.country_iso_code - level: core + - name: enrichments.indicator.file.hash.ssdeep + level: extended type: keyword ignore_above: 1024 - description: Country ISO code. 
- example: CA + description: SSDEEP hash. default_field: false - - name: enrichments.indicator.geo.country_name - level: core + - name: enrichments.indicator.file.hash.tlsh + level: extended type: keyword ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: enrichments.indicator.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' + description: TLSH hash. default_field: false - - name: enrichments.indicator.geo.name + - name: enrichments.indicator.file.inode level: extended type: keyword ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc + description: Inode representing the file in the filesystem. + example: '256383' default_field: false - - name: enrichments.indicator.geo.postal_code - level: core + - name: enrichments.indicator.file.mime_type + level: extended type: keyword ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 + description: 'MIME type should identify the format of the file or stream of + bytes using IANA official types: https://www.iana.org/assignments/media-types/media-types.xhtml, + where possible. When more than one type is applicable, the most specific type + should be used.' default_field: false - - name: enrichments.indicator.geo.region_iso_code - level: core + - name: enrichments.indicator.file.mode + level: extended type: keyword ignore_above: 1024 - description: Region ISO code. - example: CA-QC + description: Mode of the file in octal representation. 
+ example: '0640' default_field: false - - name: enrichments.indicator.geo.region_name - level: core - type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec + - name: enrichments.indicator.file.mtime + level: extended + type: date + description: Last time the file content was modified. default_field: false - - name: enrichments.indicator.geo.timezone - level: core + - name: enrichments.indicator.file.name + level: extended type: keyword ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires + description: Name of the file including the extension, without the directory. + example: example.png default_field: false - - name: enrichments.indicator.ip + - name: enrichments.indicator.file.origin_referrer_url level: extended - type: ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html default_field: false - - name: enrichments.indicator.last_seen + - name: enrichments.indicator.file.origin_url level: extended - type: date - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' + type: keyword + ignore_above: 8192 + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg default_field: false - - name: enrichments.indicator.marking.tlp + - name: enrichments.indicator.file.owner level: extended type: keyword ignore_above: 1024 - description: Traffic Light Protocol sharing markings. - example: CLEAR + description: File owner's username. 
+ example: alice default_field: false - - name: enrichments.indicator.marking.tlp_version + - name: enrichments.indicator.file.path level: extended type: keyword ignore_above: 1024 - description: Traffic Light Protocol version. - example: 2.0 - default_field: false - - name: enrichments.indicator.modified_at - level: extended - type: date - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' + multi_fields: + - name: text + type: match_only_text + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png default_field: false - - name: enrichments.indicator.name + - name: enrichments.indicator.file.pe.architecture level: extended type: keyword ignore_above: 1024 - description: 'The display name indicator in an UI friendly format - - URL, IP address, email address, registry key, port number, hash value, or - other relevant name can serve as the display name.' - example: 5.2.75.227 + description: CPU architecture target for the file. + example: x64 default_field: false - - name: enrichments.indicator.port + - name: enrichments.indicator.file.pe.company level: extended - type: long - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation default_field: false - - name: enrichments.indicator.provider + - name: enrichments.indicator.file.pe.description level: extended type: keyword ignore_above: 1024 - description: The name of the indicator's provider. - example: lrz_urlhaus + description: Internal description of the file, provided at compile-time. 
+ example: Paint default_field: false - - name: enrichments.indicator.reference + - name: enrichments.indicator.file.pe.file_version level: extended type: keyword ignore_above: 1024 - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: enrichments.indicator.registry.data.bytes + - name: enrichments.indicator.file.pe.go_import_hash level: extended type: keyword ignore_above: 1024 - description: 'Original bytes written with base64 encoding. + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: enrichments.indicator.registry.data.strings - level: core - type: wildcard - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' 
- example: '["C:\rta\red_ttp\bin\myapp.exe"]' + - name: enrichments.indicator.file.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. default_field: false - - name: enrichments.indicator.registry.data.type - level: core - type: keyword - ignore_above: 1024 - description: Standard registry type for encoding contents - example: REG_SZ + - name: enrichments.indicator.file.pe.go_imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: enrichments.indicator.registry.hive - level: core - type: keyword - ignore_above: 1024 - description: Abbreviated name for the hive. - example: HKLM + - name: enrichments.indicator.file.pe.go_imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: enrichments.indicator.registry.key - level: core - type: keyword - ignore_above: 1024 - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + - name: enrichments.indicator.file.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: enrichments.indicator.registry.path - level: core + - name: enrichments.indicator.file.pe.imphash + level: extended type: keyword ignore_above: 1024 - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger + description: 'A hash of the imports in a PE file. 
An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: enrichments.indicator.registry.value - level: core + - name: enrichments.indicator.file.pe.import_hash + level: extended type: keyword ignore_above: 1024 - description: Name of the value written. - example: Debugger + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: enrichments.indicator.scanner_stats + - name: enrichments.indicator.file.pe.imports level: extended - type: long - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 + type: flattened + description: List of imported element names and types. default_field: false - - name: enrichments.indicator.sightings + - name: enrichments.indicator.file.pe.imports_names_entropy level: extended type: long - description: Number of times this indicator was observed conducting threat activity. - example: 20 + format: number + description: Shannon entropy calculation from the list of imported element names + and types. default_field: false - - name: enrichments.indicator.type + - name: enrichments.indicator.file.pe.imports_names_var_entropy level: extended - type: keyword - ignore_above: 1024 - description: Type of indicator as represented by Cyber Observable in STIX 2.0. 
- example: ipv4-addr + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. default_field: false - - name: enrichments.indicator.url.domain + - name: enrichments.indicator.file.pe.original_file_name level: extended type: keyword ignore_above: 1024 - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC - 2732), the `[` and `]` characters should also be captured in the `domain` - field.' - example: www.elastic.co + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE default_field: false - - name: enrichments.indicator.url.extension + - name: enrichments.indicator.file.pe.pehash level: extended type: keyword ignore_above: 1024 - description: 'The field contains the file extension from the original request - url, excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
+ example: 73ff189b63cd6be375a7ff25179a38d347651975 default_field: false - - name: enrichments.indicator.url.fragment + - name: enrichments.indicator.file.pe.product level: extended type: keyword ignore_above: 1024 - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System default_field: false - - name: enrichments.indicator.url.full + - name: enrichments.indicator.file.pe.sections level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - example: https://www.elastic.co:443/search?q=elasticsearch#top + type: nested + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' default_field: false - - name: enrichments.indicator.url.original + - name: enrichments.indicator.file.pe.sections.entropy level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + type: long + format: number + description: Shannon entropy calculation from the section. default_field: false - - name: enrichments.indicator.url.password + - name: enrichments.indicator.file.pe.sections.name level: extended type: keyword ignore_above: 1024 - description: Password of the request. 
- default_field: false - - name: enrichments.indicator.url.path - level: extended - type: wildcard - description: Path of the request, such as "/search". + description: PE Section List name. default_field: false - - name: enrichments.indicator.url.port + - name: enrichments.indicator.file.pe.sections.physical_size level: extended type: long - format: string - description: Port of the request, such as 443. - example: 443 + format: bytes + description: PE Section List physical size. default_field: false - - name: enrichments.indicator.url.query + - name: enrichments.indicator.file.pe.sections.var_entropy level: extended - type: keyword - ignore_above: 2083 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". - - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases.' + type: long + format: number + description: Variance for Shannon entropy calculation from the section. default_field: false - - name: enrichments.indicator.url.registered_domain + - name: enrichments.indicator.file.pe.sections.virtual_size level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. 
default_field: false - - name: enrichments.indicator.url.scheme + - name: enrichments.indicator.file.size level: extended - type: keyword - ignore_above: 1024 - description: 'Scheme of the request, such as "https". + type: long + description: 'File size in bytes. - Note: The `:` is not part of the scheme.' - example: https + Only relevant when `file.type` is "file".' + example: 16384 default_field: false - - name: enrichments.indicator.url.subdomain + - name: enrichments.indicator.file.target_path level: extended type: keyword ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east + multi_fields: + - name: text + type: match_only_text + description: Target path for symlinks. default_field: false - - name: enrichments.indicator.url.top_level_domain + - name: enrichments.indicator.file.type level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk + description: File type (file, dir, or symlink). 
+ example: file default_field: false - - name: enrichments.indicator.url.username + - name: enrichments.indicator.file.uid level: extended type: keyword ignore_above: 1024 - description: Username of the request. + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' default_field: false - - name: enrichments.indicator.x509.alternative_names + - name: enrichments.indicator.file.x509.alternative_names level: extended type: keyword ignore_above: 1024 @@ -37160,21 +10526,21 @@ (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - - name: enrichments.indicator.x509.issuer.common_name + - name: enrichments.indicator.file.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - - name: enrichments.indicator.x509.issuer.country + - name: enrichments.indicator.file.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) codes example: US default_field: false - - name: enrichments.indicator.x509.issuer.distinguished_name + - name: enrichments.indicator.file.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 
@@ -37182,54 +10548,54 @@ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - - name: enrichments.indicator.x509.issuer.locality + - name: enrichments.indicator.file.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - - name: enrichments.indicator.x509.issuer.organization + - name: enrichments.indicator.file.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - - name: enrichments.indicator.x509.issuer.organizational_unit + - name: enrichments.indicator.file.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - - name: enrichments.indicator.x509.issuer.state_or_province + - name: enrichments.indicator.file.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: enrichments.indicator.x509.not_after + - name: enrichments.indicator.file.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: '2020-07-16T03:15:39Z' default_field: false - - name: enrichments.indicator.x509.not_before + - name: enrichments.indicator.file.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: '2019-08-16T01:40:25Z' default_field: false - - name: enrichments.indicator.x509.public_key_algorithm + - name: enrichments.indicator.file.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. 
example: RSA default_field: false - - name: enrichments.indicator.x509.public_key_curve + - name: enrichments.indicator.file.x509.public_key_curve level: extended type: keyword ignore_above: 1024 @@ -37237,7 +10603,7 @@ is algorithm specific. example: nistp521 default_field: false - - name: enrichments.indicator.x509.public_key_exponent + - name: enrichments.indicator.file.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. @@ -37245,13 +10611,13 @@ index: false doc_values: false default_field: false - - name: enrichments.indicator.x509.public_key_size + - name: enrichments.indicator.file.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - - name: enrichments.indicator.x509.serial_number + - name: enrichments.indicator.file.x509.serial_number level: extended type: keyword ignore_above: 1024 @@ -37260,7 +10626,7 @@ characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: enrichments.indicator.x509.signature_algorithm + - name: enrichments.indicator.file.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 
@@ -37268,1550 +10634,1538 @@ names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - - name: enrichments.indicator.x509.subject.common_name + - name: enrichments.indicator.file.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - - name: enrichments.indicator.x509.subject.country + - name: enrichments.indicator.file.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) code example: US default_field: false - - name: enrichments.indicator.x509.subject.distinguished_name + - name: enrichments.indicator.file.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: enrichments.indicator.x509.subject.locality + - name: enrichments.indicator.file.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - - name: enrichments.indicator.x509.subject.organization + - name: enrichments.indicator.file.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - - name: enrichments.indicator.x509.subject.organizational_unit + - name: enrichments.indicator.file.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. 
default_field: false - - name: enrichments.indicator.x509.subject.state_or_province + - name: enrichments.indicator.file.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: enrichments.indicator.x509.version_number + - name: enrichments.indicator.file.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - - name: enrichments.matched.atomic - level: extended + - name: enrichments.indicator.first_seen + level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: enrichments.indicator.geo.continent_code + level: core type: keyword ignore_above: 1024 - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com + description: Two-letter code representing continent's name. + example: NA default_field: false - - name: enrichments.matched.field - level: extended + - name: enrichments.indicator.geo.continent_name + level: core type: keyword ignore_above: 1024 - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 + description: Name of the continent. + example: North America default_field: false - - name: enrichments.matched.id - level: extended + - name: enrichments.indicator.geo.country_iso_code + level: core type: keyword ignore_above: 1024 - description: Identifies the _id of the indicator document enriching the event. 
- example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + description: Country ISO code. + example: CA default_field: false - - name: enrichments.matched.index - level: extended + - name: enrichments.indicator.geo.country_name + level: core type: keyword ignore_above: 1024 - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 + description: Country name. + example: Canada default_field: false - - name: enrichments.matched.occurred - level: extended - type: date - description: Indicates when the indicator match was generated - example: '2021-10-05T17:00:58.326Z' + - name: enrichments.indicator.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' default_field: false - - name: enrichments.matched.type + - name: enrichments.indicator.geo.name level: extended type: keyword ignore_above: 1024 - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc default_field: false - - name: feed.dashboard_id - level: extended + - name: enrichments.indicator.geo.postal_code + level: core type: keyword ignore_above: 1024 - description: The saved object ID of the dashboard belonging to the threat feed - for displaying dashboard links to threat feeds in Kibana. - example: 5ba16340-72e6-11eb-a3e3-b3cc7c78a70f + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' 
+ example: 94040 default_field: false - - name: feed.description - level: extended + - name: enrichments.indicator.geo.region_iso_code + level: core type: keyword ignore_above: 1024 - description: Description of the threat feed in a UI friendly format. - example: Threat feed from the AlienVault Open Threat eXchange network. + description: Region ISO code. + example: CA-QC default_field: false - - name: feed.name - level: extended + - name: enrichments.indicator.geo.region_name + level: core type: keyword ignore_above: 1024 - description: The name of the threat feed in UI friendly format. - example: AlienVault OTX + description: Region name. + example: Quebec default_field: false - - name: feed.reference - level: extended + - name: enrichments.indicator.geo.timezone + level: core type: keyword ignore_above: 1024 - description: Reference information for the threat feed in a UI friendly format. - example: https://otx.alienvault.com + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires default_field: false - - name: framework + - name: enrichments.indicator.ip level: extended - type: keyword - ignore_above: 1024 - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - - name: group.alias + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + default_field: false + - name: enrichments.indicator.last_seen level: extended - type: keyword - ignore_above: 1024 - description: 'The alias(es) of the group for a set of related intrusion activity - that are tracked by a common name in the security community. - - While not required, you can use a MITRE ATT&CK® group alias(es).' 
- example: '[ "Magecart Group 6" ]' + type: date + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: group.id + - name: enrichments.indicator.marking.tlp level: extended type: keyword ignore_above: 1024 - description: 'The id of the group for a set of related intrusion activity that - are tracked by a common name in the security community. - - While not required, you can use a MITRE ATT&CK® group id.' - example: G0037 + description: Traffic Light Protocol sharing markings. + example: CLEAR default_field: false - - name: group.name + - name: enrichments.indicator.marking.tlp_version level: extended type: keyword ignore_above: 1024 - description: 'The name of the group for a set of related intrusion activity - that are tracked by a common name in the security community. - - While not required, you can use a MITRE ATT&CK® group name.' - example: FIN6 + description: Traffic Light Protocol version. + example: 2.0 default_field: false - - name: group.reference + - name: enrichments.indicator.modified_at + level: extended + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.name level: extended type: keyword ignore_above: 1024 - description: 'The reference URL of the group for a set of related intrusion - activity that are tracked by a common name in the security community. + description: 'The display name indicator in an UI friendly format - While not required, you can use a MITRE ATT&CK® group reference URL.' - example: https://attack.mitre.org/groups/G0037/ + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' 
+ example: 5.2.75.227 default_field: false - - name: indicator.as.number + - name: enrichments.indicator.port level: extended type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 default_field: false - - name: indicator.as.organization.name + - name: enrichments.indicator.provider level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Organization name. - example: Google LLC + description: The name of the indicator's provider. + example: lrz_urlhaus default_field: false - - name: indicator.confidence + - name: enrichments.indicator.reference level: extended type: keyword ignore_above: 1024 - description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High - scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence - scales may be added as custom fields. - example: Medium + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 default_field: false - - name: indicator.description + - name: enrichments.indicator.registry.data.bytes level: extended type: keyword ignore_above: 1024 - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' 
+ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: indicator.email.address - level: extended + - name: enrichments.indicator.registry.data.strings + level: core + type: wildcard + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: enrichments.indicator.registry.data.type + level: core type: keyword ignore_above: 1024 - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com - default_field: false - - name: indicator.file.accessed - level: extended - type: date - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' + description: Standard registry type for encoding contents + example: REG_SZ default_field: false - - name: indicator.file.attributes - level: extended + - name: enrichments.indicator.registry.hive + level: core type: keyword ignore_above: 1024 - description: 'Array of file attributes. - - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, - execute, hidden, read, readonly, system, write.' - example: '["readonly", "system"]' + description: Abbreviated name for the hive. + example: HKLM default_field: false - - name: indicator.file.code_signature.digest_algorithm - level: extended + - name: enrichments.indicator.registry.key + level: core type: keyword ignore_above: 1024 - description: 'The hashing algorithm used to sign the process. 
- - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - - name: indicator.file.code_signature.exists + - name: enrichments.indicator.registry.path level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' + type: keyword + ignore_above: 1024 + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger default_field: false - - name: indicator.file.code_signature.flags - level: extended + - name: enrichments.indicator.registry.value + level: core type: keyword ignore_above: 1024 - description: The flags used to sign the process. - example: 570522385 + description: Name of the value written. + example: Debugger default_field: false - - name: indicator.file.code_signature.signing_id + - name: enrichments.indicator.scanner_stats level: extended - type: keyword - ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 default_field: false - - name: indicator.file.code_signature.status + - name: enrichments.indicator.sightings level: extended - type: keyword - ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' 
- example: ERROR_UNTRUSTED_ROOT + type: long + description: Number of times this indicator was observed conducting threat activity. + example: 20 default_field: false - - name: indicator.file.code_signature.subject_name - level: core + - name: enrichments.indicator.type + level: extended type: keyword ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation + description: Type of indicator as represented by Cyber Observable in STIX 2.0. + example: ipv4-addr default_field: false - - name: indicator.file.code_signature.team_id + - name: enrichments.indicator.url.domain level: extended type: keyword ignore_above: 1024 - description: 'The team identifier used to sign the process. + description: 'Domain of the url, such as "www.elastic.co". - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co default_field: false - - name: indicator.file.code_signature.thumbprint_sha256 + - name: enrichments.indicator.url.extension level: extended type: keyword - ignore_above: 64 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - pattern: ^[0-9a-f]{64}$ - default_field: false - - name: indicator.file.code_signature.timestamp - level: extended - type: date - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - default_field: false - - name: indicator.file.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. + ignore_above: 1024 + description: 'The field contains the file extension from the original request + url, excluding the leading dot. - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: indicator.file.code_signature.valid + - name: enrichments.indicator.url.fragment level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. + type: keyword + ignore_above: 1024 + description: 'Portion of the url after the `#`, such as "top". - Leave unpopulated if a certificate was unchecked.' - example: 'true' + The `#` is not part of the fragment.' default_field: false - - name: indicator.file.created + - name: enrichments.indicator.url.full level: extended - type: date - description: 'File creation time. - - Note that not all filesystems store the creation time.' + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. 
+ example: https://www.elastic.co:443/search?q=elasticsearch#top default_field: false - - name: indicator.file.ctime + - name: enrichments.indicator.url.original level: extended - type: date - description: 'Last time the file attributes or metadata changed. + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Unmodified original url as seen in the event source. - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch default_field: false - - name: indicator.file.device + - name: enrichments.indicator.url.password level: extended type: keyword ignore_above: 1024 - description: Device that is the source of the file. - example: sda + description: Password of the request. default_field: false - - name: indicator.file.directory + - name: enrichments.indicator.url.path level: extended - type: keyword - ignore_above: 1024 - description: Directory where the file is located. It should include the drive - letter, when appropriate. - example: /home/alice + type: wildcard + description: Path of the request, such as "/search". default_field: false - - name: indicator.file.drive_letter + - name: enrichments.indicator.url.port + level: extended + type: long + format: string + description: Port of the request, such as 443. + example: 443 + default_field: false + - name: enrichments.indicator.url.query level: extended type: keyword - ignore_above: 1 - description: 'Drive letter where the file is located. This field is only relevant - on Windows. 
+ ignore_above: 2083 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". - The value should be uppercase, and not include the colon.' - example: C + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' default_field: false - - name: indicator.file.elf.architecture + - name: enrichments.indicator.url.registered_domain level: extended type: keyword ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com default_field: false - - name: indicator.file.elf.byte_order + - name: enrichments.indicator.url.scheme level: extended type: keyword ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https default_field: false - - name: indicator.file.elf.cpu_type + - name: enrichments.indicator.url.subdomain level: extended type: keyword ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: indicator.file.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. 
- default_field: false - - name: indicator.file.elf.exports - level: extended - type: flattened - description: List of exported element names and types. + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east default_field: false - - name: indicator.file.elf.go_import_hash + - name: enrichments.indicator.url.top_level_domain level: extended type: keyword ignore_above: 1024 - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - default_field: false - - name: indicator.file.elf.go_imports - level: extended - type: flattened - description: List of imported Go language element names and types. - default_field: false - - name: indicator.file.elf.go_imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. 
- default_field: false - - name: indicator.file.elf.go_imports_names_var_entropy - level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. - default_field: false - - name: indicator.file.elf.go_stripped - level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk default_field: false - - name: indicator.file.elf.header.abi_version + - name: enrichments.indicator.url.username level: extended type: keyword ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). + description: Username of the request. default_field: false - - name: indicator.file.elf.header.class + - name: enrichments.indicator.x509.alternative_names level: extended type: keyword ignore_above: 1024 - description: Header class of the ELF file. + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' default_field: false - - name: indicator.file.elf.header.data + - name: enrichments.indicator.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 - description: Data table of the ELF header. + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA default_field: false - - name: indicator.file.elf.header.entrypoint + - name: enrichments.indicator.x509.issuer.country level: extended - type: long - format: string - description: Header entrypoint of the ELF file. 
+ type: keyword + ignore_above: 1024 + description: List of country \(C) codes + example: US default_field: false - - name: indicator.file.elf.header.object_version + - name: enrichments.indicator.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 - description: '"0x1" for original ELF files.' + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA default_field: false - - name: indicator.file.elf.header.os_abi + - name: enrichments.indicator.x509.issuer.locality level: extended type: keyword ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. + description: List of locality names (L) + example: Mountain View default_field: false - - name: indicator.file.elf.header.type + - name: enrichments.indicator.x509.issuer.organization level: extended type: keyword ignore_above: 1024 - description: Header type of the ELF file. + description: List of organizations (O) of issuing certificate authority. + example: Example Inc default_field: false - - name: indicator.file.elf.header.version + - name: enrichments.indicator.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 - description: Version of the ELF header. + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com default_field: false - - name: indicator.file.elf.import_hash + - name: enrichments.indicator.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: indicator.file.elf.imports + - name: enrichments.indicator.x509.not_after level: extended - type: flattened - description: List of imported element names and types. + type: date + description: Time at which the certificate is no longer considered valid. + example: '2020-07-16T03:15:39Z' default_field: false - - name: indicator.file.elf.imports_names_entropy + - name: enrichments.indicator.x509.not_before level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. + type: date + description: Time at which the certificate is first considered valid. + example: '2019-08-16T01:40:25Z' default_field: false - - name: indicator.file.elf.imports_names_var_entropy + - name: enrichments.indicator.x509.public_key_algorithm level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA default_field: false - - name: indicator.file.elf.sections + - name: enrichments.indicator.x509.public_key_curve level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 default_field: false - - name: indicator.file.elf.sections.chi2 + - name: enrichments.indicator.x509.public_key_exponent level: extended type: long - format: number - description: Chi-square probability distribution of the section. 
+ description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + doc_values: false default_field: false - - name: indicator.file.elf.sections.entropy + - name: enrichments.indicator.x509.public_key_size level: extended type: long - format: number - description: Shannon entropy calculation from the section. + description: The size of the public key space in bits. + example: 2048 default_field: false - - name: indicator.file.elf.sections.flags + - name: enrichments.indicator.x509.serial_number level: extended type: keyword ignore_above: 1024 - description: ELF Section List flags. + description: Unique serial number issued by the certificate authority. For consistency, + this must be encoded in base 16 and formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: indicator.file.elf.sections.name + - name: enrichments.indicator.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 - description: ELF Section List name. + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA default_field: false - - name: indicator.file.elf.sections.physical_offset + - name: enrichments.indicator.x509.subject.common_name level: extended type: keyword ignore_above: 1024 - description: ELF Section List offset. + description: List of common names (CN) of subject. + example: shared.global.example.net default_field: false - - name: indicator.file.elf.sections.physical_size + - name: enrichments.indicator.x509.subject.country level: extended - type: long - format: bytes - description: ELF Section List physical size. 
+ type: keyword + ignore_above: 1024 + description: List of country \(C) code + example: US default_field: false - - name: indicator.file.elf.sections.type + - name: enrichments.indicator.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 - description: ELF Section List type. + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: indicator.file.elf.sections.var_entropy + - name: enrichments.indicator.x509.subject.locality level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the section. + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco default_field: false - - name: indicator.file.elf.sections.virtual_address + - name: enrichments.indicator.x509.subject.organization level: extended - type: long - format: string - description: ELF Section List virtual address. + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. default_field: false - - name: indicator.file.elf.sections.virtual_size + - name: enrichments.indicator.x509.subject.organizational_unit level: extended - type: long - format: string - description: ELF Section List virtual size. + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. default_field: false - - name: indicator.file.elf.segments + - name: enrichments.indicator.x509.subject.state_or_province level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' 
+ type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: indicator.file.elf.segments.sections + - name: enrichments.indicator.x509.version_number level: extended type: keyword ignore_above: 1024 - description: ELF object segment sections. + description: Version of x509 format. + example: 3 default_field: false - - name: indicator.file.elf.segments.type + - name: enrichments.matched.atomic level: extended type: keyword ignore_above: 1024 - description: ELF object segment type. + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com default_field: false - - name: indicator.file.elf.shared_libraries + - name: enrichments.matched.field level: extended type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object. + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 default_field: false - - name: indicator.file.elf.telfhash + - name: enrichments.matched.id level: extended type: keyword ignore_above: 1024 - description: telfhash symbol hash for ELF file. + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 default_field: false - - name: indicator.file.extension + - name: enrichments.matched.index level: extended type: keyword ignore_above: 1024 - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png + description: Identifies the _index of the indicator document enriching the event. 
+ example: filebeat-8.0.0-2021.05.23-000011 default_field: false - - name: indicator.file.fork_name + - name: enrichments.matched.occurred + level: extended + type: date + description: Indicates when the indicator match was generated + example: '2021-10-05T17:00:58.326Z' + default_field: false + - name: enrichments.matched.type level: extended type: keyword ignore_above: 1024 - description: 'A fork is additional data associated with a filesystem object. - - On Linux, a resource fork is used to store additional data with a filesystem - object. A file always has at least one fork for the data portion, and additional - forks may exist. - - On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default - data stream for a file is just called $DATA. Zone.Identifier is commonly used - by Windows to track contents downloaded from the Internet. An ADS is typically - of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` - is the value that should populate `fork_name`. `filename.extension` should - populate `file.name`, and `extension` should populate `file.extension`. The - full path, `file.path`, will include the fork name.' - example: Zone.Identifer + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule default_field: false - - name: indicator.file.gid + - name: feed.dashboard_id level: extended type: keyword ignore_above: 1024 - description: Primary group ID (GID) of the file. - example: '1001' + description: The saved object ID of the dashboard belonging to the threat feed + for displaying dashboard links to threat feeds in Kibana. + example: 5ba16340-72e6-11eb-a3e3-b3cc7c78a70f default_field: false - - name: indicator.file.group + - name: feed.description level: extended type: keyword ignore_above: 1024 - description: Primary group name of the file. - example: alice + description: Description of the threat feed in a UI friendly format. 
+ example: Threat feed from the AlienVault Open Threat eXchange network. default_field: false - - name: indicator.file.hash.cdhash + - name: feed.name level: extended type: keyword ignore_above: 1024 - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + description: The name of the threat feed in UI friendly format. + example: AlienVault OTX default_field: false - - name: indicator.file.hash.md5 + - name: feed.reference level: extended type: keyword ignore_above: 1024 - description: MD5 hash. + description: Reference information for the threat feed in a UI friendly format. + example: https://otx.alienvault.com default_field: false - - name: indicator.file.hash.sha1 + - name: framework level: extended type: keyword ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: indicator.file.hash.sha256 + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + - name: group.alias level: extended type: keyword ignore_above: 1024 - description: SHA256 hash. + description: 'The alias(es) of the group for a set of related intrusion activity + that are tracked by a common name in the security community. + + While not required, you can use a MITRE ATT&CK® group alias(es).' + example: '[ "Magecart Group 6" ]' default_field: false - - name: indicator.file.hash.sha384 + - name: group.id level: extended type: keyword ignore_above: 1024 - description: SHA384 hash. + description: 'The id of the group for a set of related intrusion activity that + are tracked by a common name in the security community. + + While not required, you can use a MITRE ATT&CK® group id.' 
+ example: G0037 default_field: false - - name: indicator.file.hash.sha512 + - name: group.name level: extended type: keyword ignore_above: 1024 - description: SHA512 hash. + description: 'The name of the group for a set of related intrusion activity + that are tracked by a common name in the security community. + + While not required, you can use a MITRE ATT&CK® group name.' + example: FIN6 default_field: false - - name: indicator.file.hash.ssdeep + - name: group.reference level: extended type: keyword ignore_above: 1024 - description: SSDEEP hash. + description: 'The reference URL of the group for a set of related intrusion + activity that are tracked by a common name in the security community. + + While not required, you can use a MITRE ATT&CK® group reference URL.' + example: https://attack.mitre.org/groups/G0037/ default_field: false - - name: indicator.file.hash.tlsh + - name: indicator.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: indicator.as.organization.name level: extended type: keyword ignore_above: 1024 - description: TLSH hash. + multi_fields: + - name: text + type: match_only_text + description: Organization name. + example: Google LLC default_field: false - - name: indicator.file.inode + - name: indicator.confidence level: extended type: keyword ignore_above: 1024 - description: Inode representing the file in the filesystem. - example: '256383' + description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High + scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence + scales may be added as custom fields. 
+ example: Medium default_field: false - - name: indicator.file.mime_type + - name: indicator.description level: extended type: keyword ignore_above: 1024 - description: 'MIME type should identify the format of the file or stream of - bytes using IANA official types: https://www.iana.org/assignments/media-types/media-types.xhtml, - where possible. When more than one type is applicable, the most specific type - should be used.' + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. default_field: false - - name: indicator.file.mode + - name: indicator.email.address level: extended type: keyword ignore_above: 1024 - description: Mode of the file in octal representation. - example: '0640' + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com default_field: false - - name: indicator.file.mtime + - name: indicator.file.accessed level: extended type: date - description: Last time the file content was modified. + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' default_field: false - - name: indicator.file.name + - name: indicator.file.attributes level: extended type: keyword ignore_above: 1024 - description: Name of the file including the extension, without the directory. - example: example.png + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' default_field: false - - name: indicator.file.origin_referrer_url + - name: indicator.file.code_signature.digest_algorithm level: extended type: keyword - ignore_above: 8192 - description: The URL of the webpage that linked to the file. 
- example: http://example.com/article1.html + ignore_above: 1024 + description: 'The hashing algorithm used to sign the process. + + This value can distinguish signatures when a file is signed multiple times + by the same signer but with a different digest algorithm.' + example: sha256 default_field: false - - name: indicator.file.origin_url - level: extended - type: keyword - ignore_above: 8192 - description: The URL where the file is hosted. - example: http://example.com/imgs/article1_img1.jpg + - name: indicator.file.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' default_field: false - - name: indicator.file.owner + - name: indicator.file.code_signature.flags level: extended type: keyword ignore_above: 1024 - description: File owner's username. - example: alice + description: The flags used to sign the process. + example: 570522385 default_field: false - - name: indicator.file.path + - name: indicator.file.code_signature.signing_id level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Full path to the file, including the file name. It should include - the drive letter, when appropriate. - example: /home/alice/example.png + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy default_field: false - - name: indicator.file.pe.architecture + - name: indicator.file.code_signature.status level: extended type: keyword ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT default_field: false - - name: indicator.file.pe.company - level: extended + - name: indicator.file.code_signature.subject_name + level: core type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. + description: Subject name of the code signer example: Microsoft Corporation default_field: false - - name: indicator.file.pe.description + - name: indicator.file.code_signature.team_id level: extended type: keyword ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV default_field: false - - name: indicator.file.pe.file_version + - name: indicator.file.code_signature.thumbprint_sha256 level: extended type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + ignore_above: 64 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + pattern: ^[0-9a-f]{64}$ default_field: false - - name: indicator.file.pe.go_import_hash + - name: indicator.file.code_signature.timestamp level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 + type: date + description: Date and time when the code signature was generated and signed. + example: '2021-01-01T12:10:30Z' default_field: false - - name: indicator.file.pe.go_imports + - name: indicator.file.code_signature.trusted level: extended - type: flattened - description: List of imported Go language element names and types. + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' default_field: false - - name: indicator.file.pe.go_imports_names_entropy + - name: indicator.file.code_signature.valid level: extended - type: long - format: number - description: Shannon entropy calculation from the list of Go imports. + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' default_field: false - - name: indicator.file.pe.go_imports_names_var_entropy + - name: indicator.file.created level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of Go imports. + type: date + description: 'File creation time. + + Note that not all filesystems store the creation time.' default_field: false - - name: indicator.file.pe.go_stripped + - name: indicator.file.ctime level: extended - type: boolean - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. + type: date + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. 
This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' default_field: false - - name: indicator.file.pe.imphash + - name: indicator.file.device level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf + description: Device that is the source of the file. + example: sda default_field: false - - name: indicator.file.pe.import_hash + - name: indicator.file.directory level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - default_field: false - - name: indicator.file.pe.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: indicator.file.pe.imports_names_entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the list of imported element names - and types. + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice default_field: false - - name: indicator.file.pe.imports_names_var_entropy + - name: indicator.file.drive_letter level: extended - type: long - format: number - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
+ type: keyword + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C default_field: false - - name: indicator.file.pe.original_file_name + - name: indicator.file.elf.architecture level: extended type: keyword ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + description: Machine architecture of the ELF file. + example: x86-64 default_field: false - - name: indicator.file.pe.pehash + - name: indicator.file.elf.byte_order level: extended type: keyword ignore_above: 1024 - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 + description: Byte sequence of ELF file. + example: Little Endian default_field: false - - name: indicator.file.pe.product + - name: indicator.file.elf.cpu_type level: extended type: keyword ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System + description: CPU type of the ELF file. + example: Intel default_field: false - - name: indicator.file.pe.sections + - name: indicator.file.elf.creation_date level: extended - type: nested - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. 
default_field: false - - name: indicator.file.pe.sections.entropy + - name: indicator.file.elf.exports level: extended - type: long - format: number - description: Shannon entropy calculation from the section. + type: flattened + description: List of exported element names and types. default_field: false - - name: indicator.file.pe.sections.name + - name: indicator.file.elf.go_import_hash level: extended type: keyword ignore_above: 1024 - description: PE Section List name. + description: 'A hash of the Go language imports in an ELF file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: indicator.file.pe.sections.physical_size + - name: indicator.file.elf.go_imports level: extended - type: long - format: bytes - description: PE Section List physical size. + type: flattened + description: List of imported Go language element names and types. default_field: false - - name: indicator.file.pe.sections.var_entropy + - name: indicator.file.elf.go_imports_names_entropy level: extended type: long format: number - description: Variance for Shannon entropy calculation from the section. + description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: indicator.file.pe.sections.virtual_size + - name: indicator.file.elf.go_imports_names_var_entropy level: extended type: long - format: string - description: PE Section List virtual size. This is always the same as `physical_size`. + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. 
default_field: false - - name: indicator.file.size + - name: indicator.file.elf.go_stripped level: extended - type: long - description: 'File size in bytes. - - Only relevant when `file.type` is "file".' - example: 16384 + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. default_field: false - - name: indicator.file.target_path + - name: indicator.file.elf.header.abi_version level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Target path for symlinks. + description: Version of the ELF Application Binary Interface (ABI). default_field: false - - name: indicator.file.type + - name: indicator.file.elf.header.class level: extended type: keyword ignore_above: 1024 - description: File type (file, dir, or symlink). - example: file + description: Header class of the ELF file. default_field: false - - name: indicator.file.uid + - name: indicator.file.elf.header.data level: extended type: keyword ignore_above: 1024 - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' + description: Data table of the ELF header. default_field: false - - name: indicator.file.x509.alternative_names + - name: indicator.file.elf.header.entrypoint level: extended - type: keyword - ignore_above: 1024 - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' + type: long + format: string + description: Header entrypoint of the ELF file. default_field: false - - name: indicator.file.x509.issuer.common_name + - name: indicator.file.elf.header.object_version level: extended type: keyword ignore_above: 1024 - description: List of common name (CN) of issuing certificate authority. 
- example: Example SHA2 High Assurance Server CA + description: '"0x1" for original ELF files.' default_field: false - - name: indicator.file.x509.issuer.country + - name: indicator.file.elf.header.os_abi level: extended type: keyword ignore_above: 1024 - description: List of country \(C) codes - example: US + description: Application Binary Interface (ABI) of the Linux OS. default_field: false - - name: indicator.file.x509.issuer.distinguished_name + - name: indicator.file.elf.header.type level: extended type: keyword ignore_above: 1024 - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA + description: Header type of the ELF file. default_field: false - - name: indicator.file.x509.issuer.locality + - name: indicator.file.elf.header.version level: extended type: keyword ignore_above: 1024 - description: List of locality names (L) - example: Mountain View + description: Version of the ELF header. default_field: false - - name: indicator.file.x509.issuer.organization + - name: indicator.file.elf.import_hash level: extended type: keyword ignore_above: 1024 - description: List of organizations (O) of issuing certificate authority. - example: Example Inc + description: 'A hash of the imports in an ELF file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is an ELF implementation of the Windows PE imphash.' + example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: indicator.file.x509.issuer.organizational_unit + - name: indicator.file.elf.imports level: extended - type: keyword - ignore_above: 1024 - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com + type: flattened + description: List of imported element names and types. 
default_field: false - - name: indicator.file.x509.issuer.state_or_province + - name: indicator.file.elf.imports_names_entropy level: extended - type: keyword - ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. default_field: false - - name: indicator.file.x509.not_after + - name: indicator.file.elf.imports_names_var_entropy level: extended - type: date - description: Time at which the certificate is no longer considered valid. - example: '2020-07-16T03:15:39Z' + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. default_field: false - - name: indicator.file.x509.not_before + - name: indicator.file.elf.sections level: extended - type: date - description: Time at which the certificate is first considered valid. - example: '2019-08-16T01:40:25Z' + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' default_field: false - - name: indicator.file.x509.public_key_algorithm + - name: indicator.file.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: indicator.file.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: indicator.file.elf.sections.flags level: extended type: keyword ignore_above: 1024 - description: Algorithm used to generate the public key. - example: RSA + description: ELF Section List flags. 
default_field: false - - name: indicator.file.x509.public_key_curve + - name: indicator.file.elf.sections.name level: extended type: keyword ignore_above: 1024 - description: The curve used by the elliptic curve public key algorithm. This - is algorithm specific. - example: nistp521 + description: ELF Section List name. default_field: false - - name: indicator.file.x509.public_key_exponent + - name: indicator.file.elf.sections.physical_offset level: extended - type: long - description: Exponent used to derive the public key. This is algorithm specific. - example: 65537 - index: false - doc_values: false + type: keyword + ignore_above: 1024 + description: ELF Section List offset. default_field: false - - name: indicator.file.x509.public_key_size + - name: indicator.file.elf.sections.physical_size level: extended type: long - description: The size of the public key space in bits. - example: 2048 + format: bytes + description: ELF Section List physical size. default_field: false - - name: indicator.file.x509.serial_number + - name: indicator.file.elf.sections.type level: extended type: keyword ignore_above: 1024 - description: Unique serial number issued by the certificate authority. For consistency, - this must be encoded in base 16 and formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA + description: ELF Section List type. default_field: false - - name: indicator.file.x509.signature_algorithm + - name: indicator.file.elf.sections.var_entropy level: extended - type: keyword - ignore_above: 1024 - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA + type: long + format: number + description: Variance for Shannon entropy calculation from the section. 
default_field: false - - name: indicator.file.x509.subject.common_name + - name: indicator.file.elf.sections.virtual_address level: extended - type: keyword - ignore_above: 1024 - description: List of common names (CN) of subject. - example: shared.global.example.net + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: indicator.file.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: indicator.file.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' default_field: false - - name: indicator.file.x509.subject.country + - name: indicator.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 - description: List of country \(C) code - example: US + description: ELF object segment sections. default_field: false - - name: indicator.file.x509.subject.distinguished_name + - name: indicator.file.elf.segments.type level: extended type: keyword ignore_above: 1024 - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + description: ELF object segment type. default_field: false - - name: indicator.file.x509.subject.locality + - name: indicator.file.elf.shared_libraries level: extended type: keyword ignore_above: 1024 - description: List of locality names (L) - example: San Francisco + description: List of shared libraries used by this ELF object. default_field: false - - name: indicator.file.x509.subject.organization + - name: indicator.file.elf.telfhash level: extended type: keyword ignore_above: 1024 - description: List of organizations (O) of subject. - example: Example, Inc. 
+ description: telfhash symbol hash for ELF file. default_field: false - - name: indicator.file.x509.subject.organizational_unit + - name: indicator.file.extension level: extended type: keyword ignore_above: 1024 - description: List of organizational units (OU) of subject. + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: indicator.file.x509.subject.state_or_province + - name: indicator.file.fork_name level: extended type: keyword ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer default_field: false - - name: indicator.file.x509.version_number + - name: indicator.file.gid level: extended type: keyword ignore_above: 1024 - description: Version of x509 format. - example: 3 + description: Primary group ID (GID) of the file. 
+ example: '1001' default_field: false - - name: indicator.first_seen + - name: indicator.file.group level: extended - type: date - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: indicator.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal - default_field: false - - name: indicator.geo.continent_code - level: core type: keyword ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA + description: Primary group name of the file. + example: alice default_field: false - - name: indicator.geo.continent_name - level: core + - name: indicator.file.hash.cdhash + level: extended type: keyword ignore_above: 1024 - description: Name of the continent. - example: North America + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 default_field: false - - name: indicator.geo.country_iso_code - level: core + - name: indicator.file.hash.md5 + level: extended type: keyword ignore_above: 1024 - description: Country ISO code. - example: CA + description: MD5 hash. default_field: false - - name: indicator.geo.country_name - level: core + - name: indicator.file.hash.sha1 + level: extended type: keyword ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: indicator.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' + description: SHA1 hash. default_field: false - - name: indicator.geo.name + - name: indicator.file.hash.sha256 level: extended type: keyword ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. 
- - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc + description: SHA256 hash. default_field: false - - name: indicator.geo.postal_code - level: core + - name: indicator.file.hash.sha384 + level: extended type: keyword ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 + description: SHA384 hash. default_field: false - - name: indicator.geo.region_iso_code - level: core + - name: indicator.file.hash.sha512 + level: extended type: keyword ignore_above: 1024 - description: Region ISO code. - example: CA-QC + description: SHA512 hash. default_field: false - - name: indicator.geo.region_name - level: core + - name: indicator.file.hash.ssdeep + level: extended type: keyword ignore_above: 1024 - description: Region name. - example: Quebec + description: SSDEEP hash. default_field: false - - name: indicator.geo.timezone - level: core + - name: indicator.file.hash.tlsh + level: extended type: keyword ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires + description: TLSH hash. default_field: false - - name: indicator.id + - name: indicator.file.inode level: extended type: keyword ignore_above: 1024 - description: 'The ID of the indicator used by this threat to conduct behavior - commonly modeled using MITRE ATT&CK®. This field can have multiple values - to allow for the identification of the same indicator across systems that - use different ID formats. - - While not required, a common approach is to use a STIX 2.x indicator ID.' 
- example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' - default_field: false - - name: indicator.ip - level: extended - type: ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 - default_field: false - - name: indicator.last_seen - level: extended - type: date - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' + description: Inode representing the file in the filesystem. + example: '256383' default_field: false - - name: indicator.marking.tlp + - name: indicator.file.mime_type level: extended type: keyword ignore_above: 1024 - description: Traffic Light Protocol sharing markings. - example: CLEAR + description: 'MIME type should identify the format of the file or stream of + bytes using IANA official types: https://www.iana.org/assignments/media-types/media-types.xhtml, + where possible. When more than one type is applicable, the most specific type + should be used.' default_field: false - - name: indicator.marking.tlp_version + - name: indicator.file.mode level: extended type: keyword ignore_above: 1024 - description: Traffic Light Protocol version. - example: 2.0 + description: Mode of the file in octal representation. + example: '0640' default_field: false - - name: indicator.modified_at + - name: indicator.file.mtime level: extended type: date - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' + description: Last time the file content was modified. default_field: false - - name: indicator.name + - name: indicator.file.name level: extended type: keyword ignore_above: 1024 - description: 'The display name indicator in an UI friendly format - - URL, IP address, email address, registry key, port number, hash value, or - other relevant name can serve as the display name.' 
- example: 5.2.75.227 + description: Name of the file including the extension, without the directory. + example: example.png default_field: false - - name: indicator.port + - name: indicator.file.origin_referrer_url level: extended - type: long - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the file. + example: http://example.com/article1.html default_field: false - - name: indicator.provider + - name: indicator.file.origin_url level: extended type: keyword - ignore_above: 1024 - description: The name of the indicator's provider. - example: lrz_urlhaus + ignore_above: 8192 + description: The URL where the file is hosted. + example: http://example.com/imgs/article1_img1.jpg default_field: false - - name: indicator.reference + - name: indicator.file.owner level: extended type: keyword ignore_above: 1024 - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 + description: File owner's username. + example: alice default_field: false - - name: indicator.registry.data.bytes + - name: indicator.file.path level: extended type: keyword ignore_above: 1024 - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - default_field: false - - name: indicator.registry.data.strings - level: core - type: wildcard - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. 
For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' + multi_fields: + - name: text + type: match_only_text + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png default_field: false - - name: indicator.registry.data.type - level: core + - name: indicator.file.pe.architecture + level: extended type: keyword ignore_above: 1024 - description: Standard registry type for encoding contents - example: REG_SZ + description: CPU architecture target for the file. + example: x64 default_field: false - - name: indicator.registry.hive - level: core + - name: indicator.file.pe.company + level: extended type: keyword ignore_above: 1024 - description: Abbreviated name for the hive. - example: HKLM + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation default_field: false - - name: indicator.registry.key - level: core + - name: indicator.file.pe.description + level: extended type: keyword ignore_above: 1024 - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + description: Internal description of the file, provided at compile-time. + example: Paint default_field: false - - name: indicator.registry.path - level: core + - name: indicator.file.pe.file_version + level: extended type: keyword ignore_above: 1024 - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger + description: Internal version of the file, provided at compile-time. 
+ example: 6.3.9600.17415 default_field: false - - name: indicator.registry.value - level: core + - name: indicator.file.pe.go_import_hash + level: extended type: keyword ignore_above: 1024 - description: Name of the value written. - example: Debugger + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 default_field: false - - name: indicator.scanner_stats + - name: indicator.file.pe.go_imports + level: extended + type: flattened + description: List of imported Go language element names and types. + default_field: false + - name: indicator.file.pe.go_imports_names_entropy level: extended type: long - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 + format: number + description: Shannon entropy calculation from the list of Go imports. default_field: false - - name: indicator.sightings + - name: indicator.file.pe.go_imports_names_var_entropy level: extended type: long - description: Number of times this indicator was observed conducting threat activity. - example: 20 + format: number + description: Variance for Shannon entropy calculation from the list of Go imports. default_field: false - - name: indicator.type + - name: indicator.file.pe.go_stripped + level: extended + type: boolean + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. 
+ default_field: false + - name: indicator.file.pe.imphash level: extended type: keyword ignore_above: 1024 - description: Type of indicator as represented by Cyber Observable in STIX 2.0. - example: ipv4-addr + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: indicator.url.domain + - name: indicator.file.pe.import_hash level: extended type: keyword ignore_above: 1024 - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC - 2732), the `[` and `]` characters should also be captured in the `domain` - field.' - example: www.elastic.co + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e default_field: false - - name: indicator.url.extension + - name: indicator.file.pe.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: indicator.file.pe.imports_names_entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the list of imported element names + and types. 
+ default_field: false + - name: indicator.file.pe.imports_names_var_entropy + level: extended + type: long + format: number + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + default_field: false + - name: indicator.file.pe.original_file_name level: extended type: keyword ignore_above: 1024 - description: 'The field contains the file extension from the original request - url, excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE default_field: false - - name: indicator.url.fragment + - name: indicator.file.pe.pehash level: extended type: keyword ignore_above: 1024 - description: 'Portion of the url after the `#`, such as "top". + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. - The `#` is not part of the fragment.' + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 default_field: false - - name: indicator.url.full + - name: indicator.file.pe.product level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. 
- example: https://www.elastic.co:443/search?q=elasticsearch#top + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System default_field: false - - name: indicator.url.original + - name: indicator.file.pe.sections level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. + type: nested + description: 'An array containing an object for each section of the PE file. - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' default_field: false - - name: indicator.url.password + - name: indicator.file.pe.sections.entropy level: extended - type: keyword - ignore_above: 1024 - description: Password of the request. + type: long + format: number + description: Shannon entropy calculation from the section. default_field: false - - name: indicator.url.path + - name: indicator.file.pe.sections.name level: extended - type: wildcard - description: Path of the request, such as "/search". + type: keyword + ignore_above: 1024 + description: PE Section List name. default_field: false - - name: indicator.url.port + - name: indicator.file.pe.sections.physical_size level: extended type: long - format: string - description: Port of the request, such as 443. - example: 443 + format: bytes + description: PE Section List physical size. 
default_field: false - - name: indicator.url.query + - name: indicator.file.pe.sections.var_entropy level: extended - type: keyword - ignore_above: 2083 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". - - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases.' + type: long + format: number + description: Variance for Shannon entropy calculation from the section. default_field: false - - name: indicator.url.registered_domain + - name: indicator.file.pe.sections.virtual_size level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com + type: long + format: string + description: PE Section List virtual size. This is always the same as `physical_size`. default_field: false - - name: indicator.url.scheme + - name: indicator.file.size level: extended - type: keyword - ignore_above: 1024 - description: 'Scheme of the request, such as "https". + type: long + description: 'File size in bytes. - Note: The `:` is not part of the scheme.' - example: https + Only relevant when `file.type` is "file".' + example: 16384 default_field: false - - name: indicator.url.subdomain + - name: indicator.file.target_path level: extended type: keyword ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east + multi_fields: + - name: text + type: match_only_text + description: Target path for symlinks. default_field: false - - name: indicator.url.top_level_domain + - name: indicator.file.type level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk + description: File type (file, dir, or symlink). + example: file default_field: false - - name: indicator.url.username + - name: indicator.file.uid level: extended type: keyword ignore_above: 1024 - description: Username of the request. + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' default_field: false - - name: indicator.x509.alternative_names + - name: indicator.file.x509.alternative_names level: extended type: keyword ignore_above: 1024 
@@ -38820,21 +12174,21 @@ (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - - name: indicator.x509.issuer.common_name + - name: indicator.file.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - - name: indicator.x509.issuer.country + - name: indicator.file.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) codes example: US default_field: false - - name: indicator.x509.issuer.distinguished_name + - name: indicator.file.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 
@@ -38842,54 +12196,54 @@ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - - name: indicator.x509.issuer.locality + - name: indicator.file.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - - name: indicator.x509.issuer.organization + - name: indicator.file.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - - name: indicator.x509.issuer.organizational_unit + - name: indicator.file.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - - name: indicator.x509.issuer.state_or_province + - name: indicator.file.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: indicator.x509.not_after + - name: indicator.file.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: '2020-07-16T03:15:39Z' default_field: false - - name: indicator.x509.not_before + - name: indicator.file.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: '2019-08-16T01:40:25Z' default_field: false - - name: indicator.x509.public_key_algorithm + - name: indicator.file.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - - name: indicator.x509.public_key_curve + - name: indicator.file.x509.public_key_curve level: extended type: keyword ignore_above: 1024 
@@ -38897,7 +12251,7 @@ is algorithm specific. example: nistp521 default_field: false - - name: indicator.x509.public_key_exponent + - name: indicator.file.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. @@ -38905,13 +12259,13 @@ index: false doc_values: false default_field: false - - name: indicator.x509.public_key_size + - name: indicator.file.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - - name: indicator.x509.serial_number + - name: indicator.file.x509.serial_number level: extended type: keyword ignore_above: 1024 @@ -38920,7 +12274,7 @@ characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: indicator.x509.signature_algorithm + - name: indicator.file.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 
@@ -38928,312 +12282,459 @@ names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - - name: indicator.x509.subject.common_name + - name: indicator.file.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - - name: indicator.x509.subject.country + - name: indicator.file.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) code example: US default_field: false - - name: indicator.x509.subject.distinguished_name + - name: indicator.file.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: indicator.x509.subject.locality + - name: indicator.file.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - - name: indicator.x509.subject.organization + - name: indicator.file.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - - name: indicator.x509.subject.organizational_unit + - name: indicator.file.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. 
default_field: false - - name: indicator.x509.subject.state_or_province + - name: indicator.file.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: indicator.x509.version_number + - name: indicator.file.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - - name: software.alias + - name: indicator.first_seen level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.geo.city_name + level: core type: keyword ignore_above: 1024 - description: 'The alias(es) of the software for a set of related intrusion activity - that are tracked by a common name in the security community. - - While not required, you can use a MITRE ATT&CK® associated software description.' - example: '[ "X-Agent" ]' + description: City name. + example: Montreal default_field: false - - name: software.id - level: extended + - name: indicator.geo.continent_code + level: core type: keyword ignore_above: 1024 - description: 'The id of the software used by this threat to conduct behavior - commonly modeled using MITRE ATT&CK®. - - While not required, you can use a MITRE ATT&CK® software id.' - example: S0552 + description: Two-letter code representing continent's name. + example: NA default_field: false - - name: software.name - level: extended + - name: indicator.geo.continent_name + level: core type: keyword ignore_above: 1024 - description: 'The name of the software used by this threat to conduct behavior - commonly modeled using MITRE ATT&CK®. - - While not required, you can use a MITRE ATT&CK® software name.' - example: AdFind + description: Name of the continent. 
+ example: North America default_field: false - - name: software.platforms + - name: indicator.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: indicator.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: indicator.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: indicator.geo.name level: extended type: keyword ignore_above: 1024 - description: 'The platforms of the software used by this threat to conduct behavior - commonly modeled using MITRE ATT&CK®. + description: 'User-defined description of a location, at the level of granularity + they care about. - While not required, you can use MITRE ATT&CK® software platform values.' - example: '[ "Windows" ]' + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc default_field: false - - name: software.reference - level: extended + - name: indicator.geo.postal_code + level: core type: keyword ignore_above: 1024 - description: 'The reference URL of the software used by this threat to conduct - behavior commonly modeled using MITRE ATT&CK®. + description: 'Postal code associated with the location. - While not required, you can use a MITRE ATT&CK® software reference URL.' - example: https://attack.mitre.org/software/S0552/ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 default_field: false - - name: software.type + - name: indicator.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. 
+ example: CA-QC + default_field: false + - name: indicator.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: indicator.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: indicator.id level: extended type: keyword ignore_above: 1024 - description: 'The type of software used by this threat to conduct behavior commonly - modeled using MITRE ATT&CK®. + description: 'The ID of the indicator used by this threat to conduct behavior + commonly modeled using MITRE ATT&CK®. This field can have multiple values + to allow for the identification of the same indicator across systems that + use different ID formats. - While not required, you can use a MITRE ATT&CK® software type.' - example: Tool + While not required, a common approach is to use a STIX 2.x indicator ID.' + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' default_field: false - - name: tactic.id + - name: indicator.ip + level: extended + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + default_field: false + - name: indicator.last_seen + level: extended + type: date + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.marking.tlp level: extended type: keyword ignore_above: 1024 - description: The id of tactic used by this threat. You can use a MITRE ATT&CK® - tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - example: TA0002 - - name: tactic.name + description: Traffic Light Protocol sharing markings. 
+ example: CLEAR + default_field: false + - name: indicator.marking.tlp_version level: extended type: keyword ignore_above: 1024 - description: Name of the type of tactic used by this threat. You can use a MITRE - ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - example: Execution - - name: tactic.reference + description: Traffic Light Protocol version. + example: 2.0 + default_field: false + - name: indicator.modified_at + level: extended + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.name level: extended type: keyword ignore_above: 1024 - description: The reference url of tactic used by this threat. You can use a - MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ - ) - example: https://attack.mitre.org/tactics/TA0002/ - - name: technique.id + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' + example: 5.2.75.227 + default_field: false + - name: indicator.port + level: extended + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + default_field: false + - name: indicator.provider level: extended type: keyword ignore_above: 1024 - description: The id of technique used by this threat. You can use a MITRE ATT&CK® - technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - example: T1059 - - name: technique.name + description: The name of the indicator's provider. + example: lrz_urlhaus + default_field: false + - name: indicator.reference level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - default_field: false - description: The name of technique used by this threat. 
You can use a MITRE - ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - example: Command and Scripting Interpreter - - name: technique.reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + default_field: false + - name: indicator.registry.data.bytes level: extended type: keyword ignore_above: 1024 - description: The reference url of technique used by this threat. You can use - a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - example: https://attack.mitre.org/techniques/T1059/ - - name: technique.subtechnique.id - level: extended + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + default_field: false + - name: indicator.registry.data.strings + level: core + type: wildcard + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: indicator.registry.data.type + level: core + type: keyword + ignore_above: 1024 + description: Standard registry type for encoding contents + example: REG_SZ + default_field: false + - name: indicator.registry.hive + level: core type: keyword ignore_above: 1024 - description: The full id of subtechnique used by this threat. 
You can use a - MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) - example: T1059.001 + description: Abbreviated name for the hive. + example: HKLM default_field: false - - name: technique.subtechnique.name - level: extended + - name: indicator.registry.key + level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: The name of subtechnique used by this threat. You can use a MITRE - ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) - example: PowerShell + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - - name: technique.subtechnique.reference - level: extended + - name: indicator.registry.path + level: core type: keyword ignore_above: 1024 - description: The reference url of subtechnique used by this threat. You can - use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) - example: https://attack.mitre.org/techniques/T1059/001/ + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger default_field: false - - name: tls - title: TLS - group: 2 - description: Fields related to a TLS connection. These fields focus on the TLS - protocol itself and intentionally avoids in-depth analysis of the related x.509 - certificate files. - type: group - default_field: true - fields: - - name: cipher - level: extended + - name: indicator.registry.value + level: core type: keyword ignore_above: 1024 - description: String indicating the cipher used during the current connection. - example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + description: Name of the value written. 
+ example: Debugger default_field: false - - name: client.certificate + - name: indicator.scanner_stats level: extended - type: keyword - ignore_above: 1024 - description: PEM-encoded stand-alone certificate offered by the client. This - is usually mutually-exclusive of `client.certificate_chain` since this value - also exists in that list. - example: MII... + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 default_field: false - - name: client.certificate_chain + - name: indicator.sightings + level: extended + type: long + description: Number of times this indicator was observed conducting threat activity. + example: 20 + default_field: false + - name: indicator.type level: extended type: keyword ignore_above: 1024 - description: Array of PEM-encoded certificates that make up the certificate - chain offered by the client. This is usually mutually-exclusive of `client.certificate` - since that value should be the first certificate in the chain. - example: '["MII...", "MII..."]' + description: Type of indicator as represented by Cyber Observable in STIX 2.0. + example: ipv4-addr default_field: false - - name: client.hash.md5 + - name: indicator.url.domain level: extended type: keyword ignore_above: 1024 - description: Certificate fingerprint using the MD5 digest of DER-encoded version - of certificate offered by the client. For consistency with other hash values, - this value should be formatted as an uppercase hash. - example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' 
+ example: www.elastic.co default_field: false - - name: client.hash.sha1 + - name: indicator.url.extension level: extended type: keyword ignore_above: 1024 - description: Certificate fingerprint using the SHA1 digest of DER-encoded version - of certificate offered by the client. For consistency with other hash values, - this value should be formatted as an uppercase hash. - example: 9E393D93138888D288266C2D915214D1D1CCEB2A + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: client.hash.sha256 + - name: indicator.url.fragment level: extended type: keyword ignore_above: 1024 - description: Certificate fingerprint using the SHA256 digest of DER-encoded - version of certificate offered by the client. For consistency with other hash - values, this value should be formatted as an uppercase hash. - example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' default_field: false - - name: client.issuer + - name: indicator.url.full + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. 
+ example: https://www.elastic.co:443/search?q=elasticsearch#top + default_field: false + - name: indicator.url.original + level: extended + type: wildcard + multi_fields: + - name: text + type: match_only_text + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + default_field: false + - name: indicator.url.password level: extended type: keyword ignore_above: 1024 - description: Distinguished name of subject of the issuer of the x.509 certificate - presented by the client. - example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + description: Password of the request. default_field: false - - name: client.ja3 + - name: indicator.url.path + level: extended + type: wildcard + description: Path of the request, such as "/search". + default_field: false + - name: indicator.url.port + level: extended + type: long + format: string + description: Port of the request, such as 443. + example: 443 + default_field: false + - name: indicator.url.query level: extended type: keyword - ignore_above: 1024 - description: A hash that identifies clients based on how they perform an SSL/TLS - handshake. - example: d4e5b18d6b55c71272893221c96ba240 + ignore_above: 2083 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' 
default_field: false - - name: client.not_after + - name: indicator.url.registered_domain level: extended - type: date - description: Date/Time indicating when client certificate is no longer considered - valid. - example: '2021-01-01T00:00:00.000Z' + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com default_field: false - - name: client.not_before + - name: indicator.url.scheme level: extended - type: date - description: Date/Time indicating when client certificate is first considered - valid. - example: '1970-01-01T00:00:00.000Z' + type: keyword + ignore_above: 1024 + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https default_field: false - - name: client.server_name + - name: indicator.url.subdomain level: extended type: keyword ignore_above: 1024 - description: Also called an SNI, this tells the server which hostname to which - the client is attempting to connect to. When this value is available, it should - get copied to `destination.domain`. - example: www.elastic.co + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east default_field: false - - name: client.subject + - name: indicator.url.top_level_domain level: extended type: keyword ignore_above: 1024 - description: Distinguished name of subject of the x.509 certificate presented - by the client. - example: CN=myclient, OU=Documentation Team, DC=example, DC=com + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk default_field: false - - name: client.supported_ciphers + - name: indicator.url.username level: extended type: keyword ignore_above: 1024 - description: Array of ciphers offered by the client during the client hello. - example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "..."]' + description: Username of the request. default_field: false - - name: client.x509.alternative_names + - name: indicator.x509.alternative_names level: extended type: keyword ignore_above: 1024 
@@ -39242,21 +12743,21 @@ (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - - name: client.x509.issuer.common_name + - name: indicator.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - - name: client.x509.issuer.country + - name: indicator.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) codes example: US default_field: false - - name: client.x509.issuer.distinguished_name + - name: indicator.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 
@@ -39264,54 +12765,54 @@ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - - name: client.x509.issuer.locality + - name: indicator.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - - name: client.x509.issuer.organization + - name: indicator.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - - name: client.x509.issuer.organizational_unit + - name: indicator.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - - name: client.x509.issuer.state_or_province + - name: indicator.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: client.x509.not_after + - name: indicator.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: '2020-07-16T03:15:39Z' default_field: false - - name: client.x509.not_before + - name: indicator.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: '2019-08-16T01:40:25Z' default_field: false - - name: client.x509.public_key_algorithm + - name: indicator.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - - name: client.x509.public_key_curve + - name: indicator.x509.public_key_curve level: extended type: keyword ignore_above: 1024 
@@ -39319,7 +12820,7 @@ is algorithm specific. example: nistp521 default_field: false - - name: client.x509.public_key_exponent + - name: indicator.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. @@ -39327,13 +12828,13 @@ index: false doc_values: false default_field: false - - name: client.x509.public_key_size + - name: indicator.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - - name: client.x509.serial_number + - name: indicator.x509.serial_number level: extended type: keyword ignore_above: 1024 @@ -39342,7 +12843,7 @@ characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: client.x509.signature_algorithm + - name: indicator.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 
@@ -39350,172 +12851,312 @@ names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - - name: client.x509.subject.common_name + - name: indicator.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - - name: client.x509.subject.country + - name: indicator.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) code example: US default_field: false - - name: client.x509.subject.distinguished_name + - name: indicator.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: client.x509.subject.locality + - name: indicator.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - - name: client.x509.subject.organization + - name: indicator.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - - name: client.x509.subject.organizational_unit + - name: indicator.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. 
default_field: false - - name: client.x509.subject.state_or_province + - name: indicator.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: client.x509.version_number + - name: indicator.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - - name: curve + - name: software.alias level: extended type: keyword ignore_above: 1024 - description: String indicating the curve used for the given cipher, when applicable. - example: secp256r1 + description: 'The alias(es) of the software for a set of related intrusion activity + that are tracked by a common name in the security community. + + While not required, you can use a MITRE ATT&CK® associated software description.' + example: '[ "X-Agent" ]' default_field: false - - name: established + - name: software.id level: extended - type: boolean - description: Boolean flag indicating if the TLS negotiation was successful and - transitioned to an encrypted tunnel. + type: keyword + ignore_above: 1024 + description: 'The id of the software used by this threat to conduct behavior + commonly modeled using MITRE ATT&CK®. + + While not required, you can use a MITRE ATT&CK® software id.' + example: S0552 default_field: false - - name: next_protocol + - name: software.name level: extended type: keyword ignore_above: 1024 - description: String indicating the protocol being tunneled. Per the values in - the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), - this string should be lower case. - example: http/1.1 + description: 'The name of the software used by this threat to conduct behavior + commonly modeled using MITRE ATT&CK®. + + While not required, you can use a MITRE ATT&CK® software name.' 
+ example: AdFind default_field: false - - name: resumed + - name: software.platforms level: extended - type: boolean - description: Boolean flag indicating if this TLS connection was resumed from - an existing TLS negotiation. + type: keyword + ignore_above: 1024 + description: 'The platforms of the software used by this threat to conduct behavior + commonly modeled using MITRE ATT&CK®. + + While not required, you can use MITRE ATT&CK® software platform values.' + example: '[ "Windows" ]' default_field: false - - name: server.certificate + - name: software.reference level: extended type: keyword ignore_above: 1024 - description: PEM-encoded stand-alone certificate offered by the server. This - is usually mutually-exclusive of `server.certificate_chain` since this value + description: 'The reference URL of the software used by this threat to conduct + behavior commonly modeled using MITRE ATT&CK®. + + While not required, you can use a MITRE ATT&CK® software reference URL.' + example: https://attack.mitre.org/software/S0552/ + default_field: false + - name: software.type + level: extended + type: keyword + ignore_above: 1024 + description: 'The type of software used by this threat to conduct behavior commonly + modeled using MITRE ATT&CK®. + + While not required, you can use a MITRE ATT&CK® software type.' + example: Tool + default_field: false + - name: tactic.id + level: extended + type: keyword + ignore_above: 1024 + description: The id of tactic used by this threat. You can use a MITRE ATT&CK® + tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + example: TA0002 + - name: tactic.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the type of tactic used by this threat. You can use a MITRE + ATT&CK® tactic, for example. (ex. 
https://attack.mitre.org/tactics/TA0002/) + example: Execution + - name: tactic.reference + level: extended + type: keyword + ignore_above: 1024 + description: The reference url of tactic used by this threat. You can use a + MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ + ) + example: https://attack.mitre.org/tactics/TA0002/ + - name: technique.id + level: extended + type: keyword + ignore_above: 1024 + description: The id of technique used by this threat. You can use a MITRE ATT&CK® + technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + example: T1059 + - name: technique.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + default_field: false + description: The name of technique used by this threat. You can use a MITRE + ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + example: Command and Scripting Interpreter + - name: technique.reference + level: extended + type: keyword + ignore_above: 1024 + description: The reference url of technique used by this threat. You can use + a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + example: https://attack.mitre.org/techniques/T1059/ + - name: technique.subtechnique.id + level: extended + type: keyword + ignore_above: 1024 + description: The full id of subtechnique used by this threat. You can use a + MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + example: T1059.001 + default_field: false + - name: technique.subtechnique.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The name of subtechnique used by this threat. You can use a MITRE + ATT&CK® subtechnique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/001/) + example: PowerShell + default_field: false + - name: technique.subtechnique.reference + level: extended + type: keyword + ignore_above: 1024 + description: The reference url of subtechnique used by this threat. You can + use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + example: https://attack.mitre.org/techniques/T1059/001/ + default_field: false + - name: tls + title: TLS + group: 2 + description: Fields related to a TLS connection. These fields focus on the TLS + protocol itself and intentionally avoids in-depth analysis of the related x.509 + certificate files. + type: group + default_field: true + fields: + - name: cipher + level: extended + type: keyword + ignore_above: 1024 + description: String indicating the cipher used during the current connection. + example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + default_field: false + - name: client.certificate + level: extended + type: keyword + ignore_above: 1024 + description: PEM-encoded stand-alone certificate offered by the client. This + is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. example: MII... default_field: false - - name: server.certificate_chain + - name: client.certificate_chain level: extended type: keyword ignore_above: 1024 description: Array of PEM-encoded certificates that make up the certificate - chain offered by the server. This is usually mutually-exclusive of `server.certificate` + chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. example: '["MII...", "MII..."]' default_field: false - - name: server.hash.md5 + - name: client.hash.md5 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the MD5 digest of DER-encoded version - of certificate offered by the server. 
For consistency with other hash values, + of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC default_field: false - - name: server.hash.sha1 + - name: client.hash.sha1 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA1 digest of DER-encoded version - of certificate offered by the server. For consistency with other hash values, + of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 9E393D93138888D288266C2D915214D1D1CCEB2A default_field: false - - name: server.hash.sha256 + - name: client.hash.sha256 level: extended type: keyword ignore_above: 1024 description: Certificate fingerprint using the SHA256 digest of DER-encoded - version of certificate offered by the server. For consistency with other hash + version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 default_field: false - - name: server.issuer + - name: client.issuer level: extended type: keyword ignore_above: 1024 - description: Subject of the issuer of the x.509 certificate presented by the - server. + description: Distinguished name of subject of the issuer of the x.509 certificate + presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - - name: server.ja3s + - name: client.ja3 level: extended type: keyword ignore_above: 1024 - description: A hash that identifies servers based on how they perform an SSL/TLS + description: A hash that identifies clients based on how they perform an SSL/TLS handshake. 
- example: 394441ab65754e2207b1e1b457b3641d + example: d4e5b18d6b55c71272893221c96ba240 default_field: false - - name: server.not_after + - name: client.not_after level: extended type: date - description: Timestamp indicating when server certificate is no longer considered + description: Date/Time indicating when client certificate is no longer considered valid. example: '2021-01-01T00:00:00.000Z' default_field: false - - name: server.not_before + - name: client.not_before level: extended type: date - description: Timestamp indicating when server certificate is first considered + description: Date/Time indicating when client certificate is first considered valid. example: '1970-01-01T00:00:00.000Z' default_field: false - - name: server.subject + - name: client.server_name level: extended type: keyword ignore_above: 1024 - description: Subject of the x.509 certificate presented by the server. - example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + description: Also called an SNI, this tells the server which hostname to which + the client is attempting to connect to. When this value is available, it should + get copied to `destination.domain`. + example: www.elastic.co + default_field: false + - name: client.subject + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name of subject of the x.509 certificate presented + by the client. + example: CN=myclient, OU=Documentation Team, DC=example, DC=com + default_field: false + - name: client.supported_ciphers + level: extended + type: keyword + ignore_above: 1024 + description: Array of ciphers offered by the client during the client hello. + example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "..."]' default_field: false - - name: server.x509.alternative_names + - name: client.x509.alternative_names level: extended type: keyword ignore_above: 1024 
@@ -39524,21 +13165,21 @@ (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - - name: server.x509.issuer.common_name + - name: client.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - - name: server.x509.issuer.country + - name: client.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country \(C) codes example: US default_field: false - - name: server.x509.issuer.distinguished_name + - name: client.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 
@@ -39546,54 +13187,54 @@ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - - name: server.x509.issuer.locality + - name: client.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - - name: server.x509.issuer.organization + - name: client.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - - name: server.x509.issuer.organizational_unit + - name: client.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - - name: server.x509.issuer.state_or_province + - name: client.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: server.x509.not_after + - name: client.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: '2020-07-16T03:15:39Z' default_field: false - - name: server.x509.not_before + - name: client.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: '2019-08-16T01:40:25Z' default_field: false - - name: server.x509.public_key_algorithm + - name: client.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - - name: server.x509.public_key_curve + - name: client.x509.public_key_curve level: extended type: keyword ignore_above: 1024 
@@ -39601,7 +13242,7 @@ is algorithm specific. example: nistp521 default_field: false - - name: server.x509.public_key_exponent + - name: client.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. @@ -39609,13 +13250,13 @@ index: false doc_values: false default_field: false - - name: server.x509.public_key_size + - name: client.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - - name: server.x509.serial_number + - name: client.x509.serial_number level: extended type: keyword ignore_above: 1024 @@ -39624,7 +13265,7 @@ characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: server.x509.signature_algorithm + - name: client.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 
@@ -39632,646 +13273,557 @@
 names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
 example: SHA256-RSA
 default_field: false
- - name: server.x509.subject.common_name
+ - name: client.x509.subject.common_name
 level: extended
 type: keyword
 ignore_above: 1024
 description: List of common names (CN) of subject.
 example: shared.global.example.net
 default_field: false
- - name: server.x509.subject.country
+ - name: client.x509.subject.country
 level: extended
 type: keyword
 ignore_above: 1024
 description: List of country \(C) code
 example: US
 default_field: false
- - name: server.x509.subject.distinguished_name
+ - name: client.x509.subject.distinguished_name
 level: extended
 type: keyword
 ignore_above: 1024
 description: Distinguished name (DN) of the certificate subject entity.
 example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
 default_field: false
- - name: server.x509.subject.locality
+ - name: client.x509.subject.locality
 level: extended
 type: keyword
 ignore_above: 1024
 description: List of locality names (L)
 example: San Francisco
 default_field: false
- - name: server.x509.subject.organization
+ - name: client.x509.subject.organization
 level: extended
 type: keyword
 ignore_above: 1024
 description: List of organizations (O) of subject.
 example: Example, Inc.
 default_field: false
- - name: server.x509.subject.organizational_unit
+ - name: client.x509.subject.organizational_unit
 level: extended
 type: keyword
 ignore_above: 1024
 description: List of organizational units (OU) of subject.
default_field: false - - name: server.x509.subject.state_or_province + - name: client.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: server.x509.version_number + - name: client.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - - name: version + - name: curve level: extended type: keyword ignore_above: 1024 - description: Numeric part of the version parsed from the original string. - example: '1.2' + description: String indicating the curve used for the given cipher, when applicable. + example: secp256r1 default_field: false - - name: version_protocol + - name: established + level: extended + type: boolean + description: Boolean flag indicating if the TLS negotiation was successful and + transitioned to an encrypted tunnel. + default_field: false + - name: next_protocol level: extended type: keyword ignore_above: 1024 - description: Normalized lowercase protocol name parsed from original string. - example: tls + description: String indicating the protocol being tunneled. Per the values in + the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), + this string should be lower case. + example: http/1.1 default_field: false - - name: span.id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the span within the scope of its trace. - - A span represents an operation within a transaction, such as a request to another - service, or a database query.' - example: 3ff9a8981b7ccd5a - - name: trace.id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the trace. - - A trace groups multiple events like transactions that belong together. 
For example, - a user request handled by multiple inter-connected services.' - example: 4bf92f3577b34da6a3ce929d0e0e4736 - default_field: true - - name: transaction.id - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique identifier of the transaction within the scope of its trace. - - A transaction is the highest level of work measured within a service, such as - a request to a server.' - example: 00f067aa0ba902b7 - default_field: true - - name: url - title: URL - group: 2 - description: URL fields provide support for complete or partial URLs, and supports - the breaking down into scheme, domain, path, and so on. - type: group - default_field: true - fields: - - name: domain + - name: resumed + level: extended + type: boolean + description: Boolean flag indicating if this TLS connection was resumed from + an existing TLS negotiation. + default_field: false + - name: server.certificate level: extended type: keyword ignore_above: 1024 - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC - 2732), the `[` and `]` characters should also be captured in the `domain` - field.' - example: www.elastic.co - - name: extension + description: PEM-encoded stand-alone certificate offered by the server. This + is usually mutually-exclusive of `server.certificate_chain` since this value + also exists in that list. + example: MII... + default_field: false + - name: server.certificate_chain level: extended type: keyword ignore_above: 1024 - description: 'The field contains the file extension from the original request - url, excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. 
For example, the value must be "png", - not ".png". - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png - - name: fragment + description: Array of PEM-encoded certificates that make up the certificate + chain offered by the server. This is usually mutually-exclusive of `server.certificate` + since that value should be the first certificate in the chain. + example: '["MII...", "MII..."]' + default_field: false + - name: server.hash.md5 level: extended type: keyword ignore_above: 1024 - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' - - name: full - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - default_field: false - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - example: https://www.elastic.co:443/search?q=elasticsearch#top - - name: original - level: extended - type: wildcard - multi_fields: - - name: text - type: match_only_text - default_field: false - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - - name: password + description: Certificate fingerprint using the MD5 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + default_field: false + - name: server.hash.sha1 level: extended type: keyword ignore_above: 1024 - description: Password of the request. 
- - name: path - level: extended - type: wildcard - description: Path of the request, such as "/search". - - name: port - level: extended - type: long - format: string - description: Port of the request, such as 443. - example: 443 - - name: query + description: Certificate fingerprint using the SHA1 digest of DER-encoded version + of certificate offered by the server. For consistency with other hash values, + this value should be formatted as an uppercase hash. + example: 9E393D93138888D288266C2D915214D1D1CCEB2A + default_field: false + - name: server.hash.sha256 level: extended type: keyword - ignore_above: 2083 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". - - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases.' - - name: registered_domain + ignore_above: 1024 + description: Certificate fingerprint using the SHA256 digest of DER-encoded + version of certificate offered by the server. For consistency with other hash + values, this value should be formatted as an uppercase hash. + example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + default_field: false + - name: server.issuer level: extended type: keyword ignore_above: 1024 - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - - name: scheme + description: Subject of the issuer of the x.509 certificate presented by the + server. 
+ example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + default_field: false + - name: server.ja3s level: extended type: keyword ignore_above: 1024 - description: 'Scheme of the request, such as "https". - - Note: The `:` is not part of the scheme.' - example: https - - name: subdomain + description: A hash that identifies servers based on how they perform an SSL/TLS + handshake. + example: 394441ab65754e2207b1e1b457b3641d + default_field: false + - name: server.not_after + level: extended + type: date + description: Timestamp indicating when server certificate is no longer considered + valid. + example: '2021-01-01T00:00:00.000Z' + default_field: false + - name: server.not_before + level: extended + type: date + description: Timestamp indicating when server certificate is first considered + valid. + example: '1970-01-01T00:00:00.000Z' + default_field: false + - name: server.subject level: extended type: keyword ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east + description: Subject of the x.509 certificate presented by the server. + example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com default_field: false - - name: top_level_domain + - name: server.x509.alternative_names level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. 
For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - - name: username + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: server.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 - description: Username of the request. - - name: user - title: User - group: 2 - description: 'The user fields describe information about the user that is relevant - to the event. - - Fields can have one entry or multiple entries. If a user has more than one id, - provide an array that includes all of them.' - type: group - default_field: true - fields: - - name: changes.domain + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + default_field: false + - name: server.x509.issuer.country level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' + description: List of country \(C) codes + example: US default_field: false - - name: changes.email + - name: server.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 - description: User email address. + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA default_field: false - - name: changes.entity.attributes + - name: server.x509.issuer.locality level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View default_field: false - - name: changes.entity.behavior + - name: server.x509.issuer.organization level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc default_field: false - - name: changes.entity.display_name + - name: server.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.example.com default_field: false - - name: changes.entity.id - level: core + - name: server.x509.issuer.state_or_province + level: extended type: keyword ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: changes.entity.last_seen_timestamp + - name: server.x509.not_after level: extended type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. + description: Time at which the certificate is no longer considered valid. + example: '2020-07-16T03:15:39Z' default_field: false - - name: changes.entity.lifecycle + - name: server.x509.not_before level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. + type: date + description: Time at which the certificate is first considered valid. + example: '2019-08-16T01:40:25Z' default_field: false - - name: changes.entity.metrics + - name: server.x509.public_key_algorithm level: extended - type: object - description: Field set for any fields containing numeric entity metrics. 
These - use dynamic field data type mapping. - default_field: false - - name: changes.entity.name - level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: changes.entity.raw - level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. + description: Algorithm used to generate the public key. + example: RSA default_field: false - - name: changes.entity.reference + - name: server.x509.public_key_curve level: extended type: keyword ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 default_field: false - - name: changes.entity.source - level: core - type: keyword - ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + - name: server.x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. 
+ example: 65537 + index: false + doc_values: false default_field: false - - name: changes.entity.sub_type + - name: server.x509.public_key_size level: extended - type: keyword - ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket + type: long + description: The size of the public key space in bits. + example: 2048 default_field: false - - name: changes.entity.type - level: core + - name: server.x509.serial_number + level: extended type: keyword ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host + description: Unique serial number issued by the certificate authority. For consistency, + this must be encoded in base 16 and formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: changes.full_name + - name: server.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: User's full name, if available. - example: Albert Einstein + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. 
+ example: SHA256-RSA default_field: false - - name: changes.group.domain + - name: server.x509.subject.common_name level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' + description: List of common names (CN) of subject. + example: shared.global.example.net default_field: false - - name: changes.group.id + - name: server.x509.subject.country level: extended type: keyword ignore_above: 1024 - description: Unique identifier for the group on the system/platform. + description: List of country \(C) code + example: US default_field: false - - name: changes.group.name + - name: server.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 - description: Name of the group. + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: changes.hash + - name: server.x509.subject.locality level: extended type: keyword ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' + description: List of locality names (L) + example: San Francisco default_field: false - - name: changes.id - level: core + - name: server.x509.subject.organization + level: extended type: keyword ignore_above: 1024 - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 + description: List of organizations (O) of subject. + example: Example, Inc. default_field: false - - name: changes.name - level: core + - name: server.x509.subject.organizational_unit + level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: match_only_text - description: Short name or login of the user. 
- example: a.einstein + description: List of organizational units (OU) of subject. default_field: false - - name: changes.risk.calculated_level + - name: server.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: changes.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: changes.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: changes.risk.static_level + - name: server.x509.version_number level: extended type: keyword ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: changes.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 + description: Version of x509 format. + example: 3 default_field: false - - name: changes.risk.static_score_norm + - name: version level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 + type: keyword + ignore_above: 1024 + description: Numeric part of the version parsed from the original string. + example: '1.2' default_field: false - - name: changes.roles + - name: version_protocol level: extended type: keyword ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' + description: Normalized lowercase protocol name parsed from original string. + example: tls default_field: false + - name: span.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the span within the scope of its trace. + + A span represents an operation within a transaction, such as a request to another + service, or a database query.' + example: 3ff9a8981b7ccd5a + - name: trace.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the trace. + + A trace groups multiple events like transactions that belong together. For example, + a user request handled by multiple inter-connected services.' + example: 4bf92f3577b34da6a3ce929d0e0e4736 + default_field: true + - name: transaction.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the transaction within the scope of its trace. + + A transaction is the highest level of work measured within a service, such as + a request to a server.' + example: 00f067aa0ba902b7 + default_field: true + - name: url + title: URL + group: 2 + description: URL fields provide support for complete or partial URLs, and supports + the breaking down into scheme, domain, path, and so on. + type: group + default_field: true + fields: - name: domain level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. + description: 'Domain of the url, such as "www.elastic.co". - For example, an LDAP or Active Directory domain name.' 
- - name: effective.domain + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + - name: extension level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. + description: 'The field contains the file extension from the original request + url, excluding the leading dot. - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: effective.email + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + - name: fragment level: extended type: keyword ignore_above: 1024 - description: User email address. - default_field: false - - name: effective.entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - default_field: false - - name: effective.entity.behavior + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + - name: full level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: effective.entity.display_name + type: wildcard + multi_fields: + - name: text + type: match_only_text + default_field: false + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + - name: original level: extended - type: keyword - ignore_above: 1024 + type: wildcard multi_fields: - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - default_field: false - - name: effective.entity.id - level: core + type: match_only_text + default_field: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + - name: password + level: extended type: keyword ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). 
For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: effective.entity.last_seen_timestamp + description: Password of the request. + - name: path level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - default_field: false - - name: effective.entity.lifecycle + type: wildcard + description: Path of the request, such as "/search". + - name: port level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: effective.entity.metrics + type: long + format: string + description: Port of the request, such as 443. + example: 443 + - name: query + level: extended + type: keyword + ignore_above: 2083 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' + - name: registered_domain level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - default_field: false - - name: effective.entity.name - level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. 
The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - default_field: false - - name: effective.entity.raw + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + - name: scheme level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - default_field: false - - name: effective.entity.reference + type: keyword + ignore_above: 1024 + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + - name: subdomain level: extended type: keyword ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east default_field: false - - name: effective.entity.source - level: core + - name: top_level_domain + level: extended type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). - default_field: false - - name: effective.entity.sub_type + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: username + level: extended + type: keyword + ignore_above: 1024 + description: Username of the request. + - name: user + title: User + group: 2 + description: 'The user fields describe information about the user that is relevant + to the event. + + Fields can have one entry or multiple entries. If a user has more than one id, + provide an array that includes all of them.' + type: group + default_field: true + fields: + - name: changes.domain level: extended type: keyword ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' 
default_field: false - - name: effective.entity.type - level: core + - name: changes.email + level: extended type: keyword ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host + description: User email address. default_field: false - - name: effective.full_name + - name: changes.full_name level: extended type: keyword ignore_above: 1024 @@ -40281,7 +13833,7 @@ description: User's full name, if available. example: Albert Einstein default_field: false - - name: effective.group.domain + - name: changes.group.domain level: extended type: keyword ignore_above: 1024 @@ -40289,19 +13841,19 @@ For example, an LDAP or Active Directory domain name.' default_field: false - - name: effective.group.id + - name: changes.group.id level: extended type: keyword ignore_above: 1024 description: Unique identifier for the group on the system/platform. default_field: false - - name: effective.group.name + - name: changes.group.name level: extended type: keyword ignore_above: 1024 description: Name of the group. default_field: false - - name: effective.hash + - name: changes.hash level: extended type: keyword ignore_above: 1024 @@ -40311,14 +13863,14 @@ Useful if `user.id` or `user.name` contain confidential information and cannot be used.' default_field: false - - name: effective.id + - name: changes.id level: core type: keyword ignore_above: 1024 description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: effective.name + - name: changes.name level: core type: keyword ignore_above: 1024 
@@ -40328,184 +13880,103 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: effective.risk.calculated_level + - name: changes.roles level: extended type: keyword ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: effective.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: effective.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' default_field: false - - name: effective.risk.static_level + - name: domain level: extended type: keyword ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: effective.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: effective.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - - name: effective.roles + description: 'Name of the directory the user is a member of. 
+ + For example, an LDAP or Active Directory domain name.' + - name: effective.domain level: extended type: keyword ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' default_field: false - - name: email + - name: effective.email level: extended type: keyword ignore_above: 1024 description: User email address. - - name: entity.attributes - level: extended - type: object - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. default_field: false - - name: entity.behavior - level: extended - type: object - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - default_field: false - - name: entity.display_name + - name: effective.full_name level: extended type: keyword ignore_above: 1024 multi_fields: - name: text - type: text - norms: false - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). + type: match_only_text + description: User's full name, if available. 
+ example: Albert Einstein default_field: false - - name: entity.id - level: core + - name: effective.group.domain + level: extended type: keyword ignore_above: 1024 - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - default_field: false - - name: entity.last_seen_timestamp - level: extended - type: date - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' default_field: false - - name: entity.lifecycle + - name: effective.group.id level: extended - type: object - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. default_field: false - - name: entity.metrics + - name: effective.group.name level: extended - type: object - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- default_field: false - - name: entity.name - level: core type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. + description: Name of the group. default_field: false - - name: entity.raw + - name: effective.hash level: extended - type: object - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' default_field: false - - name: entity.reference - level: extended + - name: effective.id + level: core type: keyword ignore_above: 1024 - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 default_field: false - - name: entity.source + - name: effective.name level: core type: keyword ignore_above: 1024 - description: The module or integration that provided this entity data (similar - to event.module). + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. 
+ example: a.einstein default_field: false - - name: entity.sub_type + - name: effective.roles level: extended type: keyword ignore_above: 1024 - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' default_field: false - - name: entity.type - level: core + - name: email + level: extended type: keyword ignore_above: 1024 - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - default_field: false + description: User email address. - name: full_name level: extended type: keyword 
@@ -40802,52 +14273,6 @@ description: Short name or login of the user. example: a.einstein default_field: false - - name: target.risk.calculated_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - default_field: false - - name: target.risk.calculated_score - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - default_field: false - - name: target.risk.calculated_score_norm - level: extended - type: float - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - default_field: false - - name: target.risk.static_level - level: extended - type: keyword - ignore_above: 1024 - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - default_field: false - - name: target.risk.static_score - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - default_field: false - - name: target.risk.static_score_norm - level: extended - type: float - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - default_field: false - name: target.roles level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 28d7a14325..3871df200a 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -37,21 +37,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 9.3.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. 9.3.0-dev,true,client,client.user.email,keyword,extended,,,User email address. -9.3.0-dev,true,client,client.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,client,client.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,client,client.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,client,client.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,client,client.user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,client,client.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,client,client.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,client,client.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,client,client.user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,client,client.user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,client,client.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,client,client.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
-9.3.0-dev,true,client,client.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,client,client.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,client,client.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,client,client.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
@@ -61,52 +46,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,client,client.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,client,client.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,client,client.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,client,client.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,client,client.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,client,client.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,client,client.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 9.3.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. 9.3.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. 9.3.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." 
-9.3.0-dev,true,cloud,cloud.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,cloud,cloud.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,cloud,cloud.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,cloud,cloud.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,cloud,cloud.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,cloud,cloud.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,cloud,cloud.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,cloud,cloud.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,cloud,cloud.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,cloud,cloud.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,cloud,cloud.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,cloud,cloud.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,cloud,cloud.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,cloud,cloud.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,cloud,cloud.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 
9.3.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. 9.3.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. 9.3.0-dev,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id. 9.3.0-dev,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name. 9.3.0-dev,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located." -9.3.0-dev,true,cloud,cloud.origin.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,cloud,cloud.origin.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,cloud,cloud.origin.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,cloud,cloud.origin.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,cloud,cloud.origin.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,cloud,cloud.origin.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,cloud,cloud.origin.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,cloud,cloud.origin.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,cloud,cloud.origin.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,cloud,cloud.origin.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,cloud,cloud.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 
-9.3.0-dev,true,cloud,cloud.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,cloud,cloud.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,cloud,cloud.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,cloud,cloud.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. 9.3.0-dev,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine. 9.3.0-dev,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. 
@@ -191,21 +140,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 9.3.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. 9.3.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -9.3.0-dev,true,destination,destination.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,destination,destination.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,destination,destination.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,destination,destination.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,destination,destination.user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,destination,destination.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,destination,destination.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,destination,destination.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,destination,destination.user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,destination,destination.user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,destination,destination.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 
-9.3.0-dev,true,destination,destination.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,destination,destination.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,destination,destination.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,destination,destination.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,destination,destination.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
@@ -215,12 +149,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,destination,destination.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,destination,destination.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,destination,destination.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,destination,destination.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,destination,destination.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,destination,destination.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 9.3.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device. 9.3.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. 
@@ -325,21 +253,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message.
 9.3.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient
 9.3.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email.
-9.3.0-dev,true,entity,entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,entity,entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,entity,entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,entity,entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,entity,entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,entity,entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,entity,entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,entity,entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,entity,entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,entity,entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
 9.3.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
 9.3.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
 9.3.0-dev,true,error,error.message,match_only_text,core,,,Error message.
@@ -738,42 +651,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
 9.3.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 9.3.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
-9.3.0-dev,true,process,process.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.attested_groups.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.attested_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.attested_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.attested_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.attested_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.attested_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.3.0-dev,true,process,process.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.attested_user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 9.3.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
 9.3.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
@@ -826,1295 +703,96 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
 9.3.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
 9.3.0-dev,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
-9.3.0-dev,true,process,process.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client.
 9.3.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
 9.3.0-dev,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 9.3.0-dev,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array.
-9.3.0-dev,true,process,process.entry_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.entry_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.entry_leader.attested_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.entry_leader.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.entry_leader.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.entry_leader.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.attested_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.entry_leader.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.entry_leader.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.entry_leader.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.entry_leader.attested_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.attested_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.entry_leader.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.entry_leader.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.entry_leader.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.entry_leader.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.entry_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.entry_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.entry_leader.attested_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.entry_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.entry_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.entry_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.entry_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-9.3.0-dev,true,process,process.entry_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-9.3.0-dev,true,process,process.entry_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-9.3.0-dev,true,process,process.entry_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
-9.3.0-dev,true,process,process.entry_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-9.3.0-dev,true,process,process.entry_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-9.3.0-dev,true,process,process.entry_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-9.3.0-dev,true,process,process.entry_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-9.3.0-dev,true,process,process.entry_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate.
-9.3.0-dev,true,process,process.entry_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-9.3.0-dev,true,process,process.entry_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-9.3.0-dev,true,process,process.entry_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 9.3.0-dev,true,process,process.entry_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 9.3.0-dev,true,process,process.entry_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-9.3.0-dev,true,process,process.entry_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-9.3.0-dev,true,process,process.entry_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-9.3.0-dev,true,process,process.entry_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-9.3.0-dev,true,process,process.entry_leader.elf.creation_date,date,extended,,,Build or compile date.
-9.3.0-dev,true,process,process.entry_leader.elf.exports,flattened,extended,array,,List of exported element names and types.
-9.3.0-dev,true,process,process.entry_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file.
-9.3.0-dev,true,process,process.entry_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types.
-9.3.0-dev,true,process,process.entry_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.entry_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.entry_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
-9.3.0-dev,true,process,process.entry_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-9.3.0-dev,true,process,process.entry_leader.elf.header.class,keyword,extended,,,Header class of the ELF file.
-9.3.0-dev,true,process,process.entry_leader.elf.header.data,keyword,extended,,,Data table of the ELF header.
-9.3.0-dev,true,process,process.entry_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-9.3.0-dev,true,process,process.entry_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-9.3.0-dev,true,process,process.entry_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-9.3.0-dev,true,process,process.entry_leader.elf.header.type,keyword,extended,,,Header type of the ELF file.
-9.3.0-dev,true,process,process.entry_leader.elf.header.version,keyword,extended,,,Version of the ELF header.
-9.3.0-dev,true,process,process.entry_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file.
-9.3.0-dev,true,process,process.entry_leader.elf.imports,flattened,extended,array,,List of imported element names and types.
-9.3.0-dev,true,process,process.entry_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.entry_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.entry_leader.elf.sections,nested,extended,array,,Section information of the ELF file.
-9.3.0-dev,true,process,process.entry_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-9.3.0-dev,true,process,process.entry_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.entry_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-9.3.0-dev,true,process,process.entry_leader.elf.sections.name,keyword,extended,,,ELF Section List name.
-9.3.0-dev,true,process,process.entry_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-9.3.0-dev,true,process,process.entry_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-9.3.0-dev,true,process,process.entry_leader.elf.sections.type,keyword,extended,,,ELF Section List type.
-9.3.0-dev,true,process,process.entry_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.entry_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-9.3.0-dev,true,process,process.entry_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-9.3.0-dev,true,process,process.entry_leader.elf.segments,nested,extended,array,,ELF object segment list.
-9.3.0-dev,true,process,process.entry_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-9.3.0-dev,true,process,process.entry_leader.elf.segments.type,keyword,extended,,,ELF object segment type.
-9.3.0-dev,true,process,process.entry_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-9.3.0-dev,true,process,process.entry_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-9.3.0-dev,true,process,process.entry_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
-9.3.0-dev,true,process,process.entry_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client.
 9.3.0-dev,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.address,keyword,extended,,,Source network address.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 9.3.0-dev,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.port,long,core,,,Port of the source.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain.
-9.3.0-dev,true,process,process.entry_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 9.3.0-dev,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader.
-9.3.0-dev,true,process,process.entry_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings.
 9.3.0-dev,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
 9.3.0-dev,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-9.3.0-dev,true,process,process.entry_leader.exit_code,long,extended,,137,The exit code of the process.
-9.3.0-dev,true,process,process.entry_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
-9.3.0-dev,true,process,process.entry_leader.hash.md5,keyword,extended,,,MD5 hash.
-9.3.0-dev,true,process,process.entry_leader.hash.sha1,keyword,extended,,,SHA1 hash.
-9.3.0-dev,true,process,process.entry_leader.hash.sha256,keyword,extended,,,SHA256 hash.
-9.3.0-dev,true,process,process.entry_leader.hash.sha384,keyword,extended,,,SHA384 hash.
-9.3.0-dev,true,process,process.entry_leader.hash.sha512,keyword,extended,,,SHA512 hash.
-9.3.0-dev,true,process,process.entry_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-9.3.0-dev,true,process,process.entry_leader.hash.tlsh,keyword,extended,,,TLSH hash.
 9.3.0-dev,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
-9.3.0-dev,true,process,process.entry_leader.io,object,extended,,,A chunk of input or output (IO) from a single process.
-9.3.0-dev,true,process,process.entry_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped.
-9.3.0-dev,true,process,process.entry_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped.
-9.3.0-dev,true,process,process.entry_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.
-9.3.0-dev,true,process,process.entry_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting."
-9.3.0-dev,true,process,process.entry_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8.
-9.3.0-dev,true,process,process.entry_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event.
-9.3.0-dev,true,process,process.entry_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits.
-9.3.0-dev,true,process,process.entry_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken.
-9.3.0-dev,true,process,process.entry_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file.
-9.3.0-dev,true,process,process.entry_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types.
-9.3.0-dev,true,process,process.entry_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.entry_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.entry_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
-9.3.0-dev,true,process,process.entry_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file.
-9.3.0-dev,true,process,process.entry_leader.macho.imports,flattened,extended,array,,List of imported element names and types.
-9.3.0-dev,true,process,process.entry_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.entry_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.entry_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file.
-9.3.0-dev,true,process,process.entry_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.entry_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name.
-9.3.0-dev,true,process,process.entry_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size.
-9.3.0-dev,true,process,process.entry_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.entry_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`.
-9.3.0-dev,true,process,process.entry_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
 9.3.0-dev,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name.
 9.3.0-dev,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name.
-9.3.0-dev,true,process,process.entry_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file.
-9.3.0-dev,true,process,process.entry_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted.
-9.3.0-dev,true,process,process.entry_leader.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
-9.3.0-dev,true,process,process.entry_leader.parent.args_count,long,extended,,4,Length of the process.args array.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_groups.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.parent.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.entry_leader.parent.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,process,process.entry_leader.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.3.0-dev,true,process,process.entry_leader.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.3.0-dev,true,process,process.entry_leader.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.3.0-dev,true,process,process.entry_leader.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.3.0-dev,true,process,process.entry_leader.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.3.0-dev,true,process,process.entry_leader.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.3.0-dev,true,process,process.entry_leader.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.3.0-dev,true,process,process.entry_leader.parent.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.3.0-dev,true,process,process.entry_leader.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.3.0-dev,true,process,process.entry_leader.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
-9.3.0-dev,true,process,process.entry_leader.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.3.0-dev,true,process,process.entry_leader.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.entry_leader.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.entry_leader.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.elf.creation_date,date,extended,,,Build or compile date. -9.3.0-dev,true,process,process.entry_leader.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.entry_leader.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.entry_leader.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-9.3.0-dev,true,process,process.entry_leader.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.3.0-dev,true,process,process.entry_leader.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.3.0-dev,true,process,process.entry_leader.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.3.0-dev,true,process,process.entry_leader.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.3.0-dev,true,process,process.entry_leader.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -9.3.0-dev,true,process,process.entry_leader.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
-9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.3.0-dev,true,process,process.entry_leader.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.3.0-dev,true,process,process.entry_leader.parent.elf.segments,nested,extended,array,,ELF object segment list. -9.3.0-dev,true,process,process.entry_leader.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.3.0-dev,true,process,process.entry_leader.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -9.3.0-dev,true,process,process.entry_leader.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.3.0-dev,true,process,process.entry_leader.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. 
-9.3.0-dev,true,process,process.entry_leader.parent.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 9.3.0-dev,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.address,keyword,extended,,,Source network address. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.ip,ip,core,,,IP address of the source. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.port,long,core,,,Port of the source. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.3.0-dev,true,process,process.entry_leader.parent.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. 
-9.3.0-dev,true,process,process.entry_leader.parent.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.3.0-dev,true,process,process.entry_leader.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.entry_leader.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.entry_leader.parent.exit_code,long,extended,,137,The exit code of the process. -9.3.0-dev,true,process,process.entry_leader.parent.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.entry_leader.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.entry_leader.parent.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.entry_leader.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.3.0-dev,true,process,process.entry_leader.parent.hash.md5,keyword,extended,,,MD5 hash. -9.3.0-dev,true,process,process.entry_leader.parent.hash.sha1,keyword,extended,,,SHA1 hash. -9.3.0-dev,true,process,process.entry_leader.parent.hash.sha256,keyword,extended,,,SHA256 hash. -9.3.0-dev,true,process,process.entry_leader.parent.hash.sha384,keyword,extended,,,SHA384 hash. -9.3.0-dev,true,process,process.entry_leader.parent.hash.sha512,keyword,extended,,,SHA512 hash. -9.3.0-dev,true,process,process.entry_leader.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.3.0-dev,true,process,process.entry_leader.parent.hash.tlsh,keyword,extended,,,TLSH hash. -9.3.0-dev,true,process,process.entry_leader.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. 
-9.3.0-dev,true,process,process.entry_leader.parent.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.3.0-dev,true,process,process.entry_leader.parent.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.3.0-dev,true,process,process.entry_leader.parent.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.3.0-dev,true,process,process.entry_leader.parent.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.3.0-dev,true,process,process.entry_leader.parent.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.3.0-dev,true,process,process.entry_leader.parent.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.3.0-dev,true,process,process.entry_leader.parent.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.3.0-dev,true,process,process.entry_leader.parent.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.3.0-dev,true,process,process.entry_leader.parent.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.3.0-dev,true,process,process.entry_leader.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.3.0-dev,true,process,process.entry_leader.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-9.3.0-dev,true,process,process.entry_leader.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.entry_leader.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.entry_leader.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.entry_leader.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.3.0-dev,true,process,process.entry_leader.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.entry_leader.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.3.0-dev,true,process,process.entry_leader.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.3.0-dev,true,process,process.entry_leader.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.entry_leader.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,process,process.entry_leader.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 
-9.3.0-dev,true,process,process.entry_leader.parent.name,keyword,extended,,ssh,Process name. -9.3.0-dev,true,process,process.entry_leader.parent.name.text,match_only_text,extended,,ssh,Process name. -9.3.0-dev,true,process,process.entry_leader.parent.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.3.0-dev,true,process,process.entry_leader.parent.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. -9.3.0-dev,true,process,process.entry_leader.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.3.0-dev,true,process,process.entry_leader.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.3.0-dev,true,process,process.entry_leader.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.3.0-dev,true,process,process.entry_leader.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.3.0-dev,true,process,process.entry_leader.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.3.0-dev,true,process,process.entry_leader.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.entry_leader.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.entry_leader.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-9.3.0-dev,true,process,process.entry_leader.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.entry_leader.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.entry_leader.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.3.0-dev,true,process,process.entry_leader.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.3.0-dev,true,process,process.entry_leader.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.3.0-dev,true,process,process.entry_leader.parent.pe.sections,nested,extended,array,,Section information of the PE file. -9.3.0-dev,true,process,process.entry_leader.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.entry_leader.parent.pe.sections.name,keyword,extended,,,PE Section List name. -9.3.0-dev,true,process,process.entry_leader.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.3.0-dev,true,process,process.entry_leader.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. 
-9.3.0-dev,true,process,process.entry_leader.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 9.3.0-dev,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. -9.3.0-dev,true,process,process.entry_leader.parent.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.3.0-dev,true,process,process.entry_leader.parent.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.entry_leader.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.entry_leader.parent.real_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.id,keyword,core,,,Unique identifier for the entity. 
-9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.entry_leader.parent.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.entry_leader.parent.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.3.0-dev,true,process,process.entry_leader.parent.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.entry_leader.parent.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.3.0-dev,true,process,process.entry_leader.parent.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.entry_leader.parent.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,process,process.entry_leader.parent.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.3.0-dev,true,process,process.entry_leader.parent.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.entry_leader.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.entry_leader.parent.saved_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
-9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-9.3.0-dev,true,process,process.entry_leader.parent.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.3.0-dev,true,process,process.entry_leader.parent.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.entry_leader.parent.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.args_count,long,extended,,4,Length of the process.args array. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_groups.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.creation_date,date,extended,,,Build or compile date. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.exports,flattened,extended,array,,List of exported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. 
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.header.version,keyword,extended,,,Version of the ELF header. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections,nested,extended,array,,Section information of the ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. 
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.name,keyword,extended,,,ELF Section List name. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.type,keyword,extended,,,ELF Section List type. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.segments,nested,extended,array,,ELF object segment list. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.segments.type,keyword,extended,,,ELF object segment type. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 
9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.address,keyword,extended,,,Source network address. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.port,long,core,,,Port of the source. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. 
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.exit_code,long,extended,,137,The exit code of the process. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.md5,keyword,extended,,,MD5 hash. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha1,keyword,extended,,,SHA1 hash. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha256,keyword,extended,,,SHA256 hash. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha384,keyword,extended,,,SHA384 hash. 
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.sha512,keyword,extended,,,SHA512 hash. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.hash.tlsh,keyword,extended,,,TLSH hash. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. 
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.name,keyword,extended,,ssh,Process name. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.name.text,match_only_text,extended,,ssh,Process name. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections,nested,extended,array,,Section information of the PE file.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.name,keyword,extended,,,PE Section List name.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
 9.3.0-dev,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.thread.id,long,extended,,4242,Thread ID.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.thread.name,keyword,extended,,thread-0,Thread name.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.title,keyword,extended,,,Process title.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.title.text,match_only_text,extended,,,Process title.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.tty,object,extended,,,Information about the controlling TTY device.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.uptime,long,extended,,1325,Seconds the process has been up.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-9.3.0-dev,true,process,process.entry_leader.parent.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
 9.3.0-dev,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-9.3.0-dev,true,process,process.entry_leader.parent.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.entry_leader.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.entry_leader.parent.supplemental_groups.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
-9.3.0-dev,true,process,process.entry_leader.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
-9.3.0-dev,true,process,process.entry_leader.parent.thread.id,long,extended,,4242,Thread ID.
-9.3.0-dev,true,process,process.entry_leader.parent.thread.name,keyword,extended,,thread-0,Thread name.
-9.3.0-dev,true,process,process.entry_leader.parent.title,keyword,extended,,,Process title.
-9.3.0-dev,true,process,process.entry_leader.parent.title.text,match_only_text,extended,,,Process title.
-9.3.0-dev,true,process,process.entry_leader.parent.tty,object,extended,,,Information about the controlling TTY device.
-9.3.0-dev,true,process,process.entry_leader.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number.
-9.3.0-dev,true,process,process.entry_leader.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
-9.3.0-dev,true,process,process.entry_leader.parent.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width
-9.3.0-dev,true,process,process.entry_leader.parent.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height
-9.3.0-dev,true,process,process.entry_leader.parent.uptime,long,extended,,1325,Seconds the process has been up.
-9.3.0-dev,true,process,process.entry_leader.parent.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.entry_leader.parent.user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.entry_leader.parent.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.entry_leader.parent.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.parent.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.parent.user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.entry_leader.parent.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.entry_leader.parent.user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.entry_leader.parent.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.entry_leader.parent.user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.entry_leader.parent.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.entry_leader.parent.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.entry_leader.parent.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.parent.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.parent.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.entry_leader.parent.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.entry_leader.parent.user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.parent.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.3.0-dev,true,process,process.entry_leader.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.entry_leader.parent.user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.entry_leader.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.entry_leader.parent.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.parent.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.parent.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.entry_leader.parent.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.parent.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.parent.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.entry_leader.parent.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id.
-9.3.0-dev,true,process,process.entry_leader.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-9.3.0-dev,true,process,process.entry_leader.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
-9.3.0-dev,true,process,process.entry_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-9.3.0-dev,true,process,process.entry_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-9.3.0-dev,true,process,process.entry_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-9.3.0-dev,true,process,process.entry_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-9.3.0-dev,true,process,process.entry_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file.
-9.3.0-dev,true,process,process.entry_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types.
-9.3.0-dev,true,process,process.entry_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.entry_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.entry_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
-9.3.0-dev,true,process,process.entry_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-9.3.0-dev,true,process,process.entry_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file.
-9.3.0-dev,true,process,process.entry_leader.pe.imports,flattened,extended,array,,List of imported element names and types.
-9.3.0-dev,true,process,process.entry_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.entry_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.entry_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-9.3.0-dev,true,process,process.entry_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections.
-9.3.0-dev,true,process,process.entry_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-9.3.0-dev,true,process,process.entry_leader.pe.sections,nested,extended,array,,Section information of the PE file.
-9.3.0-dev,true,process,process.entry_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.entry_leader.pe.sections.name,keyword,extended,,,PE Section List name.
-9.3.0-dev,true,process,process.entry_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size.
-9.3.0-dev,true,process,process.entry_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.entry_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
 9.3.0-dev,true,process,process.entry_leader.pid,long,core,,4242,Process id.
-9.3.0-dev,true,process,process.entry_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system.
-9.3.0-dev,true,process,process.entry_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.entry_leader.real_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.entry_leader.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.entry_leader.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.entry_leader.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.real_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.entry_leader.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.entry_leader.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.entry_leader.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.entry_leader.real_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.real_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.entry_leader.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.entry_leader.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.entry_leader.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.entry_leader.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.entry_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.entry_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.entry_leader.real_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.entry_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.entry_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.entry_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.entry_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process.
-9.3.0-dev,true,process,process.entry_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.entry_leader.saved_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.entry_leader.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.entry_leader.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.entry_leader.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.saved_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.entry_leader.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.entry_leader.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.entry_leader.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.entry_leader.saved_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.saved_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.entry_leader.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.entry_leader.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.entry_leader.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.entry_leader.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.entry_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.entry_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.entry_leader.saved_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.entry_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.entry_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.entry_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.entry_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-9.3.0-dev,true,process,process.entry_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
-9.3.0-dev,true,process,process.entry_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
-9.3.0-dev,true,process,process.entry_leader.thread.id,long,extended,,4242,Thread ID.
-9.3.0-dev,true,process,process.entry_leader.thread.name,keyword,extended,,thread-0,Thread name.
-9.3.0-dev,true,process,process.entry_leader.title,keyword,extended,,,Process title.
-9.3.0-dev,true,process,process.entry_leader.title.text,match_only_text,extended,,,Process title.
 9.3.0-dev,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device.
 9.3.0-dev,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number.
 9.3.0-dev,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
-9.3.0-dev,true,process,process.entry_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width
-9.3.0-dev,true,process,process.entry_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height
-9.3.0-dev,true,process,process.entry_leader.uptime,long,extended,,1325,Seconds the process has been up.
-9.3.0-dev,true,process,process.entry_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.entry_leader.user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.entry_leader.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.entry_leader.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.entry_leader.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.entry_leader.user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.entry_leader.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.entry_leader.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.entry_leader.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.entry_leader.user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.entry_leader.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.entry_leader.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.entry_leader.user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.entry_leader.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.entry_leader.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.entry_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.entry_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.entry_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.entry_leader.user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.entry_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.entry_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.entry_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.entry_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.entry_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.entry_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id.
 9.3.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process.
 9.3.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
-9.3.0-dev,true,process,process.entry_meta.source.address,keyword,extended,,,Source network address.
-9.3.0-dev,true,process,process.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-9.3.0-dev,true,process,process.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name.
-9.3.0-dev,true,process,process.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-9.3.0-dev,true,process,process.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination.
-9.3.0-dev,true,process,process.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source.
-9.3.0-dev,true,process,process.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name.
-9.3.0-dev,true,process,process.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code.
-9.3.0-dev,true,process,process.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent.
-9.3.0-dev,true,process,process.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-9.3.0-dev,true,process,process.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name.
-9.3.0-dev,true,process,process.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-9.3.0-dev,true,process,process.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-9.3.0-dev,true,process,process.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code.
-9.3.0-dev,true,process,process.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-9.3.0-dev,true,process,process.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name.
-9.3.0-dev,true,process,process.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-9.3.0-dev,true,process,process.entry_meta.source.ip,ip,core,,,IP address of the source.
-9.3.0-dev,true,process,process.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
-9.3.0-dev,true,process,process.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip
-9.3.0-dev,true,process,process.entry_meta.source.nat.port,long,extended,,,Source NAT port
-9.3.0-dev,true,process,process.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination.
-9.3.0-dev,true,process,process.entry_meta.source.port,long,core,,,Port of the source.
-9.3.0-dev,true,process,process.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-9.3.0-dev,true,process,process.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain.
-9.3.0-dev,true,process,process.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-9.3.0-dev,true,process,process.entry_meta.type,keyword,extended,,,The entry type for the entry session leader.
 9.3.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings.
 9.3.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
 9.3.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
 9.3.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process.
-9.3.0-dev,true,process,process.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.group.name,keyword,extended,,,Name of the group.
 9.3.0-dev,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 9.3.0-dev,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array.
-9.3.0-dev,true,process,process.group_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.group_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.group_leader.attested_groups.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.group_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.group_leader.attested_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.group_leader.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.group_leader.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.group_leader.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.group_leader.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.group_leader.attested_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.group_leader.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.group_leader.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.group_leader.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.group_leader.attested_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.group_leader.attested_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.group_leader.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.group_leader.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.group_leader.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.group_leader.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.group_leader.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.group_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.group_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.group_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.group_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.group_leader.attested_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.group_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.3.0-dev,true,process,process.group_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.group_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.group_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.group_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.group_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.group_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.group_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.group_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.group_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.group_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-9.3.0-dev,true,process,process.group_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-9.3.0-dev,true,process,process.group_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-9.3.0-dev,true,process,process.group_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
-9.3.0-dev,true,process,process.group_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-9.3.0-dev,true,process,process.group_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-9.3.0-dev,true,process,process.group_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-9.3.0-dev,true,process,process.group_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-9.3.0-dev,true,process,process.group_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate.
-9.3.0-dev,true,process,process.group_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-9.3.0-dev,true,process,process.group_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-9.3.0-dev,true,process,process.group_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 9.3.0-dev,true,process,process.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 9.3.0-dev,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-9.3.0-dev,true,process,process.group_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-9.3.0-dev,true,process,process.group_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-9.3.0-dev,true,process,process.group_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-9.3.0-dev,true,process,process.group_leader.elf.creation_date,date,extended,,,Build or compile date.
-9.3.0-dev,true,process,process.group_leader.elf.exports,flattened,extended,array,,List of exported element names and types.
-9.3.0-dev,true,process,process.group_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file.
-9.3.0-dev,true,process,process.group_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types.
-9.3.0-dev,true,process,process.group_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.group_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.group_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
-9.3.0-dev,true,process,process.group_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-9.3.0-dev,true,process,process.group_leader.elf.header.class,keyword,extended,,,Header class of the ELF file.
-9.3.0-dev,true,process,process.group_leader.elf.header.data,keyword,extended,,,Data table of the ELF header.
-9.3.0-dev,true,process,process.group_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-9.3.0-dev,true,process,process.group_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-9.3.0-dev,true,process,process.group_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-9.3.0-dev,true,process,process.group_leader.elf.header.type,keyword,extended,,,Header type of the ELF file.
-9.3.0-dev,true,process,process.group_leader.elf.header.version,keyword,extended,,,Version of the ELF header.
-9.3.0-dev,true,process,process.group_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file.
-9.3.0-dev,true,process,process.group_leader.elf.imports,flattened,extended,array,,List of imported element names and types.
-9.3.0-dev,true,process,process.group_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.group_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.group_leader.elf.sections,nested,extended,array,,Section information of the ELF file.
-9.3.0-dev,true,process,process.group_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-9.3.0-dev,true,process,process.group_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.group_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-9.3.0-dev,true,process,process.group_leader.elf.sections.name,keyword,extended,,,ELF Section List name.
-9.3.0-dev,true,process,process.group_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-9.3.0-dev,true,process,process.group_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-9.3.0-dev,true,process,process.group_leader.elf.sections.type,keyword,extended,,,ELF Section List type.
-9.3.0-dev,true,process,process.group_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.group_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-9.3.0-dev,true,process,process.group_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-9.3.0-dev,true,process,process.group_leader.elf.segments,nested,extended,array,,ELF object segment list.
-9.3.0-dev,true,process,process.group_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-9.3.0-dev,true,process,process.group_leader.elf.segments.type,keyword,extended,,,ELF object segment type.
-9.3.0-dev,true,process,process.group_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-9.3.0-dev,true,process,process.group_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-9.3.0-dev,true,process,process.group_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
-9.3.0-dev,true,process,process.group_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client.
 9.3.0-dev,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.address,keyword,extended,,,Source network address.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.ip,ip,core,,,IP address of the source.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.port,long,core,,,Port of the source.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain.
-9.3.0-dev,true,process,process.group_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-9.3.0-dev,true,process,process.group_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader.
-9.3.0-dev,true,process,process.group_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings.
 9.3.0-dev,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
 9.3.0-dev,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-9.3.0-dev,true,process,process.group_leader.exit_code,long,extended,,137,The exit code of the process.
-9.3.0-dev,true,process,process.group_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.group_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
-9.3.0-dev,true,process,process.group_leader.hash.md5,keyword,extended,,,MD5 hash.
-9.3.0-dev,true,process,process.group_leader.hash.sha1,keyword,extended,,,SHA1 hash.
-9.3.0-dev,true,process,process.group_leader.hash.sha256,keyword,extended,,,SHA256 hash.
-9.3.0-dev,true,process,process.group_leader.hash.sha384,keyword,extended,,,SHA384 hash.
-9.3.0-dev,true,process,process.group_leader.hash.sha512,keyword,extended,,,SHA512 hash.
-9.3.0-dev,true,process,process.group_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-9.3.0-dev,true,process,process.group_leader.hash.tlsh,keyword,extended,,,TLSH hash.
 9.3.0-dev,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
-9.3.0-dev,true,process,process.group_leader.io,object,extended,,,A chunk of input or output (IO) from a single process.
-9.3.0-dev,true,process,process.group_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped.
-9.3.0-dev,true,process,process.group_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped.
-9.3.0-dev,true,process,process.group_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.
-9.3.0-dev,true,process,process.group_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting."
-9.3.0-dev,true,process,process.group_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8.
-9.3.0-dev,true,process,process.group_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event.
-9.3.0-dev,true,process,process.group_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits.
-9.3.0-dev,true,process,process.group_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken.
-9.3.0-dev,true,process,process.group_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file.
-9.3.0-dev,true,process,process.group_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types.
-9.3.0-dev,true,process,process.group_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.group_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.group_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
-9.3.0-dev,true,process,process.group_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file.
-9.3.0-dev,true,process,process.group_leader.macho.imports,flattened,extended,array,,List of imported element names and types.
-9.3.0-dev,true,process,process.group_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.group_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.group_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file.
-9.3.0-dev,true,process,process.group_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.group_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name.
-9.3.0-dev,true,process,process.group_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size.
-9.3.0-dev,true,process,process.group_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.group_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`.
-9.3.0-dev,true,process,process.group_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
 9.3.0-dev,true,process,process.group_leader.name,keyword,extended,,ssh,Process name.
 9.3.0-dev,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name.
-9.3.0-dev,true,process,process.group_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file.
-9.3.0-dev,true,process,process.group_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted.
-9.3.0-dev,true,process,process.group_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
-9.3.0-dev,true,process,process.group_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
-9.3.0-dev,true,process,process.group_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
-9.3.0-dev,true,process,process.group_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
-9.3.0-dev,true,process,process.group_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file.
-9.3.0-dev,true,process,process.group_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types.
-9.3.0-dev,true,process,process.group_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.group_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.group_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
-9.3.0-dev,true,process,process.group_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-9.3.0-dev,true,process,process.group_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file.
-9.3.0-dev,true,process,process.group_leader.pe.imports,flattened,extended,array,,List of imported element names and types.
-9.3.0-dev,true,process,process.group_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.group_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.group_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
-9.3.0-dev,true,process,process.group_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections.
-9.3.0-dev,true,process,process.group_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
-9.3.0-dev,true,process,process.group_leader.pe.sections,nested,extended,array,,Section information of the PE file.
-9.3.0-dev,true,process,process.group_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.group_leader.pe.sections.name,keyword,extended,,,PE Section List name.
-9.3.0-dev,true,process,process.group_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size.
-9.3.0-dev,true,process,process.group_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.group_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
 9.3.0-dev,true,process,process.group_leader.pid,long,core,,4242,Process id.
-9.3.0-dev,true,process,process.group_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system.
-9.3.0-dev,true,process,process.group_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.group_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.group_leader.real_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.group_leader.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.group_leader.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.group_leader.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.group_leader.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.group_leader.real_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.group_leader.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.group_leader.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.group_leader.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.group_leader.real_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.group_leader.real_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.group_leader.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.group_leader.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.group_leader.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.group_leader.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.group_leader.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.group_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.group_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.group_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.group_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.group_leader.real_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.group_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.group_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.group_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.group_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.group_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.group_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.group_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.group_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process.
-9.3.0-dev,true,process,process.group_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.group_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.group_leader.saved_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.group_leader.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.group_leader.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.group_leader.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.group_leader.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.group_leader.saved_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.group_leader.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.group_leader.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.group_leader.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.group_leader.saved_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.group_leader.saved_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.group_leader.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.group_leader.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.group_leader.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.group_leader.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.group_leader.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.group_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.group_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.group_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.group_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.group_leader.saved_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.group_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.group_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.group_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.group_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.group_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.group_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.group_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.group_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-9.3.0-dev,true,process,process.group_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.group_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
-9.3.0-dev,true,process,process.group_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
-9.3.0-dev,true,process,process.group_leader.thread.id,long,extended,,4242,Thread ID.
-9.3.0-dev,true,process,process.group_leader.thread.name,keyword,extended,,thread-0,Thread name.
-9.3.0-dev,true,process,process.group_leader.title,keyword,extended,,,Process title.
-9.3.0-dev,true,process,process.group_leader.title.text,match_only_text,extended,,,Process title.
 9.3.0-dev,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device.
 9.3.0-dev,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number.
 9.3.0-dev,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
-9.3.0-dev,true,process,process.group_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width
-9.3.0-dev,true,process,process.group_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height
-9.3.0-dev,true,process,process.group_leader.uptime,long,extended,,1325,Seconds the process has been up.
-9.3.0-dev,true,process,process.group_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.group_leader.user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.group_leader.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.group_leader.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.group_leader.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.group_leader.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.group_leader.user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.group_leader.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.group_leader.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.group_leader.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.group_leader.user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.group_leader.user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.group_leader.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.group_leader.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.group_leader.user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.group_leader.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.group_leader.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.group_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.group_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.group_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.group_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.group_leader.user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.group_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.group_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.group_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.group_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.group_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.group_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.group_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.group_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id.
 9.3.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process.
 9.3.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
@@ -2154,46 +832,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 9.3.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. 9.3.0-dev,true,process,process.name.text,match_only_text,extended,,ssh,Process name. -9.3.0-dev,true,process,process.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.3.0-dev,true,process,process.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. 9.3.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 9.3.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -9.3.0-dev,true,process,process.parent.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.parent.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.parent.attested_groups.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.parent.attested_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.parent.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.parent.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 
-9.3.0-dev,true,process,process.parent.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.parent.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.parent.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.parent.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.parent.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.parent.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.parent.attested_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.parent.attested_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.parent.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.parent.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.parent.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.parent.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.parent.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
-9.3.0-dev,true,process,process.parent.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.parent.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.parent.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.parent.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.parent.attested_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.parent.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.parent.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.parent.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.parent.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.parent.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.parent.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.parent.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.3.0-dev,true,process,process.parent.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.parent.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.parent.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 9.3.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 9.3.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 
@@ -2246,356 +886,16 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 9.3.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 9.3.0-dev,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.3.0-dev,true,process,process.parent.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 9.3.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.3.0-dev,true,process,process.parent.entry_meta.source.address,keyword,extended,,,Source network address. -9.3.0-dev,true,process,process.parent.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.3.0-dev,true,process,process.parent.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.3.0-dev,true,process,process.parent.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.3.0-dev,true,process,process.parent.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.3.0-dev,true,process,process.parent.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.3.0-dev,true,process,process.parent.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.3.0-dev,true,process,process.parent.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.3.0-dev,true,process,process.parent.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.3.0-dev,true,process,process.parent.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
-9.3.0-dev,true,process,process.parent.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. -9.3.0-dev,true,process,process.parent.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.3.0-dev,true,process,process.parent.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.3.0-dev,true,process,process.parent.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.3.0-dev,true,process,process.parent.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.3.0-dev,true,process,process.parent.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.3.0-dev,true,process,process.parent.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.3.0-dev,true,process,process.parent.entry_meta.source.ip,ip,core,,,IP address of the source. -9.3.0-dev,true,process,process.parent.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.3.0-dev,true,process,process.parent.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.3.0-dev,true,process,process.parent.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.3.0-dev,true,process,process.parent.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.3.0-dev,true,process,process.parent.entry_meta.source.port,long,core,,,Port of the source. -9.3.0-dev,true,process,process.parent.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.3.0-dev,true,process,process.parent.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.3.0-dev,true,process,process.parent.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
-9.3.0-dev,true,process,process.parent.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.3.0-dev,true,process,process.parent.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 9.3.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 9.3.0-dev,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 9.3.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -9.3.0-dev,true,process,process.parent.group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.parent.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.3.0-dev,true,process,process.parent.group_leader.args_count,long,extended,,4,Length of the process.args array. -9.3.0-dev,true,process,process.parent.group_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.parent.group_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.parent.group_leader.attested_groups.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.email,keyword,extended,,,User email address. 
-9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
-9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.parent.group_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.parent.group_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-9.3.0-dev,true,process,process.parent.group_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.parent.group_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.parent.group_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.parent.group_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,process,process.parent.group_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.3.0-dev,true,process,process.parent.group_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
-9.3.0-dev,true,process,process.parent.group_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.3.0-dev,true,process,process.parent.group_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.3.0-dev,true,process,process.parent.group_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.3.0-dev,true,process,process.parent.group_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.3.0-dev,true,process,process.parent.group_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.3.0-dev,true,process,process.parent.group_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.3.0-dev,true,process,process.parent.group_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.3.0-dev,true,process,process.parent.group_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.3.0-dev,true,process,process.parent.group_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.3.0-dev,true,process,process.parent.group_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.parent.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.parent.group_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. 
-9.3.0-dev,true,process,process.parent.group_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.3.0-dev,true,process,process.parent.group_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.3.0-dev,true,process,process.parent.group_leader.elf.creation_date,date,extended,,,Build or compile date. -9.3.0-dev,true,process,process.parent.group_leader.elf.exports,flattened,extended,array,,List of exported element names and types. -9.3.0-dev,true,process,process.parent.group_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.3.0-dev,true,process,process.parent.group_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.parent.group_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.parent.group_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.parent.group_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.parent.group_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.3.0-dev,true,process,process.parent.group_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.3.0-dev,true,process,process.parent.group_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.3.0-dev,true,process,process.parent.group_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.3.0-dev,true,process,process.parent.group_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
-9.3.0-dev,true,process,process.parent.group_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.3.0-dev,true,process,process.parent.group_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.3.0-dev,true,process,process.parent.group_leader.elf.header.version,keyword,extended,,,Version of the ELF header. -9.3.0-dev,true,process,process.parent.group_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.3.0-dev,true,process,process.parent.group_leader.elf.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.parent.group_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.parent.group_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.parent.group_leader.elf.sections,nested,extended,array,,Section information of the ELF file. -9.3.0-dev,true,process,process.parent.group_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.3.0-dev,true,process,process.parent.group_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.parent.group_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.3.0-dev,true,process,process.parent.group_leader.elf.sections.name,keyword,extended,,,ELF Section List name. -9.3.0-dev,true,process,process.parent.group_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.3.0-dev,true,process,process.parent.group_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. 
-9.3.0-dev,true,process,process.parent.group_leader.elf.sections.type,keyword,extended,,,ELF Section List type. -9.3.0-dev,true,process,process.parent.group_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.parent.group_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.3.0-dev,true,process,process.parent.group_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.3.0-dev,true,process,process.parent.group_leader.elf.segments,nested,extended,array,,ELF object segment list. -9.3.0-dev,true,process,process.parent.group_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.3.0-dev,true,process,process.parent.group_leader.elf.segments.type,keyword,extended,,,ELF object segment type. -9.3.0-dev,true,process,process.parent.group_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.3.0-dev,true,process,process.parent.group_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.3.0-dev,true,process,process.parent.group_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.3.0-dev,true,process,process.parent.group_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 9.3.0-dev,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.address,keyword,extended,,,Source network address. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. 
-9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.ip,ip,core,,,IP address of the source. 
-9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.port,long,core,,,Port of the source. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.3.0-dev,true,process,process.parent.group_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.3.0-dev,true,process,process.parent.group_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.3.0-dev,true,process,process.parent.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.parent.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.parent.group_leader.exit_code,long,extended,,137,The exit code of the process. -9.3.0-dev,true,process,process.parent.group_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.3.0-dev,true,process,process.parent.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.parent.group_leader.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.group_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.3.0-dev,true,process,process.parent.group_leader.hash.md5,keyword,extended,,,MD5 hash. -9.3.0-dev,true,process,process.parent.group_leader.hash.sha1,keyword,extended,,,SHA1 hash. -9.3.0-dev,true,process,process.parent.group_leader.hash.sha256,keyword,extended,,,SHA256 hash. -9.3.0-dev,true,process,process.parent.group_leader.hash.sha384,keyword,extended,,,SHA384 hash. -9.3.0-dev,true,process,process.parent.group_leader.hash.sha512,keyword,extended,,,SHA512 hash. -9.3.0-dev,true,process,process.parent.group_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.3.0-dev,true,process,process.parent.group_leader.hash.tlsh,keyword,extended,,,TLSH hash. -9.3.0-dev,true,process,process.parent.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.3.0-dev,true,process,process.parent.group_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.3.0-dev,true,process,process.parent.group_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.3.0-dev,true,process,process.parent.group_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.3.0-dev,true,process,process.parent.group_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 
-9.3.0-dev,true,process,process.parent.group_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.3.0-dev,true,process,process.parent.group_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.3.0-dev,true,process,process.parent.group_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.3.0-dev,true,process,process.parent.group_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.3.0-dev,true,process,process.parent.group_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.3.0-dev,true,process,process.parent.group_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.3.0-dev,true,process,process.parent.group_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.parent.group_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.parent.group_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.parent.group_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.parent.group_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.parent.group_leader.macho.imports,flattened,extended,array,,List of imported element names and types. 
-9.3.0-dev,true,process,process.parent.group_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.parent.group_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.parent.group_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.3.0-dev,true,process,process.parent.group_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.parent.group_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.3.0-dev,true,process,process.parent.group_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.3.0-dev,true,process,process.parent.group_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.parent.group_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,process,process.parent.group_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.parent.group_leader.name,keyword,extended,,ssh,Process name. -9.3.0-dev,true,process,process.parent.group_leader.name.text,match_only_text,extended,,ssh,Process name. -9.3.0-dev,true,process,process.parent.group_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.3.0-dev,true,process,process.parent.group_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. 
-9.3.0-dev,true,process,process.parent.group_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.3.0-dev,true,process,process.parent.group_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.3.0-dev,true,process,process.parent.group_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.3.0-dev,true,process,process.parent.group_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.3.0-dev,true,process,process.parent.group_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.3.0-dev,true,process,process.parent.group_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.parent.group_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.parent.group_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.parent.group_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.parent.group_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.parent.group_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.parent.group_leader.pe.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.parent.group_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-9.3.0-dev,true,process,process.parent.group_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.parent.group_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.3.0-dev,true,process,process.parent.group_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.3.0-dev,true,process,process.parent.group_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.3.0-dev,true,process,process.parent.group_leader.pe.sections,nested,extended,array,,Section information of the PE file. -9.3.0-dev,true,process,process.parent.group_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.parent.group_leader.pe.sections.name,keyword,extended,,,PE Section List name. -9.3.0-dev,true,process,process.parent.group_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.3.0-dev,true,process,process.parent.group_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.parent.group_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 9.3.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. -9.3.0-dev,true,process,process.parent.group_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.3.0-dev,true,process,process.parent.group_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.3.0-dev,true,process,process.parent.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.parent.group_leader.real_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.group_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.parent.group_leader.real_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.name,keyword,core,,,The name of the entity. 
-9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.parent.group_leader.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.parent.group_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.parent.group_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.parent.group_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.parent.group_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.parent.group_leader.real_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.group_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.parent.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-9.3.0-dev,true,process,process.parent.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.parent.group_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.parent.group_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.parent.group_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.parent.group_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.parent.group_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.parent.group_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.parent.group_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.parent.group_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,process,process.parent.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.3.0-dev,true,process,process.parent.group_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.3.0-dev,true,process,process.parent.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.parent.group_leader.saved_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.name,keyword,core,,,The name of the entity. 
-9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.parent.group_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.parent.group_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-9.3.0-dev,true,process,process.parent.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.parent.group_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.parent.group_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.parent.group_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.3.0-dev,true,process,process.parent.group_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.3.0-dev,true,process,process.parent.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.parent.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.group_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.3.0-dev,true,process,process.parent.group_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.3.0-dev,true,process,process.parent.group_leader.thread.id,long,extended,,4242,Thread ID. -9.3.0-dev,true,process,process.parent.group_leader.thread.name,keyword,extended,,thread-0,Thread name. -9.3.0-dev,true,process,process.parent.group_leader.title,keyword,extended,,,Process title. -9.3.0-dev,true,process,process.parent.group_leader.title.text,match_only_text,extended,,,Process title. -9.3.0-dev,true,process,process.parent.group_leader.tty,object,extended,,,Information about the controlling TTY device. -9.3.0-dev,true,process,process.parent.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.3.0-dev,true,process,process.parent.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.3.0-dev,true,process,process.parent.group_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.3.0-dev,true,process,process.parent.group_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.3.0-dev,true,process,process.parent.group_leader.uptime,long,extended,,1325,Seconds the process has been up. -9.3.0-dev,true,process,process.parent.group_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. 
-9.3.0-dev,true,process,process.parent.group_leader.user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.parent.group_leader.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.parent.group_leader.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.parent.group_leader.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.parent.group_leader.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.parent.group_leader.user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.parent.group_leader.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.parent.group_leader.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.parent.group_leader.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.parent.group_leader.user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.parent.group_leader.user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.parent.group_leader.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.parent.group_leader.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
-9.3.0-dev,true,process,process.parent.group_leader.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.parent.group_leader.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.parent.group_leader.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.parent.group_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.parent.group_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.parent.group_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.parent.group_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.parent.group_leader.user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.parent.group_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.parent.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.parent.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.parent.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.parent.group_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-9.3.0-dev,true,process,process.parent.group_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.parent.group_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.parent.group_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.parent.group_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.parent.group_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.parent.group_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. -9.3.0-dev,true,process,process.parent.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.3.0-dev,true,process,process.parent.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 9.3.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 9.3.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. 9.3.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 
@@ -2605,15 +905,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. 9.3.0-dev,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. 9.3.0-dev,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.3.0-dev,true,process,process.parent.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.3.0-dev,true,process,process.parent.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.3.0-dev,true,process,process.parent.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.3.0-dev,true,process,process.parent.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.3.0-dev,true,process,process.parent.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.3.0-dev,true,process,process.parent.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.3.0-dev,true,process,process.parent.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.3.0-dev,true,process,process.parent.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.3.0-dev,true,process,process.parent.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. 9.3.0-dev,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. 
9.3.0-dev,true,process,process.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. 9.3.0-dev,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. @@ -2632,8 +923,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 9.3.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. 9.3.0-dev,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. -9.3.0-dev,true,process,process.parent.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.3.0-dev,true,process,process.parent.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. 9.3.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 9.3.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 9.3.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
@@ -2658,82 +947,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
 9.3.0-dev,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
 9.3.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
-9.3.0-dev,true,process,process.parent.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system.
-9.3.0-dev,true,process,process.parent.real_group.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.parent.real_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.parent.real_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.parent.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.parent.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.parent.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.parent.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.parent.real_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.parent.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.parent.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.parent.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.parent.real_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.parent.real_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.parent.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.parent.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.parent.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.parent.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.parent.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.parent.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.parent.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.parent.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.parent.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.parent.real_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.parent.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.parent.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.parent.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.parent.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.parent.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.parent.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.parent.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.parent.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-9.3.0-dev,true,process,process.parent.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process.
-9.3.0-dev,true,process,process.parent.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.parent.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.parent.saved_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.parent.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.parent.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.parent.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.parent.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.parent.saved_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.parent.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.parent.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.parent.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.parent.saved_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.parent.saved_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.parent.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.parent.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.parent.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.parent.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.parent.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.parent.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.parent.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.parent.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.parent.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.parent.saved_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.parent.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
9.3.0-dev,true,process,process.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.parent.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.parent.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.parent.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.parent.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.parent.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.parent.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.parent.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-9.3.0-dev,true,process,process.parent.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group.
9.3.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. 
@@ -2745,42 +969,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device.
 9.3.0-dev,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number.
 9.3.0-dev,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
-9.3.0-dev,true,process,process.parent.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width
-9.3.0-dev,true,process,process.parent.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height
 9.3.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
-9.3.0-dev,true,process,process.parent.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.parent.user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.parent.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.parent.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.parent.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.parent.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.parent.user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.parent.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.parent.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.parent.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.parent.user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.parent.user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.parent.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.parent.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.parent.user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.parent.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.parent.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.parent.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.parent.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.parent.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.parent.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.parent.user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.parent.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.parent.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.parent.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.parent.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.parent.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.parent.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.parent.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.parent.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.parent.vpid,long,core,,4242,Virtual process id.
 9.3.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
9.3.0-dev,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
@@ -2808,1652 +1000,65 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.3.0-dev,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
 9.3.0-dev,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
 9.3.0-dev,true,process,process.pid,long,core,,4242,Process id.
-9.3.0-dev,true,process,process.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system.
 9.3.0-dev,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 9.3.0-dev,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array.
-9.3.0-dev,true,process,process.previous.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.previous.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.previous.attested_groups.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.previous.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.previous.attested_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.previous.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.previous.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.previous.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.previous.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.previous.attested_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.previous.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.previous.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.previous.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.previous.attested_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.previous.attested_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.previous.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.previous.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.previous.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.previous.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.previous.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.previous.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.previous.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.previous.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.previous.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.previous.attested_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.previous.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.3.0-dev,true,process,process.previous.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.previous.attested_user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.previous.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.previous.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.previous.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.previous.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.previous.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.previous.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.previous.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.previous.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-9.3.0-dev,true,process,process.previous.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-9.3.0-dev,true,process,process.previous.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-9.3.0-dev,true,process,process.previous.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
-9.3.0-dev,true,process,process.previous.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-9.3.0-dev,true,process,process.previous.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-9.3.0-dev,true,process,process.previous.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-9.3.0-dev,true,process,process.previous.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-9.3.0-dev,true,process,process.previous.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate.
-9.3.0-dev,true,process,process.previous.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-9.3.0-dev,true,process,process.previous.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-9.3.0-dev,true,process,process.previous.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
-9.3.0-dev,true,process,process.previous.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-9.3.0-dev,true,process,process.previous.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-9.3.0-dev,true,process,process.previous.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-9.3.0-dev,true,process,process.previous.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-9.3.0-dev,true,process,process.previous.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-9.3.0-dev,true,process,process.previous.elf.creation_date,date,extended,,,Build or compile date.
-9.3.0-dev,true,process,process.previous.elf.exports,flattened,extended,array,,List of exported element names and types.
-9.3.0-dev,true,process,process.previous.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file.
-9.3.0-dev,true,process,process.previous.elf.go_imports,flattened,extended,,,List of imported Go language element names and types.
-9.3.0-dev,true,process,process.previous.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.previous.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.previous.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
-9.3.0-dev,true,process,process.previous.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-9.3.0-dev,true,process,process.previous.elf.header.class,keyword,extended,,,Header class of the ELF file.
-9.3.0-dev,true,process,process.previous.elf.header.data,keyword,extended,,,Data table of the ELF header.
-9.3.0-dev,true,process,process.previous.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-9.3.0-dev,true,process,process.previous.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-9.3.0-dev,true,process,process.previous.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-9.3.0-dev,true,process,process.previous.elf.header.type,keyword,extended,,,Header type of the ELF file.
-9.3.0-dev,true,process,process.previous.elf.header.version,keyword,extended,,,Version of the ELF header.
-9.3.0-dev,true,process,process.previous.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file.
-9.3.0-dev,true,process,process.previous.elf.imports,flattened,extended,array,,List of imported element names and types.
-9.3.0-dev,true,process,process.previous.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.previous.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.previous.elf.sections,nested,extended,array,,Section information of the ELF file.
-9.3.0-dev,true,process,process.previous.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-9.3.0-dev,true,process,process.previous.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.previous.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-9.3.0-dev,true,process,process.previous.elf.sections.name,keyword,extended,,,ELF Section List name.
-9.3.0-dev,true,process,process.previous.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-9.3.0-dev,true,process,process.previous.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-9.3.0-dev,true,process,process.previous.elf.sections.type,keyword,extended,,,ELF Section List type.
-9.3.0-dev,true,process,process.previous.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.previous.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-9.3.0-dev,true,process,process.previous.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-9.3.0-dev,true,process,process.previous.elf.segments,nested,extended,array,,ELF object segment list.
-9.3.0-dev,true,process,process.previous.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-9.3.0-dev,true,process,process.previous.elf.segments.type,keyword,extended,,,ELF object segment type.
-9.3.0-dev,true,process,process.previous.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-9.3.0-dev,true,process,process.previous.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-9.3.0-dev,true,process,process.previous.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
-9.3.0-dev,true,process,process.previous.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client.
-9.3.0-dev,true,process,process.previous.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-9.3.0-dev,true,process,process.previous.entry_meta.source.address,keyword,extended,,,Source network address.
-9.3.0-dev,true,process,process.previous.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-9.3.0-dev,true,process,process.previous.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name.
-9.3.0-dev,true,process,process.previous.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-9.3.0-dev,true,process,process.previous.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination.
-9.3.0-dev,true,process,process.previous.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source.
-9.3.0-dev,true,process,process.previous.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name.
-9.3.0-dev,true,process,process.previous.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code.
-9.3.0-dev,true,process,process.previous.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent.
-9.3.0-dev,true,process,process.previous.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-9.3.0-dev,true,process,process.previous.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name.
-9.3.0-dev,true,process,process.previous.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-9.3.0-dev,true,process,process.previous.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-9.3.0-dev,true,process,process.previous.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code.
-9.3.0-dev,true,process,process.previous.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-9.3.0-dev,true,process,process.previous.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name.
-9.3.0-dev,true,process,process.previous.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-9.3.0-dev,true,process,process.previous.entry_meta.source.ip,ip,core,,,IP address of the source.
-9.3.0-dev,true,process,process.previous.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.3.0-dev,true,process,process.previous.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.3.0-dev,true,process,process.previous.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.3.0-dev,true,process,process.previous.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.3.0-dev,true,process,process.previous.entry_meta.source.port,long,core,,,Port of the source. -9.3.0-dev,true,process,process.previous.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.3.0-dev,true,process,process.previous.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.3.0-dev,true,process,process.previous.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.3.0-dev,true,process,process.previous.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.3.0-dev,true,process,process.previous.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 9.3.0-dev,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 9.3.0-dev,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.previous.exit_code,long,extended,,137,The exit code of the process. -9.3.0-dev,true,process,process.previous.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.previous.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.previous.group.name,keyword,extended,,,Name of the group. 
-9.3.0-dev,true,process,process.previous.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.3.0-dev,true,process,process.previous.hash.md5,keyword,extended,,,MD5 hash. -9.3.0-dev,true,process,process.previous.hash.sha1,keyword,extended,,,SHA1 hash. -9.3.0-dev,true,process,process.previous.hash.sha256,keyword,extended,,,SHA256 hash. -9.3.0-dev,true,process,process.previous.hash.sha384,keyword,extended,,,SHA384 hash. -9.3.0-dev,true,process,process.previous.hash.sha512,keyword,extended,,,SHA512 hash. -9.3.0-dev,true,process,process.previous.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.3.0-dev,true,process,process.previous.hash.tlsh,keyword,extended,,,TLSH hash. -9.3.0-dev,true,process,process.previous.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.3.0-dev,true,process,process.previous.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.3.0-dev,true,process,process.previous.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.3.0-dev,true,process,process.previous.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.3.0-dev,true,process,process.previous.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.3.0-dev,true,process,process.previous.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.3.0-dev,true,process,process.previous.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.3.0-dev,true,process,process.previous.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. 
-9.3.0-dev,true,process,process.previous.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.3.0-dev,true,process,process.previous.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.3.0-dev,true,process,process.previous.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.3.0-dev,true,process,process.previous.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.previous.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.previous.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.previous.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.previous.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.previous.macho.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.previous.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.previous.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.previous.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.3.0-dev,true,process,process.previous.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
-9.3.0-dev,true,process,process.previous.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.3.0-dev,true,process,process.previous.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.3.0-dev,true,process,process.previous.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.previous.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,process,process.previous.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.previous.name,keyword,extended,,ssh,Process name. -9.3.0-dev,true,process,process.previous.name.text,match_only_text,extended,,ssh,Process name. -9.3.0-dev,true,process,process.previous.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.3.0-dev,true,process,process.previous.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. -9.3.0-dev,true,process,process.previous.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.3.0-dev,true,process,process.previous.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.3.0-dev,true,process,process.previous.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.3.0-dev,true,process,process.previous.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.3.0-dev,true,process,process.previous.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 
-9.3.0-dev,true,process,process.previous.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.previous.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.previous.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.previous.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.previous.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.previous.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.previous.pe.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.previous.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.previous.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.previous.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.3.0-dev,true,process,process.previous.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.3.0-dev,true,process,process.previous.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.3.0-dev,true,process,process.previous.pe.sections,nested,extended,array,,Section information of the PE file. 
-9.3.0-dev,true,process,process.previous.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.previous.pe.sections.name,keyword,extended,,,PE Section List name. -9.3.0-dev,true,process,process.previous.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.3.0-dev,true,process,process.previous.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.previous.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,process,process.previous.pid,long,core,,4242,Process id. -9.3.0-dev,true,process,process.previous.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.3.0-dev,true,process,process.previous.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.previous.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.previous.real_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.previous.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.previous.real_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.previous.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.previous.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.previous.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
-9.3.0-dev,true,process,process.previous.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.previous.real_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.previous.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.previous.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.previous.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.previous.real_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.previous.real_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.previous.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.previous.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.previous.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.previous.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.previous.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.previous.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.previous.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-9.3.0-dev,true,process,process.previous.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.previous.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.previous.real_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.previous.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.previous.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.previous.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.previous.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.previous.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.previous.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.previous.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.previous.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.previous.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.3.0-dev,true,process,process.previous.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.previous.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,process,process.previous.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.3.0-dev,true,process,process.previous.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.previous.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.previous.saved_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.previous.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.previous.saved_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.previous.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.previous.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.previous.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.previous.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.previous.saved_user.entity.id,keyword,core,,,Unique identifier for the entity. 
-9.3.0-dev,true,process,process.previous.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.previous.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.previous.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.previous.saved_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.previous.saved_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.previous.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.previous.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.previous.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.previous.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.previous.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.previous.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.previous.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.previous.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.previous.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-9.3.0-dev,true,process,process.previous.saved_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.previous.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.previous.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.previous.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.previous.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.previous.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.previous.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.previous.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.previous.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.previous.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.previous.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.previous.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
-9.3.0-dev,true,process,process.previous.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.3.0-dev,true,process,process.previous.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.previous.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.previous.supplemental_groups.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.previous.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.3.0-dev,true,process,process.previous.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.3.0-dev,true,process,process.previous.thread.id,long,extended,,4242,Thread ID. -9.3.0-dev,true,process,process.previous.thread.name,keyword,extended,,thread-0,Thread name. -9.3.0-dev,true,process,process.previous.title,keyword,extended,,,Process title. -9.3.0-dev,true,process,process.previous.title.text,match_only_text,extended,,,Process title. -9.3.0-dev,true,process,process.previous.tty,object,extended,,,Information about the controlling TTY device. -9.3.0-dev,true,process,process.previous.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.3.0-dev,true,process,process.previous.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.3.0-dev,true,process,process.previous.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.3.0-dev,true,process,process.previous.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.3.0-dev,true,process,process.previous.uptime,long,extended,,1325,Seconds the process has been up. 
-9.3.0-dev,true,process,process.previous.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.previous.user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.previous.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.previous.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.previous.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.previous.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.previous.user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.previous.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.previous.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.previous.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.previous.user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.previous.user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.previous.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.previous.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
-9.3.0-dev,true,process,process.previous.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.previous.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.previous.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.previous.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.previous.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.previous.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.previous.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.previous.user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.previous.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.previous.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.previous.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.previous.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.previous.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.previous.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. 
-9.3.0-dev,true,process,process.previous.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.previous.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.previous.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.previous.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.previous.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,process,process.previous.vpid,long,core,,4242,Virtual process id. -9.3.0-dev,true,process,process.previous.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.3.0-dev,true,process,process.previous.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.3.0-dev,true,process,process.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.real_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.real_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 
-9.3.0-dev,true,process,process.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.real_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.real_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.real_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
-9.3.0-dev,true,process,process.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.real_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 9.3.0-dev,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,process,process.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.3.0-dev,true,process,process.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,process,process.responsible.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.3.0-dev,true,process,process.responsible.args_count,long,extended,,4,Length of the process.args array. -9.3.0-dev,true,process,process.responsible.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.responsible.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.responsible.attested_groups.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.responsible.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.responsible.attested_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.responsible.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.responsible.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.responsible.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
-9.3.0-dev,true,process,process.responsible.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.responsible.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.responsible.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.responsible.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.responsible.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.responsible.attested_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.responsible.attested_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.responsible.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.responsible.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.responsible.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.responsible.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.responsible.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.responsible.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-9.3.0-dev,true,process,process.responsible.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.responsible.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.responsible.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.responsible.attested_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.responsible.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.responsible.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.responsible.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.responsible.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.responsible.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.responsible.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.responsible.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.responsible.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.3.0-dev,true,process,process.responsible.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.responsible.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.responsible.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,process,process.responsible.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. -9.3.0-dev,true,process,process.responsible.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.3.0-dev,true,process,process.responsible.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.3.0-dev,true,process,process.responsible.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.3.0-dev,true,process,process.responsible.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.3.0-dev,true,process,process.responsible.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.3.0-dev,true,process,process.responsible.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.3.0-dev,true,process,process.responsible.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.3.0-dev,true,process,process.responsible.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
-9.3.0-dev,true,process,process.responsible.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.3.0-dev,true,process,process.responsible.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.3.0-dev,true,process,process.responsible.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.responsible.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.responsible.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.3.0-dev,true,process,process.responsible.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.3.0-dev,true,process,process.responsible.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.3.0-dev,true,process,process.responsible.elf.creation_date,date,extended,,,Build or compile date. -9.3.0-dev,true,process,process.responsible.elf.exports,flattened,extended,array,,List of exported element names and types. -9.3.0-dev,true,process,process.responsible.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.3.0-dev,true,process,process.responsible.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.responsible.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.responsible.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.responsible.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-9.3.0-dev,true,process,process.responsible.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.3.0-dev,true,process,process.responsible.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.3.0-dev,true,process,process.responsible.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.3.0-dev,true,process,process.responsible.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.3.0-dev,true,process,process.responsible.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.3.0-dev,true,process,process.responsible.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.3.0-dev,true,process,process.responsible.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.3.0-dev,true,process,process.responsible.elf.header.version,keyword,extended,,,Version of the ELF header. -9.3.0-dev,true,process,process.responsible.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.3.0-dev,true,process,process.responsible.elf.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.responsible.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.responsible.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.responsible.elf.sections,nested,extended,array,,Section information of the ELF file. -9.3.0-dev,true,process,process.responsible.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.3.0-dev,true,process,process.responsible.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
-9.3.0-dev,true,process,process.responsible.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.3.0-dev,true,process,process.responsible.elf.sections.name,keyword,extended,,,ELF Section List name. -9.3.0-dev,true,process,process.responsible.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.3.0-dev,true,process,process.responsible.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.3.0-dev,true,process,process.responsible.elf.sections.type,keyword,extended,,,ELF Section List type. -9.3.0-dev,true,process,process.responsible.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.responsible.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.3.0-dev,true,process,process.responsible.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.3.0-dev,true,process,process.responsible.elf.segments,nested,extended,array,,ELF object segment list. -9.3.0-dev,true,process,process.responsible.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.3.0-dev,true,process,process.responsible.elf.segments.type,keyword,extended,,,ELF object segment type. -9.3.0-dev,true,process,process.responsible.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.3.0-dev,true,process,process.responsible.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.3.0-dev,true,process,process.responsible.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.3.0-dev,true,process,process.responsible.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. -9.3.0-dev,true,process,process.responsible.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
-9.3.0-dev,true,process,process.responsible.entry_meta.source.address,keyword,extended,,,Source network address. -9.3.0-dev,true,process,process.responsible.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.3.0-dev,true,process,process.responsible.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.3.0-dev,true,process,process.responsible.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.3.0-dev,true,process,process.responsible.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.3.0-dev,true,process,process.responsible.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. -9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
-9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.3.0-dev,true,process,process.responsible.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.3.0-dev,true,process,process.responsible.entry_meta.source.ip,ip,core,,,IP address of the source. -9.3.0-dev,true,process,process.responsible.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.3.0-dev,true,process,process.responsible.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.3.0-dev,true,process,process.responsible.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.3.0-dev,true,process,process.responsible.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.3.0-dev,true,process,process.responsible.entry_meta.source.port,long,core,,,Port of the source. -9.3.0-dev,true,process,process.responsible.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.3.0-dev,true,process,process.responsible.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.3.0-dev,true,process,process.responsible.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.3.0-dev,true,process,process.responsible.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.3.0-dev,true,process,process.responsible.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.3.0-dev,true,process,process.responsible.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.responsible.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-9.3.0-dev,true,process,process.responsible.exit_code,long,extended,,137,The exit code of the process. -9.3.0-dev,true,process,process.responsible.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.responsible.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.responsible.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.responsible.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.3.0-dev,true,process,process.responsible.hash.md5,keyword,extended,,,MD5 hash. -9.3.0-dev,true,process,process.responsible.hash.sha1,keyword,extended,,,SHA1 hash. -9.3.0-dev,true,process,process.responsible.hash.sha256,keyword,extended,,,SHA256 hash. -9.3.0-dev,true,process,process.responsible.hash.sha384,keyword,extended,,,SHA384 hash. -9.3.0-dev,true,process,process.responsible.hash.sha512,keyword,extended,,,SHA512 hash. -9.3.0-dev,true,process,process.responsible.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.3.0-dev,true,process,process.responsible.hash.tlsh,keyword,extended,,,TLSH hash. -9.3.0-dev,true,process,process.responsible.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.3.0-dev,true,process,process.responsible.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.3.0-dev,true,process,process.responsible.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.3.0-dev,true,process,process.responsible.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.3.0-dev,true,process,process.responsible.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. 
-9.3.0-dev,true,process,process.responsible.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.3.0-dev,true,process,process.responsible.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.3.0-dev,true,process,process.responsible.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.3.0-dev,true,process,process.responsible.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.3.0-dev,true,process,process.responsible.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.3.0-dev,true,process,process.responsible.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.3.0-dev,true,process,process.responsible.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.responsible.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.responsible.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.responsible.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.responsible.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.responsible.macho.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.responsible.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
-9.3.0-dev,true,process,process.responsible.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.responsible.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.3.0-dev,true,process,process.responsible.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.responsible.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.3.0-dev,true,process,process.responsible.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.3.0-dev,true,process,process.responsible.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.responsible.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,process,process.responsible.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.responsible.name,keyword,extended,,ssh,Process name. -9.3.0-dev,true,process,process.responsible.name.text,match_only_text,extended,,ssh,Process name. -9.3.0-dev,true,process,process.responsible.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.3.0-dev,true,process,process.responsible.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. -9.3.0-dev,true,process,process.responsible.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.3.0-dev,true,process,process.responsible.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
-9.3.0-dev,true,process,process.responsible.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.3.0-dev,true,process,process.responsible.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.3.0-dev,true,process,process.responsible.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.3.0-dev,true,process,process.responsible.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.responsible.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.responsible.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.responsible.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.responsible.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.responsible.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.responsible.pe.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.responsible.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.responsible.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.responsible.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-9.3.0-dev,true,process,process.responsible.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.3.0-dev,true,process,process.responsible.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.3.0-dev,true,process,process.responsible.pe.sections,nested,extended,array,,Section information of the PE file. -9.3.0-dev,true,process,process.responsible.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.responsible.pe.sections.name,keyword,extended,,,PE Section List name. -9.3.0-dev,true,process,process.responsible.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.3.0-dev,true,process,process.responsible.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.responsible.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,process,process.responsible.pid,long,core,,4242,Process id. -9.3.0-dev,true,process,process.responsible.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.3.0-dev,true,process,process.responsible.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.responsible.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.responsible.real_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.responsible.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.responsible.real_user.email,keyword,extended,,,User email address. 
-9.3.0-dev,true,process,process.responsible.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.responsible.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.responsible.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.responsible.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.responsible.real_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.responsible.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.responsible.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.responsible.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.responsible.real_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.responsible.real_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.responsible.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.responsible.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.responsible.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
-9.3.0-dev,true,process,process.responsible.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.responsible.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.responsible.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.responsible.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.responsible.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.responsible.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.responsible.real_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.responsible.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.3.0-dev,true,process,process.responsible.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.responsible.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.responsible.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.responsible.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.responsible.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.responsible.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.responsible.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.responsible.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.responsible.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.responsible.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-9.3.0-dev,true,process,process.responsible.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process.
-9.3.0-dev,true,process,process.responsible.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.responsible.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.responsible.saved_group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.responsible.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.responsible.saved_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.responsible.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.responsible.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.responsible.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.responsible.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.responsible.saved_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.responsible.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.responsible.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.responsible.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.responsible.saved_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.responsible.saved_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.responsible.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.responsible.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.responsible.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.responsible.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.responsible.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.responsible.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.responsible.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.responsible.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.responsible.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.responsible.saved_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.responsible.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.3.0-dev,true,process,process.responsible.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.responsible.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.responsible.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.responsible.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.responsible.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.responsible.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.responsible.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.responsible.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.responsible.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.responsible.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-9.3.0-dev,true,process,process.responsible.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
-9.3.0-dev,true,process,process.responsible.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.responsible.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.responsible.supplemental_groups.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.responsible.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
-9.3.0-dev,true,process,process.responsible.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
-9.3.0-dev,true,process,process.responsible.thread.id,long,extended,,4242,Thread ID.
-9.3.0-dev,true,process,process.responsible.thread.name,keyword,extended,,thread-0,Thread name.
-9.3.0-dev,true,process,process.responsible.title,keyword,extended,,,Process title.
-9.3.0-dev,true,process,process.responsible.title.text,match_only_text,extended,,,Process title.
-9.3.0-dev,true,process,process.responsible.tty,object,extended,,,Information about the controlling TTY device.
-9.3.0-dev,true,process,process.responsible.tty.char_device.major,long,extended,,4,The TTY character device's major number.
-9.3.0-dev,true,process,process.responsible.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
-9.3.0-dev,true,process,process.responsible.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width
-9.3.0-dev,true,process,process.responsible.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height
-9.3.0-dev,true,process,process.responsible.uptime,long,extended,,1325,Seconds the process has been up.
-9.3.0-dev,true,process,process.responsible.user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.responsible.user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.responsible.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.responsible.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.responsible.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.responsible.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.responsible.user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.responsible.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.responsible.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.responsible.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.responsible.user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.responsible.user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.responsible.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.responsible.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.responsible.user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.responsible.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.responsible.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.responsible.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.responsible.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.responsible.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.responsible.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.responsible.user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.responsible.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.3.0-dev,true,process,process.responsible.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.responsible.user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.responsible.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.responsible.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.responsible.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.responsible.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.responsible.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.responsible.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.responsible.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.responsible.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-9.3.0-dev,true,process,process.responsible.vpid,long,core,,4242,Virtual process id.
-9.3.0-dev,true,process,process.responsible.working_directory,keyword,extended,,/home/alice,The working directory of the process.
-9.3.0-dev,true,process,process.responsible.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
-9.3.0-dev,true,process,process.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process.
-9.3.0-dev,true,process,process.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.saved_group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.saved_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.saved_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.saved_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.saved_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.saved_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
 9.3.0-dev,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 9.3.0-dev,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
 9.3.0-dev,true,process,process.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 9.3.0-dev,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 9.3.0-dev,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array.
-9.3.0-dev,true,process,process.session_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.session_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.session_leader.attested_groups.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.session_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of.
-9.3.0-dev,true,process,process.session_leader.attested_user.email,keyword,extended,,,User email address.
-9.3.0-dev,true,process,process.session_leader.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.3.0-dev,true,process,process.session_leader.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.3.0-dev,true,process,process.session_leader.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.session_leader.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.3.0-dev,true,process,process.session_leader.attested_user.entity.id,keyword,core,,,Unique identifier for the entity.
-9.3.0-dev,true,process,process.session_leader.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.3.0-dev,true,process,process.session_leader.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.3.0-dev,true,process,process.session_leader.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.3.0-dev,true,process,process.session_leader.attested_user.entity.name,keyword,core,,,The name of the entity.
-9.3.0-dev,true,process,process.session_leader.attested_user.entity.name.text,text,core,,,The name of the entity.
-9.3.0-dev,true,process,process.session_leader.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.3.0-dev,true,process,process.session_leader.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.3.0-dev,true,process,process.session_leader.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.3.0-dev,true,process,process.session_leader.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.3.0-dev,true,process,process.session_leader.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
-9.3.0-dev,true,process,process.session_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.session_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
-9.3.0-dev,true,process,process.session_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
-9.3.0-dev,true,process,process.session_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
-9.3.0-dev,true,process,process.session_leader.attested_user.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.session_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
-9.3.0-dev,true,process,process.session_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
-9.3.0-dev,true,process,process.session_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.session_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
-9.3.0-dev,true,process,process.session_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.session_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
-9.3.0-dev,true,process,process.session_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
-9.3.0-dev,true,process,process.session_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.session_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
-9.3.0-dev,true,process,process.session_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
-9.3.0-dev,true,process,process.session_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
-9.3.0-dev,true,process,process.session_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
-9.3.0-dev,true,process,process.session_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-9.3.0-dev,true,process,process.session_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
-9.3.0-dev,true,process,process.session_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
-9.3.0-dev,true,process,process.session_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
-9.3.0-dev,true,process,process.session_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
-9.3.0-dev,true,process,process.session_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
-9.3.0-dev,true,process,process.session_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate.
-9.3.0-dev,true,process,process.session_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
-9.3.0-dev,true,process,process.session_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-9.3.0-dev,true,process,process.session_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 9.3.0-dev,true,process,process.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 9.3.0-dev,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
-9.3.0-dev,true,process,process.session_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-9.3.0-dev,true,process,process.session_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
-9.3.0-dev,true,process,process.session_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
-9.3.0-dev,true,process,process.session_leader.elf.creation_date,date,extended,,,Build or compile date.
-9.3.0-dev,true,process,process.session_leader.elf.exports,flattened,extended,array,,List of exported element names and types.
-9.3.0-dev,true,process,process.session_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file.
-9.3.0-dev,true,process,process.session_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types.
-9.3.0-dev,true,process,process.session_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.session_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
-9.3.0-dev,true,process,process.session_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
-9.3.0-dev,true,process,process.session_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
-9.3.0-dev,true,process,process.session_leader.elf.header.class,keyword,extended,,,Header class of the ELF file.
-9.3.0-dev,true,process,process.session_leader.elf.header.data,keyword,extended,,,Data table of the ELF header.
-9.3.0-dev,true,process,process.session_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
-9.3.0-dev,true,process,process.session_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
-9.3.0-dev,true,process,process.session_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
-9.3.0-dev,true,process,process.session_leader.elf.header.type,keyword,extended,,,Header type of the ELF file.
-9.3.0-dev,true,process,process.session_leader.elf.header.version,keyword,extended,,,Version of the ELF header.
-9.3.0-dev,true,process,process.session_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file.
-9.3.0-dev,true,process,process.session_leader.elf.imports,flattened,extended,array,,List of imported element names and types.
-9.3.0-dev,true,process,process.session_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.session_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
-9.3.0-dev,true,process,process.session_leader.elf.sections,nested,extended,array,,Section information of the ELF file.
-9.3.0-dev,true,process,process.session_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
-9.3.0-dev,true,process,process.session_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.session_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags.
-9.3.0-dev,true,process,process.session_leader.elf.sections.name,keyword,extended,,,ELF Section List name.
-9.3.0-dev,true,process,process.session_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
-9.3.0-dev,true,process,process.session_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
-9.3.0-dev,true,process,process.session_leader.elf.sections.type,keyword,extended,,,ELF Section List type.
-9.3.0-dev,true,process,process.session_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
-9.3.0-dev,true,process,process.session_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
-9.3.0-dev,true,process,process.session_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-9.3.0-dev,true,process,process.session_leader.elf.segments,nested,extended,array,,ELF object segment list.
-9.3.0-dev,true,process,process.session_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections.
-9.3.0-dev,true,process,process.session_leader.elf.segments.type,keyword,extended,,,ELF object segment type.
-9.3.0-dev,true,process,process.session_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
-9.3.0-dev,true,process,process.session_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
-9.3.0-dev,true,process,process.session_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
-9.3.0-dev,true,process,process.session_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client.
 9.3.0-dev,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.address,keyword,extended,,,Source network address.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.ip,ip,core,,,IP address of the source.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.port,long,core,,,Port of the source.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain."
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain.
-9.3.0-dev,true,process,process.session_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-9.3.0-dev,true,process,process.session_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader.
-9.3.0-dev,true,process,process.session_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings.
 9.3.0-dev,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
 9.3.0-dev,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
-9.3.0-dev,true,process,process.session_leader.exit_code,long,extended,,137,The exit code of the process.
-9.3.0-dev,true,process,process.session_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of.
 9.3.0-dev,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 9.3.0-dev,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group.
-9.3.0-dev,true,process,process.session_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
-9.3.0-dev,true,process,process.session_leader.hash.md5,keyword,extended,,,MD5 hash.
-9.3.0-dev,true,process,process.session_leader.hash.sha1,keyword,extended,,,SHA1 hash.
-9.3.0-dev,true,process,process.session_leader.hash.sha256,keyword,extended,,,SHA256 hash.
-9.3.0-dev,true,process,process.session_leader.hash.sha384,keyword,extended,,,SHA384 hash.
-9.3.0-dev,true,process,process.session_leader.hash.sha512,keyword,extended,,,SHA512 hash.
-9.3.0-dev,true,process,process.session_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash.
-9.3.0-dev,true,process,process.session_leader.hash.tlsh,keyword,extended,,,TLSH hash.
 9.3.0-dev,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
-9.3.0-dev,true,process,process.session_leader.io,object,extended,,,A chunk of input or output (IO) from a single process.
-9.3.0-dev,true,process,process.session_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped.
-9.3.0-dev,true,process,process.session_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped.
-9.3.0-dev,true,process,process.session_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.
-9.3.0-dev,true,process,process.session_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting."
-9.3.0-dev,true,process,process.session_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8.
-9.3.0-dev,true,process,process.session_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event.
-9.3.0-dev,true,process,process.session_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.3.0-dev,true,process,process.session_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.3.0-dev,true,process,process.session_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.3.0-dev,true,process,process.session_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.session_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.session_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.session_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.session_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.session_leader.macho.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.session_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. 
-9.3.0-dev,true,process,process.session_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.3.0-dev,true,process,process.session_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.3.0-dev,true,process,process.session_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,process,process.session_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. 9.3.0-dev,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. 9.3.0-dev,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name. -9.3.0-dev,true,process,process.session_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.3.0-dev,true,process,process.session_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. -9.3.0-dev,true,process,process.session_leader.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.3.0-dev,true,process,process.session_leader.parent.args_count,long,extended,,4,Length of the process.args array. -9.3.0-dev,true,process,process.session_leader.parent.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-9.3.0-dev,true,process,process.session_leader.parent.attested_groups.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.name.text,text,core,,,The name of the entity. 
-9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.parent.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.parent.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
-9.3.0-dev,true,process,process.session_leader.parent.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.session_leader.parent.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.session_leader.parent.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.session_leader.parent.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,process,process.session_leader.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 
-9.3.0-dev,true,process,process.session_leader.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.3.0-dev,true,process,process.session_leader.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.3.0-dev,true,process,process.session_leader.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.3.0-dev,true,process,process.session_leader.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.3.0-dev,true,process,process.session_leader.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.3.0-dev,true,process,process.session_leader.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.3.0-dev,true,process,process.session_leader.parent.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.3.0-dev,true,process,process.session_leader.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.3.0-dev,true,process,process.session_leader.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.3.0-dev,true,process,process.session_leader.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.3.0-dev,true,process,process.session_leader.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.session_leader.parent.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-9.3.0-dev,true,process,process.session_leader.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.3.0-dev,true,process,process.session_leader.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.3.0-dev,true,process,process.session_leader.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.3.0-dev,true,process,process.session_leader.parent.elf.creation_date,date,extended,,,Build or compile date. -9.3.0-dev,true,process,process.session_leader.parent.elf.exports,flattened,extended,array,,List of exported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.3.0-dev,true,process,process.session_leader.parent.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.session_leader.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.session_leader.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.session_leader.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.session_leader.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -9.3.0-dev,true,process,process.session_leader.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.3.0-dev,true,process,process.session_leader.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.3.0-dev,true,process,process.session_leader.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. 
-9.3.0-dev,true,process,process.session_leader.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.3.0-dev,true,process,process.session_leader.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.3.0-dev,true,process,process.session_leader.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.3.0-dev,true,process,process.session_leader.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -9.3.0-dev,true,process,process.session_leader.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.3.0-dev,true,process,process.session_leader.parent.elf.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.elf.sections,nested,extended,array,,Section information of the ELF file. -9.3.0-dev,true,process,process.session_leader.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.3.0-dev,true,process,process.session_leader.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.3.0-dev,true,process,process.session_leader.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -9.3.0-dev,true,process,process.session_leader.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 
-9.3.0-dev,true,process,process.session_leader.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.3.0-dev,true,process,process.session_leader.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -9.3.0-dev,true,process,process.session_leader.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.3.0-dev,true,process,process.session_leader.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.3.0-dev,true,process,process.session_leader.parent.elf.segments,nested,extended,array,,ELF object segment list. -9.3.0-dev,true,process,process.session_leader.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.3.0-dev,true,process,process.session_leader.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -9.3.0-dev,true,process,process.session_leader.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.3.0-dev,true,process,process.session_leader.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.3.0-dev,true,process,process.session_leader.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.3.0-dev,true,process,process.session_leader.parent.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 9.3.0-dev,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.address,keyword,extended,,,Source network address. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. 
-9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.ip,ip,core,,,IP address of the source. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.port,long,core,,,Port of the source. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.3.0-dev,true,process,process.session_leader.parent.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.3.0-dev,true,process,process.session_leader.parent.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.3.0-dev,true,process,process.session_leader.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.session_leader.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-9.3.0-dev,true,process,process.session_leader.parent.exit_code,long,extended,,137,The exit code of the process. -9.3.0-dev,true,process,process.session_leader.parent.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.3.0-dev,true,process,process.session_leader.parent.hash.md5,keyword,extended,,,MD5 hash. -9.3.0-dev,true,process,process.session_leader.parent.hash.sha1,keyword,extended,,,SHA1 hash. -9.3.0-dev,true,process,process.session_leader.parent.hash.sha256,keyword,extended,,,SHA256 hash. -9.3.0-dev,true,process,process.session_leader.parent.hash.sha384,keyword,extended,,,SHA384 hash. -9.3.0-dev,true,process,process.session_leader.parent.hash.sha512,keyword,extended,,,SHA512 hash. -9.3.0-dev,true,process,process.session_leader.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.3.0-dev,true,process,process.session_leader.parent.hash.tlsh,keyword,extended,,,TLSH hash. -9.3.0-dev,true,process,process.session_leader.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.3.0-dev,true,process,process.session_leader.parent.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.3.0-dev,true,process,process.session_leader.parent.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. -9.3.0-dev,true,process,process.session_leader.parent.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. 
-9.3.0-dev,true,process,process.session_leader.parent.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.3.0-dev,true,process,process.session_leader.parent.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.3.0-dev,true,process,process.session_leader.parent.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.3.0-dev,true,process,process.session_leader.parent.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.3.0-dev,true,process,process.session_leader.parent.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.3.0-dev,true,process,process.session_leader.parent.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.3.0-dev,true,process,process.session_leader.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.3.0-dev,true,process,process.session_leader.parent.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.session_leader.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.session_leader.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.session_leader.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. 
-9.3.0-dev,true,process,process.session_leader.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.session_leader.parent.macho.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.3.0-dev,true,process,process.session_leader.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.3.0-dev,true,process,process.session_leader.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.3.0-dev,true,process,process.session_leader.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. -9.3.0-dev,true,process,process.session_leader.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.session_leader.parent.name,keyword,extended,,ssh,Process name. -9.3.0-dev,true,process,process.session_leader.parent.name.text,match_only_text,extended,,ssh,Process name. 
-9.3.0-dev,true,process,process.session_leader.parent.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.3.0-dev,true,process,process.session_leader.parent.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. -9.3.0-dev,true,process,process.session_leader.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.3.0-dev,true,process,process.session_leader.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.3.0-dev,true,process,process.session_leader.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.3.0-dev,true,process,process.session_leader.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.3.0-dev,true,process,process.session_leader.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.3.0-dev,true,process,process.session_leader.parent.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.session_leader.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.session_leader.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.session_leader.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.session_leader.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
-9.3.0-dev,true,process,process.session_leader.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.session_leader.parent.pe.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.3.0-dev,true,process,process.session_leader.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.3.0-dev,true,process,process.session_leader.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.3.0-dev,true,process,process.session_leader.parent.pe.sections,nested,extended,array,,Section information of the PE file. -9.3.0-dev,true,process,process.session_leader.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.parent.pe.sections.name,keyword,extended,,,PE Section List name. -9.3.0-dev,true,process,process.session_leader.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.3.0-dev,true,process,process.session_leader.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. 
This is always the same as `physical_size`. 9.3.0-dev,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. -9.3.0-dev,true,process,process.session_leader.parent.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.3.0-dev,true,process,process.session_leader.parent.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.real_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.session_leader.parent.real_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.id,keyword,core,,,Unique identifier for the entity. 
-9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.session_leader.parent.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.session_leader.parent.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.parent.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.parent.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.3.0-dev,true,process,process.session_leader.parent.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.real_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.session_leader.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.session_leader.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.parent.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.parent.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.session_leader.parent.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.session_leader.parent.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.3.0-dev,true,process,process.session_leader.parent.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.session_leader.parent.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,process,process.session_leader.parent.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.3.0-dev,true,process,process.session_leader.parent.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.saved_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
-9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.parent.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-9.3.0-dev,true,process,process.session_leader.parent.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.3.0-dev,true,process,process.session_leader.parent.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.session_leader.parent.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.session_leader.parent.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.args_count,long,extended,,4,Length of the process.args array. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_groups.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.attested_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process -9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.creation_date,date,extended,,,Build or compile date. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.exports,flattened,extended,array,,List of exported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.class,keyword,extended,,,Header class of the ELF file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.data,keyword,extended,,,Data table of the ELF header. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.type,keyword,extended,,,Header type of the ELF file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.header.version,keyword,extended,,,Version of the ELF header. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections,nested,extended,array,,Section information of the ELF file. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.flags,keyword,extended,,,ELF Section List flags. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.name,keyword,extended,,,ELF Section List name. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.type,keyword,extended,,,ELF Section List type. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.segments,nested,extended,array,,ELF object segment list. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.segments.sections,keyword,extended,,,ELF object segment sections. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.segments.type,keyword,extended,,,ELF object segment type. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.endpoint_security_client,boolean,extended,,,Indicates whether this process executable is an Endpoint Security client. 9.3.0-dev,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.address,keyword,extended,,,Source network address. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.as.organization.name,keyword,extended,,Google LLC,Organization name. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text,match_only_text,extended,,Google LLC,Organization name. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.bytes,long,core,,184,Bytes sent from the source to the destination. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.domain,keyword,core,,foo.example.com,The domain name of the source. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.city_name,keyword,core,,Montreal,City name. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code,keyword,core,,NA,Continent code. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name,keyword,core,,North America,Name of the continent. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.country_name,keyword,core,,Canada,Country name. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code,keyword,core,,94040,Postal code. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.region_name,keyword,core,,Quebec,Region name. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.ip,ip,core,,,IP address of the source. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.nat.ip,ip,extended,,,Source NAT ip -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.nat.port,long,extended,,,Source NAT port -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.packets,long,core,,12,Packets sent from the source to the destination. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.port,long,core,,,Port of the source. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.subdomain,keyword,extended,,east,The subdomain of the domain. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.exit_code,long,extended,,137,The exit code of the process. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.md5,keyword,extended,,,MD5 hash. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha1,keyword,extended,,,SHA1 hash. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha256,keyword,extended,,,SHA256 hash. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha384,keyword,extended,,,SHA384 hash. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.sha512,keyword,extended,,,SHA512 hash. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.ssdeep,keyword,extended,,,SSDEEP hash. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.hash.tlsh,keyword,extended,,,TLSH hash. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.io,object,extended,,,A chunk of input or output (IO) from a single process. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.text,wildcard,extended,,,A chunk of output or input sanitized to UTF-8. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections,nested,extended,array,,Section information of the Mach-O file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.name,keyword,extended,,,Mach-O Section List name. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.name,keyword,extended,,ssh,Process name. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.name.text,match_only_text,extended,,ssh,Process name. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the process's executable file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.origin_url,keyword,extended,,http://example.com/files/example.exe,The URL where the process's executable file is hosted. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections,nested,extended,array,,Section information of the PE file. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.name,keyword,extended,,,PE Section List name. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 9.3.0-dev,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.thread.id,long,extended,,4242,Thread ID. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.thread.name,keyword,extended,,thread-0,Thread name. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.title,keyword,extended,,,Process title. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.title.text,match_only_text,extended,,,Process title. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.tty,object,extended,,,Information about the controlling TTY device. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.3.0-dev,true,process,process.session_leader.parent.session_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.3.0-dev,true,process,process.session_leader.parent.session_leader.uptime,long,extended,,1325,Seconds the process has been up. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.id,keyword,core,,,Unique identifier for the entity. 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.3.0-dev,true,process,process.session_leader.parent.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 9.3.0-dev,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.3.0-dev,true,process,process.session_leader.parent.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.supplemental_groups.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.3.0-dev,true,process,process.session_leader.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. 
-9.3.0-dev,true,process,process.session_leader.parent.thread.id,long,extended,,4242,Thread ID. -9.3.0-dev,true,process,process.session_leader.parent.thread.name,keyword,extended,,thread-0,Thread name. -9.3.0-dev,true,process,process.session_leader.parent.title,keyword,extended,,,Process title. -9.3.0-dev,true,process,process.session_leader.parent.title.text,match_only_text,extended,,,Process title. -9.3.0-dev,true,process,process.session_leader.parent.tty,object,extended,,,Information about the controlling TTY device. -9.3.0-dev,true,process,process.session_leader.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. -9.3.0-dev,true,process,process.session_leader.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.3.0-dev,true,process,process.session_leader.parent.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.3.0-dev,true,process,process.session_leader.parent.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.3.0-dev,true,process,process.session_leader.parent.uptime,long,extended,,1325,Seconds the process has been up. -9.3.0-dev,true,process,process.session_leader.parent.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.session_leader.parent.user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.session_leader.parent.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.session_leader.parent.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.session_leader.parent.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
-9.3.0-dev,true,process,process.session_leader.parent.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.parent.user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.session_leader.parent.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.session_leader.parent.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.session_leader.parent.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.session_leader.parent.user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.parent.user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.parent.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.session_leader.parent.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.session_leader.parent.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.session_leader.parent.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.session_leader.parent.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.session_leader.parent.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-9.3.0-dev,true,process,process.session_leader.parent.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.parent.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.parent.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.parent.user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.parent.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -9.3.0-dev,true,process,process.session_leader.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. -9.3.0-dev,true,process,process.session_leader.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.parent.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.parent.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.parent.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.session_leader.parent.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.3.0-dev,true,process,process.session_leader.parent.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.session_leader.parent.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.session_leader.parent.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. -9.3.0-dev,true,process,process.session_leader.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -9.3.0-dev,true,process,process.session_leader.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -9.3.0-dev,true,process,process.session_leader.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -9.3.0-dev,true,process,process.session_leader.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -9.3.0-dev,true,process,process.session_leader.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -9.3.0-dev,true,process,process.session_leader.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -9.3.0-dev,true,process,process.session_leader.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. -9.3.0-dev,true,process,process.session_leader.pe.go_imports,flattened,extended,,,List of imported Go language element names and types. -9.3.0-dev,true,process,process.session_leader.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
-9.3.0-dev,true,process,process.session_leader.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. -9.3.0-dev,true,process,process.session_leader.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. -9.3.0-dev,true,process,process.session_leader.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.session_leader.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. -9.3.0-dev,true,process,process.session_leader.pe.imports,flattened,extended,array,,List of imported element names and types. -9.3.0-dev,true,process,process.session_leader.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. -9.3.0-dev,true,process,process.session_leader.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -9.3.0-dev,true,process,process.session_leader.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. -9.3.0-dev,true,process,process.session_leader.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -9.3.0-dev,true,process,process.session_leader.pe.sections,nested,extended,array,,Section information of the PE file. -9.3.0-dev,true,process,process.session_leader.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.pe.sections.name,keyword,extended,,,PE Section List name. 
-9.3.0-dev,true,process,process.session_leader.pe.sections.physical_size,long,extended,,,PE Section List physical size. -9.3.0-dev,true,process,process.session_leader.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. -9.3.0-dev,true,process,process.session_leader.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. 9.3.0-dev,true,process,process.session_leader.pid,long,core,,4242,Process id. -9.3.0-dev,true,process,process.session_leader.platform_binary,boolean,extended,,,Indicates whether this process executable is a default platform binary shipped with the operating system. -9.3.0-dev,true,process,process.session_leader.real_group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.real_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.session_leader.real_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.session_leader.real_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.session_leader.real_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.session_leader.real_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
-9.3.0-dev,true,process,process.session_leader.real_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.real_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.session_leader.real_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.session_leader.real_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.session_leader.real_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.session_leader.real_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.real_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.real_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.session_leader.real_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.session_leader.real_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.session_leader.real_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.session_leader.real_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.session_leader.real_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-9.3.0-dev,true,process,process.session_leader.real_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.real_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.real_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.real_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.real_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 9.3.0-dev,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,process,process.session_leader.real_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.real_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.real_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.real_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.session_leader.real_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.3.0-dev,true,process,process.session_leader.real_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.session_leader.real_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.session_leader.real_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. -9.3.0-dev,true,process,process.session_leader.saved_group.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.saved_user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.session_leader.saved_user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.session_leader.saved_user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.session_leader.saved_user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.session_leader.saved_user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 
-9.3.0-dev,true,process,process.session_leader.saved_user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.saved_user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.session_leader.saved_user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.session_leader.saved_user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.session_leader.saved_user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.session_leader.saved_user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.saved_user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.saved_user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.session_leader.saved_user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.session_leader.saved_user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.session_leader.saved_user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.session_leader.saved_user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.session_leader.saved_user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-9.3.0-dev,true,process,process.session_leader.saved_user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.saved_user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.saved_user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.saved_user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.saved_user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 9.3.0-dev,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,process,process.session_leader.saved_user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.saved_user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.saved_user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.saved_user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.session_leader.saved_user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 
-9.3.0-dev,true,process,process.session_leader.saved_user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.session_leader.saved_user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.session_leader.saved_user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.3.0-dev,true,process,process.session_leader.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. -9.3.0-dev,true,process,process.session_leader.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. -9.3.0-dev,true,process,process.session_leader.thread.id,long,extended,,4242,Thread ID. -9.3.0-dev,true,process,process.session_leader.thread.name,keyword,extended,,thread-0,Thread name. -9.3.0-dev,true,process,process.session_leader.title,keyword,extended,,,Process title. -9.3.0-dev,true,process,process.session_leader.title.text,match_only_text,extended,,,Process title. 9.3.0-dev,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. 
9.3.0-dev,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. 9.3.0-dev,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. -9.3.0-dev,true,process,process.session_leader.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width -9.3.0-dev,true,process,process.session_leader.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height -9.3.0-dev,true,process,process.session_leader.uptime,long,extended,,1325,Seconds the process has been up. -9.3.0-dev,true,process,process.session_leader.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.session_leader.user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.session_leader.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.session_leader.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.session_leader.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.session_leader.user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.session_leader.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.session_leader.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 
-9.3.0-dev,true,process,process.session_leader.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.session_leader.user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,process,process.session_leader.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.session_leader.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.session_leader.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.session_leader.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.session_leader.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.session_leader.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.session_leader.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.session_leader.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.session_leader.user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.session_leader.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
9.3.0-dev,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.session_leader.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.session_leader.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.session_leader.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.session_leader.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.session_leader.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.session_leader.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. 9.3.0-dev,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 
9.3.0-dev,true,process,process.session_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 9.3.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -9.3.0-dev,true,process,process.supplemental_groups.domain,keyword,extended,,,Name of the directory the group is a member of. 9.3.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 9.3.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. 9.3.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. 
@@ -4468,39 +1073,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width 9.3.0-dev,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height 9.3.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -9.3.0-dev,true,process,process.user.domain,keyword,extended,,,Name of the directory the user is a member of. -9.3.0-dev,true,process,process.user.email,keyword,extended,,,User email address. -9.3.0-dev,true,process,process.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,process,process.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,process,process.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,process,process.user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,process,process.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,process,process.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,process,process.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,process,process.user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,process,process.user.entity.name.text,text,core,,,The name of the entity. 
-9.3.0-dev,true,process,process.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,process,process.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,process,process.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,process,process.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,process,process.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. -9.3.0-dev,true,process,process.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." -9.3.0-dev,true,process,process.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -9.3.0-dev,true,process,process.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -9.3.0-dev,true,process,process.user.group.name,keyword,extended,,,Name of the group. -9.3.0-dev,true,process,process.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 9.3.0-dev,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,process,process.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,process,process.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 
-9.3.0-dev,true,process,process.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,process,process.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,process,process.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,process,process.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. -9.3.0-dev,true,process,process.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,process,process.vpid,long,core,,4242,Virtual process id. 9.3.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. 9.3.0-dev,true,process,process.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 
@@ -4553,21 +1128,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 9.3.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. 9.3.0-dev,true,server,server.user.email,keyword,extended,,,User email address. -9.3.0-dev,true,server,server.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,server,server.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,server,server.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,server,server.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,server,server.user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,server,server.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,server,server.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,server,server.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,server,server.user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,server,server.user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,server,server.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,server,server.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
-9.3.0-dev,true,server,server.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,server,server.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,server,server.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,server,server.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
@@ -4577,29 +1137,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,server,server.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,server,server.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,server,server.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,server,server.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,server,server.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,server,server.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 9.3.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. -9.3.0-dev,true,service,service.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 
-9.3.0-dev,true,service,service.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,service,service.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,service,service.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,service,service.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,service,service.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,service,service.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,service,service.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,service,service.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,service,service.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,service,service.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,service,service.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,service,service.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,service,service.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,service,service.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service. 9.3.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. 
9.3.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 
@@ -4608,21 +1147,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. 9.3.0-dev,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. 9.3.0-dev,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. -9.3.0-dev,true,service,service.origin.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,service,service.origin.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,service,service.origin.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,service,service.origin.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,service,service.origin.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,service,service.origin.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,service,service.origin.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,service,service.origin.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,service,service.origin.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,service,service.origin.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,service,service.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 
-9.3.0-dev,true,service,service.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,service,service.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,service,service.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,service,service.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. 9.3.0-dev,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. 9.3.0-dev,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 
@@ -4690,21 +1214,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 9.3.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. 9.3.0-dev,true,source,source.user.email,keyword,extended,,,User email address. -9.3.0-dev,true,source,source.user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,source,source.user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,source,source.user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,source,source.user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,source,source.user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,source,source.user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,source,source.user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,source,source.user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,source,source.user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,source,source.user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,source,source.user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,source,source.user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
-9.3.0-dev,true,source,source.user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,source,source.user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,source,source.user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,source,source.user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
@@ -4714,12 +1223,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,source,source.user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,source,source.user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,source,source.user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,source,source.user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,source,source.user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,source,source.user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 9.3.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 9.3.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. 
@@ -5268,21 +1771,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,url,url.username,keyword,extended,,,Username of the request. 9.3.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. 9.3.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. -9.3.0-dev,true,user,user.changes.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,user,user.changes.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,user,user.changes.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,user,user.changes.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,user,user.changes.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,user,user.changes.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,user,user.changes.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,user,user.changes.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,user,user.changes.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,user,user.changes.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,user,user.changes.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,user,user.changes.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
-9.3.0-dev,true,user,user.changes.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,user,user.changes.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,user,user.changes.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
@@ -5292,31 +1780,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 9.3.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. 9.3.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. 9.3.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. 
-9.3.0-dev,true,user,user.effective.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. -9.3.0-dev,true,user,user.effective.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,user,user.effective.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,user,user.effective.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,user,user.effective.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,user,user.effective.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,user,user.effective.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,user,user.effective.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,user,user.effective.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,user,user.effective.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,user,user.effective.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,user,user.effective.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,user,user.effective.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,user,user.effective.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,user,user.effective.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 
9.3.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
@@ -5326,29 +1793,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 9.3.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,user,user.email,keyword,extended,,,User email address. -9.3.0-dev,true,user,user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 
-9.3.0-dev,true,user,user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." -9.3.0-dev,true,user,user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,user,user.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.3.0-dev,true,user,user.entity.id,keyword,core,,,Unique identifier for the entity. -9.3.0-dev,true,user,user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" -9.3.0-dev,true,user,user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. -9.3.0-dev,true,user,user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. -9.3.0-dev,true,user,user.entity.name,keyword,core,,,The name of the entity. -9.3.0-dev,true,user,user.entity.name.text,text,core,,,The name of the entity. -9.3.0-dev,true,user,user.entity.raw,object,extended,,,"Original, unmodified fields from the source system." -9.3.0-dev,true,user,user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." -9.3.0-dev,true,user,user.entity.source,keyword,core,,,Source module or integration that provided the entity data. -9.3.0-dev,true,user,user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. -9.3.0-dev,true,user,user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 9.3.0-dev,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available." 
9.3.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. @@ -5391,12 +1837,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 9.3.0-dev,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. 9.3.0-dev,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. -9.3.0-dev,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -9.3.0-dev,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. -9.3.0-dev,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -9.3.0-dev,true,user,user.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 9.3.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 9.3.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. 9.3.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index b17eb8a496..68c3dd6471 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -475,256 +475,6 @@ client.user.email: original_fieldset: user short: User email address. type: keyword -client.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: client.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -client.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: client.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -client.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: client.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: client.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -client.user.entity.id: - dashed_name: client-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: client.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -client.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: client.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -client.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: client.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -client.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: client.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -client.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: client.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: client.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -client.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: client.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -client.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: client.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -client.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: client.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -client.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: client.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -client.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: client-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: client.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword client.user.full_name: dashed_name: client-user-full-name description: User's full name, if available. 
@@ -819,86 +569,6 @@ client.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -client.user.risk.calculated_level: - dashed_name: client-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: client.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -client.user.risk.calculated_score: - dashed_name: client-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: client.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -client.user.risk.calculated_score_norm: - dashed_name: client-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: client.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -client.user.risk.static_level: - dashed_name: client-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: client.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -client.user.risk.static_score: - dashed_name: client-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: client.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -client.user.risk.static_score_norm: - dashed_name: client-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: client.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -958,256 +628,6 @@ cloud.availability_zone: stability: development short: Availability zone in which this host, resource, or service is located. type: keyword -cloud.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: cloud.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -cloud.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: cloud.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -cloud.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: cloud.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: cloud.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -cloud.entity.id: - dashed_name: cloud-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: cloud.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -cloud.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: cloud.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -cloud.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: cloud.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -cloud.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: cloud.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -cloud.entity.name: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: cloud.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: cloud.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -cloud.entity.raw: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: cloud.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object -cloud.entity.reference: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: cloud.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -cloud.entity.source: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: cloud.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -cloud.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: cloud.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -cloud.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. 
Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. 
This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: cloud-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: cloud.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword cloud.instance.id: dashed_name: cloud-instance-id description: Instance ID of the host machine. 
@@ -1282,275 +702,25 @@ cloud.origin.availability_zone: original_fieldset: cloud short: Availability zone in which this host, resource, or service is located. type: keyword -cloud.origin.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: cloud.origin.entity.attributes +cloud.origin.instance.id: + dashed_name: cloud-origin-instance-id + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + flat_name: cloud.origin.instance.id + ignore_above: 1024 level: extended - name: attributes + name: instance.id normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -cloud.origin.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: cloud.origin.entity.behavior + original_fieldset: cloud + short: Instance ID of the host machine. + type: keyword +cloud.origin.instance.name: + dashed_name: cloud-origin-instance-name + description: Instance name of the host machine. 
+ flat_name: cloud.origin.instance.name + ignore_above: 1024 level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -cloud.origin.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: cloud.origin.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: cloud.origin.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -cloud.origin.entity.id: - dashed_name: cloud-origin-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: cloud.origin.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -cloud.origin.entity.last_seen_timestamp: - beta: This field is beta and subject to change. 
- dashed_name: cloud-origin-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: cloud.origin.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -cloud.origin.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: cloud.origin.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -cloud.origin.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: cloud.origin.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -cloud.origin.entity.name: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: cloud.origin.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: cloud.origin.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -cloud.origin.entity.raw: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: cloud.origin.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -cloud.origin.entity.reference: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: cloud.origin.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -cloud.origin.entity.source: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: cloud.origin.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -cloud.origin.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: cloud-origin-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: cloud.origin.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -cloud.origin.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. 
Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. 
- name: session - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: cloud.origin.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -cloud.origin.instance.id: - dashed_name: cloud-origin-instance-id - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - flat_name: cloud.origin.instance.id - ignore_above: 1024 - level: extended - name: instance.id - normalize: [] - original_fieldset: cloud - short: Instance ID of the host machine. - type: keyword -cloud.origin.instance.name: - dashed_name: cloud-origin-instance-name - description: Instance name of the host machine. - flat_name: cloud.origin.instance.name - ignore_above: 1024 - level: extended - name: instance.name + name: instance.name normalize: [] original_fieldset: cloud short: Instance name of the host machine. 
@@ -2697,256 +1867,6 @@ destination.user.email: original_fieldset: user short: User email address. type: keyword -destination.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: destination.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -destination.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: destination.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -destination.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: destination.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: destination.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -destination.user.entity.id: - dashed_name: destination-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: destination.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -destination.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: destination.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -destination.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: destination.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -destination.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: destination.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -destination.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: destination.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: destination.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -destination.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: destination.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -destination.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: destination.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -destination.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: destination.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -destination.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: destination.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -destination.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: destination.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword destination.user.full_name: dashed_name: destination-user-full-name description: User's full name, if available. 
@@ -3041,86 +1961,6 @@ destination.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -destination.user.risk.calculated_level: - dashed_name: destination-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: destination.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -destination.user.risk.calculated_score: - dashed_name: destination-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: destination.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -destination.user.risk.calculated_score_norm: - dashed_name: destination-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: destination.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -destination.user.risk.static_level: - dashed_name: destination-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: destination.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -destination.user.risk.static_score: - dashed_name: destination-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: destination.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -destination.user.risk.static_score_norm: - dashed_name: destination-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: destination.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
@@ -4494,243 +3334,6 @@ email.x_mailer: normalize: [] short: Application that drafted email. type: keyword -entity.attributes: - beta: This field is beta and subject to change. - dashed_name: entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: entity.attributes - level: extended - name: attributes - normalize: [] - short: A set of static or semi-static attributes of the entity. - type: object -entity.behavior: - beta: This field is beta and subject to change. - dashed_name: entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: entity.behavior - level: extended - name: behavior - normalize: [] - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -entity.display_name: - beta: This field is beta and subject to change. - dashed_name: entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -entity.id: - dashed_name: entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - short: Unique identifier for the entity. - type: keyword -entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - short: Indicates the date/time when this entity was last "seen." - type: date -entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: entity.lifecycle - level: extended - name: lifecycle - normalize: [] - short: A set of temporal characteristics of the entity. - type: object -entity.metrics: - beta: This field is beta and subject to change. - dashed_name: entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: entity.metrics - level: extended - name: metrics - normalize: [] - short: Field set for any fields containing numeric entity metrics. - type: object -entity.name: - beta: This field is beta and subject to change. - dashed_name: entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - short: The name of the entity. - type: keyword -entity.raw: - beta: This field is beta and subject to change. - dashed_name: entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: entity.raw - level: extended - name: raw - normalize: [] - short: Original, unmodified fields from the source system. - type: object -entity.reference: - beta: This field is beta and subject to change. - dashed_name: entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -entity.source: - beta: This field is beta and subject to change. - dashed_name: entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - short: Source module or integration that provided the entity data. - type: keyword -entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. 
- name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. 
- name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - short: Standardized high-level classification of the entity. - type: keyword error.code: dashed_name: error-code description: Error code describing the error. 
@@ -10483,503 +9086,6 @@ process.args_count: stability: development short: Length of the process.args array. type: long -process.attested_groups.domain: - dashed_name: process-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.attested_groups.id: - dashed_name: process-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.attested_groups.name: - dashed_name: process-attested-groups-name - description: Name of the group. - flat_name: process.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.attested_user.domain: - dashed_name: process-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.attested_user.email: - dashed_name: process-attested-user-email - description: User email address. - flat_name: process.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.attested_user.entity.attributes: - beta: This field is beta and subject to change. 
- dashed_name: process-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.attested_user.entity.id: - dashed_name: process-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. 
Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.attested_user.full_name: - dashed_name: process-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.attested_user.group.domain: - dashed_name: process-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.attested_user.group.id: - dashed_name: process-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.attested_user.group.name: - dashed_name: process-attested-user-group-name - description: Name of the group. - flat_name: process.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.attested_user.hash: - dashed_name: process-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.attested_user.id: - dashed_name: process-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.attested_user.name: - dashed_name: process-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.attested_user.risk.calculated_level: - dashed_name: process-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.attested_user.risk.calculated_score: - dashed_name: process-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.attested_user.risk.calculated_score_norm: - dashed_name: process-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.attested_user.risk.static_level: - dashed_name: process-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.attested_user.risk.static_score: - dashed_name: process-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.attested_user.risk.static_score_norm: - dashed_name: process-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.attested_user.roles: - dashed_name: process-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.code_signature.digest_algorithm: dashed_name: process-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. 
@@ -11603,17 +9709,6 @@ process.end: normalize: [] short: The time the process ended. type: date -process.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. @@ -11664,30 +9759,6 @@ process.entry_leader.args_count: original_fieldset: process short: Length of the process.args array. type: long -process.entry_leader.attested_groups.domain: - dashed_name: process-entry-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.attested_groups.id: - dashed_name: process-entry-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword process.entry_leader.attested_groups.name: dashed_name: process-entry-leader-attested-groups-name description: Name of the group. 
@@ -11699,313 +9770,387 @@ process.entry_leader.attested_groups.name: original_fieldset: group short: Name of the group. type: keyword -process.entry_leader.attested_user.domain: - dashed_name: process-entry-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_user.domain +process.entry_leader.attested_user.id: + dashed_name: process-entry-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.attested_user.id ignore_above: 1024 - level: extended - name: domain + level: core + name: id normalize: [] original_fieldset: user - short: Name of the directory the user is a member of. + short: Unique identifier of the user. type: keyword -process.entry_leader.attested_user.email: - dashed_name: process-entry-leader-attested-user-email - description: User email address. - flat_name: process.entry_leader.attested_user.email +process.entry_leader.attested_user.name: + dashed_name: process-entry-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.attested_user.name ignore_above: 1024 - level: extended - name: email + level: core + multi_fields: + - flat_name: process.entry_leader.attested_user.name.text + name: text + type: match_only_text + name: name normalize: [] original_fieldset: user - short: User email address. + short: Short name or login of the user. type: keyword -process.entry_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. 
Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.attested_user.entity.behavior +process.entry_leader.command_line: + dashed_name: process-entry-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.command_line level: extended - name: behavior + multi_fields: + - flat_name: process.entry_leader.command_line.text + name: text + type: match_only_text + name: command_line normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.attested_user.entity.display_name + original_fieldset: process + short: Full command line that started the process. + type: wildcard +process.entry_leader.entity_id: + dashed_name: process-entry-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.entity_id ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name + name: entity_id normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. + original_fieldset: process + short: Unique identifier for the process. type: keyword -process.entry_leader.attested_user.entity.id: - dashed_name: process-entry-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). 
For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.attested_user.entity.id - ignore_above: 1024 +process.entry_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.entry_meta.source.ip level: core - name: id + name: ip normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. + original_fieldset: source + short: IP address of the source. + type: ip +process.entry_leader.entry_meta.type: + dashed_name: process-entry-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.entry_meta.type + ignore_above: 1024 + level: extended + name: entry_meta.type + normalize: [] + original_fieldset: process + short: The entry type for the entry session leader. type: keyword -process.entry_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.attested_user.entity.last_seen_timestamp +process.entry_leader.executable: + dashed_name: process-entry-leader-executable + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + flat_name: process.entry_leader.executable + ignore_above: 1024 level: extended - name: last_seen_timestamp + multi_fields: + - flat_name: process.entry_leader.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.attested_user.entity.lifecycle + original_fieldset: process + short: Absolute path to the process executable. + type: keyword +process.entry_leader.group.id: + dashed_name: process-entry-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.group.id + ignore_above: 1024 level: extended - name: lifecycle + name: id normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.attested_user.entity.metrics + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.entry_leader.group.name: + dashed_name: process-entry-leader-group-name + description: Name of the group. 
+ flat_name: process.entry_leader.group.name + ignore_above: 1024 level: extended - name: metrics + name: name normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.attested_user.entity.name + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.interactive: + dashed_name: process-entry-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.entry_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.entry_leader.name: + dashed_name: process-entry-leader-name + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh + flat_name: process.entry_leader.name ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.entry_leader.attested_user.entity.name.text + - flat_name: process.entry_leader.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] - original_fieldset: entity - short: The name of the entity. + original_fieldset: process + short: Process name. type: keyword -process.entry_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.attested_user.entity.raw +process.entry_leader.parent.entity_id: + dashed_name: process-entry-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.entity_id + ignore_above: 1024 level: extended - name: raw + name: entity_id normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.attested_user.entity.reference + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.entry_leader.parent.pid: + dashed_name: process-entry-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.entry_leader.parent.session_leader.entity_id: + dashed_name: process-entry-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.session_leader.entity_id ignore_above: 1024 level: extended - name: reference + name: entity_id normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. + original_fieldset: process + short: Unique identifier for the process. type: keyword -process.entry_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.entry_leader.attested_user.entity.source - ignore_above: 1024 +process.entry_leader.parent.session_leader.pid: + dashed_name: process-entry-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.pid + format: string level: core - name: source + name: pid normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. + original_fieldset: process + short: Process id. + type: long +process.entry_leader.parent.session_leader.start: + dashed_name: process-entry-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.entry_leader.parent.session_leader.vpid: + dashed_name: process-entry-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.entry_leader.parent.start: + dashed_name: process-entry-leader-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.entry_leader.parent.vpid: + dashed_name: process-entry-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. 
This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.entry_leader.pid: + dashed_name: process-entry-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.entry_leader.real_group.id: + dashed_name: process-entry-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.attested_user.entity.sub_type +process.entry_leader.real_group.name: + dashed_name: process-entry-leader-real-group-name + description: Name of the group. 
+ flat_name: process.entry_leader.real_group.name ignore_above: 1024 level: extended - name: sub_type + name: name normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. + original_fieldset: group + short: Name of the group. type: keyword -process.entry_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.attested_user.entity.type +process.entry_leader.real_user.id: + dashed_name: process-entry-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.real_user.id ignore_above: 1024 level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.entry_leader.attested_user.full_name: - dashed_name: process-entry-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.attested_user.full_name +process.entry_leader.real_user.name: + dashed_name: process-entry-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.real_user.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.entry_leader.attested_user.full_name.text + - flat_name: process.entry_leader.real_user.name.text name: text type: match_only_text - name: full_name + name: name normalize: [] original_fieldset: user - short: User's full name, if available. + short: Short name or login of the user. type: keyword -process.entry_leader.attested_user.group.domain: - dashed_name: process-entry-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. +process.entry_leader.same_as_process: + dashed_name: process-entry-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.attested_user.group.domain - ignore_above: 1024 + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.same_as_process level: extended - name: domain + name: same_as_process normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.attested_user.group.id: - dashed_name: process-entry-leader-attested-user-group-id + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.entry_leader.saved_group.id: + dashed_name: process-entry-leader-saved-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.attested_user.group.id + flat_name: process.entry_leader.saved_group.id ignore_above: 1024 level: extended name: id 
@@ -12013,10 +10158,10 @@ process.entry_leader.attested_user.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.attested_user.group.name: - dashed_name: process-entry-leader-attested-user-group-name +process.entry_leader.saved_group.name: + dashed_name: process-entry-leader-saved-group-name description: Name of the group. - flat_name: process.entry_leader.attested_user.group.name + flat_name: process.entry_leader.saved_group.name ignore_above: 1024 level: extended name: name @@ -12024,26 +10169,11 @@ process.entry_leader.attested_user.group.name: original_fieldset: group short: Name of the group. type: keyword -process.entry_leader.attested_user.hash: - dashed_name: process-entry-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.attested_user.id: - dashed_name: process-entry-leader-attested-user-id +process.entry_leader.saved_user.id: + dashed_name: process-entry-leader-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.attested_user.id + flat_name: process.entry_leader.saved_user.id ignore_above: 1024 level: core name: id 
@@ -12051,15 +10181,15 @@ process.entry_leader.attested_user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.entry_leader.attested_user.name: - dashed_name: process-entry-leader-attested-user-name +process.entry_leader.saved_user.name: + dashed_name: process-entry-leader-saved-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.entry_leader.attested_user.name + flat_name: process.entry_leader.saved_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.entry_leader.attested_user.name.text + - flat_name: process.entry_leader.saved_user.name.text name: text type: match_only_text name: name 
@@ -12067,262 +10197,250 @@ process.entry_leader.attested_user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.entry_leader.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.attested_user.risk.calculated_level +process.entry_leader.start: + dashed_name: process-entry-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.entry_leader.supplemental_groups.id: + dashed_name: process-entry-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.supplemental_groups.id ignore_above: 1024 level: extended - name: calculated_level + name: id normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.attested_user.risk.calculated_score +process.entry_leader.supplemental_groups.name: + dashed_name: process-entry-leader-supplemental-groups-name + description: Name of the group. 
+ flat_name: process.entry_leader.supplemental_groups.name + ignore_above: 1024 level: extended - name: calculated_score + name: name normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.attested_user.risk.calculated_score_norm + original_fieldset: group + short: Name of the group. + type: keyword +process.entry_leader.tty: + dashed_name: process-entry-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.entry_leader.tty level: extended - name: calculated_score_norm + name: tty normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.attested_user.risk.static_level: - dashed_name: process-entry-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.entry_leader.attested_user.risk.static_score: - dashed_name: process-entry-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.attested_user.risk.static_score + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.entry_leader.tty.char_device.major: + dashed_name: process-entry-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.tty.char_device.major level: extended - name: static_score + name: tty.char_device.major normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.attested_user.risk.static_score_norm + original_fieldset: process + short: The TTY character device's major number. + type: long +process.entry_leader.tty.char_device.minor: + dashed_name: process-entry-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. 
It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.tty.char_device.minor level: extended - name: static_score_norm + name: tty.char_device.minor normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.attested_user.roles: - dashed_name: process-entry-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.attested_user.roles + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.entry_leader.user.id: + dashed_name: process-entry-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.user.id ignore_above: 1024 - level: extended - name: roles - normalize: - - array + level: core + name: id + normalize: [] original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none + short: Unique identifier of the user. type: keyword -process.entry_leader.code_signature.digest_algorithm: - dashed_name: process-entry-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.code_signature.digest_algorithm +process.entry_leader.user.name: + dashed_name: process-entry-leader-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.entry_leader.user.name ignore_above: 1024 - level: extended - name: digest_algorithm + level: core + multi_fields: + - flat_name: process.entry_leader.user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. + original_fieldset: user + short: Short name or login of the user. type: keyword -process.entry_leader.code_signature.exists: - dashed_name: process-entry-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.entry_leader.code_signature.exists +process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.entry_leader.vpid + format: string level: core - name: exists + name: vpid normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.entry_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.entry_leader.code_signature.flags + original_fieldset: process + short: Virtual process id. + type: long +process.entry_leader.working_directory: + dashed_name: process-entry-leader-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.entry_leader.working_directory ignore_above: 1024 level: extended - name: flags + multi_fields: + - flat_name: process.entry_leader.working_directory.text + name: text + type: match_only_text + name: working_directory normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process + original_fieldset: process + short: The working directory of the process. type: keyword -process.entry_leader.code_signature.signing_id: - dashed_name: process-entry-leader-code-signature-signing-id - description: 'The identifier used to sign the process. +process.env_vars: + dashed_name: process-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.code_signature.signing_id + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.env_vars ignore_above: 1024 level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + name: env_vars + normalize: + - array + short: Array of environment variable bindings. + synthetic_source_keep: none type: keyword -process.entry_leader.code_signature.status: - dashed_name: process-entry-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.code_signature.status +process.executable: + dashed_name: process-executable + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + flat_name: process.executable ignore_above: 1024 level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.entry_leader.code_signature.subject_name: - dashed_name: process-entry-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name + multi_fields: + - flat_name: process.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer + otel: + - attribute: process.executable.path + relation: equivalent + stability: development + short: Absolute path to the process executable. type: keyword -process.entry_leader.code_signature.team_id: - dashed_name: process-entry-leader-code-signature-team-id - description: 'The team identifier used to sign the process. +process.exit_code: + dashed_name: process-exit-code + description: 'The exit code of the process, if this is a termination event. - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.entry_leader.code_signature.team_id - ignore_above: 1024 + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.exit_code level: extended - name: team_id + name: exit_code normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.entry_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.code_signature.thumbprint_sha256 - ignore_above: 64 + short: The exit code of the process. + type: long +process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group.id + ignore_above: 1024 level: extended - name: thumbprint_sha256 + name: id normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.code_signature.timestamp: - dashed_name: process-entry-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.code_signature.timestamp +process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name + ignore_above: 1024 level: extended - name: timestamp + name: name normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.entry_leader.code_signature.trusted: - dashed_name: process-entry-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. + original_fieldset: group + short: Name of the group. + type: keyword +process.group_leader.args: + dashed_name: process-group-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.entry_leader.code_signature.trusted + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.group_leader.args + ignore_above: 1024 level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.entry_leader.code_signature.valid: - dashed_name: process-entry-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword +process.group_leader.args_count: + dashed_name: process-group-leader-args-count + description: 'Length of the process.args array. - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.entry_leader.code_signature.valid + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.group_leader.args_count level: extended - name: valid + name: args_count normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.entry_leader.command_line: - dashed_name: process-entry-leader-command-line + original_fieldset: process + short: Length of the process.args array. + type: long +process.group_leader.command_line: + dashed_name: process-group-leader-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' 
example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.command_line + flat_name: process.group_leader.command_line level: extended multi_fields: - - flat_name: process.entry_leader.command_line.text + - flat_name: process.group_leader.command_line.text name: text type: match_only_text name: command_line 
@@ -12330,1022 +10448,473 @@ process.entry_leader.command_line: original_fieldset: process short: Full command line that started the process. type: wildcard -process.entry_leader.elf.architecture: - dashed_name: process-entry-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.entry_leader.elf.architecture +process.group_leader.entity_id: + dashed_name: process-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.group_leader.entity_id ignore_above: 1024 level: extended - name: architecture + name: entity_id normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: process + short: Unique identifier for the process. type: keyword -process.entry_leader.elf.byte_order: - dashed_name: process-entry-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.entry_leader.elf.byte_order +process.group_leader.executable: + dashed_name: process-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.group_leader.executable ignore_above: 1024 level: extended - name: byte_order + multi_fields: + - flat_name: process.group_leader.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + original_fieldset: process + short: Absolute path to the process executable. 
type: keyword -process.entry_leader.elf.cpu_type: - dashed_name: process-entry-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.entry_leader.elf.cpu_type +process.group_leader.group.id: + dashed_name: process-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.group.id ignore_above: 1024 level: extended - name: cpu_type + name: id normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.elf.creation_date: - dashed_name: process-entry-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.entry_leader.elf.exports: - dashed_name: process-entry-leader-elf-exports - description: List of exported element names and types. - flat_name: process.entry_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.entry_leader.elf.go_import_hash: - dashed_name: process-entry-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.elf.go_import_hash +process.group_leader.group.name: + dashed_name: process-group-leader-group-name + description: Name of the group. + flat_name: process.group_leader.group.name ignore_above: 1024 level: extended - name: go_import_hash + name: name normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. + original_fieldset: group + short: Name of the group. type: keyword -process.entry_leader.elf.go_imports: - dashed_name: process-entry-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.entry_leader.elf.go_stripped: - dashed_name: process-entry-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.elf.go_stripped +process.group_leader.interactive: + dashed_name: process-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.group_leader.interactive level: extended - name: go_stripped + name: interactive normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. + original_fieldset: process + short: Whether the process is connected to an interactive shell. type: boolean -process.entry_leader.elf.header.abi_version: - dashed_name: process-entry-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.entry_leader.elf.header.class: - dashed_name: process-entry-leader-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.entry_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.entry_leader.elf.header.data: - dashed_name: process-entry-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.entry_leader.elf.header.data +process.group_leader.name: + dashed_name: process-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.group_leader.name ignore_above: 1024 level: extended - name: header.data + multi_fields: + - flat_name: process.group_leader.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + original_fieldset: process + short: Process name. type: keyword -process.entry_leader.elf.header.entrypoint: - dashed_name: process-entry-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.elf.header.entrypoint +process.group_leader.pid: + dashed_name: process-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.group_leader.pid format: string - level: extended - name: header.entrypoint + level: core + name: pid normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. + original_fieldset: process + otel: + - relation: match + stability: development + short: Process id. type: long -process.entry_leader.elf.header.object_version: - dashed_name: process-entry-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.elf.header.object_version +process.group_leader.real_group.id: + dashed_name: process-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.group_leader.real_group.id ignore_above: 1024 level: extended - name: header.object_version + name: id normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.elf.header.os_abi: - dashed_name: process-entry-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.elf.header.os_abi +process.group_leader.real_group.name: + dashed_name: process-group-leader-real-group-name + description: Name of the group. + flat_name: process.group_leader.real_group.name ignore_above: 1024 level: extended - name: header.os_abi + name: name normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. + original_fieldset: group + short: Name of the group. type: keyword -process.entry_leader.elf.header.type: - dashed_name: process-entry-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.entry_leader.elf.header.type +process.group_leader.real_user.id: + dashed_name: process-group-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.real_user.id ignore_above: 1024 - level: extended - name: header.type + level: core + name: id normalize: [] - original_fieldset: elf - short: Header type of the ELF file. + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.entry_leader.elf.header.version: - dashed_name: process-entry-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.entry_leader.elf.header.version +process.group_leader.real_user.name: + dashed_name: process-group-leader-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.group_leader.real_user.name ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.entry_leader.elf.import_hash: - dashed_name: process-entry-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash + level: core + multi_fields: + - flat_name: process.group_leader.real_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. + original_fieldset: user + short: Short name or login of the user. type: keyword -process.entry_leader.elf.imports: - dashed_name: process-entry-leader-elf-imports - description: List of imported element names and types. - flat_name: process.entry_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.entry_leader.elf.imports_names_entropy: - dashed_name: process-entry-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. 
- type: long -process.entry_leader.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.elf.sections: - dashed_name: process-entry-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. +process.group_leader.same_as_process: + dashed_name: process-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.entry_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.entry_leader.elf.sections.chi2: - dashed_name: process-entry-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.entry_leader.elf.sections.entropy: - dashed_name: process-entry-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.elf.sections.entropy - format: number + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. 
Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.group_leader.same_as_process level: extended - name: sections.entropy + name: same_as_process normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.entry_leader.elf.sections.flags: - dashed_name: process-entry-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.entry_leader.elf.sections.flags + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.group_leader.saved_group.id: + dashed_name: process-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.saved_group.id ignore_above: 1024 level: extended - name: sections.flags + name: id normalize: [] - original_fieldset: elf - short: ELF Section List flags. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.elf.sections.name: - dashed_name: process-entry-leader-elf-sections-name - description: ELF Section List name. 
- flat_name: process.entry_leader.elf.sections.name +process.group_leader.saved_group.name: + dashed_name: process-group-leader-saved-group-name + description: Name of the group. + flat_name: process.group_leader.saved_group.name ignore_above: 1024 level: extended - name: sections.name + name: name normalize: [] - original_fieldset: elf - short: ELF Section List name. + original_fieldset: group + short: Name of the group. type: keyword -process.entry_leader.elf.sections.physical_offset: - dashed_name: process-entry-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.entry_leader.elf.sections.physical_offset +process.group_leader.saved_user.id: + dashed_name: process-group-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.saved_user.id ignore_above: 1024 - level: extended - name: sections.physical_offset + level: core + name: id normalize: [] - original_fieldset: elf - short: ELF Section List offset. + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.entry_leader.elf.sections.physical_size: - dashed_name: process-entry-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.entry_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.entry_leader.elf.sections.type: - dashed_name: process-entry-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.entry_leader.elf.sections.type +process.group_leader.saved_user.name: + dashed_name: process-group-leader-saved-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.group_leader.saved_user.name ignore_above: 1024 - level: extended - name: sections.type + level: core + multi_fields: + - flat_name: process.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: ELF Section List type. + original_fieldset: user + short: Short name or login of the user. type: keyword -process.entry_leader.elf.sections.var_entropy: - dashed_name: process-entry-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.elf.sections.virtual_address: - dashed_name: process-entry-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.entry_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.entry_leader.elf.sections.virtual_size: - dashed_name: process-entry-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.entry_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.entry_leader.elf.segments: - dashed_name: process-entry-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' 
- flat_name: process.entry_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.entry_leader.elf.segments.sections: - dashed_name: process-entry-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.entry_leader.elf.segments.sections - ignore_above: 1024 +process.group_leader.start: + dashed_name: process-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.start level: extended - name: segments.sections + name: start normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.entry_leader.elf.segments.type: - dashed_name: process-entry-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.entry_leader.elf.segments.type + original_fieldset: process + short: The time the process started. + type: date +process.group_leader.supplemental_groups.id: + dashed_name: process-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.supplemental_groups.id ignore_above: 1024 level: extended - name: segments.type + name: id normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.entry_leader.elf.shared_libraries: - dashed_name: process-entry-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
type: keyword -process.entry_leader.elf.telfhash: - dashed_name: process-entry-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.elf.telfhash +process.group_leader.supplemental_groups.name: + dashed_name: process-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.group_leader.supplemental_groups.name ignore_above: 1024 level: extended - name: telfhash + name: name normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. + original_fieldset: group + short: Name of the group. type: keyword -process.entry_leader.end: - dashed_name: process-entry-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.end +process.group_leader.tty: + dashed_name: process-group-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.group_leader.tty level: extended - name: end + name: tty normalize: [] original_fieldset: process - short: The time the process ended. - type: date -process.entry_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.endpoint_security_client + short: Information about the controlling TTY device. + type: object +process.group_leader.tty.char_device.major: + dashed_name: process-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". 
+ For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.group_leader.tty.char_device.major level: extended - name: endpoint_security_client + name: tty.char_device.major normalize: [] original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.entry_leader.entity_id: - dashed_name: process-entry-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.entity_id - ignore_above: 1024 + short: The TTY character device's major number. + type: long +process.group_leader.tty.char_device.minor: + dashed_name: process-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.group_leader.tty.char_device.minor level: extended - name: entity_id + name: tty.char_device.minor normalize: [] original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.entry_leader.entry_meta.source.address: - dashed_name: process-entry-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. 
You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.entry_leader.entry_meta.source.address + short: The TTY character device's minor number. + type: long +process.group_leader.user.id: + dashed_name: process-group-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.user.id ignore_above: 1024 - level: extended - name: address + level: core + name: id normalize: [] - original_fieldset: source - short: Source network address. + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.entry_leader.entry_meta.source.as.number: - dashed_name: process-entry-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.entry_leader.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.entry_leader.entry_meta.source.as.organization.name +process.group_leader.user.name: + dashed_name: process-group-leader-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.group_leader.user.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.entry_leader.entry_meta.source.as.organization.name.text + - flat_name: process.group_leader.user.name.text name: text type: match_only_text - name: organization.name + name: name normalize: [] - original_fieldset: as - short: Organization name. + original_fieldset: user + short: Short name or login of the user. type: keyword -process.entry_leader.entry_meta.source.bytes: - dashed_name: process-entry-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.entry_meta.source.bytes - format: bytes +process.group_leader.vpid: + dashed_name: process-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.group_leader.vpid + format: string level: core - name: bytes + name: vpid normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. + original_fieldset: process + short: Virtual process id. type: long -process.entry_leader.entry_meta.source.domain: - dashed_name: process-entry-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.entry_leader.entry_meta.source.domain +process.group_leader.working_directory: + dashed_name: process-group-leader-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.group_leader.working_directory ignore_above: 1024 - level: core - name: domain + level: extended + multi_fields: + - flat_name: process.group_leader.working_directory.text + name: text + type: match_only_text + name: working_directory normalize: [] - original_fieldset: source - short: The domain name of the source. + original_fieldset: process + short: The working directory of the process. type: keyword -process.entry_leader.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.entry_meta.source.geo.city_name +process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash ignore_above: 1024 - level: core - name: city_name + level: extended + name: cdhash normalize: [] - original_fieldset: geo - short: City name. + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. type: keyword -process.entry_leader.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_leader.entry_meta.source.geo.continent_code +process.hash.md5: + dashed_name: process-hash-md5 + description: MD5 hash. + flat_name: process.hash.md5 ignore_above: 1024 - level: core - name: continent_code + level: extended + name: md5 normalize: [] - original_fieldset: geo - short: Continent code. + original_fieldset: hash + short: MD5 hash. 
type: keyword -process.entry_leader.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.entry_meta.source.geo.continent_name +process.hash.sha1: + dashed_name: process-hash-sha1 + description: SHA1 hash. + flat_name: process.hash.sha1 ignore_above: 1024 - level: core - name: continent_name + level: extended + name: sha1 normalize: [] - original_fieldset: geo - short: Name of the continent. + original_fieldset: hash + short: SHA1 hash. type: keyword -process.entry_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.entry_meta.source.geo.country_iso_code +process.hash.sha256: + dashed_name: process-hash-sha256 + description: SHA256 hash. + flat_name: process.hash.sha256 ignore_above: 1024 - level: core - name: country_iso_code + level: extended + name: sha256 normalize: [] - original_fieldset: geo - short: Country ISO code. + original_fieldset: hash + short: SHA256 hash. type: keyword -process.entry_leader.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.entry_meta.source.geo.country_name +process.hash.sha384: + dashed_name: process-hash-sha384 + description: SHA384 hash. + flat_name: process.hash.sha384 ignore_above: 1024 - level: core - name: country_name + level: extended + name: sha384 normalize: [] - original_fieldset: geo - short: Country name. + original_fieldset: hash + short: SHA384 hash. type: keyword -process.entry_leader.entry_meta.source.geo.location: - dashed_name: process-entry-leader-entry-meta-source-geo-location - description: Longitude and latitude. 
- example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.entry_leader.entry_meta.source.geo.name: - dashed_name: process-entry-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.entry_meta.source.geo.name +process.hash.sha512: + dashed_name: process-hash-sha512 + description: SHA512 hash. + flat_name: process.hash.sha512 ignore_above: 1024 level: extended - name: name + name: sha512 normalize: [] - original_fieldset: geo - short: User-defined description of a location. + original_fieldset: hash + short: SHA512 hash. type: keyword -process.entry_leader.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_leader.entry_meta.source.geo.postal_code +process.hash.ssdeep: + dashed_name: process-hash-ssdeep + description: SSDEEP hash. + flat_name: process.hash.ssdeep ignore_above: 1024 - level: core - name: postal_code + level: extended + name: ssdeep normalize: [] - original_fieldset: geo - short: Postal code. + original_fieldset: hash + short: SSDEEP hash. type: keyword -process.entry_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. 
- example: CA-QC - flat_name: process.entry_leader.entry_meta.source.geo.region_iso_code +process.hash.tlsh: + dashed_name: process-hash-tlsh + description: TLSH hash. + flat_name: process.hash.tlsh ignore_above: 1024 - level: core - name: region_iso_code + level: extended + name: tlsh normalize: [] - original_fieldset: geo - short: Region ISO code. + original_fieldset: hash + short: TLSH hash. type: keyword -process.entry_leader.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.entry_leader.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.entry_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.entry_leader.entry_meta.source.mac: - dashed_name: process-entry-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' 
- example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.entry_leader.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.entry_leader.entry_meta.source.nat.port: - dashed_name: process-entry-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.entry_leader.entry_meta.source.packets: - dashed_name: process-entry-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.entry_leader.entry_meta.source.port: - dashed_name: process-entry-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. 
- type: long -process.entry_leader.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.entry_leader.entry_meta.source.subdomain: - dashed_name: process-entry-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.entry_leader.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. 
For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.entry_leader.entry_meta.type: - dashed_name: process-entry-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.entry_leader.env_vars: - dashed_name: process-entry-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.entry_leader.executable: - dashed_name: process-entry-leader-executable - description: Absolute path to the process executable. 
- example: /usr/bin/ssh - flat_name: process.entry_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.entry_leader.exit_code: - dashed_name: process-entry-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.entry_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.entry_leader.group.domain: - dashed_name: process-entry-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.group.id: - dashed_name: process-entry-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.group.name: - dashed_name: process-entry-leader-group-name - description: Name of the group. - flat_name: process.entry_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.hash.cdhash: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.entry_leader.hash.md5: - dashed_name: process-entry-leader-hash-md5 - description: MD5 hash. - flat_name: process.entry_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.entry_leader.hash.sha1: - dashed_name: process-entry-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.entry_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.entry_leader.hash.sha256: - dashed_name: process-entry-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.entry_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.entry_leader.hash.sha384: - dashed_name: process-entry-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.entry_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.entry_leader.hash.sha512: - dashed_name: process-entry-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.entry_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.entry_leader.hash.ssdeep: - dashed_name: process-entry-leader-hash-ssdeep - description: SSDEEP hash. 
- flat_name: process.entry_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.entry_leader.hash.tlsh: - dashed_name: process-entry-leader-hash-tlsh - description: TLSH hash. - flat_name: process.entry_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.entry_leader.interactive: - dashed_name: process-entry-leader-interactive +process.interactive: + dashed_name: process-interactive description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the 
@@ -13358,126 +10927,119 @@ process.entry_leader.interactive: is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true - flat_name: process.entry_leader.interactive + flat_name: process.interactive level: extended name: interactive normalize: [] - original_fieldset: process + otel: + - relation: match + stability: development short: Whether the process is connected to an interactive shell. type: boolean -process.entry_leader.io: - dashed_name: process-entry-leader-io +process.io: + dashed_name: process-io description: 'A chunk of input or output (IO) from a single process. This field only appears on the top level process object, which is the process that wrote the output or read the input.' - flat_name: process.entry_leader.io + flat_name: process.io level: extended name: io normalize: [] - original_fieldset: process short: A chunk of input or output (IO) from a single process. type: object -process.entry_leader.io.bytes_skipped: - dashed_name: process-entry-leader-io-bytes-skipped +process.io.bytes_skipped: + dashed_name: process-io-bytes-skipped description: An array of byte offsets and lengths denoting where IO data has been skipped. - flat_name: process.entry_leader.io.bytes_skipped + flat_name: process.io.bytes_skipped level: extended name: io.bytes_skipped normalize: - array - original_fieldset: process short: An array of byte offsets and lengths denoting where IO data has been skipped. type: object -process.entry_leader.io.bytes_skipped.length: - dashed_name: process-entry-leader-io-bytes-skipped-length +process.io.bytes_skipped.length: + dashed_name: process-io-bytes-skipped-length description: The length of bytes skipped. - flat_name: process.entry_leader.io.bytes_skipped.length + flat_name: process.io.bytes_skipped.length level: extended name: io.bytes_skipped.length normalize: [] - original_fieldset: process short: The length of bytes skipped. 
type: long -process.entry_leader.io.bytes_skipped.offset: - dashed_name: process-entry-leader-io-bytes-skipped-offset +process.io.bytes_skipped.offset: + dashed_name: process-io-bytes-skipped-offset description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. - flat_name: process.entry_leader.io.bytes_skipped.offset + flat_name: process.io.bytes_skipped.offset level: extended name: io.bytes_skipped.offset normalize: [] - original_fieldset: process short: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. type: long -process.entry_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-io-max-bytes-per-process-exceeded +process.io.max_bytes_per_process_exceeded: + dashed_name: process-io-max-bytes-per-process-exceeded description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. - flat_name: process.entry_leader.io.max_bytes_per_process_exceeded + flat_name: process.io.max_bytes_per_process_exceeded level: extended name: io.max_bytes_per_process_exceeded normalize: [] - original_fieldset: process short: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting. type: boolean -process.entry_leader.io.text: - dashed_name: process-entry-leader-io-text +process.io.text: + dashed_name: process-io-text description: 'A chunk of output or input sanitized to UTF-8. Best efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.' 
- flat_name: process.entry_leader.io.text + flat_name: process.io.text level: extended name: io.text normalize: [] - original_fieldset: process short: A chunk of output or input sanitized to UTF-8. type: wildcard -process.entry_leader.io.total_bytes_captured: - dashed_name: process-entry-leader-io-total-bytes-captured +process.io.total_bytes_captured: + dashed_name: process-io-total-bytes-captured description: The total number of bytes captured in this event. - flat_name: process.entry_leader.io.total_bytes_captured + flat_name: process.io.total_bytes_captured level: extended name: io.total_bytes_captured normalize: [] - original_fieldset: process short: The total number of bytes captured in this event. type: long -process.entry_leader.io.total_bytes_skipped: - dashed_name: process-entry-leader-io-total-bytes-skipped +process.io.total_bytes_skipped: + dashed_name: process-io-total-bytes-skipped description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero - flat_name: process.entry_leader.io.total_bytes_skipped + flat_name: process.io.total_bytes_skipped level: extended name: io.total_bytes_skipped normalize: [] - original_fieldset: process short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. type: long -process.entry_leader.io.type: - dashed_name: process-entry-leader-io-type +process.io.type: + dashed_name: process-io-type description: 'The type of object on which the IO action (read or write) was taken. Currently only ''tty'' is supported. Other types may be added in the future for ''file'' and ''socket'' support.' - flat_name: process.entry_leader.io.type + flat_name: process.io.type ignore_above: 1024 level: extended name: io.type normalize: [] - original_fieldset: process short: The type of object on which the IO action (read or write) was taken. 
type: keyword -process.entry_leader.macho.go_import_hash: - dashed_name: process-entry-leader-macho-go-import-hash +process.macho.go_import_hash: + dashed_name: process-macho-go-import-hash description: 'A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change @@ -13486,7 +11048,7 @@ process.entry_leader.macho.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.macho.go_import_hash + flat_name: process.macho.go_import_hash ignore_above: 1024 level: extended name: go_import_hash @@ -13494,20 +11056,20 @@ process.entry_leader.macho.go_import_hash: original_fieldset: macho short: A hash of the Go language imports in a Mach-O file. type: keyword -process.entry_leader.macho.go_imports: - dashed_name: process-entry-leader-macho-go-imports +process.macho.go_imports: + dashed_name: process-macho-go-imports description: List of imported Go language element names and types. - flat_name: process.entry_leader.macho.go_imports + flat_name: process.macho.go_imports level: extended name: go_imports normalize: [] original_fieldset: macho short: List of imported Go language element names and types. type: flattened -process.entry_leader.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-macho-go-imports-names-entropy +process.macho.go_imports_names_entropy: + dashed_name: process-macho-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.macho.go_imports_names_entropy + flat_name: process.macho.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy 
@@ -13515,10 +11077,10 @@ process.entry_leader.macho.go_imports_names_entropy: original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-macho-go-imports-names-var-entropy +process.macho.go_imports_names_var_entropy: + dashed_name: process-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.macho.go_imports_names_var_entropy + flat_name: process.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -13526,26 +11088,26 @@ process.entry_leader.macho.go_imports_names_var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.macho.go_stripped: - dashed_name: process-entry-leader-macho-go-stripped +process.macho.go_stripped: + dashed_name: process-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.macho.go_stripped + flat_name: process.macho.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.entry_leader.macho.import_hash: - dashed_name: process-entry-leader-macho-import-hash +process.macho.import_hash: + dashed_name: process-macho-import-hash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.macho.import_hash + flat_name: process.macho.import_hash ignore_above: 1024 level: extended name: import_hash @@ -13553,10 +11115,10 @@ process.entry_leader.macho.import_hash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.entry_leader.macho.imports: - dashed_name: process-entry-leader-macho-imports +process.macho.imports: + dashed_name: process-macho-imports description: List of imported element names and types. - flat_name: process.entry_leader.macho.imports + flat_name: process.macho.imports level: extended name: imports normalize: 
@@ -13564,11 +11126,11 @@ process.entry_leader.macho.imports: original_fieldset: macho short: List of imported element names and types. type: flattened -process.entry_leader.macho.imports_names_entropy: - dashed_name: process-entry-leader-macho-imports-names-entropy +process.macho.imports_names_entropy: + dashed_name: process-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.macho.imports_names_entropy + flat_name: process.macho.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -13576,11 +11138,11 @@ process.entry_leader.macho.imports_names_entropy: original_fieldset: macho short: Shannon entropy calculation from the list of imported element names and types. type: long -process.entry_leader.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-macho-imports-names-var-entropy +process.macho.imports_names_var_entropy: + dashed_name: process-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.macho.imports_names_var_entropy + flat_name: process.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -13589,13 +11151,13 @@ process.entry_leader.macho.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.entry_leader.macho.sections: - dashed_name: process-entry-leader-macho-sections +process.macho.sections: + dashed_name: process-macho-sections description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' - flat_name: process.entry_leader.macho.sections + flat_name: process.macho.sections level: extended name: sections normalize: 
@@ -13603,10 +11165,10 @@ process.entry_leader.macho.sections: original_fieldset: macho short: Section information of the Mach-O file. type: nested -process.entry_leader.macho.sections.entropy: - dashed_name: process-entry-leader-macho-sections-entropy +process.macho.sections.entropy: + dashed_name: process-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.macho.sections.entropy + flat_name: process.macho.sections.entropy format: number level: extended name: sections.entropy @@ -13614,10 +11176,10 @@ process.entry_leader.macho.sections.entropy: original_fieldset: macho short: Shannon entropy calculation from the section. type: long -process.entry_leader.macho.sections.name: - dashed_name: process-entry-leader-macho-sections-name +process.macho.sections.name: + dashed_name: process-macho-sections-name description: Mach-O Section List name. - flat_name: process.entry_leader.macho.sections.name + flat_name: process.macho.sections.name ignore_above: 1024 level: extended name: sections.name @@ -13625,10 +11187,10 @@ process.entry_leader.macho.sections.name: original_fieldset: macho short: Mach-O Section List name. type: keyword -process.entry_leader.macho.sections.physical_size: - dashed_name: process-entry-leader-macho-sections-physical-size +process.macho.sections.physical_size: + dashed_name: process-macho-sections-physical-size description: Mach-O Section List physical size. - flat_name: process.entry_leader.macho.sections.physical_size + flat_name: process.macho.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -13636,10 +11198,10 @@ process.entry_leader.macho.sections.physical_size: original_fieldset: macho short: Mach-O Section List physical size. type: long -process.entry_leader.macho.sections.var_entropy: - dashed_name: process-entry-leader-macho-sections-var-entropy +process.macho.sections.var_entropy: + dashed_name: process-macho-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.macho.sections.var_entropy + flat_name: process.macho.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -13647,10 +11209,10 @@ process.entry_leader.macho.sections.var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the section. type: long -process.entry_leader.macho.sections.virtual_size: - dashed_name: process-entry-leader-macho-sections-virtual-size +process.macho.sections.virtual_size: + dashed_name: process-macho-sections-virtual-size description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.macho.sections.virtual_size + flat_name: process.macho.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -13658,15 +11220,15 @@ process.entry_leader.macho.sections.virtual_size: original_fieldset: macho short: Mach-O Section List virtual size. This is always the same as `physical_size`. type: long -process.entry_leader.macho.symhash: - dashed_name: process-entry-leader-macho-symhash +process.macho.symhash: + dashed_name: process-macho-symhash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.macho.symhash + flat_name: process.macho.symhash ignore_above: 1024 level: extended name: symhash 
@@ -13674,58 +11236,31 @@ process.entry_leader.macho.symhash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.entry_leader.name: - dashed_name: process-entry-leader-name +process.name: + dashed_name: process-name description: 'Process name. Sometimes called program name or similar.' example: ssh - flat_name: process.entry_leader.name + flat_name: process.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.name.text + - flat_name: process.name.text name: text type: match_only_text name: name normalize: [] - original_fieldset: process short: Process name. type: keyword -process.entry_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.entry_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.entry_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.entry_leader.parent.args: - dashed_name: process-entry-leader-parent-args +process.parent.args: + dashed_name: process-parent-args description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' 
example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.entry_leader.parent.args + flat_name: process.parent.args ignore_above: 1024 level: extended name: args 
@@ -13734,662 +11269,165 @@ process.entry_leader.parent.args: original_fieldset: process short: Array of process arguments. type: keyword -process.entry_leader.parent.args_count: - dashed_name: process-entry-leader-parent-args-count +process.parent.args_count: + dashed_name: process-parent-args-count description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 - flat_name: process.entry_leader.parent.args_count + flat_name: process.parent.args_count level: extended name: args_count normalize: [] original_fieldset: process short: Length of the process.args array. type: long -process.entry_leader.parent.attested_groups.domain: - dashed_name: process-entry-leader-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. +process.parent.code_signature.digest_algorithm: + dashed_name: process-parent-code-signature-digest-algorithm + description: 'The hashing algorithm used to sign the process. - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.attested_groups.domain + This value can distinguish signatures when a file is signed multiple times by + the same signer but with a different digest algorithm.' + example: sha256 + flat_name: process.parent.code_signature.digest_algorithm ignore_above: 1024 level: extended - name: domain + name: digest_algorithm normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + original_fieldset: code_signature + short: Hashing algorithm used to sign the process. type: keyword -process.entry_leader.parent.attested_groups.id: - dashed_name: process-entry-leader-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.entry_leader.parent.attested_groups.id +process.parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.parent.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags ignore_above: 1024 level: extended - name: id + name: flags normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: code_signature + short: Code signing flags of the process type: keyword -process.entry_leader.parent.attested_groups.name: - dashed_name: process-entry-leader-parent-attested-groups-name - description: Name of the group. - flat_name: process.entry_leader.parent.attested_groups.name +process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id ignore_above: 1024 level: extended - name: name + name: signing_id normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: code_signature + short: The identifier used to sign the process. type: keyword -process.entry_leader.parent.attested_user.domain: - dashed_name: process-entry-leader-parent-attested-user-domain - description: 'Name of the directory the user is a member of. 
+process.parent.code_signature.status: + dashed_name: process-parent-code-signature-status + description: 'Additional information about the certificate status. - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.attested_user.domain + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.code_signature.status ignore_above: 1024 level: extended - name: domain + name: status normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. + original_fieldset: code_signature + short: Additional information about the certificate status. type: keyword -process.entry_leader.parent.attested_user.email: - dashed_name: process-entry-leader-parent-attested-user-email - description: User email address. - flat_name: process.entry_leader.parent.attested_user.email +process.parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id ignore_above: 1024 level: extended - name: email + name: team_id normalize: [] - original_fieldset: user - short: User email address. + original_fieldset: code_signature + short: The team identifier used to sign the process. 
type: keyword -process.entry_leader.parent.attested_user.entity.attributes: +process.parent.code_signature.thumbprint_sha256: beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.parent.attested_user.entity.attributes + dashed_name: process-parent-code-signature-thumbprint-sha256 + description: Certificate SHA256 hash that uniquely identifies the code signer. + example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b + flat_name: process.parent.code_signature.thumbprint_sha256 + ignore_above: 64 level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.parent.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.parent.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. 
- type: object -process.entry_leader.parent.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.parent.attested_user.entity.id: - dashed_name: process-entry-leader-parent-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.parent.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.parent.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.parent.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.parent.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.parent.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.parent.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-name - description: The name of the entity. 
The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.parent.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.parent.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.parent.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.parent.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. 
- type: keyword -process.entry_leader.parent.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.parent.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.parent.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.parent.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. 
This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.attested_user.full_name: - dashed_name: process-entry-leader-parent-attested-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.entry_leader.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.attested_user.group.domain: - dashed_name: process-entry-leader-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.attested_user.group.id: - dashed_name: process-entry-leader-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.attested_user.group.name: - dashed_name: process-entry-leader-parent-attested-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.attested_user.hash: - dashed_name: process-entry-leader-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.entry_leader.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.attested_user.id: - dashed_name: process-entry-leader-parent-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.attested_user.name: - dashed_name: process-entry-leader-parent-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.entry_leader.parent.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.attested_user.risk.static_level: - dashed_name: process-entry-leader-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.entry_leader.parent.attested_user.risk.static_score: - dashed_name: process-entry-leader-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.attested_user.roles: - dashed_name: process-entry-leader-parent-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.code_signature.digest_algorithm: - dashed_name: process-entry-leader-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. 
- - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.entry_leader.parent.code_signature.exists: - dashed_name: process-entry-leader-parent-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.entry_leader.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.entry_leader.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.entry_leader.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.entry_leader.parent.code_signature.signing_id: - dashed_name: process-entry-leader-parent-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. 
- type: keyword -process.entry_leader.parent.code_signature.status: - dashed_name: process-entry-leader-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.entry_leader.parent.code_signature.subject_name: - dashed_name: process-entry-leader-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.entry_leader.parent.code_signature.team_id: - dashed_name: process-entry-leader-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.entry_leader.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.entry_leader.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.parent.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 + name: thumbprint_sha256 normalize: [] original_fieldset: code_signature pattern: ^[0-9a-f]{64}$ short: SHA256 hash of the certificate. type: keyword -process.entry_leader.parent.code_signature.timestamp: - dashed_name: process-entry-leader-parent-code-signature-timestamp +process.parent.code_signature.timestamp: + dashed_name: process-parent-code-signature-timestamp description: Date and time when the code signature was generated and signed. example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.parent.code_signature.timestamp + flat_name: process.parent.code_signature.timestamp level: extended name: timestamp normalize: [] original_fieldset: code_signature short: When the signature was generated and signed. type: date -process.entry_leader.parent.code_signature.trusted: - dashed_name: process-entry-leader-parent-code-signature-trusted +process.parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' - flat_name: process.entry_leader.parent.code_signature.trusted + flat_name: process.parent.code_signature.trusted level: extended name: trusted normalize: [] original_fieldset: code_signature short: Stores the trust status of the certificate chain. type: boolean -process.entry_leader.parent.code_signature.valid: - dashed_name: process-entry-leader-parent-code-signature-valid +process.parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid description: 'Boolean to capture if the digital signature is verified against the binary content. 
Leave unpopulated if a certificate was unchecked.' example: 'true' - flat_name: process.entry_leader.parent.code_signature.valid + flat_name: process.parent.code_signature.valid level: extended name: valid normalize: [] @@ -14397,17 +11435,17 @@ process.entry_leader.parent.code_signature.valid: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean -process.entry_leader.parent.command_line: - dashed_name: process-entry-leader-parent-command-line +process.parent.command_line: + dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.parent.command_line + flat_name: process.parent.command_line level: extended multi_fields: - - flat_name: process.entry_leader.parent.command_line.text + - flat_name: process.parent.command_line.text name: text type: match_only_text name: command_line @@ -14415,11 +11453,11 @@ process.entry_leader.parent.command_line: original_fieldset: process short: Full command line that started the process. type: wildcard -process.entry_leader.parent.elf.architecture: - dashed_name: process-entry-leader-parent-elf-architecture +process.parent.elf.architecture: + dashed_name: process-parent-elf-architecture description: Machine architecture of the ELF file. example: x86-64 - flat_name: process.entry_leader.parent.elf.architecture + flat_name: process.parent.elf.architecture ignore_above: 1024 level: extended name: architecture 
@@ -14427,11 +11465,11 @@ process.entry_leader.parent.elf.architecture: original_fieldset: elf short: Machine architecture of the ELF file. type: keyword -process.entry_leader.parent.elf.byte_order: - dashed_name: process-entry-leader-parent-elf-byte-order +process.parent.elf.byte_order: + dashed_name: process-parent-elf-byte-order description: Byte sequence of ELF file. example: Little Endian - flat_name: process.entry_leader.parent.elf.byte_order + flat_name: process.parent.elf.byte_order ignore_above: 1024 level: extended name: byte_order @@ -14439,11 +11477,11 @@ process.entry_leader.parent.elf.byte_order: original_fieldset: elf short: Byte sequence of ELF file. type: keyword -process.entry_leader.parent.elf.cpu_type: - dashed_name: process-entry-leader-parent-elf-cpu-type +process.parent.elf.cpu_type: + dashed_name: process-parent-elf-cpu-type description: CPU type of the ELF file. example: Intel - flat_name: process.entry_leader.parent.elf.cpu_type + flat_name: process.parent.elf.cpu_type ignore_above: 1024 level: extended name: cpu_type 
@@ -14451,21 +11489,21 @@ process.entry_leader.parent.elf.cpu_type: original_fieldset: elf short: CPU type of the ELF file. type: keyword -process.entry_leader.parent.elf.creation_date: - dashed_name: process-entry-leader-parent-elf-creation-date +process.parent.elf.creation_date: + dashed_name: process-parent-elf-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.parent.elf.creation_date + flat_name: process.parent.elf.creation_date level: extended name: creation_date normalize: [] original_fieldset: elf short: Build or compile date. type: date -process.entry_leader.parent.elf.exports: - dashed_name: process-entry-leader-parent-elf-exports +process.parent.elf.exports: + dashed_name: process-parent-elf-exports description: List of exported element names and types. - flat_name: process.entry_leader.parent.elf.exports + flat_name: process.parent.elf.exports level: extended name: exports normalize: @@ -14473,8 +11511,8 @@ process.entry_leader.parent.elf.exports: original_fieldset: elf short: List of exported element names and types. type: flattened -process.entry_leader.parent.elf.go_import_hash: - dashed_name: process-entry-leader-parent-elf-go-import-hash +process.parent.elf.go_import_hash: + dashed_name: process-parent-elf-go-import-hash description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change 
@@ -14483,7 +11521,7 @@ process.entry_leader.parent.elf.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.elf.go_import_hash + flat_name: process.parent.elf.go_import_hash ignore_above: 1024 level: extended name: go_import_hash @@ -14491,20 +11529,20 @@ process.entry_leader.parent.elf.go_import_hash: original_fieldset: elf short: A hash of the Go language imports in an ELF file. type: keyword -process.entry_leader.parent.elf.go_imports: - dashed_name: process-entry-leader-parent-elf-go-imports +process.parent.elf.go_imports: + dashed_name: process-parent-elf-go-imports description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.elf.go_imports + flat_name: process.parent.elf.go_imports level: extended name: go_imports normalize: [] original_fieldset: elf short: List of imported Go language element names and types. type: flattened -process.entry_leader.parent.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-elf-go-imports-names-entropy +process.parent.elf.go_imports_names_entropy: + dashed_name: process-parent-elf-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.elf.go_imports_names_entropy + flat_name: process.parent.elf.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy 
@@ -14512,10 +11550,10 @@ process.entry_leader.parent.elf.go_imports_names_entropy: original_fieldset: elf short: Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.parent.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-elf-go-imports-names-var-entropy +process.parent.elf.go_imports_names_var_entropy: + dashed_name: process-parent-elf-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.elf.go_imports_names_var_entropy + flat_name: process.parent.elf.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy @@ -14523,21 +11561,21 @@ process.entry_leader.parent.elf.go_imports_names_var_entropy: original_fieldset: elf short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.parent.elf.go_stripped: - dashed_name: process-entry-leader-parent-elf-go-stripped +process.parent.elf.go_stripped: + dashed_name: process-parent-elf-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.elf.go_stripped + flat_name: process.parent.elf.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: elf short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.entry_leader.parent.elf.header.abi_version: - dashed_name: process-entry-leader-parent-elf-header-abi-version +process.parent.elf.header.abi_version: + dashed_name: process-parent-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.parent.elf.header.abi_version + flat_name: process.parent.elf.header.abi_version ignore_above: 1024 level: extended name: header.abi_version 
@@ -14545,10 +11583,10 @@ process.entry_leader.parent.elf.header.abi_version: original_fieldset: elf short: Version of the ELF Application Binary Interface (ABI). type: keyword -process.entry_leader.parent.elf.header.class: - dashed_name: process-entry-leader-parent-elf-header-class +process.parent.elf.header.class: + dashed_name: process-parent-elf-header-class description: Header class of the ELF file. - flat_name: process.entry_leader.parent.elf.header.class + flat_name: process.parent.elf.header.class ignore_above: 1024 level: extended name: header.class @@ -14556,10 +11594,10 @@ process.entry_leader.parent.elf.header.class: original_fieldset: elf short: Header class of the ELF file. type: keyword -process.entry_leader.parent.elf.header.data: - dashed_name: process-entry-leader-parent-elf-header-data +process.parent.elf.header.data: + dashed_name: process-parent-elf-header-data description: Data table of the ELF header. - flat_name: process.entry_leader.parent.elf.header.data + flat_name: process.parent.elf.header.data ignore_above: 1024 level: extended name: header.data @@ -14567,10 +11605,10 @@ process.entry_leader.parent.elf.header.data: original_fieldset: elf short: Data table of the ELF header. type: keyword -process.entry_leader.parent.elf.header.entrypoint: - dashed_name: process-entry-leader-parent-elf-header-entrypoint +process.parent.elf.header.entrypoint: + dashed_name: process-parent-elf-header-entrypoint description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.parent.elf.header.entrypoint + flat_name: process.parent.elf.header.entrypoint format: string level: extended name: header.entrypoint 
@@ -14578,10 +11616,10 @@ process.entry_leader.parent.elf.header.entrypoint: original_fieldset: elf short: Header entrypoint of the ELF file. type: long -process.entry_leader.parent.elf.header.object_version: - dashed_name: process-entry-leader-parent-elf-header-object-version +process.parent.elf.header.object_version: + dashed_name: process-parent-elf-header-object-version description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.parent.elf.header.object_version + flat_name: process.parent.elf.header.object_version ignore_above: 1024 level: extended name: header.object_version @@ -14589,10 +11627,10 @@ process.entry_leader.parent.elf.header.object_version: original_fieldset: elf short: '"0x1" for original ELF files.' type: keyword -process.entry_leader.parent.elf.header.os_abi: - dashed_name: process-entry-leader-parent-elf-header-os-abi +process.parent.elf.header.os_abi: + dashed_name: process-parent-elf-header-os-abi description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.parent.elf.header.os_abi + flat_name: process.parent.elf.header.os_abi ignore_above: 1024 level: extended name: header.os_abi @@ -14600,10 +11638,10 @@ process.entry_leader.parent.elf.header.os_abi: original_fieldset: elf short: Application Binary Interface (ABI) of the Linux OS. type: keyword -process.entry_leader.parent.elf.header.type: - dashed_name: process-entry-leader-parent-elf-header-type +process.parent.elf.header.type: + dashed_name: process-parent-elf-header-type description: Header type of the ELF file. - flat_name: process.entry_leader.parent.elf.header.type + flat_name: process.parent.elf.header.type ignore_above: 1024 level: extended name: header.type 
@@ -14611,10 +11649,10 @@ process.entry_leader.parent.elf.header.type: original_fieldset: elf short: Header type of the ELF file. type: keyword -process.entry_leader.parent.elf.header.version: - dashed_name: process-entry-leader-parent-elf-header-version +process.parent.elf.header.version: + dashed_name: process-parent-elf-header-version description: Version of the ELF header. - flat_name: process.entry_leader.parent.elf.header.version + flat_name: process.parent.elf.header.version ignore_above: 1024 level: extended name: header.version @@ -14622,15 +11660,15 @@ process.entry_leader.parent.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword -process.entry_leader.parent.elf.import_hash: - dashed_name: process-entry-leader-parent-elf-import-hash +process.parent.elf.import_hash: + dashed_name: process-parent-elf-import-hash description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.elf.import_hash + flat_name: process.parent.elf.import_hash ignore_above: 1024 level: extended name: import_hash @@ -14638,10 +11676,10 @@ process.entry_leader.parent.elf.import_hash: original_fieldset: elf short: A hash of the imports in an ELF file. type: keyword -process.entry_leader.parent.elf.imports: - dashed_name: process-entry-leader-parent-elf-imports +process.parent.elf.imports: + dashed_name: process-parent-elf-imports description: List of imported element names and types. - flat_name: process.entry_leader.parent.elf.imports + flat_name: process.parent.elf.imports level: extended name: imports normalize: 
@@ -14649,11 +11687,11 @@ process.entry_leader.parent.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened -process.entry_leader.parent.elf.imports_names_entropy: - dashed_name: process-entry-leader-parent-elf-imports-names-entropy +process.parent.elf.imports_names_entropy: + dashed_name: process-parent-elf-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.elf.imports_names_entropy + flat_name: process.parent.elf.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -14661,11 +11699,11 @@ process.entry_leader.parent.elf.imports_names_entropy: original_fieldset: elf short: Shannon entropy calculation from the list of imported element names and types. type: long -process.entry_leader.parent.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-elf-imports-names-var-entropy +process.parent.elf.imports_names_var_entropy: + dashed_name: process-parent-elf-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.elf.imports_names_var_entropy + flat_name: process.parent.elf.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy 
@@ -14674,13 +11712,13 @@ process.entry_leader.parent.elf.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.entry_leader.parent.elf.sections: - dashed_name: process-entry-leader-parent-elf-sections +process.parent.elf.sections: + dashed_name: process-parent-elf-sections description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' - flat_name: process.entry_leader.parent.elf.sections + flat_name: process.parent.elf.sections level: extended name: sections normalize: @@ -14688,10 +11726,10 @@ process.entry_leader.parent.elf.sections: original_fieldset: elf short: Section information of the ELF file. type: nested -process.entry_leader.parent.elf.sections.chi2: - dashed_name: process-entry-leader-parent-elf-sections-chi2 +process.parent.elf.sections.chi2: + dashed_name: process-parent-elf-sections-chi2 description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.parent.elf.sections.chi2 + flat_name: process.parent.elf.sections.chi2 format: number level: extended name: sections.chi2 @@ -14699,10 +11737,10 @@ process.entry_leader.parent.elf.sections.chi2: original_fieldset: elf short: Chi-square probability distribution of the section. type: long -process.entry_leader.parent.elf.sections.entropy: - dashed_name: process-entry-leader-parent-elf-sections-entropy +process.parent.elf.sections.entropy: + dashed_name: process-parent-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.elf.sections.entropy + flat_name: process.parent.elf.sections.entropy format: number level: extended name: sections.entropy 
@@ -14710,10 +11748,10 @@ process.entry_leader.parent.elf.sections.entropy: original_fieldset: elf short: Shannon entropy calculation from the section. type: long -process.entry_leader.parent.elf.sections.flags: - dashed_name: process-entry-leader-parent-elf-sections-flags +process.parent.elf.sections.flags: + dashed_name: process-parent-elf-sections-flags description: ELF Section List flags. - flat_name: process.entry_leader.parent.elf.sections.flags + flat_name: process.parent.elf.sections.flags ignore_above: 1024 level: extended name: sections.flags @@ -14721,10 +11759,10 @@ process.entry_leader.parent.elf.sections.flags: original_fieldset: elf short: ELF Section List flags. type: keyword -process.entry_leader.parent.elf.sections.name: - dashed_name: process-entry-leader-parent-elf-sections-name +process.parent.elf.sections.name: + dashed_name: process-parent-elf-sections-name description: ELF Section List name. - flat_name: process.entry_leader.parent.elf.sections.name + flat_name: process.parent.elf.sections.name ignore_above: 1024 level: extended name: sections.name @@ -14732,10 +11770,10 @@ process.entry_leader.parent.elf.sections.name: original_fieldset: elf short: ELF Section List name. type: keyword -process.entry_leader.parent.elf.sections.physical_offset: - dashed_name: process-entry-leader-parent-elf-sections-physical-offset +process.parent.elf.sections.physical_offset: + dashed_name: process-parent-elf-sections-physical-offset description: ELF Section List offset. - flat_name: process.entry_leader.parent.elf.sections.physical_offset + flat_name: process.parent.elf.sections.physical_offset ignore_above: 1024 level: extended name: sections.physical_offset 
@@ -14743,10 +11781,10 @@ process.entry_leader.parent.elf.sections.physical_offset: original_fieldset: elf short: ELF Section List offset. type: keyword -process.entry_leader.parent.elf.sections.physical_size: - dashed_name: process-entry-leader-parent-elf-sections-physical-size +process.parent.elf.sections.physical_size: + dashed_name: process-parent-elf-sections-physical-size description: ELF Section List physical size. - flat_name: process.entry_leader.parent.elf.sections.physical_size + flat_name: process.parent.elf.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -14754,10 +11792,10 @@ process.entry_leader.parent.elf.sections.physical_size: original_fieldset: elf short: ELF Section List physical size. type: long -process.entry_leader.parent.elf.sections.type: - dashed_name: process-entry-leader-parent-elf-sections-type +process.parent.elf.sections.type: + dashed_name: process-parent-elf-sections-type description: ELF Section List type. - flat_name: process.entry_leader.parent.elf.sections.type + flat_name: process.parent.elf.sections.type ignore_above: 1024 level: extended name: sections.type @@ -14765,10 +11803,10 @@ process.entry_leader.parent.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword -process.entry_leader.parent.elf.sections.var_entropy: - dashed_name: process-entry-leader-parent-elf-sections-var-entropy +process.parent.elf.sections.var_entropy: + dashed_name: process-parent-elf-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.elf.sections.var_entropy + flat_name: process.parent.elf.sections.var_entropy format: number level: extended name: sections.var_entropy 
@@ -14776,10 +11814,10 @@ process.entry_leader.parent.elf.sections.var_entropy: original_fieldset: elf short: Variance for Shannon entropy calculation from the section. type: long -process.entry_leader.parent.elf.sections.virtual_address: - dashed_name: process-entry-leader-parent-elf-sections-virtual-address +process.parent.elf.sections.virtual_address: + dashed_name: process-parent-elf-sections-virtual-address description: ELF Section List virtual address. - flat_name: process.entry_leader.parent.elf.sections.virtual_address + flat_name: process.parent.elf.sections.virtual_address format: string level: extended name: sections.virtual_address @@ -14787,10 +11825,10 @@ process.entry_leader.parent.elf.sections.virtual_address: original_fieldset: elf short: ELF Section List virtual address. type: long -process.entry_leader.parent.elf.sections.virtual_size: - dashed_name: process-entry-leader-parent-elf-sections-virtual-size +process.parent.elf.sections.virtual_size: + dashed_name: process-parent-elf-sections-virtual-size description: ELF Section List virtual size. - flat_name: process.entry_leader.parent.elf.sections.virtual_size + flat_name: process.parent.elf.sections.virtual_size format: string level: extended name: sections.virtual_size @@ -14798,13 +11836,13 @@ process.entry_leader.parent.elf.sections.virtual_size: original_fieldset: elf short: ELF Section List virtual size. type: long -process.entry_leader.parent.elf.segments: - dashed_name: process-entry-leader-parent-elf-segments +process.parent.elf.segments: + dashed_name: process-parent-elf-segments description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' - flat_name: process.entry_leader.parent.elf.segments + flat_name: process.parent.elf.segments level: extended name: segments normalize: 
@@ -14812,10 +11850,10 @@ process.entry_leader.parent.elf.segments: original_fieldset: elf short: ELF object segment list. type: nested -process.entry_leader.parent.elf.segments.sections: - dashed_name: process-entry-leader-parent-elf-segments-sections +process.parent.elf.segments.sections: + dashed_name: process-parent-elf-segments-sections description: ELF object segment sections. - flat_name: process.entry_leader.parent.elf.segments.sections + flat_name: process.parent.elf.segments.sections ignore_above: 1024 level: extended name: segments.sections @@ -14823,10 +11861,10 @@ process.entry_leader.parent.elf.segments.sections: original_fieldset: elf short: ELF object segment sections. type: keyword -process.entry_leader.parent.elf.segments.type: - dashed_name: process-entry-leader-parent-elf-segments-type +process.parent.elf.segments.type: + dashed_name: process-parent-elf-segments-type description: ELF object segment type. - flat_name: process.entry_leader.parent.elf.segments.type + flat_name: process.parent.elf.segments.type ignore_above: 1024 level: extended name: segments.type @@ -14834,10 +11872,10 @@ process.entry_leader.parent.elf.segments.type: original_fieldset: elf short: ELF object segment type. type: keyword -process.entry_leader.parent.elf.shared_libraries: - dashed_name: process-entry-leader-parent-elf-shared-libraries +process.parent.elf.shared_libraries: + dashed_name: process-parent-elf-shared-libraries description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.parent.elf.shared_libraries + flat_name: process.parent.elf.shared_libraries ignore_above: 1024 level: extended name: shared_libraries 
@@ -14846,10 +11884,10 @@ process.entry_leader.parent.elf.shared_libraries: original_fieldset: elf short: List of shared libraries used by this ELF object. type: keyword -process.entry_leader.parent.elf.telfhash: - dashed_name: process-entry-leader-parent-elf-telfhash +process.parent.elf.telfhash: + dashed_name: process-parent-elf-telfhash description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.parent.elf.telfhash + flat_name: process.parent.elf.telfhash ignore_above: 1024 level: extended name: telfhash @@ -14857,31 +11895,19 @@ process.entry_leader.parent.elf.telfhash: original_fieldset: elf short: telfhash hash for ELF file. type: keyword -process.entry_leader.parent.end: - dashed_name: process-entry-leader-parent-end +process.parent.end: + dashed_name: process-parent-end description: The time the process ended. example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.end + flat_name: process.parent.end level: extended name: end normalize: [] original_fieldset: process short: The time the process ended. type: date -process.entry_leader.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.entry_leader.parent.entity_id: - dashed_name: process-entry-leader-parent-entity-id +process.parent.entity_id: + dashed_name: process-parent-entity-id description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples 
@@ -14892,7 +11918,7 @@ process.entry_leader.parent.entity_id: reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d - flat_name: process.entry_leader.parent.entity_id + flat_name: process.parent.entity_id ignore_above: 1024 level: extended name: entity_id 
@@ -14900,388 +11926,15 @@ process.entry_leader.parent.entity_id: original_fieldset: process short: Unique identifier for the process. type: keyword -process.entry_leader.parent.entry_meta.source.address: - dashed_name: process-entry-leader-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.entry_leader.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.entry_leader.parent.entry_meta.source.as.number: - dashed_name: process-entry-leader-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.entry_leader.parent.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. 
- type: keyword -process.entry_leader.parent.entry_meta.source.bytes: - dashed_name: process-entry-leader-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.entry_leader.parent.entry_meta.source.domain: - dashed_name: process-entry-leader-parent-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.entry_leader.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. 
- type: keyword -process.entry_leader.parent.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.location: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.entry_leader.parent.entry_meta.source.geo.name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. 
- - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_leader.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_leader.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.entry_leader.parent.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. 
- example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.entry_leader.parent.entry_meta.source.ip: - dashed_name: process-entry-leader-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.entry_leader.parent.entry_meta.source.mac: - dashed_name: process-entry-leader-parent-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.entry_leader.parent.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.entry_leader.parent.entry_meta.source.nat.port: - dashed_name: process-entry-leader-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. 
internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.entry_leader.parent.entry_meta.source.packets: - dashed_name: process-entry-leader-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.entry_leader.parent.entry_meta.source.port: - dashed_name: process-entry-leader-parent-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.entry_leader.parent.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_leader.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. 
- type: keyword -process.entry_leader.parent.entry_meta.source.subdomain: - dashed_name: process-entry-leader-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.entry_leader.parent.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_leader.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.entry_leader.parent.entry_meta.type: - dashed_name: process-entry-leader-parent-entry-meta-type - description: 'The entry type for the entry session leader. 
Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.entry_leader.parent.env_vars: - dashed_name: process-entry-leader-parent-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.executable: - dashed_name: process-entry-leader-parent-executable +process.parent.executable: + dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh - flat_name: process.entry_leader.parent.executable + flat_name: process.parent.executable ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.parent.executable.text + - flat_name: process.parent.executable.text name: text type: match_only_text name: executable 
@@ -15289,37 +11942,24 @@ process.entry_leader.parent.executable: original_fieldset: process short: Absolute path to the process executable. type: keyword -process.entry_leader.parent.exit_code: - dashed_name: process-entry-leader-parent-exit-code +process.parent.exit_code: + dashed_name: process-parent-exit-code description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 - flat_name: process.entry_leader.parent.exit_code + flat_name: process.parent.exit_code level: extended name: exit_code normalize: [] original_fieldset: process short: The exit code of the process. type: long -process.entry_leader.parent.group.domain: - dashed_name: process-entry-leader-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.group.id: - dashed_name: process-entry-leader-parent-group-id +process.parent.group.id: + dashed_name: process-parent-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.group.id + flat_name: process.parent.group.id ignore_above: 1024 level: extended name: id 
@@ -15327,10 +11967,10 @@ process.entry_leader.parent.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.parent.group.name: - dashed_name: process-entry-leader-parent-group-name +process.parent.group.name: + dashed_name: process-parent-group-name description: Name of the group. - flat_name: process.entry_leader.parent.group.name + flat_name: process.parent.group.name ignore_above: 1024 level: extended name: name 
@@ -15338,13 +11978,72 @@ process.entry_leader.parent.group.name: original_fieldset: group short: Name of the group. type: keyword -process.entry_leader.parent.hash.cdhash: +process.parent.group_leader.entity_id: + dashed_name: process-parent-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.parent.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword +process.parent.group_leader.pid: + dashed_name: process-parent-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.parent.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long +process.parent.group_leader.start: + dashed_name: process-parent-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' 
+ example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.parent.hash.cdhash: beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-hash-cdhash + dashed_name: process-parent-hash-cdhash description: Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code. example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.parent.hash.cdhash + flat_name: process.parent.hash.cdhash ignore_above: 1024 level: extended name: cdhash @@ -15352,10 +12051,10 @@ process.entry_leader.parent.hash.cdhash: original_fieldset: hash short: The Code Directory (CD) hash of an executable. type: keyword -process.entry_leader.parent.hash.md5: - dashed_name: process-entry-leader-parent-hash-md5 +process.parent.hash.md5: + dashed_name: process-parent-hash-md5 description: MD5 hash. - flat_name: process.entry_leader.parent.hash.md5 + flat_name: process.parent.hash.md5 ignore_above: 1024 level: extended name: md5 @@ -15363,10 +12062,10 @@ process.entry_leader.parent.hash.md5: original_fieldset: hash short: MD5 hash. type: keyword -process.entry_leader.parent.hash.sha1: - dashed_name: process-entry-leader-parent-hash-sha1 +process.parent.hash.sha1: + dashed_name: process-parent-hash-sha1 description: SHA1 hash. - flat_name: process.entry_leader.parent.hash.sha1 + flat_name: process.parent.hash.sha1 ignore_above: 1024 level: extended name: sha1 
@@ -15374,10 +12073,10 @@ process.entry_leader.parent.hash.sha1: original_fieldset: hash short: SHA1 hash. type: keyword -process.entry_leader.parent.hash.sha256: - dashed_name: process-entry-leader-parent-hash-sha256 +process.parent.hash.sha256: + dashed_name: process-parent-hash-sha256 description: SHA256 hash. - flat_name: process.entry_leader.parent.hash.sha256 + flat_name: process.parent.hash.sha256 ignore_above: 1024 level: extended name: sha256 @@ -15385,10 +12084,10 @@ process.entry_leader.parent.hash.sha256: original_fieldset: hash short: SHA256 hash. type: keyword -process.entry_leader.parent.hash.sha384: - dashed_name: process-entry-leader-parent-hash-sha384 +process.parent.hash.sha384: + dashed_name: process-parent-hash-sha384 description: SHA384 hash. - flat_name: process.entry_leader.parent.hash.sha384 + flat_name: process.parent.hash.sha384 ignore_above: 1024 level: extended name: sha384 @@ -15396,10 +12095,10 @@ process.entry_leader.parent.hash.sha384: original_fieldset: hash short: SHA384 hash. type: keyword -process.entry_leader.parent.hash.sha512: - dashed_name: process-entry-leader-parent-hash-sha512 +process.parent.hash.sha512: + dashed_name: process-parent-hash-sha512 description: SHA512 hash. - flat_name: process.entry_leader.parent.hash.sha512 + flat_name: process.parent.hash.sha512 ignore_above: 1024 level: extended name: sha512 @@ -15407,10 +12106,10 @@ process.entry_leader.parent.hash.sha512: original_fieldset: hash short: SHA512 hash. type: keyword -process.entry_leader.parent.hash.ssdeep: - dashed_name: process-entry-leader-parent-hash-ssdeep +process.parent.hash.ssdeep: + dashed_name: process-parent-hash-ssdeep description: SSDEEP hash. - flat_name: process.entry_leader.parent.hash.ssdeep + flat_name: process.parent.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep 
@@ -15418,10 +12117,10 @@ process.entry_leader.parent.hash.ssdeep: original_fieldset: hash short: SSDEEP hash. type: keyword -process.entry_leader.parent.hash.tlsh: - dashed_name: process-entry-leader-parent-hash-tlsh +process.parent.hash.tlsh: + dashed_name: process-parent-hash-tlsh description: TLSH hash. - flat_name: process.entry_leader.parent.hash.tlsh + flat_name: process.parent.hash.tlsh ignore_above: 1024 level: extended name: tlsh @@ -15429,8 +12128,8 @@ process.entry_leader.parent.hash.tlsh: original_fieldset: hash short: TLSH hash. type: keyword -process.entry_leader.parent.interactive: - dashed_name: process-entry-leader-parent-interactive +process.parent.interactive: + dashed_name: process-parent-interactive description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If the 
@@ -15443,167 +12142,56 @@ process.entry_leader.parent.interactive: is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true - flat_name: process.entry_leader.parent.interactive + flat_name: process.parent.interactive level: extended name: interactive normalize: [] original_fieldset: process short: Whether the process is connected to an interactive shell. type: boolean -process.entry_leader.parent.io: - dashed_name: process-entry-leader-parent-io - description: 'A chunk of input or output (IO) from a single process. +process.parent.macho.go_import_hash: + dashed_name: process-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.entry_leader.parent.io + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.macho.go_import_hash + ignore_above: 1024 level: extended - name: io + name: go_import_hash normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.entry_leader.parent.io.bytes_skipped: - dashed_name: process-entry-leader-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. 
- type: object -process.entry_leader.parent.io.bytes_skipped.length: - dashed_name: process-entry-leader-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped.length + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword +process.parent.macho.go_imports: + dashed_name: process-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.macho.go_imports level: extended - name: io.bytes_skipped.length + name: go_imports normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.entry_leader.parent.io.bytes_skipped.offset: - dashed_name: process-entry-leader-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped.offset + original_fieldset: macho + short: List of imported Go language element names and types. + type: flattened +process.parent.macho.go_imports_names_entropy: + dashed_name: process-parent-macho-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.parent.macho.go_imports_names_entropy + format: number level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.entry_leader.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- flat_name: process.entry_leader.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.entry_leader.parent.io.text: - dashed_name: process-entry-leader-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.entry_leader.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.entry_leader.parent.io.total_bytes_captured: - dashed_name: process-entry-leader-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.entry_leader.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.entry_leader.parent.io.total_bytes_skipped: - dashed_name: process-entry-leader-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. 
Implementors should strive to ensure - this value is always zero - flat_name: process.entry_leader.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.entry_leader.parent.io.type: - dashed_name: process-entry-leader-parent-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.entry_leader.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.entry_leader.parent.macho.go_import_hash: - dashed_name: process-entry-leader-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.entry_leader.parent.macho.go_imports: - dashed_name: process-entry-leader-parent-macho-go-imports - description: List of imported Go language element names and types. 
- flat_name: process.entry_leader.parent.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.parent.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy + name: go_imports_names_entropy normalize: [] original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.parent.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-macho-go-imports-names-var-entropy +process.parent.macho.go_imports_names_var_entropy: + dashed_name: process-parent-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.macho.go_imports_names_var_entropy + flat_name: process.parent.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -15611,26 +12199,26 @@ process.entry_leader.parent.macho.go_imports_names_var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.parent.macho.go_stripped: - dashed_name: process-entry-leader-parent-macho-go-stripped +process.parent.macho.go_stripped: + dashed_name: process-parent-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.macho.go_stripped + flat_name: process.parent.macho.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.entry_leader.parent.macho.import_hash: - dashed_name: process-entry-leader-parent-macho-import-hash +process.parent.macho.import_hash: + dashed_name: process-parent-macho-import-hash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.macho.import_hash + flat_name: process.parent.macho.import_hash ignore_above: 1024 level: extended name: import_hash @@ -15638,10 +12226,10 @@ process.entry_leader.parent.macho.import_hash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.entry_leader.parent.macho.imports: - dashed_name: process-entry-leader-parent-macho-imports +process.parent.macho.imports: + dashed_name: process-parent-macho-imports description: List of imported element names and types. - flat_name: process.entry_leader.parent.macho.imports + flat_name: process.parent.macho.imports level: extended name: imports normalize: 
@@ -15649,11 +12237,11 @@ process.entry_leader.parent.macho.imports: original_fieldset: macho short: List of imported element names and types. type: flattened -process.entry_leader.parent.macho.imports_names_entropy: - dashed_name: process-entry-leader-parent-macho-imports-names-entropy +process.parent.macho.imports_names_entropy: + dashed_name: process-parent-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.macho.imports_names_entropy + flat_name: process.parent.macho.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -15661,11 +12249,11 @@ process.entry_leader.parent.macho.imports_names_entropy: original_fieldset: macho short: Shannon entropy calculation from the list of imported element names and types. type: long -process.entry_leader.parent.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-macho-imports-names-var-entropy +process.parent.macho.imports_names_var_entropy: + dashed_name: process-parent-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.macho.imports_names_var_entropy + flat_name: process.parent.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy 
@@ -15674,13 +12262,13 @@ process.entry_leader.parent.macho.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.entry_leader.parent.macho.sections: - dashed_name: process-entry-leader-parent-macho-sections +process.parent.macho.sections: + dashed_name: process-parent-macho-sections description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' - flat_name: process.entry_leader.parent.macho.sections + flat_name: process.parent.macho.sections level: extended name: sections normalize: @@ -15688,10 +12276,10 @@ process.entry_leader.parent.macho.sections: original_fieldset: macho short: Section information of the Mach-O file. type: nested -process.entry_leader.parent.macho.sections.entropy: - dashed_name: process-entry-leader-parent-macho-sections-entropy +process.parent.macho.sections.entropy: + dashed_name: process-parent-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.macho.sections.entropy + flat_name: process.parent.macho.sections.entropy format: number level: extended name: sections.entropy @@ -15699,10 +12287,10 @@ process.entry_leader.parent.macho.sections.entropy: original_fieldset: macho short: Shannon entropy calculation from the section. type: long -process.entry_leader.parent.macho.sections.name: - dashed_name: process-entry-leader-parent-macho-sections-name +process.parent.macho.sections.name: + dashed_name: process-parent-macho-sections-name description: Mach-O Section List name. - flat_name: process.entry_leader.parent.macho.sections.name + flat_name: process.parent.macho.sections.name ignore_above: 1024 level: extended name: sections.name 
@@ -15710,10 +12298,10 @@ process.entry_leader.parent.macho.sections.name: original_fieldset: macho short: Mach-O Section List name. type: keyword -process.entry_leader.parent.macho.sections.physical_size: - dashed_name: process-entry-leader-parent-macho-sections-physical-size +process.parent.macho.sections.physical_size: + dashed_name: process-parent-macho-sections-physical-size description: Mach-O Section List physical size. - flat_name: process.entry_leader.parent.macho.sections.physical_size + flat_name: process.parent.macho.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -15721,10 +12309,10 @@ process.entry_leader.parent.macho.sections.physical_size: original_fieldset: macho short: Mach-O Section List physical size. type: long -process.entry_leader.parent.macho.sections.var_entropy: - dashed_name: process-entry-leader-parent-macho-sections-var-entropy +process.parent.macho.sections.var_entropy: + dashed_name: process-parent-macho-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.macho.sections.var_entropy + flat_name: process.parent.macho.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -15732,10 +12320,10 @@ process.entry_leader.parent.macho.sections.var_entropy: original_fieldset: macho short: Variance for Shannon entropy calculation from the section. type: long -process.entry_leader.parent.macho.sections.virtual_size: - dashed_name: process-entry-leader-parent-macho-sections-virtual-size +process.parent.macho.sections.virtual_size: + dashed_name: process-parent-macho-sections-virtual-size description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.macho.sections.virtual_size + flat_name: process.parent.macho.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -15743,15 +12331,15 @@ process.entry_leader.parent.macho.sections.virtual_size: original_fieldset: macho short: Mach-O Section List virtual size. This is always the same as `physical_size`. type: long -process.entry_leader.parent.macho.symhash: - dashed_name: process-entry-leader-parent-macho-symhash +process.parent.macho.symhash: + dashed_name: process-parent-macho-symhash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.parent.macho.symhash + flat_name: process.parent.macho.symhash ignore_above: 1024 level: extended name: symhash @@ -15759,17 +12347,17 @@ process.entry_leader.parent.macho.symhash: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword -process.entry_leader.parent.name: - dashed_name: process-entry-leader-parent-name +process.parent.name: + dashed_name: process-parent-name description: 'Process name. Sometimes called program name or similar.' example: ssh - flat_name: process.entry_leader.parent.name + flat_name: process.parent.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.parent.name.text + - flat_name: process.parent.name.text name: text type: match_only_text name: name 
@@ -15777,37 +12365,11 @@ process.entry_leader.parent.name: original_fieldset: process short: Process name. type: keyword -process.entry_leader.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.entry_leader.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.entry_leader.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.entry_leader.parent.pe.architecture: - dashed_name: process-entry-leader-parent-pe-architecture +process.parent.pe.architecture: + dashed_name: process-parent-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: process.entry_leader.parent.pe.architecture + flat_name: process.parent.pe.architecture ignore_above: 1024 level: extended name: architecture 
@@ -15815,11 +12377,11 @@ process.entry_leader.parent.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword -process.entry_leader.parent.pe.company: - dashed_name: process-entry-leader-parent-pe-company +process.parent.pe.company: + dashed_name: process-parent-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: process.entry_leader.parent.pe.company + flat_name: process.parent.pe.company ignore_above: 1024 level: extended name: company @@ -15827,11 +12389,11 @@ process.entry_leader.parent.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword -process.entry_leader.parent.pe.description: - dashed_name: process-entry-leader-parent-pe-description +process.parent.pe.description: + dashed_name: process-parent-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: process.entry_leader.parent.pe.description + flat_name: process.parent.pe.description ignore_above: 1024 level: extended name: description @@ -15839,11 +12401,11 @@ process.entry_leader.parent.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword -process.entry_leader.parent.pe.file_version: - dashed_name: process-entry-leader-parent-pe-file-version +process.parent.pe.file_version: + dashed_name: process-parent-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: process.entry_leader.parent.pe.file_version + flat_name: process.parent.pe.file_version ignore_above: 1024 level: extended name: file_version 
@@ -15851,8 +12413,8 @@ process.entry_leader.parent.pe.file_version: original_fieldset: pe short: Process name. type: keyword -process.entry_leader.parent.pe.go_import_hash: - dashed_name: process-entry-leader-parent-pe-go-import-hash +process.parent.pe.go_import_hash: + dashed_name: process-parent-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change @@ -15861,7 +12423,7 @@ process.entry_leader.parent.pe.go_import_hash: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.pe.go_import_hash + flat_name: process.parent.pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -15869,20 +12431,20 @@ process.entry_leader.parent.pe.go_import_hash: original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword -process.entry_leader.parent.pe.go_imports: - dashed_name: process-entry-leader-parent-pe-go-imports +process.parent.pe.go_imports: + dashed_name: process-parent-pe-go-imports description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.pe.go_imports + flat_name: process.parent.pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened -process.entry_leader.parent.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-pe-go-imports-names-entropy +process.parent.pe.go_imports_names_entropy: + dashed_name: process-parent-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.pe.go_imports_names_entropy + flat_name: process.parent.pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -15890,10 +12452,10 @@ process.entry_leader.parent.pe.go_imports_names_entropy: original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.parent.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-pe-go-imports-names-var-entropy +process.parent.pe.go_imports_names_var_entropy: + dashed_name: process-parent-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.pe.go_imports_names_var_entropy + flat_name: process.parent.pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -15901,26 +12463,26 @@ process.entry_leader.parent.pe.go_imports_names_var_entropy: original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long -process.entry_leader.parent.pe.go_stripped: - dashed_name: process-entry-leader-parent-pe-go-stripped +process.parent.pe.go_stripped: + dashed_name: process-parent-pe-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.pe.go_stripped + flat_name: process.parent.pe.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: pe short: Whether the file is a stripped or obfuscated Go executable. type: boolean -process.entry_leader.parent.pe.imphash: - dashed_name: process-entry-leader-parent-pe-imphash +process.parent.pe.imphash: + dashed_name: process-parent-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.parent.pe.imphash + flat_name: process.parent.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -15928,15 +12490,15 @@ process.entry_leader.parent.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -process.entry_leader.parent.pe.import_hash: - dashed_name: process-entry-leader-parent-pe-import-hash +process.parent.pe.import_hash: + dashed_name: process-parent-pe-import-hash description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.pe.import_hash + flat_name: process.parent.pe.import_hash ignore_above: 1024 level: extended name: import_hash @@ -15944,10 +12506,10 @@ process.entry_leader.parent.pe.import_hash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -process.entry_leader.parent.pe.imports: - dashed_name: process-entry-leader-parent-pe-imports +process.parent.pe.imports: + dashed_name: process-parent-pe-imports description: List of imported element names and types. - flat_name: process.entry_leader.parent.pe.imports + flat_name: process.parent.pe.imports level: extended name: imports normalize: @@ -15955,11 +12517,11 @@ process.entry_leader.parent.pe.imports: original_fieldset: pe short: List of imported element names and types. type: flattened -process.entry_leader.parent.pe.imports_names_entropy: - dashed_name: process-entry-leader-parent-pe-imports-names-entropy +process.parent.pe.imports_names_entropy: + dashed_name: process-parent-pe-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.pe.imports_names_entropy + flat_name: process.parent.pe.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -15967,11 +12529,11 @@ process.entry_leader.parent.pe.imports_names_entropy: original_fieldset: pe short: Shannon entropy calculation from the list of imported element names and types. type: long -process.entry_leader.parent.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-pe-imports-names-var-entropy +process.parent.pe.imports_names_var_entropy: + dashed_name: process-parent-pe-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.pe.imports_names_var_entropy + flat_name: process.parent.pe.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -15980,11 +12542,11 @@ process.entry_leader.parent.pe.imports_names_var_entropy: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long -process.entry_leader.parent.pe.original_file_name: - dashed_name: process-entry-leader-parent-pe-original-file-name +process.parent.pe.original_file_name: + dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: process.entry_leader.parent.pe.original_file_name + flat_name: process.parent.pe.original_file_name ignore_above: 1024 level: extended name: original_file_name 
@@ -15992,15 +12554,15 @@ process.entry_leader.parent.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword -process.entry_leader.parent.pe.pehash: - dashed_name: process-entry-leader-parent-pe-pehash +process.parent.pe.pehash: + dashed_name: process-parent-pe-pehash description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.parent.pe.pehash + flat_name: process.parent.pe.pehash ignore_above: 1024 level: extended name: pehash @@ -16008,11 +12570,11 @@ process.entry_leader.parent.pe.pehash: original_fieldset: pe short: A hash of the PE header and data from one or more PE sections. type: keyword -process.entry_leader.parent.pe.product: - dashed_name: process-entry-leader-parent-pe-product +process.parent.pe.product: + dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.parent.pe.product + flat_name: process.parent.pe.product ignore_above: 1024 level: extended name: product 
@@ -16020,13 +12582,13 @@ process.entry_leader.parent.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword -process.entry_leader.parent.pe.sections: - dashed_name: process-entry-leader-parent-pe-sections +process.parent.pe.sections: + dashed_name: process-parent-pe-sections description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' - flat_name: process.entry_leader.parent.pe.sections + flat_name: process.parent.pe.sections level: extended name: sections normalize: @@ -16034,10 +12596,10 @@ process.entry_leader.parent.pe.sections: original_fieldset: pe short: Section information of the PE file. type: nested -process.entry_leader.parent.pe.sections.entropy: - dashed_name: process-entry-leader-parent-pe-sections-entropy +process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.pe.sections.entropy + flat_name: process.parent.pe.sections.entropy format: number level: extended name: sections.entropy @@ -16045,10 +12607,10 @@ process.entry_leader.parent.pe.sections.entropy: original_fieldset: pe short: Shannon entropy calculation from the section. type: long -process.entry_leader.parent.pe.sections.name: - dashed_name: process-entry-leader-parent-pe-sections-name +process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name description: PE Section List name. - flat_name: process.entry_leader.parent.pe.sections.name + flat_name: process.parent.pe.sections.name ignore_above: 1024 level: extended name: sections.name 
@@ -16056,10 +12618,10 @@ process.entry_leader.parent.pe.sections.name: original_fieldset: pe short: PE Section List name. type: keyword -process.entry_leader.parent.pe.sections.physical_size: - dashed_name: process-entry-leader-parent-pe-sections-physical-size +process.parent.pe.sections.physical_size: + dashed_name: process-parent-pe-sections-physical-size description: PE Section List physical size. - flat_name: process.entry_leader.parent.pe.sections.physical_size + flat_name: process.parent.pe.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -16067,10 +12629,10 @@ process.entry_leader.parent.pe.sections.physical_size: original_fieldset: pe short: PE Section List physical size. type: long -process.entry_leader.parent.pe.sections.var_entropy: - dashed_name: process-entry-leader-parent-pe-sections-var-entropy +process.parent.pe.sections.var_entropy: + dashed_name: process-parent-pe-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.pe.sections.var_entropy + flat_name: process.parent.pe.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -16078,10 +12640,10 @@ process.entry_leader.parent.pe.sections.var_entropy: original_fieldset: pe short: Variance for Shannon entropy calculation from the section. type: long -process.entry_leader.parent.pe.sections.virtual_size: - dashed_name: process-entry-leader-parent-pe-sections-virtual-size +process.parent.pe.sections.virtual_size: + dashed_name: process-parent-pe-sections-virtual-size description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.pe.sections.virtual_size + flat_name: process.parent.pe.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -16089,11 +12651,11 @@ process.entry_leader.parent.pe.sections.virtual_size: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long -process.entry_leader.parent.pid: - dashed_name: process-entry-leader-parent-pid +process.parent.pid: + dashed_name: process-parent-pid description: Process id. example: 4242 - flat_name: process.entry_leader.parent.pid + flat_name: process.parent.pid format: string level: core name: pid 
@@ -16101,36 +12663,10 @@ process.entry_leader.parent.pid: original_fieldset: process short: Process id. type: long -process.entry_leader.parent.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.entry_leader.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.entry_leader.parent.real_group.domain: - dashed_name: process-entry-leader-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.real_group.id: - dashed_name: process-entry-leader-parent-real-group-id +process.parent.real_group.id: + dashed_name: process-parent-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.real_group.id + flat_name: process.parent.real_group.id ignore_above: 1024 level: extended name: id 
@@ -16138,10 +12674,10 @@ process.entry_leader.parent.real_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.parent.real_group.name: - dashed_name: process-entry-leader-parent-real-group-name +process.parent.real_group.name: + dashed_name: process-parent-real-group-name description: Name of the group. - flat_name: process.entry_leader.parent.real_group.name + flat_name: process.parent.real_group.name ignore_above: 1024 level: extended name: name 
@@ -16149,313 +12685,38 @@ process.entry_leader.parent.real_group.name: original_fieldset: group short: Name of the group. type: keyword -process.entry_leader.parent.real_user.domain: - dashed_name: process-entry-leader-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.real_user.email: - dashed_name: process-entry-leader-parent-real-user-email - description: User email address. - flat_name: process.entry_leader.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.parent.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.parent.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. 
Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.parent.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.parent.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.parent.real_user.entity.id: - dashed_name: process-entry-leader-parent-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. 
Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.parent.real_user.entity.id +process.parent.real_user.id: + dashed_name: process-parent-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.real_user.id ignore_above: 1024 level: core name: id normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.parent.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.parent.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.parent.real_user.entity.metrics: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.parent.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.parent.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.parent.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.parent.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.parent.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.parent.real_user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.parent.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.parent.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.parent.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. 
+ original_fieldset: user + short: Unique identifier of the user. type: keyword -process.entry_leader.parent.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. 
Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.real_user.entity.type +process.parent.real_user.name: + dashed_name: process-parent-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.parent.real_user.name ignore_above: 1024 level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.real_user.full_name: - dashed_name: process-entry-leader-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.real_user.full_name - ignore_above: 1024 - level: extended multi_fields: - - flat_name: process.entry_leader.parent.real_user.full_name.text + - flat_name: process.parent.real_user.name.text name: text type: match_only_text - name: full_name + name: name normalize: [] original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.real_user.group.domain: - dashed_name: process-entry-leader-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + short: Short name or login of the user. type: keyword -process.entry_leader.parent.real_user.group.id: - dashed_name: process-entry-leader-parent-real-user-group-id +process.parent.saved_group.id: + dashed_name: process-parent-saved-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.real_user.group.id + flat_name: process.parent.saved_group.id ignore_above: 1024 level: extended name: id 
@@ -16463,10 +12724,10 @@ process.entry_leader.parent.real_user.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.parent.real_user.group.name: - dashed_name: process-entry-leader-parent-real-user-group-name +process.parent.saved_group.name: + dashed_name: process-parent-saved-group-name description: Name of the group. - flat_name: process.entry_leader.parent.real_user.group.name + flat_name: process.parent.saved_group.name ignore_above: 1024 level: extended name: name @@ -16474,26 +12735,11 @@ process.entry_leader.parent.real_user.group.name: original_fieldset: group short: Name of the group. type: keyword -process.entry_leader.parent.real_user.hash: - dashed_name: process-entry-leader-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.real_user.id: - dashed_name: process-entry-leader-parent-real-user-id +process.parent.saved_user.id: + dashed_name: process-parent-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.real_user.id + flat_name: process.parent.saved_user.id ignore_above: 1024 level: core name: id 
@@ -16501,15 +12747,15 @@ process.entry_leader.parent.real_user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.entry_leader.parent.real_user.name: - dashed_name: process-entry-leader-parent-real-user-name +process.parent.saved_user.name: + dashed_name: process-parent-saved-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.entry_leader.parent.real_user.name + flat_name: process.parent.saved_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.entry_leader.parent.real_user.name.text + - flat_name: process.parent.saved_user.name.text name: text type: match_only_text name: name 
@@ -16517,147 +12763,21 @@ process.entry_leader.parent.real_user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.entry_leader.parent.real_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.real_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.entry_leader.parent.real_user.risk.static_level: - dashed_name: process-entry-leader-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.real_user.risk.static_score: - dashed_name: process-entry-leader-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.real_user.roles: - dashed_name: process-entry-leader-parent-real-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.same_as_process: - dashed_name: process-entry-leader-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.parent.same_as_process +process.parent.start: + dashed_name: process-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.start level: extended - name: same_as_process + name: start normalize: [] original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. 
- type: boolean -process.entry_leader.parent.saved_group.domain: - dashed_name: process-entry-leader-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.saved_group.id: - dashed_name: process-entry-leader-parent-saved-group-id + short: The time the process started. + type: date +process.parent.supplemental_groups.id: + dashed_name: process-parent-supplemental-groups-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.saved_group.id + flat_name: process.parent.supplemental_groups.id ignore_above: 1024 level: extended name: id @@ -16665,10 +12785,10 @@ process.entry_leader.parent.saved_group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.parent.saved_group.name: - dashed_name: process-entry-leader-parent-saved-group-name +process.parent.supplemental_groups.name: + dashed_name: process-parent-supplemental-groups-name description: Name of the group. - flat_name: process.entry_leader.parent.saved_group.name + flat_name: process.parent.supplemental_groups.name ignore_above: 1024 level: extended name: name 
@@ -16676,476 +12796,498 @@ process.entry_leader.parent.saved_group.name: original_fieldset: group short: Name of the group. type: keyword -process.entry_leader.parent.saved_user.domain: - dashed_name: process-entry-leader-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.saved_user.domain +process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective ignore_above: 1024 level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none type: keyword -process.entry_leader.parent.saved_user.email: - dashed_name: process-entry-leader-parent-saved-user-email - description: User email address. - flat_name: process.entry_leader.parent.saved_user.email +process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted ignore_above: 1024 level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. 
+ synthetic_source_keep: none type: keyword -process.entry_leader.parent.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.parent.saved_user.entity.attributes +process.parent.thread.id: + dashed_name: process-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.thread.id + format: string level: extended - name: attributes + name: thread.id normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.parent.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.parent.saved_user.entity.behavior + original_fieldset: process + short: Thread ID. + type: long +process.parent.thread.name: + dashed_name: process-parent-thread-name + description: Thread name. 
+ example: thread-0 + flat_name: process.parent.thread.name + ignore_above: 1024 level: extended - name: behavior + name: thread.name normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.parent.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.saved_user.entity.display_name + original_fieldset: process + short: Thread name. + type: keyword +process.parent.title: + dashed_name: process-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: for + example a browser setting its title to the web page currently opened.' + flat_name: process.parent.title ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.parent.saved_user.entity.display_name.text + - flat_name: process.parent.title.text name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.parent.saved_user.entity.id: - dashed_name: process-entry-leader-parent-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). 
For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.parent.saved_user.entity.id - ignore_above: 1024 - level: core - name: id + type: match_only_text + name: title normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. + original_fieldset: process + short: Process title. type: keyword -process.entry_leader.parent.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.parent.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.saved_user.entity.lifecycle +process.parent.tty: + dashed_name: process-parent-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.parent.tty level: extended - name: lifecycle + name: tty normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
+ original_fieldset: process + short: Information about the controlling TTY device. type: object -process.entry_leader.parent.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.parent.saved_user.entity.metrics +process.parent.tty.char_device.major: + dashed_name: process-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.parent.tty.char_device.major level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.parent.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.parent.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.entity.name.text - name: text - norms: false - type: text - name: name + name: tty.char_device.major normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.parent.saved_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.parent.saved_user.entity.raw + original_fieldset: process + short: The TTY character device's major number. + type: long +process.parent.tty.char_device.minor: + dashed_name: process-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.parent.tty.char_device.minor level: extended - name: raw + name: tty.char_device.minor normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.parent.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.saved_user.entity.reference - ignore_above: 1024 + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.parent.uptime: + dashed_name: process-parent-uptime + description: Seconds the process has been up. 
+ example: 1325 + flat_name: process.parent.uptime level: extended - name: reference + name: uptime normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.parent.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.parent.saved_user.entity.source + original_fieldset: process + short: Seconds the process has been up. + type: long +process.parent.user.id: + dashed_name: process-parent-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.user.id ignore_above: 1024 level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.parent.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type + name: id normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. + original_fieldset: user + short: Unique identifier of the user. 
type: keyword -process.entry_leader.parent.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. 
Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.saved_user.entity.type +process.parent.user.name: + dashed_name: process-parent-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.parent.user.name ignore_above: 1024 level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.saved_user.full_name: - dashed_name: process-entry-leader-parent-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.saved_user.full_name - ignore_above: 1024 - level: extended multi_fields: - - flat_name: process.entry_leader.parent.saved_user.full_name.text + - flat_name: process.parent.user.name.text name: text type: match_only_text - name: full_name + name: name normalize: [] original_fieldset: user - short: User's full name, if available. + short: Short name or login of the user. type: keyword -process.entry_leader.parent.saved_user.group.domain: - dashed_name: process-entry-leader-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. +process.parent.vpid: + dashed_name: process-parent-vpid + description: 'Virtual process id. - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.saved_user.group.domain + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long +process.parent.working_directory: + dashed_name: process-parent-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.parent.working_directory ignore_above: 1024 level: extended - name: domain + multi_fields: + - flat_name: process.parent.working_directory.text + name: text + type: match_only_text + name: working_directory normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + original_fieldset: process + short: The working directory of the process. type: keyword -process.entry_leader.parent.saved_user.group.id: - dashed_name: process-entry-leader-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.saved_user.group.id +process.pe.architecture: + dashed_name: process-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.pe.architecture ignore_above: 1024 level: extended - name: id + name: architecture normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: pe + short: CPU architecture target for the file. type: keyword -process.entry_leader.parent.saved_user.group.name: - dashed_name: process-entry-leader-parent-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.saved_user.group.name +process.pe.company: + dashed_name: process-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.pe.company ignore_above: 1024 level: extended - name: name + name: company normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. type: keyword -process.entry_leader.parent.saved_user.hash: - dashed_name: process-entry-leader-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.saved_user.hash +process.pe.description: + dashed_name: process-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.pe.description ignore_above: 1024 level: extended - name: hash + name: description normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. + original_fieldset: pe + short: Internal description of the file, provided at compile-time. type: keyword -process.entry_leader.parent.saved_user.id: - dashed_name: process-entry-leader-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.saved_user.id +process.pe.file_version: + dashed_name: process-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.pe.file_version ignore_above: 1024 - level: core - name: id + level: extended + name: file_version normalize: [] - original_fieldset: user - short: Unique identifier of the user. + original_fieldset: pe + short: Process name. type: keyword -process.entry_leader.parent.saved_user.name: - dashed_name: process-entry-leader-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.saved_user.name +process.pe.go_import_hash: + dashed_name: process-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would change + more traditional hash values. 
+ + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.pe.go_import_hash ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.name.text - name: text - type: match_only_text - name: name + level: extended + name: go_import_hash normalize: [] - original_fieldset: user - short: Short name or login of the user. + original_fieldset: pe + short: A hash of the Go language imports in a PE file. type: keyword -process.entry_leader.parent.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.saved_user.risk.calculated_level +process.pe.go_imports: + dashed_name: process-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.pe.go_imports + level: extended + name: go_imports + normalize: [] + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened +process.pe.go_imports_names_entropy: + dashed_name: process-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_entropy + format: number + level: extended + name: go_imports_names_entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long +process.pe.go_imports_names_var_entropy: + dashed_name: process-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. 
+ flat_name: process.pe.go_imports_names_var_entropy + format: number + level: extended + name: go_imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long +process.pe.go_stripped: + dashed_name: process-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.pe.go_stripped + level: extended + name: go_stripped + normalize: [] + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean +process.pe.imphash: + dashed_name: process-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.pe.imphash ignore_above: 1024 level: extended - name: calculated_level + name: imphash normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword -process.entry_leader.parent.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.saved_user.risk.calculated_score +process.pe.import_hash: + dashed_name: process-pe-import-hash + description: 'A hash of the imports in a PE file. 
An import hash can be used to + fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.pe.import_hash + ignore_above: 1024 level: extended - name: calculated_score + name: import_hash normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.saved_user.risk.calculated_score_norm + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +process.pe.imports: + dashed_name: process-pe-imports + description: List of imported element names and types. + flat_name: process.pe.imports level: extended - name: calculated_score_norm + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened +process.pe.imports_names_entropy: + dashed_name: process-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.entry_leader.parent.saved_user.risk.static_level: - dashed_name: process-entry-leader-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.saved_user.risk.static_level + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and types. + type: long +process.pe.imports_names_var_entropy: + dashed_name: process-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. + flat_name: process.pe.imports_names_var_entropy + format: number + level: extended + name: imports_names_var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long +process.pe.original_file_name: + dashed_name: process-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.pe.original_file_name ignore_above: 1024 level: extended - name: static_level + name: original_file_name normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. + original_fieldset: pe + short: Internal name of the file, provided at compile-time. type: keyword -process.entry_leader.parent.saved_user.risk.static_score: - dashed_name: process-entry-leader-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.entry_leader.parent.saved_user.risk.static_score +process.pe.pehash: + dashed_name: process-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. An + pehash can be used to cluster files by transforming structural information about + a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.pe.pehash + ignore_above: 1024 level: extended - name: static_score + name: pehash normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.saved_user.risk.static_score_norm + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. + type: keyword +process.pe.product: + dashed_name: process-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.pe.product + ignore_above: 1024 level: extended - name: static_score_norm + name: product normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.saved_user.roles: - dashed_name: process-entry-leader-parent-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.saved_user.roles - ignore_above: 1024 + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +process.pe.sections: + dashed_name: process-pe-sections + description: 'An array containing an object for each section of the PE file. + + The keys that should be present in these objects are defined by sub-fields underneath + `pe.sections.*`.' + flat_name: process.pe.sections level: extended - name: roles + name: sections normalize: - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none + original_fieldset: pe + short: Section information of the PE file. + type: nested +process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.pe.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long +process.pe.sections.name: + dashed_name: process-pe-sections-name + description: PE Section List name. + flat_name: process.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: PE Section List name. type: keyword -process.entry_leader.parent.session_leader.args: - dashed_name: process-entry-leader-parent-session-leader-args +process.pe.sections.physical_size: + dashed_name: process-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.pe.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: pe + short: PE Section List physical size. 
+ type: long +process.pe.sections.var_entropy: + dashed_name: process-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.pe.sections.var_entropy + format: number + level: extended + name: sections.var_entropy + normalize: [] + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long +process.pe.sections.virtual_size: + dashed_name: process-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.pe.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long +process.pid: + dashed_name: process-pid + description: Process id. + example: 4242 + flat_name: process.pid + format: string + level: core + name: pid + normalize: [] + otel: + - relation: match + stability: development + short: Process id. + type: long +process.previous.args: + dashed_name: process-previous-args description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.' example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.entry_leader.parent.session_leader.args + flat_name: process.previous.args ignore_above: 1024 level: extended name: args 
@@ -17154,38 +13296,41 @@ process.entry_leader.parent.session_leader.args: original_fieldset: process short: Array of process arguments. type: keyword -process.entry_leader.parent.session_leader.args_count: - dashed_name: process-entry-leader-parent-session-leader-args-count +process.previous.args_count: + dashed_name: process-previous-args-count description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.' example: 4 - flat_name: process.entry_leader.parent.session_leader.args_count + flat_name: process.previous.args_count level: extended name: args_count normalize: [] original_fieldset: process short: Length of the process.args array. type: long -process.entry_leader.parent.session_leader.attested_groups.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_groups.domain +process.previous.executable: + dashed_name: process-previous-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.previous.executable ignore_above: 1024 level: extended - name: domain + multi_fields: + - flat_name: process.previous.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + original_fieldset: process + short: Absolute path to the process executable. 
type: keyword -process.entry_leader.parent.session_leader.attested_groups.id: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-id +process.real_group.id: + dashed_name: process-real-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.attested_groups.id + flat_name: process.real_group.id ignore_above: 1024 level: extended name: id @@ -17193,10 +13338,10 @@ process.entry_leader.parent.session_leader.attested_groups.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.entry_leader.parent.session_leader.attested_groups.name: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-name +process.real_group.name: + dashed_name: process-real-group-name description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.attested_groups.name + flat_name: process.real_group.name ignore_above: 1024 level: extended name: name 
@@ -17204,630 +13349,138 @@ process.entry_leader.parent.session_leader.attested_groups.name: original_fieldset: group short: Name of the group. type: keyword -process.entry_leader.parent.session_leader.attested_user.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_user.domain +process.real_user.id: + dashed_name: process-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.real_user.id ignore_above: 1024 - level: extended - name: domain + level: core + name: id normalize: [] original_fieldset: user - short: Name of the directory the user is a member of. + otel: + - relation: match + stability: development + short: Unique identifier of the user. type: keyword -process.entry_leader.parent.session_leader.attested_user.email: - dashed_name: process-entry-leader-parent-session-leader-attested-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.attested_user.email +process.real_user.name: + dashed_name: process-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.real_user.name ignore_above: 1024 - level: extended - name: email + level: core + multi_fields: + - flat_name: process.real_user.name.text + name: text + type: match_only_text + name: name normalize: [] original_fieldset: user - short: User email address. + otel: + - relation: match + stability: development + short: Short name or login of the user. type: keyword -process.entry_leader.parent.session_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.parent.session_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.behavior +process.saved_group.id: + dashed_name: process-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.saved_group.id + ignore_above: 1024 level: extended - name: behavior + name: id normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.parent.session_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +process.saved_group.name: + dashed_name: process-saved-group-name + description: Name of the group. + flat_name: process.saved_group.name ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name + name: name normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. + original_fieldset: group + short: Name of the group. type: keyword -process.entry_leader.parent.session_leader.attested_user.entity.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.id +process.saved_user.id: + dashed_name: process-saved-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.saved_user.id ignore_above: 1024 level: core name: id normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. + original_fieldset: user + otel: + - relation: match + stability: development + short: Unique identifier of the user. type: keyword -process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.parent.session_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.parent.session_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.parent.session_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name +process.saved_user.name: + dashed_name: process-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.saved_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name.text + - flat_name: process.saved_user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] - original_fieldset: entity - short: The name of the entity. + original_fieldset: user + otel: + - relation: match + stability: development + short: Short name or login of the user. type: keyword -process.entry_leader.parent.session_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.parent.session_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.reference +process.session_leader.args: + dashed_name: process-session-leader-args + description: 'Array of process arguments, starting with the absolute path to the + executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.args ignore_above: 1024 level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.parent.session_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.entry_leader.parent.session_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.parent.session_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.parent.session_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. 
- name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. 
- name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.session_leader.attested_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword -process.entry_leader.parent.session_leader.attested_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.attested_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.attested_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.attested_user.hash: - dashed_name: process-entry-leader-parent-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.entry_leader.parent.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.session_leader.attested_user.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.session_leader.attested_user.name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.session_leader.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.entry_leader.parent.session_leader.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.session_leader.attested_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.entry_leader.parent.session_leader.attested_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.session_leader.attested_user.roles: - dashed_name: process-entry-leader-parent-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles + name: args normalize: - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.code_signature.digest_algorithm: - dashed_name: process-entry-leader-parent-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.parent.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.entry_leader.parent.session_leader.code_signature.exists: - dashed_name: process-entry-leader-parent-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.entry_leader.parent.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.entry_leader.parent.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.entry_leader.parent.session_leader.code_signature.signing_id: - dashed_name: process-entry-leader-parent-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. 
The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.parent.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.entry_leader.parent.session_leader.code_signature.status: - dashed_name: process-entry-leader-parent-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.parent.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.entry_leader.parent.session_leader.code_signature.subject_name: - dashed_name: process-entry-leader-parent-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.parent.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.entry_leader.parent.session_leader.code_signature.team_id: - dashed_name: process-entry-leader-parent-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' 
- example: EQHXZ8M8AV - flat_name: process.entry_leader.parent.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. + original_fieldset: process + short: Array of process arguments. type: keyword -process.entry_leader.parent.session_leader.code_signature.timestamp: - dashed_name: process-entry-leader-parent-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.parent.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.entry_leader.parent.session_leader.code_signature.trusted: - dashed_name: process-entry-leader-parent-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' 
- example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.entry_leader.parent.session_leader.code_signature.valid: - dashed_name: process-entry-leader-parent-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. +process.session_leader.args_count: + dashed_name: process-session-leader-args-count + description: 'Length of the process.args array. - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.valid + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity.' + example: 4 + flat_name: process.session_leader.args_count level: extended - name: valid + name: args_count normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.entry_leader.parent.session_leader.command_line: - dashed_name: process-entry-leader-parent-session-leader-command-line + original_fieldset: process + short: Length of the process.args array. + type: long +process.session_leader.command_line: + dashed_name: process-session-leader-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' 
example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.parent.session_leader.command_line + flat_name: process.session_leader.command_line level: extended multi_fields: - - flat_name: process.entry_leader.parent.session_leader.command_line.text + - flat_name: process.session_leader.command_line.text name: text type: match_only_text name: command_line 
@@ -17835,40618 +13488,46 @@ process.entry_leader.parent.session_leader.command_line: original_fieldset: process short: Full command line that started the process. type: wildcard -process.entry_leader.parent.session_leader.elf.architecture: - dashed_name: process-entry-leader-parent-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.entry_leader.parent.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.byte_order: - dashed_name: process-entry-leader-parent-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.entry_leader.parent.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.cpu_type: - dashed_name: process-entry-leader-parent-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.entry_leader.parent.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.creation_date: - dashed_name: process-entry-leader-parent-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.parent.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. 
- type: date -process.entry_leader.parent.session_leader.elf.exports: - dashed_name: process-entry-leader-parent-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.entry_leader.parent.session_leader.elf.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.go_imports: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.parent.session_leader.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.session_leader.elf.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.parent.session_leader.elf.header.abi_version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.parent.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). 
- type: keyword -process.entry_leader.parent.session_leader.elf.header.class: - dashed_name: process-entry-leader-parent-session-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.header.data: - dashed_name: process-entry-leader-parent-session-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.entry_leader.parent.session_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.entry_leader.parent.session_leader.elf.header.entrypoint: - dashed_name: process-entry-leader-parent-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.entry_leader.parent.session_leader.elf.header.object_version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.parent.session_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.entry_leader.parent.session_leader.elf.header.os_abi: - dashed_name: process-entry-leader-parent-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. 
- flat_name: process.entry_leader.parent.session_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.entry_leader.parent.session_leader.elf.header.type: - dashed_name: process-entry-leader-parent-session-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.header.version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.entry_leader.parent.session_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.entry_leader.parent.session_leader.elf.import_hash: - dashed_name: process-entry-leader-parent-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.entry_leader.parent.session_leader.elf.imports: - dashed_name: process-entry-leader-parent-session-leader-elf-imports - description: List of imported element names and types. 
- flat_name: process.entry_leader.parent.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.entry_leader.parent.session_leader.elf.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.entry_leader.parent.session_leader.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.parent.session_leader.elf.sections: - dashed_name: process-entry-leader-parent-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.entry_leader.parent.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. 
- type: nested -process.entry_leader.parent.session_leader.elf.sections.chi2: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.parent.session_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.entry_leader.parent.session_leader.elf.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.session_leader.elf.sections.flags: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.entry_leader.parent.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.entry_leader.parent.session_leader.elf.sections.name: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.entry_leader.parent.session_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.entry_leader.parent.session_leader.elf.sections.physical_offset: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-offset - description: ELF Section List offset. 
- flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.entry_leader.parent.session_leader.elf.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.entry_leader.parent.session_leader.elf.sections.type: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.entry_leader.parent.session_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.entry_leader.parent.session_leader.elf.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.parent.session_leader.elf.sections.virtual_address: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. 
- flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.entry_leader.parent.session_leader.elf.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.entry_leader.parent.session_leader.elf.segments: - dashed_name: process-entry-leader-parent-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.entry_leader.parent.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.entry_leader.parent.session_leader.elf.segments.sections: - dashed_name: process-entry-leader-parent-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.entry_leader.parent.session_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.entry_leader.parent.session_leader.elf.segments.type: - dashed_name: process-entry-leader-parent-session-leader-elf-segments-type - description: ELF object segment type. 
- flat_name: process.entry_leader.parent.session_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.entry_leader.parent.session_leader.elf.shared_libraries: - dashed_name: process-entry-leader-parent-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.parent.session_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.entry_leader.parent.session_leader.elf.telfhash: - dashed_name: process-entry-leader-parent-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.entry_leader.parent.session_leader.end: - dashed_name: process-entry-leader-parent-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.entry_leader.parent.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. 
- flat_name: process.entry_leader.parent.session_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.entry_leader.parent.session_leader.entity_id: - dashed_name: process-entry-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. +process.session_leader.entity_id: + dashed_name: process-session-leader-entity-id + description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.session_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.address: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. 
- type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.as.number: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.bytes: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.entry_leader.parent.session_leader.entry_meta.source.domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. 
The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. 
- example: CA - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.location: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.entry_leader.parent.session_leader.entry_meta.source.geo.name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. 
- type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. 
- example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.entry_leader.parent.session_leader.entry_meta.source.mac: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.entry_leader.parent.session_leader.entry_meta.source.nat.port: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.entry_leader.parent.session_leader.entry_meta.source.packets: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.entry_leader.parent.session_leader.entry_meta.source.port: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.entry_leader.parent.session_leader.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". 
- - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.subdomain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). 
Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.entry_leader.parent.session_leader.entry_meta.type: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.entry_leader.parent.session_leader.env_vars: - dashed_name: process-entry-leader-parent-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.parent.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.executable: - dashed_name: process-entry-leader-parent-session-leader-executable - description: Absolute path to the process executable. 
- example: /usr/bin/ssh - flat_name: process.entry_leader.parent.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.entry_leader.parent.session_leader.exit_code: - dashed_name: process-entry-leader-parent-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.entry_leader.parent.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.entry_leader.parent.session_leader.group.domain: - dashed_name: process-entry-leader-parent-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.group.id: - dashed_name: process-entry-leader-parent-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.group.name: - dashed_name: process-entry-leader-parent-session-leader-group-name - description: Name of the group. 
- flat_name: process.entry_leader.parent.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.parent.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.entry_leader.parent.session_leader.hash.md5: - dashed_name: process-entry-leader-parent-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.entry_leader.parent.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.entry_leader.parent.session_leader.hash.sha1: - dashed_name: process-entry-leader-parent-session-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.entry_leader.parent.session_leader.hash.sha256: - dashed_name: process-entry-leader-parent-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.entry_leader.parent.session_leader.hash.sha384: - dashed_name: process-entry-leader-parent-session-leader-hash-sha384 - description: SHA384 hash. 
- flat_name: process.entry_leader.parent.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.entry_leader.parent.session_leader.hash.sha512: - dashed_name: process-entry-leader-parent-session-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.entry_leader.parent.session_leader.hash.ssdeep: - dashed_name: process-entry-leader-parent-session-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.entry_leader.parent.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.entry_leader.parent.session_leader.hash.tlsh: - dashed_name: process-entry-leader-parent-session-leader-hash-tlsh - description: TLSH hash. - flat_name: process.entry_leader.parent.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.entry_leader.parent.session_leader.interactive: - dashed_name: process-entry-leader-parent-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.entry_leader.parent.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.entry_leader.parent.session_leader.io: - dashed_name: process-entry-leader-parent-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.entry_leader.parent.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.entry_leader.parent.session_leader.io.bytes_skipped: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.entry_leader.parent.session_leader.io.bytes_skipped.length: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. 
- type: long -process.entry_leader.parent.session_leader.io.bytes_skipped.offset: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-parent-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.entry_leader.parent.session_leader.io.text: - dashed_name: process-entry-leader-parent-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.entry_leader.parent.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. 
- type: wildcard -process.entry_leader.parent.session_leader.io.total_bytes_captured: - dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.entry_leader.parent.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.entry_leader.parent.session_leader.io.total_bytes_skipped: - dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.entry_leader.parent.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.entry_leader.parent.session_leader.io.type: - dashed_name: process-entry-leader-parent-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.entry_leader.parent.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.entry_leader.parent.session_leader.macho.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.entry_leader.parent.session_leader.macho.go_imports: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.parent.session_leader.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy
- format: number
- level: extended
- name: go_imports_names_var_entropy
- normalize: []
- original_fieldset: macho
- short: Variance for Shannon entropy calculation from the list of Go imports.
- type: long
-process.entry_leader.parent.session_leader.macho.go_stripped:
- dashed_name: process-entry-leader-parent-session-leader-macho-go-stripped
- description: Set to true if the file is a Go executable that has had its symbols
- stripped or obfuscated and false if an unobfuscated Go executable.
- flat_name: process.entry_leader.parent.session_leader.macho.go_stripped
- level: extended
- name: go_stripped
- normalize: []
- original_fieldset: macho
- short: Whether the file is a stripped or obfuscated Go executable.
- type: boolean
-process.entry_leader.parent.session_leader.macho.import_hash:
- dashed_name: process-entry-leader-parent-session-leader-macho-import-hash
- description: 'A hash of the imports in a Mach-O file. An import hash can be used
- to fingerprint binaries even after recompilation or other code-level transformations
- have occurred, which would change more traditional hash values.
-
- This is a synonym for symhash.'
- example: d41d8cd98f00b204e9800998ecf8427e
- flat_name: process.entry_leader.parent.session_leader.macho.import_hash
- ignore_above: 1024
- level: extended
- name: import_hash
- normalize: []
- original_fieldset: macho
- short: A hash of the imports in a Mach-O file.
- type: keyword
-process.entry_leader.parent.session_leader.macho.imports:
- dashed_name: process-entry-leader-parent-session-leader-macho-imports
- description: List of imported element names and types.
- flat_name: process.entry_leader.parent.session_leader.macho.imports
- level: extended
- name: imports
- normalize:
- - array
- original_fieldset: macho
- short: List of imported element names and types.
- type: flattened
-process.entry_leader.parent.session_leader.macho.imports_names_entropy:
- dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-entropy
- description: Shannon entropy calculation from the list of imported element names
- and types.
- flat_name: process.entry_leader.parent.session_leader.macho.imports_names_entropy
- format: number
- level: extended
- name: imports_names_entropy
- normalize: []
- original_fieldset: macho
- short: Shannon entropy calculation from the list of imported element names and types.
- type: long
-process.entry_leader.parent.session_leader.macho.imports_names_var_entropy:
- dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-var-entropy
- description: Variance for Shannon entropy calculation from the list of imported
- element names and types.
- flat_name: process.entry_leader.parent.session_leader.macho.imports_names_var_entropy
- format: number
- level: extended
- name: imports_names_var_entropy
- normalize: []
- original_fieldset: macho
- short: Variance for Shannon entropy calculation from the list of imported element
- names and types.
- type: long
-process.entry_leader.parent.session_leader.macho.sections:
- dashed_name: process-entry-leader-parent-session-leader-macho-sections
- description: 'An array containing an object for each section of the Mach-O file.
-
- The keys that should be present in these objects are defined by sub-fields underneath
- `macho.sections.*`.'
- flat_name: process.entry_leader.parent.session_leader.macho.sections
- level: extended
- name: sections
- normalize:
- - array
- original_fieldset: macho
- short: Section information of the Mach-O file.
- type: nested
-process.entry_leader.parent.session_leader.macho.sections.entropy:
- dashed_name: process-entry-leader-parent-session-leader-macho-sections-entropy
- description: Shannon entropy calculation from the section.
- flat_name: process.entry_leader.parent.session_leader.macho.sections.entropy
- format: number
- level: extended
- name: sections.entropy
- normalize: []
- original_fieldset: macho
- short: Shannon entropy calculation from the section.
- type: long
-process.entry_leader.parent.session_leader.macho.sections.name:
- dashed_name: process-entry-leader-parent-session-leader-macho-sections-name
- description: Mach-O Section List name.
- flat_name: process.entry_leader.parent.session_leader.macho.sections.name
- ignore_above: 1024
- level: extended
- name: sections.name
- normalize: []
- original_fieldset: macho
- short: Mach-O Section List name.
- type: keyword
-process.entry_leader.parent.session_leader.macho.sections.physical_size:
- dashed_name: process-entry-leader-parent-session-leader-macho-sections-physical-size
- description: Mach-O Section List physical size.
- flat_name: process.entry_leader.parent.session_leader.macho.sections.physical_size
- format: bytes
- level: extended
- name: sections.physical_size
- normalize: []
- original_fieldset: macho
- short: Mach-O Section List physical size.
- type: long
-process.entry_leader.parent.session_leader.macho.sections.var_entropy:
- dashed_name: process-entry-leader-parent-session-leader-macho-sections-var-entropy
- description: Variance for Shannon entropy calculation from the section.
- flat_name: process.entry_leader.parent.session_leader.macho.sections.var_entropy
- format: number
- level: extended
- name: sections.var_entropy
- normalize: []
- original_fieldset: macho
- short: Variance for Shannon entropy calculation from the section.
- type: long
-process.entry_leader.parent.session_leader.macho.sections.virtual_size:
- dashed_name: process-entry-leader-parent-session-leader-macho-sections-virtual-size
- description: Mach-O Section List virtual size. This is always the same as `physical_size`.
- flat_name: process.entry_leader.parent.session_leader.macho.sections.virtual_size
- format: string
- level: extended
- name: sections.virtual_size
- normalize: []
- original_fieldset: macho
- short: Mach-O Section List virtual size. This is always the same as `physical_size`.
- type: long
-process.entry_leader.parent.session_leader.macho.symhash:
- dashed_name: process-entry-leader-parent-session-leader-macho-symhash
- description: 'A hash of the imports in a Mach-O file. An import hash can be used
- to fingerprint binaries even after recompilation or other code-level transformations
- have occurred, which would change more traditional hash values.
-
- This is a Mach-O implementation of the Windows PE imphash'
- example: d3ccf195b62a9279c3c19af1080497ec
- flat_name: process.entry_leader.parent.session_leader.macho.symhash
- ignore_above: 1024
- level: extended
- name: symhash
- normalize: []
- original_fieldset: macho
- short: A hash of the imports in a Mach-O file.
- type: keyword
-process.entry_leader.parent.session_leader.name:
- dashed_name: process-entry-leader-parent-session-leader-name
- description: 'Process name.
-
- Sometimes called program name or similar.'
- example: ssh
- flat_name: process.entry_leader.parent.session_leader.name
- ignore_above: 1024
- level: extended
- multi_fields:
- - flat_name: process.entry_leader.parent.session_leader.name.text
- name: text
- type: match_only_text
- name: name
- normalize: []
- original_fieldset: process
- short: Process name.
- type: keyword
-process.entry_leader.parent.session_leader.origin_referrer_url:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-session-leader-origin-referrer-url
- description: The URL of the webpage that linked to the process's executable file.
- example: http://example.com/article1.html
- flat_name: process.entry_leader.parent.session_leader.origin_referrer_url
- ignore_above: 8192
- level: extended
- name: origin_referrer_url
- normalize: []
- original_fieldset: process
- short: The URL of the webpage that linked to the process's executable file.
- type: keyword
-process.entry_leader.parent.session_leader.origin_url:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-session-leader-origin-url
- description: The URL where the process's executable file is hosted.
- example: http://example.com/files/example.exe
- flat_name: process.entry_leader.parent.session_leader.origin_url
- ignore_above: 8192
- level: extended
- name: origin_url
- normalize: []
- original_fieldset: process
- short: The URL where the process's executable file is hosted.
- type: keyword
-process.entry_leader.parent.session_leader.pe.architecture:
- dashed_name: process-entry-leader-parent-session-leader-pe-architecture
- description: CPU architecture target for the file.
- example: x64
- flat_name: process.entry_leader.parent.session_leader.pe.architecture
- ignore_above: 1024
- level: extended
- name: architecture
- normalize: []
- original_fieldset: pe
- short: CPU architecture target for the file.
- type: keyword
-process.entry_leader.parent.session_leader.pe.company:
- dashed_name: process-entry-leader-parent-session-leader-pe-company
- description: Internal company name of the file, provided at compile-time.
- example: Microsoft Corporation
- flat_name: process.entry_leader.parent.session_leader.pe.company
- ignore_above: 1024
- level: extended
- name: company
- normalize: []
- original_fieldset: pe
- short: Internal company name of the file, provided at compile-time.
- type: keyword
-process.entry_leader.parent.session_leader.pe.description:
- dashed_name: process-entry-leader-parent-session-leader-pe-description
- description: Internal description of the file, provided at compile-time.
- example: Paint
- flat_name: process.entry_leader.parent.session_leader.pe.description
- ignore_above: 1024
- level: extended
- name: description
- normalize: []
- original_fieldset: pe
- short: Internal description of the file, provided at compile-time.
- type: keyword
-process.entry_leader.parent.session_leader.pe.file_version:
- dashed_name: process-entry-leader-parent-session-leader-pe-file-version
- description: Internal version of the file, provided at compile-time.
- example: 6.3.9600.17415
- flat_name: process.entry_leader.parent.session_leader.pe.file_version
- ignore_above: 1024
- level: extended
- name: file_version
- normalize: []
- original_fieldset: pe
- short: Process name.
- type: keyword
-process.entry_leader.parent.session_leader.pe.go_import_hash:
- dashed_name: process-entry-leader-parent-session-leader-pe-go-import-hash
- description: 'A hash of the Go language imports in a PE file excluding standard
- library imports. An import hash can be used to fingerprint binaries even after
- recompilation or other code-level transformations have occurred, which would change
- more traditional hash values.
-
- The algorithm used to calculate the Go symbol hash and a reference implementation
- are available here: https://github.com/elastic/toutoumomoma'
- example: 10bddcb4cee42080f76c88d9ff964491
- flat_name: process.entry_leader.parent.session_leader.pe.go_import_hash
- ignore_above: 1024
- level: extended
- name: go_import_hash
- normalize: []
- original_fieldset: pe
- short: A hash of the Go language imports in a PE file.
- type: keyword
-process.entry_leader.parent.session_leader.pe.go_imports:
- dashed_name: process-entry-leader-parent-session-leader-pe-go-imports
- description: List of imported Go language element names and types.
- flat_name: process.entry_leader.parent.session_leader.pe.go_imports
- level: extended
- name: go_imports
- normalize: []
- original_fieldset: pe
- short: List of imported Go language element names and types.
- type: flattened
-process.entry_leader.parent.session_leader.pe.go_imports_names_entropy:
- dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-entropy
- description: Shannon entropy calculation from the list of Go imports.
- flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_entropy
- format: number
- level: extended
- name: go_imports_names_entropy
- normalize: []
- original_fieldset: pe
- short: Shannon entropy calculation from the list of Go imports.
- type: long
-process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy:
- dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-var-entropy
- description: Variance for Shannon entropy calculation from the list of Go imports.
- flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy
- format: number
- level: extended
- name: go_imports_names_var_entropy
- normalize: []
- original_fieldset: pe
- short: Variance for Shannon entropy calculation from the list of Go imports.
- type: long
-process.entry_leader.parent.session_leader.pe.go_stripped:
- dashed_name: process-entry-leader-parent-session-leader-pe-go-stripped
- description: Set to true if the file is a Go executable that has had its symbols
- stripped or obfuscated and false if an unobfuscated Go executable.
- flat_name: process.entry_leader.parent.session_leader.pe.go_stripped
- level: extended
- name: go_stripped
- normalize: []
- original_fieldset: pe
- short: Whether the file is a stripped or obfuscated Go executable.
- type: boolean
-process.entry_leader.parent.session_leader.pe.imphash:
- dashed_name: process-entry-leader-parent-session-leader-pe-imphash
- description: 'A hash of the imports in a PE file. An imphash -- or import hash --
- can be used to fingerprint binaries even after recompilation or other code-level
- transformations have occurred, which would change more traditional hash values.
-
- Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
- example: 0c6803c4e922103c4dca5963aad36ddf
- flat_name: process.entry_leader.parent.session_leader.pe.imphash
- ignore_above: 1024
- level: extended
- name: imphash
- normalize: []
- original_fieldset: pe
- short: A hash of the imports in a PE file.
- type: keyword
-process.entry_leader.parent.session_leader.pe.import_hash:
- dashed_name: process-entry-leader-parent-session-leader-pe-import-hash
- description: 'A hash of the imports in a PE file. An import hash can be used to
- fingerprint binaries even after recompilation or other code-level transformations
- have occurred, which would change more traditional hash values.
-
- This is a synonym for imphash.'
- example: d41d8cd98f00b204e9800998ecf8427e
- flat_name: process.entry_leader.parent.session_leader.pe.import_hash
- ignore_above: 1024
- level: extended
- name: import_hash
- normalize: []
- original_fieldset: pe
- short: A hash of the imports in a PE file.
- type: keyword
-process.entry_leader.parent.session_leader.pe.imports:
- dashed_name: process-entry-leader-parent-session-leader-pe-imports
- description: List of imported element names and types.
- flat_name: process.entry_leader.parent.session_leader.pe.imports
- level: extended
- name: imports
- normalize:
- - array
- original_fieldset: pe
- short: List of imported element names and types.
- type: flattened
-process.entry_leader.parent.session_leader.pe.imports_names_entropy:
- dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-entropy
- description: Shannon entropy calculation from the list of imported element names
- and types.
- flat_name: process.entry_leader.parent.session_leader.pe.imports_names_entropy
- format: number
- level: extended
- name: imports_names_entropy
- normalize: []
- original_fieldset: pe
- short: Shannon entropy calculation from the list of imported element names and types.
- type: long
-process.entry_leader.parent.session_leader.pe.imports_names_var_entropy:
- dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-var-entropy
- description: Variance for Shannon entropy calculation from the list of imported
- element names and types.
- flat_name: process.entry_leader.parent.session_leader.pe.imports_names_var_entropy
- format: number
- level: extended
- name: imports_names_var_entropy
- normalize: []
- original_fieldset: pe
- short: Variance for Shannon entropy calculation from the list of imported element
- names and types.
- type: long
-process.entry_leader.parent.session_leader.pe.original_file_name:
- dashed_name: process-entry-leader-parent-session-leader-pe-original-file-name
- description: Internal name of the file, provided at compile-time.
- example: MSPAINT.EXE
- flat_name: process.entry_leader.parent.session_leader.pe.original_file_name
- ignore_above: 1024
- level: extended
- name: original_file_name
- normalize: []
- original_fieldset: pe
- short: Internal name of the file, provided at compile-time.
- type: keyword
-process.entry_leader.parent.session_leader.pe.pehash:
- dashed_name: process-entry-leader-parent-session-leader-pe-pehash
- description: 'A hash of the PE header and data from one or more PE sections. An
- pehash can be used to cluster files by transforming structural information about
- a file into a hash value.
-
- Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.'
- example: 73ff189b63cd6be375a7ff25179a38d347651975
- flat_name: process.entry_leader.parent.session_leader.pe.pehash
- ignore_above: 1024
- level: extended
- name: pehash
- normalize: []
- original_fieldset: pe
- short: A hash of the PE header and data from one or more PE sections.
- type: keyword
-process.entry_leader.parent.session_leader.pe.product:
- dashed_name: process-entry-leader-parent-session-leader-pe-product
- description: Internal product name of the file, provided at compile-time.
- example: Microsoft® Windows® Operating System
- flat_name: process.entry_leader.parent.session_leader.pe.product
- ignore_above: 1024
- level: extended
- name: product
- normalize: []
- original_fieldset: pe
- short: Internal product name of the file, provided at compile-time.
- type: keyword
-process.entry_leader.parent.session_leader.pe.sections:
- dashed_name: process-entry-leader-parent-session-leader-pe-sections
- description: 'An array containing an object for each section of the PE file.
-
- The keys that should be present in these objects are defined by sub-fields underneath
- `pe.sections.*`.'
- flat_name: process.entry_leader.parent.session_leader.pe.sections
- level: extended
- name: sections
- normalize:
- - array
- original_fieldset: pe
- short: Section information of the PE file.
- type: nested
-process.entry_leader.parent.session_leader.pe.sections.entropy:
- dashed_name: process-entry-leader-parent-session-leader-pe-sections-entropy
- description: Shannon entropy calculation from the section.
- flat_name: process.entry_leader.parent.session_leader.pe.sections.entropy
- format: number
- level: extended
- name: sections.entropy
- normalize: []
- original_fieldset: pe
- short: Shannon entropy calculation from the section.
- type: long
-process.entry_leader.parent.session_leader.pe.sections.name:
- dashed_name: process-entry-leader-parent-session-leader-pe-sections-name
- description: PE Section List name.
- flat_name: process.entry_leader.parent.session_leader.pe.sections.name
- ignore_above: 1024
- level: extended
- name: sections.name
- normalize: []
- original_fieldset: pe
- short: PE Section List name.
- type: keyword
-process.entry_leader.parent.session_leader.pe.sections.physical_size:
- dashed_name: process-entry-leader-parent-session-leader-pe-sections-physical-size
- description: PE Section List physical size.
- flat_name: process.entry_leader.parent.session_leader.pe.sections.physical_size
- format: bytes
- level: extended
- name: sections.physical_size
- normalize: []
- original_fieldset: pe
- short: PE Section List physical size.
- type: long
-process.entry_leader.parent.session_leader.pe.sections.var_entropy:
- dashed_name: process-entry-leader-parent-session-leader-pe-sections-var-entropy
- description: Variance for Shannon entropy calculation from the section.
- flat_name: process.entry_leader.parent.session_leader.pe.sections.var_entropy
- format: number
- level: extended
- name: sections.var_entropy
- normalize: []
- original_fieldset: pe
- short: Variance for Shannon entropy calculation from the section.
- type: long
-process.entry_leader.parent.session_leader.pe.sections.virtual_size:
- dashed_name: process-entry-leader-parent-session-leader-pe-sections-virtual-size
- description: PE Section List virtual size. This is always the same as `physical_size`.
- flat_name: process.entry_leader.parent.session_leader.pe.sections.virtual_size
- format: string
- level: extended
- name: sections.virtual_size
- normalize: []
- original_fieldset: pe
- short: PE Section List virtual size. This is always the same as `physical_size`.
- type: long
-process.entry_leader.parent.session_leader.pid:
- dashed_name: process-entry-leader-parent-session-leader-pid
- description: Process id.
- example: 4242
- flat_name: process.entry_leader.parent.session_leader.pid
- format: string
- level: core
- name: pid
- normalize: []
- original_fieldset: process
- short: Process id.
- type: long
-process.entry_leader.parent.session_leader.platform_binary:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-session-leader-platform-binary
- description: Binaries that are shipped by the operating system are defined as platform
- binaries, this value is then set to true.
- flat_name: process.entry_leader.parent.session_leader.platform_binary
- level: extended
- name: platform_binary
- normalize: []
- original_fieldset: process
- short: Indicates whether this process executable is a default platform binary shipped
- with the operating system.
- type: boolean
-process.entry_leader.parent.session_leader.real_group.domain:
- dashed_name: process-entry-leader-parent-session-leader-real-group-domain
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: process.entry_leader.parent.session_leader.real_group.domain
- ignore_above: 1024
- level: extended
- name: domain
- normalize: []
- original_fieldset: group
- short: Name of the directory the group is a member of.
- type: keyword
-process.entry_leader.parent.session_leader.real_group.id:
- dashed_name: process-entry-leader-parent-session-leader-real-group-id
- description: Unique identifier for the group on the system/platform.
- flat_name: process.entry_leader.parent.session_leader.real_group.id
- ignore_above: 1024
- level: extended
- name: id
- normalize: []
- original_fieldset: group
- short: Unique identifier for the group on the system/platform.
- type: keyword
-process.entry_leader.parent.session_leader.real_group.name:
- dashed_name: process-entry-leader-parent-session-leader-real-group-name
- description: Name of the group.
- flat_name: process.entry_leader.parent.session_leader.real_group.name
- ignore_above: 1024
- level: extended
- name: name
- normalize: []
- original_fieldset: group
- short: Name of the group.
- type: keyword
-process.entry_leader.parent.session_leader.real_user.domain:
- dashed_name: process-entry-leader-parent-session-leader-real-user-domain
- description: 'Name of the directory the user is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: process.entry_leader.parent.session_leader.real_user.domain
- ignore_above: 1024
- level: extended
- name: domain
- normalize: []
- original_fieldset: user
- short: Name of the directory the user is a member of.
- type: keyword
-process.entry_leader.parent.session_leader.real_user.email:
- dashed_name: process-entry-leader-parent-session-leader-real-user-email
- description: User email address.
- flat_name: process.entry_leader.parent.session_leader.real_user.email
- ignore_above: 1024
- level: extended
- name: email
- normalize: []
- original_fieldset: user
- short: User email address.
- type: keyword
-process.entry_leader.parent.session_leader.real_user.entity.attributes:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-attributes
- description: A set of static or semi-static attributes of the entity. Usually boolean
- or keyword field data types. Use this field set when you need to track static
- or semi-static characteristics of an entity for advanced searching and correlation
- of normalized values across different providers/sources and entity types.
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.attributes
- level: extended
- name: attributes
- normalize: []
- original_fieldset: entity
- short: A set of static or semi-static attributes of the entity.
- type: object
-process.entry_leader.parent.session_leader.real_user.entity.behavior:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-behavior
- description: A set of ephemeral characteristics of the entity, derived from observed
- behaviors during a specific time period. Usually boolean field data type. Use
- this field set when you need to capture and track ephemeral characteristics of
- an entity for advanced searching, correlation of normalized values across different
- providers/sources and entity types.
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.behavior
- level: extended
- name: behavior
- normalize: []
- original_fieldset: entity
- short: A set of ephemeral characteristics of the entity, derived from observed behaviors
- during a specific time period.
- type: object
-process.entry_leader.parent.session_leader.real_user.entity.display_name:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-display-name
- description: An optional field used when a pretty name is desired for entity-centric
- operations. This field should not be used for correlation with `*.name` fields
- for entities with dedicated field sets (e.g., `host`).
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name
- ignore_above: 1024
- level: extended
- multi_fields:
- - flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name.text
- name: text
- norms: false
- type: text
- name: display_name
- normalize: []
- original_fieldset: entity
- short: An optional field used when a pretty name is desired for entity-centric operations.
- type: keyword
-process.entry_leader.parent.session_leader.real_user.entity.id:
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-id
- description: 'A unique identifier for the entity.
When multiple identifiers exist,
- this should be the most stable and commonly used identifier that: 1) persists
- across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
- commonly used for queries and correlation, and 4) is readily available in most
- observations (logs/events). For entities with dedicated field sets (e.g., host,
- user), this value should match the corresponding *.id field. Alternative identifiers
- (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.id
- ignore_above: 1024
- level: core
- name: id
- normalize: []
- original_fieldset: entity
- short: Unique identifier for the entity.
- type: keyword
-process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-last-seen-timestamp
- description: Indicates the date/time when this entity was last "seen," usually based
- upon the last event/log that is initiated by this entity.
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp
- level: extended
- name: last_seen_timestamp
- normalize: []
- original_fieldset: entity
- short: Indicates the date/time when this entity was last "seen."
- type: date
-process.entry_leader.parent.session_leader.real_user.entity.lifecycle:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-lifecycle
- description: A set of temporal characteristics of the entity. Usually date field
- data type. Use this field set when you need to track temporal characteristics
- of an entity for advanced searching and correlation of normalized values across
- different providers/sources and entity types.
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.lifecycle
- level: extended
- name: lifecycle
- normalize: []
- original_fieldset: entity
- short: A set of temporal characteristics of the entity.
- type: object
-process.entry_leader.parent.session_leader.real_user.entity.metrics:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-metrics
- description: Field set for any fields containing numeric entity metrics. These use
- dynamic field data type mapping.
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.metrics
- level: extended
- name: metrics
- normalize: []
- original_fieldset: entity
- short: Field set for any fields containing numeric entity metrics.
- type: object
-process.entry_leader.parent.session_leader.real_user.entity.name:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-name
- description: The name of the entity. The keyword field enables exact matches for
- filtering and aggregations, while the text field enables full-text search. For
- entities with dedicated field sets (e.g., `host`), this field should mirrors the
- corresponding *.name value.
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.name
- ignore_above: 1024
- level: core
- multi_fields:
- - flat_name: process.entry_leader.parent.session_leader.real_user.entity.name.text
- name: text
- norms: false
- type: text
- name: name
- normalize: []
- original_fieldset: entity
- short: The name of the entity.
- type: keyword
-process.entry_leader.parent.session_leader.real_user.entity.raw:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-raw
- description: Original, unmodified fields from the source system. Usually flattened
- field data type.
While the attributes field should be used for normalized fields
- requiring advanced queries, this field preserves all source metadata with basic
- search capabilities.
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.raw
- level: extended
- name: raw
- normalize: []
- original_fieldset: entity
- short: Original, unmodified fields from the source system.
- type: object
-process.entry_leader.parent.session_leader.real_user.entity.reference:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-reference
- description: A URI, URL, or other direct reference to access or locate the entity
- in its source system. This could be an API endpoint, web console URL, or other
- addressable location. Format may vary by entity type and source system.
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.reference
- ignore_above: 1024
- level: extended
- name: reference
- normalize: []
- original_fieldset: entity
- short: A URI, URL, or other direct reference to access or locate the entity.
- type: keyword
-process.entry_leader.parent.session_leader.real_user.entity.source:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.source
- ignore_above: 1024
- level: core
- name: source
- normalize: []
- original_fieldset: entity
- short: Source module or integration that provided the entity data.
- type: keyword
-process.entry_leader.parent.session_leader.real_user.entity.sub_type:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-sub-type
- description: 'The specific type designation for the entity as defined by its provider
- or system.
This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.parent.session_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. 
- name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.session_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.session_leader.real_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.session_leader.real_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.real_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.entry_leader.parent.session_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.real_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.real_user.hash: - dashed_name: process-entry-leader-parent-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.session_leader.real_user.id: - dashed_name: process-entry-leader-parent-session-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.session_leader.real_user.name: - dashed_name: process-entry-leader-parent-session-leader-real-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.entry_leader.parent.session_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.session_leader.real_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.session_leader.real_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.session_leader.real_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.session_leader.real_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.session_leader.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.session_leader.real_user.roles: - dashed_name: process-entry-leader-parent-session-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.same_as_process: - dashed_name: process-entry-leader-parent-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' 
- example: true - flat_name: process.entry_leader.parent.session_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.entry_leader.parent.session_leader.saved_group.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.saved_group.id: - dashed_name: process-entry-leader-parent-session-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.saved_group.name: - dashed_name: process-entry-leader-parent-session-leader-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.saved_user.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.session_leader.saved_user.email: - dashed_name: process-entry-leader-parent-session-leader-saved-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.session_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.parent.session_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. 
- flat_name: process.entry_leader.parent.session_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.parent.session_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.parent.session_leader.saved_user.entity.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
- flat_name: process.entry_leader.parent.session_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.parent.session_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.parent.session_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. 
- flat_name: process.entry_leader.parent.session_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.parent.session_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.parent.session_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.parent.session_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.parent.session_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.parent.session_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.parent.session_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.session_leader.saved_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.parent.session_leader.saved_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.saved_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.entry_leader.parent.session_leader.saved_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.saved_user.hash: - dashed_name: process-entry-leader-parent-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.session_leader.saved_user.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.session_leader.saved_user.name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.entry_leader.parent.session_leader.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.session_leader.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.entry_leader.parent.session_leader.saved_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.session_leader.saved_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float -process.entry_leader.parent.session_leader.saved_user.roles: - dashed_name: process-entry-leader-parent-session-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.start: - dashed_name: process-entry-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.entry_leader.parent.session_leader.supplemental_groups.domain: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.supplemental_groups.id: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.entry_leader.parent.session_leader.supplemental_groups.name: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.thread.capabilities.effective: - dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.session_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.thread.capabilities.permitted: - dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.session_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.thread.id: - dashed_name: process-entry-leader-parent-session-leader-thread-id - description: Thread ID. 
- example: 4242 - flat_name: process.entry_leader.parent.session_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.entry_leader.parent.session_leader.thread.name: - dashed_name: process-entry-leader-parent-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.entry_leader.parent.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.entry_leader.parent.session_leader.title: - dashed_name: process-entry-leader-parent-session-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.entry_leader.parent.session_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.entry_leader.parent.session_leader.tty: - dashed_name: process-entry-leader-parent-session-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.entry_leader.parent.session_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.entry_leader.parent.session_leader.tty.char_device.major: - dashed_name: process-entry-leader-parent-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. 
- The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.parent.session_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.entry_leader.parent.session_leader.tty.char_device.minor: - dashed_name: process-entry-leader-parent-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.parent.session_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.entry_leader.parent.session_leader.tty.columns: - dashed_name: process-entry-leader-parent-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.parent.session_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.entry_leader.parent.session_leader.tty.rows: - dashed_name: process-entry-leader-parent-session-leader-tty-rows - description: 'The number of character rows in the terminal. 
e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.parent.session_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.entry_leader.parent.session_leader.uptime: - dashed_name: process-entry-leader-parent-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.entry_leader.parent.session_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.entry_leader.parent.session_leader.user.domain: - dashed_name: process-entry-leader-parent-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.session_leader.user.email: - dashed_name: process-entry-leader-parent-session-leader-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.session_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. 
Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.parent.session_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.parent.session_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.entry_leader.parent.session_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.parent.session_leader.user.entity.id: - dashed_name: process-entry-leader-parent-session-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.parent.session_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date -process.entry_leader.parent.session_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.parent.session_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.parent.session_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.parent.session_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.entry_leader.parent.session_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.parent.session_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.parent.session_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.parent.session_leader.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.session_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.parent.session_leader.user.entity.source: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.parent.session_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.parent.session_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.parent.session_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. 
- The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. 
Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.session_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.session_leader.user.full_name: - dashed_name: process-entry-leader-parent-session-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword -process.entry_leader.parent.session_leader.user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.session_leader.user.group.id: - dashed_name: process-entry-leader-parent-session-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.session_leader.user.group.name: - dashed_name: process-entry-leader-parent-session-leader-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.session_leader.user.hash: - dashed_name: process-entry-leader-parent-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. 
- type: keyword -process.entry_leader.parent.session_leader.user.id: - dashed_name: process-entry-leader-parent-session-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.session_leader.user.name: - dashed_name: process-entry-leader-parent-session-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.session_leader.user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.session_leader.user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.parent.session_leader.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.session_leader.user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.session_leader.user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.entry_leader.parent.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.parent.session_leader.user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.session_leader.user.roles: - dashed_name: process-entry-leader-parent-session-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.session_leader.vpid: - dashed_name: process-entry-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.parent.session_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. 
- type: long -process.entry_leader.parent.session_leader.working_directory: - dashed_name: process-entry-leader-parent-session-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.parent.session_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.entry_leader.parent.start: - dashed_name: process-entry-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.entry_leader.parent.supplemental_groups.domain: - dashed_name: process-entry-leader-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.supplemental_groups.id: - dashed_name: process-entry-leader-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.entry_leader.parent.supplemental_groups.name: - dashed_name: process-entry-leader-parent-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.parent.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.thread.capabilities.effective: - dashed_name: process-entry-leader-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.thread.capabilities.permitted: - dashed_name: process-entry-leader-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.thread.id: - dashed_name: process-entry-leader-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.parent.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. 
- type: long -process.entry_leader.parent.thread.name: - dashed_name: process-entry-leader-parent-thread-name - description: Thread name. - example: thread-0 - flat_name: process.entry_leader.parent.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.entry_leader.parent.title: - dashed_name: process-entry-leader-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.entry_leader.parent.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.entry_leader.parent.tty: - dashed_name: process-entry-leader-parent-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.entry_leader.parent.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.entry_leader.parent.tty.char_device.major: - dashed_name: process-entry-leader-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.parent.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. 
- type: long -process.entry_leader.parent.tty.char_device.minor: - dashed_name: process-entry-leader-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.parent.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.entry_leader.parent.tty.columns: - dashed_name: process-entry-leader-parent-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.entry_leader.parent.tty.rows: - dashed_name: process-entry-leader-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.entry_leader.parent.uptime: - dashed_name: process-entry-leader-parent-uptime - description: Seconds the process has been up. 
- example: 1325 - flat_name: process.entry_leader.parent.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.entry_leader.parent.user.domain: - dashed_name: process-entry-leader-parent-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.parent.user.email: - dashed_name: process-entry-leader-parent-user-email - description: User email address. - flat_name: process.entry_leader.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.parent.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.parent.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.parent.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. 
Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.parent.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.parent.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.parent.user.entity.id: - dashed_name: process-entry-leader-parent-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
- flat_name: process.entry_leader.parent.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.parent.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.parent.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.parent.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.parent.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object -process.entry_leader.parent.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.parent.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.parent.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.parent.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.parent.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.entry_leader.parent.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.parent.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.parent.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.parent.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.parent.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.parent.user.full_name: - dashed_name: process-entry-leader-parent-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword -process.entry_leader.parent.user.group.domain: - dashed_name: process-entry-leader-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.parent.user.group.id: - dashed_name: process-entry-leader-parent-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.parent.user.group.name: - dashed_name: process-entry-leader-parent-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.parent.user.hash: - dashed_name: process-entry-leader-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.parent.user.id: - dashed_name: process-entry-leader-parent-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.parent.user.name: - dashed_name: process-entry-leader-parent-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.parent.user.risk.calculated_level: - dashed_name: process-entry-leader-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.parent.user.risk.calculated_score: - dashed_name: process-entry-leader-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.entry_leader.parent.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.parent.user.risk.static_level: - dashed_name: process-entry-leader-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.parent.user.risk.static_score: - dashed_name: process-entry-leader-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.entry_leader.parent.user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.parent.user.roles: - dashed_name: process-entry-leader-parent-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.parent.vpid: - dashed_name: process-entry-leader-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.entry_leader.parent.working_directory: - dashed_name: process-entry-leader-parent-working-directory - description: The working directory of the process. 
- example: /home/alice - flat_name: process.entry_leader.parent.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.entry_leader.pe.architecture: - dashed_name: process-entry-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.entry_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.entry_leader.pe.company: - dashed_name: process-entry-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.entry_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.entry_leader.pe.description: - dashed_name: process-entry-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.entry_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.entry_leader.pe.file_version: - dashed_name: process-entry-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.entry_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. 
- type: keyword -process.entry_leader.pe.go_import_hash: - dashed_name: process-entry-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.entry_leader.pe.go_imports: - dashed_name: process-entry-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.entry_leader.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.entry_leader.pe.go_stripped: - dashed_name: process-entry-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.entry_leader.pe.imphash: - dashed_name: process-entry-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.entry_leader.pe.import_hash: - dashed_name: process-entry-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.entry_leader.pe.imports: - dashed_name: process-entry-leader-pe-imports - description: List of imported element names and types. - flat_name: process.entry_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.entry_leader.pe.imports_names_entropy: - dashed_name: process-entry-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.entry_leader.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.entry_leader.pe.original_file_name: - dashed_name: process-entry-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.entry_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. 
- type: keyword -process.entry_leader.pe.pehash: - dashed_name: process-entry-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.entry_leader.pe.product: - dashed_name: process-entry-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.entry_leader.pe.sections: - dashed_name: process-entry-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.entry_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.entry_leader.pe.sections.entropy: - dashed_name: process-entry-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. 
- type: long -process.entry_leader.pe.sections.name: - dashed_name: process-entry-leader-pe-sections-name - description: PE Section List name. - flat_name: process.entry_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.entry_leader.pe.sections.physical_size: - dashed_name: process-entry-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.entry_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.entry_leader.pe.sections.var_entropy: - dashed_name: process-entry-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.entry_leader.pe.sections.virtual_size: - dashed_name: process-entry-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.entry_leader.pid: - dashed_name: process-entry-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.entry_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.entry_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.entry_leader.real_group.domain: - dashed_name: process-entry-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.real_group.id: - dashed_name: process-entry-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.real_group.name: - dashed_name: process-entry-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.real_user.domain: - dashed_name: process-entry-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.real_user.email: - dashed_name: process-entry-leader-real-user-email - description: User email address. - flat_name: process.entry_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. 
- flat_name: process.entry_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.real_user.entity.id: - dashed_name: process-entry-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword -process.entry_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-name - description: The name of the entity. 
The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.real_user.entity.source: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. 
- name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. 
- name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.real_user.full_name: - dashed_name: process-entry-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.real_user.group.domain: - dashed_name: process-entry-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.real_user.group.id: - dashed_name: process-entry-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.real_user.group.name: - dashed_name: process-entry-leader-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.real_user.hash: - dashed_name: process-entry-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.real_user.id: - dashed_name: process-entry-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.real_user.name: - dashed_name: process-entry-leader-real-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.entry_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.real_user.risk.calculated_level: - dashed_name: process-entry-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.real_user.risk.calculated_score: - dashed_name: process-entry-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.entry_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.real_user.risk.static_level: - dashed_name: process-entry-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.real_user.risk.static_score: - dashed_name: process-entry-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float -process.entry_leader.real_user.roles: - dashed_name: process-entry-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.same_as_process: - dashed_name: process-entry-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. 
- type: boolean -process.entry_leader.saved_group.domain: - dashed_name: process-entry-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.saved_group.id: - dashed_name: process-entry-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.saved_group.name: - dashed_name: process-entry-leader-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.saved_user.domain: - dashed_name: process-entry-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.saved_user.email: - dashed_name: process-entry-leader-saved-user-email - description: User email address. - flat_name: process.entry_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword -process.entry_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.entry_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.saved_user.entity.id: - dashed_name: process-entry-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.entry_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. 
This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. 
- name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.saved_user.full_name: - dashed_name: process-entry-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.saved_user.group.domain: - dashed_name: process-entry-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.saved_user.group.id: - dashed_name: process-entry-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.entry_leader.saved_user.group.name: - dashed_name: process-entry-leader-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.saved_user.hash: - dashed_name: process-entry-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.saved_user.id: - dashed_name: process-entry-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.saved_user.name: - dashed_name: process-entry-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.entry_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.saved_user.risk.static_level: - dashed_name: process-entry-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.entry_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.entry_leader.saved_user.risk.static_score: - dashed_name: process-entry-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.saved_user.roles: - dashed_name: process-entry-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword -process.entry_leader.start: - dashed_name: process-entry-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.entry_leader.supplemental_groups.domain: - dashed_name: process-entry-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.supplemental_groups.id: - dashed_name: process-entry-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.supplemental_groups.name: - dashed_name: process-entry-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.thread.capabilities.effective: - dashed_name: process-entry-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.entry_leader.thread.capabilities.permitted: - dashed_name: process-entry-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.entry_leader.thread.id: - dashed_name: process-entry-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.entry_leader.thread.name: - dashed_name: process-entry-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.entry_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.entry_leader.title: - dashed_name: process-entry-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' 
- flat_name: process.entry_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.entry_leader.tty: - dashed_name: process-entry-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.entry_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.entry_leader.tty.char_device.major: - dashed_name: process-entry-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.entry_leader.tty.char_device.minor: - dashed_name: process-entry-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. 
- type: long -process.entry_leader.tty.columns: - dashed_name: process-entry-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.entry_leader.tty.rows: - dashed_name: process-entry-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.entry_leader.uptime: - dashed_name: process-entry-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.entry_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.entry_leader.user.domain: - dashed_name: process-entry-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.entry_leader.user.email: - dashed_name: process-entry-leader-user-email - description: User email address. 
- flat_name: process.entry_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.entry_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.entry_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.entry_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.entry_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.entry_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.entry_leader.user.entity.id: - dashed_name: process-entry-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.entry_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.entry_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date -process.entry_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.entry_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.entry_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.entry_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.entry_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.entry_leader.user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.entry_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.entry_leader.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.entry_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.entry_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.entry_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. 
- Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.entry_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.entry_leader.user.full_name: - dashed_name: process-entry-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.entry_leader.user.group.domain: - dashed_name: process-entry-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.entry_leader.user.group.id: - dashed_name: process-entry-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.entry_leader.user.group.name: - dashed_name: process-entry-leader-user-group-name - description: Name of the group. 
- flat_name: process.entry_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.entry_leader.user.hash: - dashed_name: process-entry-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.entry_leader.user.id: - dashed_name: process-entry-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.entry_leader.user.name: - dashed_name: process-entry-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.entry_leader.user.risk.calculated_level: - dashed_name: process-entry-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.entry_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.entry_leader.user.risk.calculated_score: - dashed_name: process-entry-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.entry_leader.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.entry_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.entry_leader.user.risk.static_level: - dashed_name: process-entry-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.entry_leader.user.risk.static_score: - dashed_name: process-entry-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.entry_leader.user.risk.static_score_norm: - dashed_name: process-entry-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.entry_leader.user.roles: - dashed_name: process-entry-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.entry_leader.vpid: - dashed_name: process-entry-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.entry_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. 
- type: long -process.entry_leader.working_directory: - dashed_name: process-entry-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.entry_meta.source.address: - dashed_name: process-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.entry_meta.source.as.number: - dashed_name: process-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.entry_meta.source.as.organization.name: - dashed_name: process-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.entry_meta.source.bytes: - dashed_name: process-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.entry_meta.source.domain: - dashed_name: process-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.entry_meta.source.geo.city_name: - dashed_name: process-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.entry_meta.source.geo.continent_code: - dashed_name: process-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. 
- type: keyword -process.entry_meta.source.geo.continent_name: - dashed_name: process-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.entry_meta.source.geo.country_name: - dashed_name: process-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.entry_meta.source.geo.location: - dashed_name: process-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.entry_meta.source.geo.name: - dashed_name: process-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' 
- example: boston-dc - flat_name: process.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.entry_meta.source.geo.postal_code: - dashed_name: process-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.entry_meta.source.geo.region_name: - dashed_name: process-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.entry_meta.source.geo.timezone: - dashed_name: process-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.entry_meta.source.ip: - dashed_name: process-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). 
- flat_name: process.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.entry_meta.source.mac: - dashed_name: process-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.entry_meta.source.nat.ip: - dashed_name: process-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.entry_meta.source.nat.port: - dashed_name: process-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.entry_meta.source.packets: - dashed_name: process-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. 
- type: long -process.entry_meta.source.port: - dashed_name: process-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.entry_meta.source.registered_domain: - dashed_name: process-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.entry_meta.source.subdomain: - dashed_name: process-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. 
- type: keyword -process.entry_meta.source.top_level_domain: - dashed_name: process-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.entry_meta.type: - dashed_name: process-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - short: The entry type for the entry session leader. - type: keyword -process.env_vars: - dashed_name: process-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.executable: - dashed_name: process-executable - description: Absolute path to the process executable. 
- example: /usr/bin/ssh - flat_name: process.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - otel: - - attribute: process.executable.path - relation: equivalent - stability: development - short: Absolute path to the process executable. - type: keyword -process.exit_code: - dashed_name: process-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.exit_code - level: extended - name: exit_code - normalize: [] - short: The exit code of the process. - type: long -process.group.domain: - dashed_name: process-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group.id: - dashed_name: process-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group.name: - dashed_name: process-group-name - description: Name of the group. - flat_name: process.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.args: - dashed_name: process-group-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.group_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.group_leader.args_count: - dashed_name: process-group-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.group_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.group_leader.attested_groups.domain: - dashed_name: process-group-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.attested_groups.id: - dashed_name: process-group-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.attested_groups.name: - dashed_name: process-group-leader-attested-groups-name - description: Name of the group. - flat_name: process.group_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.group_leader.attested_user.domain: - dashed_name: process-group-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.group_leader.attested_user.email: - dashed_name: process-group-leader-attested-user-email - description: User email address. - flat_name: process.group_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.group_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.group_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.group_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. 
Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.group_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.group_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.group_leader.attested_user.entity.id: - dashed_name: process-group-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
- flat_name: process.group_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.group_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.group_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.group_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.group_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object -process.group_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.group_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.group_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.group_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.group_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.group_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.group_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.group_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.group_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.group_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.group_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. 
Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. 
Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.group_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.group_leader.attested_user.full_name: - dashed_name: process-group-leader-attested-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.group_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.group_leader.attested_user.group.domain: - dashed_name: process-group-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.attested_user.group.id: - dashed_name: process-group-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.attested_user.group.name: - dashed_name: process-group-leader-attested-user-group-name - description: Name of the group. - flat_name: process.group_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.attested_user.hash: - dashed_name: process-group-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.group_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.group_leader.attested_user.id: - dashed_name: process-group-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.group_leader.attested_user.name: - dashed_name: process-group-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.group_leader.attested_user.risk.calculated_level: - dashed_name: process-group-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.group_leader.attested_user.risk.calculated_score: - dashed_name: process-group-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.group_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.group_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-group-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.group_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.group_leader.attested_user.risk.static_level: - dashed_name: process-group-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.group_leader.attested_user.risk.static_score: - dashed_name: process-group-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.group_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.group_leader.attested_user.risk.static_score_norm: - dashed_name: process-group-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.group_leader.attested_user.roles: - dashed_name: process-group-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.group_leader.code_signature.digest_algorithm: - dashed_name: process-group-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.group_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. 
- type: keyword -process.group_leader.code_signature.exists: - dashed_name: process-group-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.group_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.group_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.group_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.group_leader.code_signature.signing_id: - dashed_name: process-group-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.group_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.group_leader.code_signature.status: - dashed_name: process-group-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' 
- example: ERROR_UNTRUSTED_ROOT - flat_name: process.group_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.group_leader.code_signature.subject_name: - dashed_name: process-group-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.group_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.group_leader.code_signature.team_id: - dashed_name: process-group-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.group_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.group_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.group_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. 
- type: keyword -process.group_leader.code_signature.timestamp: - dashed_name: process-group-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.group_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.group_leader.code_signature.trusted: - dashed_name: process-group-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.group_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.group_leader.code_signature.valid: - dashed_name: process-group-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.group_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.group_leader.command_line: - dashed_name: process-group-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.group_leader.command_line - level: extended - multi_fields: - - flat_name: process.group_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.group_leader.elf.architecture: - dashed_name: process-group-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.group_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.group_leader.elf.byte_order: - dashed_name: process-group-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.group_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.group_leader.elf.cpu_type: - dashed_name: process-group-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.group_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.group_leader.elf.creation_date: - dashed_name: process-group-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.group_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.group_leader.elf.exports: - dashed_name: process-group-leader-elf-exports - description: List of exported element names and types. 
- flat_name: process.group_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.group_leader.elf.go_import_hash: - dashed_name: process-group-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.group_leader.elf.go_imports: - dashed_name: process-group-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.group_leader.elf.go_imports_names_entropy: - dashed_name: process-group-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. 
- type: long -process.group_leader.elf.go_imports_names_var_entropy: - dashed_name: process-group-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.elf.go_stripped: - dashed_name: process-group-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.group_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.group_leader.elf.header.abi_version: - dashed_name: process-group-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.group_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.group_leader.elf.header.class: - dashed_name: process-group-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.group_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.group_leader.elf.header.data: - dashed_name: process-group-leader-elf-header-data - description: Data table of the ELF header. 
- flat_name: process.group_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.group_leader.elf.header.entrypoint: - dashed_name: process-group-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.group_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.group_leader.elf.header.object_version: - dashed_name: process-group-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.group_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.group_leader.elf.header.os_abi: - dashed_name: process-group-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.group_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.group_leader.elf.header.type: - dashed_name: process-group-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.group_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.group_leader.elf.header.version: - dashed_name: process-group-leader-elf-header-version - description: Version of the ELF header. 
- flat_name: process.group_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.group_leader.elf.import_hash: - dashed_name: process-group-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.group_leader.elf.imports: - dashed_name: process-group-leader-elf-imports - description: List of imported element names and types. - flat_name: process.group_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.group_leader.elf.imports_names_entropy: - dashed_name: process-group-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.group_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.group_leader.elf.imports_names_var_entropy: - dashed_name: process-group-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.group_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.group_leader.elf.sections: - dashed_name: process-group-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.group_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.group_leader.elf.sections.chi2: - dashed_name: process-group-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.group_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.group_leader.elf.sections.entropy: - dashed_name: process-group-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.group_leader.elf.sections.flags: - dashed_name: process-group-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.group_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. 
- type: keyword -process.group_leader.elf.sections.name: - dashed_name: process-group-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.group_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.group_leader.elf.sections.physical_offset: - dashed_name: process-group-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.group_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.group_leader.elf.sections.physical_size: - dashed_name: process-group-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.group_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.group_leader.elf.sections.type: - dashed_name: process-group-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.group_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.group_leader.elf.sections.var_entropy: - dashed_name: process-group-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. 
- type: long -process.group_leader.elf.sections.virtual_address: - dashed_name: process-group-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.group_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.group_leader.elf.sections.virtual_size: - dashed_name: process-group-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.group_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.group_leader.elf.segments: - dashed_name: process-group-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.group_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.group_leader.elf.segments.sections: - dashed_name: process-group-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.group_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.group_leader.elf.segments.type: - dashed_name: process-group-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.group_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. 
- type: keyword -process.group_leader.elf.shared_libraries: - dashed_name: process-group-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.group_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.group_leader.elf.telfhash: - dashed_name: process-group-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.group_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.group_leader.end: - dashed_name: process-group-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.group_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.group_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.group_leader.entity_id: - dashed_name: process-group-leader-entity-id - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.group_leader.entry_meta.source.address: - dashed_name: process-group-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.group_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.group_leader.entry_meta.source.as.number: - dashed_name: process-group-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.group_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.group_leader.entry_meta.source.as.organization.name: - dashed_name: process-group-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.group_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.group_leader.entry_meta.source.bytes: - dashed_name: process-group-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.group_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.group_leader.entry_meta.source.domain: - dashed_name: process-group-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.group_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.group_leader.entry_meta.source.geo.city_name: - dashed_name: process-group-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.group_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.group_leader.entry_meta.source.geo.continent_code: - dashed_name: process-group-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. 
- example: NA - flat_name: process.group_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.group_leader.entry_meta.source.geo.continent_name: - dashed_name: process-group-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.group_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.group_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-group-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.group_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.group_leader.entry_meta.source.geo.country_name: - dashed_name: process-group-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.group_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.group_leader.entry_meta.source.geo.location: - dashed_name: process-group-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.group_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. 
- type: geo_point -process.group_leader.entry_meta.source.geo.name: - dashed_name: process-group-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.group_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.group_leader.entry_meta.source.geo.postal_code: - dashed_name: process-group-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.group_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.group_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-group-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.group_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.group_leader.entry_meta.source.geo.region_name: - dashed_name: process-group-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.group_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. 
- type: keyword -process.group_leader.entry_meta.source.geo.timezone: - dashed_name: process-group-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.group_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.group_leader.entry_meta.source.ip: - dashed_name: process-group-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.group_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.group_leader.entry_meta.source.mac: - dashed_name: process-group-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.group_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.group_leader.entry_meta.source.nat.ip: - dashed_name: process-group-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.group_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.group_leader.entry_meta.source.nat.port: - dashed_name: process-group-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.group_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.group_leader.entry_meta.source.packets: - dashed_name: process-group-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.group_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.group_leader.entry_meta.source.port: - dashed_name: process-group-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.group_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.group_leader.entry_meta.source.registered_domain: - dashed_name: process-group-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.group_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.group_leader.entry_meta.source.subdomain: - dashed_name: process-group-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.group_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.group_leader.entry_meta.source.top_level_domain: - dashed_name: process-group-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.group_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.group_leader.entry_meta.type: - dashed_name: process-group-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.group_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.group_leader.env_vars: - dashed_name: process-group-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.group_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.group_leader.executable: - dashed_name: process-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.group_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword -process.group_leader.exit_code: - dashed_name: process-group-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.group_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.group_leader.group.domain: - dashed_name: process-group-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.group.id: - dashed_name: process-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.group.name: - dashed_name: process-group-leader-group-name - description: Name of the group. - flat_name: process.group_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. 
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.group_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.group_leader.hash.md5: - dashed_name: process-group-leader-hash-md5 - description: MD5 hash. - flat_name: process.group_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.group_leader.hash.sha1: - dashed_name: process-group-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.group_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.group_leader.hash.sha256: - dashed_name: process-group-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.group_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.group_leader.hash.sha384: - dashed_name: process-group-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.group_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.group_leader.hash.sha512: - dashed_name: process-group-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.group_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.group_leader.hash.ssdeep: - dashed_name: process-group-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.group_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. 
- type: keyword -process.group_leader.hash.tlsh: - dashed_name: process-group-leader-hash-tlsh - description: TLSH hash. - flat_name: process.group_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.group_leader.interactive: - dashed_name: process-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.group_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.group_leader.io: - dashed_name: process-group-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.group_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.group_leader.io.bytes_skipped: - dashed_name: process-group-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. 
- flat_name: process.group_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.group_leader.io.bytes_skipped.length: - dashed_name: process-group-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.group_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.group_leader.io.bytes_skipped.offset: - dashed_name: process-group-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.group_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.group_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-group-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.group_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.group_leader.io.text: - dashed_name: process-group-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. 
TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.group_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.group_leader.io.total_bytes_captured: - dashed_name: process-group-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.group_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.group_leader.io.total_bytes_skipped: - dashed_name: process-group-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.group_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.group_leader.io.type: - dashed_name: process-group-leader-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.group_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. 
- type: keyword -process.group_leader.macho.go_import_hash: - dashed_name: process-group-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.group_leader.macho.go_imports: - dashed_name: process-group-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.group_leader.macho.go_imports_names_entropy: - dashed_name: process-group-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.macho.go_imports_names_var_entropy: - dashed_name: process-group-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.group_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.macho.go_stripped: - dashed_name: process-group-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.group_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.group_leader.macho.import_hash: - dashed_name: process-group-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.group_leader.macho.imports: - dashed_name: process-group-leader-macho-imports - description: List of imported element names and types. - flat_name: process.group_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.group_leader.macho.imports_names_entropy: - dashed_name: process-group-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.group_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.group_leader.macho.imports_names_var_entropy: - dashed_name: process-group-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.group_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.group_leader.macho.sections: - dashed_name: process-group-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.group_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.group_leader.macho.sections.entropy: - dashed_name: process-group-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.group_leader.macho.sections.name: - dashed_name: process-group-leader-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.group_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.group_leader.macho.sections.physical_size: - dashed_name: process-group-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.group_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.group_leader.macho.sections.var_entropy: - dashed_name: process-group-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.group_leader.macho.sections.virtual_size: - dashed_name: process-group-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.group_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.group_leader.macho.symhash: - dashed_name: process-group-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.group_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.group_leader.name: - dashed_name: process-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.group_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.group_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.group_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.group_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.group_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.group_leader.pe.architecture: - dashed_name: process-group-leader-pe-architecture - description: CPU architecture target for the file. 
- example: x64 - flat_name: process.group_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.group_leader.pe.company: - dashed_name: process-group-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.group_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.group_leader.pe.description: - dashed_name: process-group-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.group_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.group_leader.pe.file_version: - dashed_name: process-group-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.group_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.group_leader.pe.go_import_hash: - dashed_name: process-group-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.group_leader.pe.go_imports: - dashed_name: process-group-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.group_leader.pe.go_imports_names_entropy: - dashed_name: process-group-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.pe.go_imports_names_var_entropy: - dashed_name: process-group-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.group_leader.pe.go_stripped: - dashed_name: process-group-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.group_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.group_leader.pe.imphash: - dashed_name: process-group-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.group_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.group_leader.pe.import_hash: - dashed_name: process-group-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.group_leader.pe.imports: - dashed_name: process-group-leader-pe-imports - description: List of imported element names and types. - flat_name: process.group_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. 
- type: flattened -process.group_leader.pe.imports_names_entropy: - dashed_name: process-group-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.group_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.group_leader.pe.imports_names_var_entropy: - dashed_name: process-group-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.group_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.group_leader.pe.original_file_name: - dashed_name: process-group-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.group_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.group_leader.pe.pehash: - dashed_name: process-group-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
- example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.group_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.group_leader.pe.product: - dashed_name: process-group-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.group_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.group_leader.pe.sections: - dashed_name: process-group-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.group_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.group_leader.pe.sections.entropy: - dashed_name: process-group-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.group_leader.pe.sections.name: - dashed_name: process-group-leader-pe-sections-name - description: PE Section List name. - flat_name: process.group_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword -process.group_leader.pe.sections.physical_size: - dashed_name: process-group-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.group_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.group_leader.pe.sections.var_entropy: - dashed_name: process-group-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.group_leader.pe.sections.virtual_size: - dashed_name: process-group-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.group_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.group_leader.pid: - dashed_name: process-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. - type: long -process.group_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. 
- flat_name: process.group_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.group_leader.real_group.domain: - dashed_name: process-group-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.real_group.id: - dashed_name: process-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.real_group.name: - dashed_name: process-group-leader-real-group-name - description: Name of the group. - flat_name: process.group_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.real_user.domain: - dashed_name: process-group-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.group_leader.real_user.email: - dashed_name: process-group-leader-real-user-email - description: User email address. 
- flat_name: process.group_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.group_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.group_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.group_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.group_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.group_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.group_leader.real_user.entity.id: - dashed_name: process-group-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.group_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.group_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date -process.group_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.group_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.group_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.group_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.group_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. 
- type: keyword -process.group_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.group_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.group_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.group_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.group_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.group_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.group_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-group-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.group_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.group_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.group_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.group_leader.real_user.full_name: - dashed_name: process-group-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.group_leader.real_user.group.domain: - dashed_name: process-group-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.real_user.group.id: - dashed_name: process-group-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.group_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.real_user.group.name: - dashed_name: process-group-leader-real-user-group-name - description: Name of the group. - flat_name: process.group_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.real_user.hash: - dashed_name: process-group-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.group_leader.real_user.id: - dashed_name: process-group-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.group_leader.real_user.name: - dashed_name: process-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.group_leader.real_user.risk.calculated_level: - dashed_name: process-group-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.group_leader.real_user.risk.calculated_score: - dashed_name: process-group-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.group_leader.real_user.risk.calculated_score_norm: - dashed_name: process-group-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.group_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.group_leader.real_user.risk.static_level: - dashed_name: process-group-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.group_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.group_leader.real_user.risk.static_score: - dashed_name: process-group-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.group_leader.real_user.risk.static_score_norm: - dashed_name: process-group-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.group_leader.real_user.roles: - dashed_name: process-group-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword -process.group_leader.same_as_process: - dashed_name: process-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.group_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.group_leader.saved_group.domain: - dashed_name: process-group-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.group_leader.saved_group.id: - dashed_name: process-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.saved_group.name: - dashed_name: process-group-leader-saved-group-name - description: Name of the group. - flat_name: process.group_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.saved_user.domain: - dashed_name: process-group-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.group_leader.saved_user.email: - dashed_name: process-group-leader-saved-user-email - description: User email address. - flat_name: process.group_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.group_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. 
- flat_name: process.group_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.group_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.group_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.group_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.group_leader.saved_user.entity.id: - dashed_name: process-group-leader-saved-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.group_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.group_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.group_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object -process.group_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.group_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.group_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.group_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.group_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.group_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object -process.group_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.group_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.group_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.group_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.group_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.group_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.group_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: process.group_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.group_leader.saved_user.full_name: - dashed_name: process-group-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.group_leader.saved_user.group.domain: - dashed_name: process-group-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.saved_user.group.id: - dashed_name: process-group-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.saved_user.group.name: - dashed_name: process-group-leader-saved-user-group-name - description: Name of the group. - flat_name: process.group_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.group_leader.saved_user.hash: - dashed_name: process-group-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.group_leader.saved_user.id: - dashed_name: process-group-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.group_leader.saved_user.name: - dashed_name: process-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.group_leader.saved_user.risk.calculated_level: - dashed_name: process-group-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.group_leader.saved_user.risk.calculated_score: - dashed_name: process-group-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.group_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-group-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.group_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.group_leader.saved_user.risk.static_level: - dashed_name: process-group-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.group_leader.saved_user.risk.static_score: - dashed_name: process-group-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.group_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.group_leader.saved_user.risk.static_score_norm: - dashed_name: process-group-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.group_leader.saved_user.roles: - dashed_name: process-group-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.group_leader.start: - dashed_name: process-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.group_leader.supplemental_groups.domain: - dashed_name: process-group-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.group_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.supplemental_groups.id: - dashed_name: process-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.supplemental_groups.name: - dashed_name: process-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.group_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.thread.capabilities.effective: - dashed_name: process-group-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.group_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.group_leader.thread.capabilities.permitted: - dashed_name: process-group-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.group_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.group_leader.thread.id: - dashed_name: process-group-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.group_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.group_leader.thread.name: - dashed_name: process-group-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.group_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.group_leader.title: - dashed_name: process-group-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.group_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.group_leader.tty: - dashed_name: process-group-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.group_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. 
- type: object -process.group_leader.tty.char_device.major: - dashed_name: process-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.group_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.group_leader.tty.char_device.minor: - dashed_name: process-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.group_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.group_leader.tty.columns: - dashed_name: process-group-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.group_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.group_leader.tty.rows: - dashed_name: process-group-leader-tty-rows - description: 'The number of character rows in the terminal. 
e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.group_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.group_leader.uptime: - dashed_name: process-group-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.group_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.group_leader.user.domain: - dashed_name: process-group-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.group_leader.user.email: - dashed_name: process-group-leader-user-email - description: User email address. - flat_name: process.group_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.group_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. 
- flat_name: process.group_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.group_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.group_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.group_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.group_leader.user.entity.id: - dashed_name: process-group-leader-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.group_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.group_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.group_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object -process.group_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.group_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.group_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.group_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.group_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.group_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.group_leader.user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-group-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.group_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.group_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.group_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.group_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.group_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. 
- type: keyword -process.group_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.group_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. 
- type: keyword -process.group_leader.user.full_name: - dashed_name: process-group-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.group_leader.user.group.domain: - dashed_name: process-group-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.group_leader.user.group.id: - dashed_name: process-group-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.group_leader.user.group.name: - dashed_name: process-group-leader-user-group-name - description: Name of the group. - flat_name: process.group_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.group_leader.user.hash: - dashed_name: process-group-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.group_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.group_leader.user.id: - dashed_name: process-group-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.group_leader.user.name: - dashed_name: process-group-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.group_leader.user.risk.calculated_level: - dashed_name: process-group-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.group_leader.user.risk.calculated_score: - dashed_name: process-group-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.group_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.group_leader.user.risk.calculated_score_norm: - dashed_name: process-group-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.group_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.group_leader.user.risk.static_level: - dashed_name: process-group-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.group_leader.user.risk.static_score: - dashed_name: process-group-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.group_leader.user.risk.static_score_norm: - dashed_name: process-group-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.group_leader.user.roles: - dashed_name: process-group-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.group_leader.vpid: - dashed_name: process-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.group_leader.working_directory: - dashed_name: process-group-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.group_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. 
- type: keyword -process.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.hash.md5: - dashed_name: process-hash-md5 - description: MD5 hash. - flat_name: process.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.hash.sha1: - dashed_name: process-hash-sha1 - description: SHA1 hash. - flat_name: process.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.hash.sha256: - dashed_name: process-hash-sha256 - description: SHA256 hash. - flat_name: process.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.hash.sha384: - dashed_name: process-hash-sha384 - description: SHA384 hash. - flat_name: process.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.hash.sha512: - dashed_name: process-hash-sha512 - description: SHA512 hash. - flat_name: process.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.hash.ssdeep: - dashed_name: process-hash-ssdeep - description: SSDEEP hash. - flat_name: process.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. 
- type: keyword -process.hash.tlsh: - dashed_name: process-hash-tlsh - description: TLSH hash. - flat_name: process.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.interactive: - dashed_name: process-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.interactive - level: extended - name: interactive - normalize: [] - otel: - - relation: match - stability: development - short: Whether the process is connected to an interactive shell. - type: boolean -process.io: - dashed_name: process-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.io - level: extended - name: io - normalize: [] - short: A chunk of input or output (IO) from a single process. - type: object -process.io.bytes_skipped: - dashed_name: process-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - short: An array of byte offsets and lengths denoting where IO data has been skipped. 
- type: object -process.io.bytes_skipped.length: - dashed_name: process-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - short: The length of bytes skipped. - type: long -process.io.bytes_skipped.offset: - dashed_name: process-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.io.max_bytes_per_process_exceeded: - dashed_name: process-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.io.text: - dashed_name: process-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.io.text - level: extended - name: io.text - normalize: [] - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.io.total_bytes_captured: - dashed_name: process-io-total-bytes-captured - description: The total number of bytes captured in this event. 
- flat_name: process.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - short: The total number of bytes captured in this event. - type: long -process.io.total_bytes_skipped: - dashed_name: process-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.io.type: - dashed_name: process-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.macho.go_import_hash: - dashed_name: process-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. 
- type: keyword -process.macho.go_imports: - dashed_name: process-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.macho.go_imports_names_entropy: - dashed_name: process-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.macho.go_imports_names_var_entropy: - dashed_name: process-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.macho.go_stripped: - dashed_name: process-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.macho.import_hash: - dashed_name: process-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.macho.imports: - dashed_name: process-macho-imports - description: List of imported element names and types. - flat_name: process.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.macho.imports_names_entropy: - dashed_name: process-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.macho.imports_names_var_entropy: - dashed_name: process-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.macho.sections: - dashed_name: process-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. 
- type: nested -process.macho.sections.entropy: - dashed_name: process-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.macho.sections.name: - dashed_name: process-macho-sections-name - description: Mach-O Section List name. - flat_name: process.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.macho.sections.physical_size: - dashed_name: process-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.macho.sections.var_entropy: - dashed_name: process-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.macho.sections.virtual_size: - dashed_name: process-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.macho.symhash: - dashed_name: process-macho-symhash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.name: - dashed_name: process-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.name.text - name: text - type: match_only_text - name: name - normalize: [] - short: Process name. - type: keyword -process.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - short: The URL where the process's executable file is hosted. - type: keyword -process.parent.args: - dashed_name: process-parent-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.parent.args_count: - dashed_name: process-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.parent.attested_groups.domain: - dashed_name: process-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.attested_groups.id: - dashed_name: process-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.attested_groups.name: - dashed_name: process-parent-attested-groups-name - description: Name of the group. - flat_name: process.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.parent.attested_user.domain: - dashed_name: process-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.attested_user.email: - dashed_name: process-parent-attested-user-email - description: User email address. - flat_name: process.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.parent.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.parent.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. 
- flat_name: process.parent.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.parent.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.parent.attested_user.entity.id: - dashed_name: process-parent-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword -process.parent.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.parent.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.parent.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.parent.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-name - description: The name of the entity. 
The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.parent.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.parent.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.parent.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.parent.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.parent.attested_user.entity.source: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.parent.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.parent.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.parent.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. 
- name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. 
- name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.parent.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.parent.attested_user.full_name: - dashed_name: process-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.attested_user.group.domain: - dashed_name: process-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.attested_user.group.id: - dashed_name: process-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.attested_user.group.name: - dashed_name: process-parent-attested-user-group-name - description: Name of the group. - flat_name: process.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.attested_user.hash: - dashed_name: process-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.attested_user.id: - dashed_name: process-parent-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.attested_user.name: - dashed_name: process-parent-attested-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.attested_user.risk.calculated_level: - dashed_name: process-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.attested_user.risk.calculated_score: - dashed_name: process-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.attested_user.risk.static_level: - dashed_name: process-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.attested_user.risk.static_score: - dashed_name: process-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.attested_user.risk.static_score_norm: - dashed_name: process-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float -process.parent.attested_user.roles: - dashed_name: process-parent-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.code_signature.digest_algorithm: - dashed_name: process-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.parent.code_signature.exists: - dashed_name: process-parent-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.parent.code_signature.signing_id: - dashed_name: process-parent-code-signature-signing-id - description: 'The identifier used to sign the process. 
- - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.parent.code_signature.status: - dashed_name: process-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.parent.code_signature.subject_name: - dashed_name: process-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.parent.code_signature.team_id: - dashed_name: process-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. 
- type: keyword -process.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.parent.code_signature.timestamp: - dashed_name: process-parent-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.parent.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.parent.code_signature.trusted: - dashed_name: process-parent-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.parent.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.parent.code_signature.valid: - dashed_name: process-parent-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - flat_name: process.parent.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.parent.command_line: - dashed_name: process-parent-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.command_line - level: extended - multi_fields: - - flat_name: process.parent.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.parent.elf.architecture: - dashed_name: process-parent-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.parent.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.parent.elf.byte_order: - dashed_name: process-parent-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.parent.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.parent.elf.cpu_type: - dashed_name: process-parent-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.parent.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. 
- type: keyword -process.parent.elf.creation_date: - dashed_name: process-parent-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.parent.elf.exports: - dashed_name: process-parent-elf-exports - description: List of exported element names and types. - flat_name: process.parent.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.parent.elf.go_import_hash: - dashed_name: process-parent-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.parent.elf.go_imports: - dashed_name: process-parent-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. 
- type: flattened -process.parent.elf.go_imports_names_entropy: - dashed_name: process-parent-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.elf.go_imports_names_var_entropy: - dashed_name: process-parent-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.parent.elf.go_stripped: - dashed_name: process-parent-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.elf.header.abi_version: - dashed_name: process-parent-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.parent.elf.header.class: - dashed_name: process-parent-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.parent.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.parent.elf.header.data: - dashed_name: process-parent-elf-header-data - description: Data table of the ELF header. - flat_name: process.parent.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.parent.elf.header.entrypoint: - dashed_name: process-parent-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.parent.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.parent.elf.header.object_version: - dashed_name: process-parent-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.parent.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.parent.elf.header.os_abi: - dashed_name: process-parent-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.parent.elf.header.type: - dashed_name: process-parent-elf-header-type - description: Header type of the ELF file. - flat_name: process.parent.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. 
- type: keyword -process.parent.elf.header.version: - dashed_name: process-parent-elf-header-version - description: Version of the ELF header. - flat_name: process.parent.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.parent.elf.import_hash: - dashed_name: process-parent-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.parent.elf.imports: - dashed_name: process-parent-elf-imports - description: List of imported element names and types. - flat_name: process.parent.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.parent.elf.imports_names_entropy: - dashed_name: process-parent-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.elf.imports_names_var_entropy: - dashed_name: process-parent-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.parent.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.elf.sections: - dashed_name: process-parent-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.parent.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.parent.elf.sections.chi2: - dashed_name: process-parent-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.parent.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.parent.elf.sections.entropy: - dashed_name: process-parent-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.parent.elf.sections.flags: - dashed_name: process-parent-elf-sections-flags - description: ELF Section List flags. - flat_name: process.parent.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.parent.elf.sections.name: - dashed_name: process-parent-elf-sections-name - description: ELF Section List name. 
- flat_name: process.parent.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.parent.elf.sections.physical_offset: - dashed_name: process-parent-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.parent.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.parent.elf.sections.physical_size: - dashed_name: process-parent-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.parent.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.parent.elf.sections.type: - dashed_name: process-parent-elf-sections-type - description: ELF Section List type. - flat_name: process.parent.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.parent.elf.sections.var_entropy: - dashed_name: process-parent-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.elf.sections.virtual_address: - dashed_name: process-parent-elf-sections-virtual-address - description: ELF Section List virtual address. 
- flat_name: process.parent.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.parent.elf.sections.virtual_size: - dashed_name: process-parent-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.parent.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.parent.elf.segments: - dashed_name: process-parent-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.parent.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.parent.elf.segments.sections: - dashed_name: process-parent-elf-segments-sections - description: ELF object segment sections. - flat_name: process.parent.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.parent.elf.segments.type: - dashed_name: process-parent-elf-segments-type - description: ELF object segment type. - flat_name: process.parent.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.parent.elf.shared_libraries: - dashed_name: process-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object. 
- flat_name: process.parent.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.parent.elf.telfhash: - dashed_name: process-parent-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.parent.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.parent.end: - dashed_name: process-parent-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.parent.entity_id: - dashed_name: process-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' 
- example: c2c455d9f99375d - flat_name: process.parent.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.parent.entry_meta.source.address: - dashed_name: process-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.parent.entry_meta.source.as.number: - dashed_name: process-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.parent.entry_meta.source.as.organization.name: - dashed_name: process-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.parent.entry_meta.source.bytes: - dashed_name: process-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. 
- example: 184 - flat_name: process.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.parent.entry_meta.source.domain: - dashed_name: process-parent-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.parent.entry_meta.source.geo.city_name: - dashed_name: process-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.parent.entry_meta.source.geo.continent_code: - dashed_name: process-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.parent.entry_meta.source.geo.continent_name: - dashed_name: process-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. 
- type: keyword -process.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.parent.entry_meta.source.geo.country_name: - dashed_name: process-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.parent.entry_meta.source.geo.location: - dashed_name: process-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.parent.entry_meta.source.geo.name: - dashed_name: process-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.parent.entry_meta.source.geo.postal_code: - dashed_name: process-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. 
- - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.parent.entry_meta.source.geo.region_name: - dashed_name: process-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.parent.entry_meta.source.geo.timezone: - dashed_name: process-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.parent.entry_meta.source.ip: - dashed_name: process-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.parent.entry_meta.source.mac: - dashed_name: process-parent-entry-meta-source-mac - description: 'MAC address of the source. 
- - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.parent.entry_meta.source.nat.ip: - dashed_name: process-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.parent.entry_meta.source.nat.port: - dashed_name: process-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.parent.entry_meta.source.packets: - dashed_name: process-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.parent.entry_meta.source.port: - dashed_name: process-parent-entry-meta-source-port - description: Port of the source. 
- flat_name: process.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.parent.entry_meta.source.registered_domain: - dashed_name: process-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.parent.entry_meta.source.subdomain: - dashed_name: process-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. 
- type: keyword -process.parent.entry_meta.source.top_level_domain: - dashed_name: process-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.parent.entry_meta.type: - dashed_name: process-parent-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.parent.env_vars: - dashed_name: process-parent-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. 
- synthetic_source_keep: none - type: keyword -process.parent.executable: - dashed_name: process-parent-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.parent.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.parent.exit_code: - dashed_name: process-parent-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.parent.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.parent.group.domain: - dashed_name: process-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group.id: - dashed_name: process-parent-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group.name: - dashed_name: process-parent-group-name - description: Name of the group. - flat_name: process.parent.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.parent.group_leader.args: - dashed_name: process-parent-group-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.group_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.parent.group_leader.args_count: - dashed_name: process-parent-group-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.parent.group_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.parent.group_leader.attested_groups.domain: - dashed_name: process-parent-group-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.attested_groups.id: - dashed_name: process-parent-group-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.parent.group_leader.attested_groups.name: - dashed_name: process-parent-group-leader-attested-groups-name - description: Name of the group. - flat_name: process.parent.group_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.attested_user.domain: - dashed_name: process-parent-group-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.group_leader.attested_user.email: - dashed_name: process-parent-group-leader-attested-user-email - description: User email address. - flat_name: process.parent.group_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.group_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.parent.group_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. 
- type: object -process.parent.group_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.parent.group_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.parent.group_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.group_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.parent.group_leader.attested_user.entity.id: - dashed_name: process-parent-group-leader-attested-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.group_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.parent.group_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.parent.group_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.parent.group_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.parent.group_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.parent.group_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.group_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.group_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.parent.group_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.parent.group_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: process.parent.group_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.parent.group_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.group_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.parent.group_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.parent.group_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.parent.group_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.group_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.parent.group_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.parent.group_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.parent.group_leader.attested_user.full_name: - dashed_name: process-parent-group-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.group_leader.attested_user.group.domain: - dashed_name: process-parent-group-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.attested_user.group.id: - dashed_name: process-parent-group-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.parent.group_leader.attested_user.group.name: - dashed_name: process-parent-group-leader-attested-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.attested_user.hash: - dashed_name: process-parent-group-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.group_leader.attested_user.id: - dashed_name: process-parent-group-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.group_leader.attested_user.name: - dashed_name: process-parent-group-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.parent.group_leader.attested_user.risk.calculated_level: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.group_leader.attested_user.risk.calculated_score: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.group_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.group_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.parent.group_leader.attested_user.risk.static_level: - dashed_name: process-parent-group-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.group_leader.attested_user.risk.static_score: - dashed_name: process-parent-group-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.group_leader.attested_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.group_leader.attested_user.roles: - dashed_name: process-parent-group-leader-attested-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.code_signature.digest_algorithm: - dashed_name: process-parent-group-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.parent.group_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.parent.group_leader.code_signature.exists: - dashed_name: process-parent-group-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.parent.group_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.parent.group_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.parent.group_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.parent.group_leader.code_signature.signing_id: - dashed_name: process-parent-group-leader-code-signature-signing-id - description: 'The identifier used to sign the process. 
- - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.parent.group_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.parent.group_leader.code_signature.status: - dashed_name: process-parent-group-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.group_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.parent.group_leader.code_signature.subject_name: - dashed_name: process-parent-group-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.parent.group_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.parent.group_leader.code_signature.team_id: - dashed_name: process-parent-group-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' 
- example: EQHXZ8M8AV - flat_name: process.parent.group_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.parent.group_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.group_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.parent.group_leader.code_signature.timestamp: - dashed_name: process-parent-group-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.parent.group_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.parent.group_leader.code_signature.trusted: - dashed_name: process-parent-group-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.parent.group_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. 
- type: boolean -process.parent.group_leader.code_signature.valid: - dashed_name: process-parent-group-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.parent.group_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.parent.group_leader.command_line: - dashed_name: process-parent-group-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.group_leader.command_line - level: extended - multi_fields: - - flat_name: process.parent.group_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.parent.group_leader.elf.architecture: - dashed_name: process-parent-group-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.parent.group_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.parent.group_leader.elf.byte_order: - dashed_name: process-parent-group-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.parent.group_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. 
- type: keyword -process.parent.group_leader.elf.cpu_type: - dashed_name: process-parent-group-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.parent.group_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.parent.group_leader.elf.creation_date: - dashed_name: process-parent-group-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.group_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.parent.group_leader.elf.exports: - dashed_name: process-parent-group-leader-elf-exports - description: List of exported element names and types. - flat_name: process.parent.group_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.parent.group_leader.elf.go_import_hash: - dashed_name: process-parent-group-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. 
- type: keyword -process.parent.group_leader.elf.go_imports: - dashed_name: process-parent-group-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.parent.group_leader.elf.go_imports_names_entropy: - dashed_name: process-parent-group-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.group_leader.elf.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.parent.group_leader.elf.go_stripped: - dashed_name: process-parent-group-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. 
- type: boolean -process.parent.group_leader.elf.header.abi_version: - dashed_name: process-parent-group-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.group_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.parent.group_leader.elf.header.class: - dashed_name: process-parent-group-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.parent.group_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.parent.group_leader.elf.header.data: - dashed_name: process-parent-group-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.parent.group_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.parent.group_leader.elf.header.entrypoint: - dashed_name: process-parent-group-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.parent.group_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.parent.group_leader.elf.header.object_version: - dashed_name: process-parent-group-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.parent.group_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' 
- type: keyword -process.parent.group_leader.elf.header.os_abi: - dashed_name: process-parent-group-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.group_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.parent.group_leader.elf.header.type: - dashed_name: process-parent-group-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.parent.group_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.parent.group_leader.elf.header.version: - dashed_name: process-parent-group-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.parent.group_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.parent.group_leader.elf.import_hash: - dashed_name: process-parent-group-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.parent.group_leader.elf.imports: - dashed_name: process-parent-group-leader-elf-imports - description: List of imported element names and types. 
- flat_name: process.parent.group_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.parent.group_leader.elf.imports_names_entropy: - dashed_name: process-parent-group-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.group_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.group_leader.elf.imports_names_var_entropy: - dashed_name: process-parent-group-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.group_leader.elf.sections: - dashed_name: process-parent-group-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.parent.group_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.parent.group_leader.elf.sections.chi2: - dashed_name: process-parent-group-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. 
- flat_name: process.parent.group_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.parent.group_leader.elf.sections.entropy: - dashed_name: process-parent-group-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.parent.group_leader.elf.sections.flags: - dashed_name: process-parent-group-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.parent.group_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.parent.group_leader.elf.sections.name: - dashed_name: process-parent-group-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.parent.group_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.parent.group_leader.elf.sections.physical_offset: - dashed_name: process-parent-group-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.parent.group_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.parent.group_leader.elf.sections.physical_size: - dashed_name: process-parent-group-leader-elf-sections-physical-size - description: ELF Section List physical size. 
- flat_name: process.parent.group_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.parent.group_leader.elf.sections.type: - dashed_name: process-parent-group-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.parent.group_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.parent.group_leader.elf.sections.var_entropy: - dashed_name: process-parent-group-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.group_leader.elf.sections.virtual_address: - dashed_name: process-parent-group-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.parent.group_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.parent.group_leader.elf.sections.virtual_size: - dashed_name: process-parent-group-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.parent.group_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. 
- type: long -process.parent.group_leader.elf.segments: - dashed_name: process-parent-group-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.parent.group_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.parent.group_leader.elf.segments.sections: - dashed_name: process-parent-group-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.parent.group_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.parent.group_leader.elf.segments.type: - dashed_name: process-parent-group-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.parent.group_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.parent.group_leader.elf.shared_libraries: - dashed_name: process-parent-group-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.parent.group_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.parent.group_leader.elf.telfhash: - dashed_name: process-parent-group-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.parent.group_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. 
- type: keyword -process.parent.group_leader.end: - dashed_name: process-parent-group-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.parent.group_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.parent.group_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.parent.group_leader.entity_id: - dashed_name: process-parent-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.parent.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.parent.group_leader.entry_meta.source.address: - dashed_name: process-parent-group-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. 
You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.parent.group_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.parent.group_leader.entry_meta.source.as.number: - dashed_name: process-parent-group-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.parent.group_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.parent.group_leader.entry_meta.source.as.organization.name: - dashed_name: process-parent-group-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.parent.group_leader.entry_meta.source.bytes: - dashed_name: process-parent-group-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.parent.group_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. 
- type: long -process.parent.group_leader.entry_meta.source.domain: - dashed_name: process-parent-group-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.parent.group_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.parent.group_leader.entry_meta.source.geo.city_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.parent.group_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.parent.group_leader.entry_meta.source.geo.continent_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.parent.group_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.parent.group_leader.entry_meta.source.geo.continent_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.parent.group_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. 
- type: keyword -process.parent.group_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.parent.group_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.parent.group_leader.entry_meta.source.geo.country_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.parent.group_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.parent.group_leader.entry_meta.source.geo.location: - dashed_name: process-parent-group-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.parent.group_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.parent.group_leader.entry_meta.source.geo.name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.parent.group_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. 
- type: keyword -process.parent.group_leader.entry_meta.source.geo.postal_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.parent.group_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.parent.group_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.parent.group_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.parent.group_leader.entry_meta.source.geo.region_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.parent.group_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.parent.group_leader.entry_meta.source.geo.timezone: - dashed_name: process-parent-group-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.parent.group_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. 
- type: keyword -process.parent.group_leader.entry_meta.source.ip: - dashed_name: process-parent-group-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.parent.group_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.parent.group_leader.entry_meta.source.mac: - dashed_name: process-parent-group-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.parent.group_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.parent.group_leader.entry_meta.source.nat.ip: - dashed_name: process-parent-group-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.parent.group_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.parent.group_leader.entry_meta.source.nat.port: - dashed_name: process-parent-group-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- flat_name: process.parent.group_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.parent.group_leader.entry_meta.source.packets: - dashed_name: process-parent-group-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.parent.group_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.parent.group_leader.entry_meta.source.port: - dashed_name: process-parent-group-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.parent.group_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.parent.group_leader.entry_meta.source.registered_domain: - dashed_name: process-parent-group-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.parent.group_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. 
- type: keyword -process.parent.group_leader.entry_meta.source.subdomain: - dashed_name: process-parent-group-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.parent.group_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.parent.group_leader.entry_meta.source.top_level_domain: - dashed_name: process-parent-group-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.parent.group_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.parent.group_leader.entry_meta.type: - dashed_name: process-parent-group-leader-entry-meta-type - description: 'The entry type for the entry session leader. 
Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.parent.group_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.parent.group_leader.env_vars: - dashed_name: process-parent-group-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.parent.group_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.executable: - dashed_name: process-parent-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.parent.group_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.parent.group_leader.exit_code: - dashed_name: process-parent-group-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.parent.group_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. 
- type: long -process.parent.group_leader.group.domain: - dashed_name: process-parent-group-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.group.id: - dashed_name: process-parent-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.group.name: - dashed_name: process-parent-group-leader-group-name - description: Name of the group. - flat_name: process.parent.group_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.group_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.parent.group_leader.hash.md5: - dashed_name: process-parent-group-leader-hash-md5 - description: MD5 hash. - flat_name: process.parent.group_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. 
- type: keyword -process.parent.group_leader.hash.sha1: - dashed_name: process-parent-group-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.parent.group_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.parent.group_leader.hash.sha256: - dashed_name: process-parent-group-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.parent.group_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.parent.group_leader.hash.sha384: - dashed_name: process-parent-group-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.parent.group_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.parent.group_leader.hash.sha512: - dashed_name: process-parent-group-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.parent.group_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.parent.group_leader.hash.ssdeep: - dashed_name: process-parent-group-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.parent.group_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.parent.group_leader.hash.tlsh: - dashed_name: process-parent-group-leader-hash-tlsh - description: TLSH hash. - flat_name: process.parent.group_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. 
- type: keyword -process.parent.group_leader.interactive: - dashed_name: process-parent-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.parent.group_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.parent.group_leader.io: - dashed_name: process-parent-group-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.parent.group_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.parent.group_leader.io.bytes_skipped: - dashed_name: process-parent-group-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.parent.group_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. 
- type: object -process.parent.group_leader.io.bytes_skipped.length: - dashed_name: process-parent-group-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.parent.group_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.parent.group_leader.io.bytes_skipped.offset: - dashed_name: process-parent-group-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.parent.group_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.parent.group_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-parent-group-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.parent.group_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.parent.group_leader.io.text: - dashed_name: process-parent-group-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' 
- flat_name: process.parent.group_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.parent.group_leader.io.total_bytes_captured: - dashed_name: process-parent-group-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.parent.group_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.parent.group_leader.io.total_bytes_skipped: - dashed_name: process-parent-group-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.parent.group_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.parent.group_leader.io.type: - dashed_name: process-parent-group-leader-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.parent.group_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.parent.group_leader.macho.go_import_hash: - dashed_name: process-parent-group-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.parent.group_leader.macho.go_imports: - dashed_name: process-parent-group-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.parent.group_leader.macho.go_imports_names_entropy: - dashed_name: process-parent-group-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.group_leader.macho.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.parent.group_leader.macho.go_stripped: - dashed_name: process-parent-group-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.group_leader.macho.import_hash: - dashed_name: process-parent-group-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.parent.group_leader.macho.imports: - dashed_name: process-parent-group-leader-macho-imports - description: List of imported element names and types. - flat_name: process.parent.group_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.parent.group_leader.macho.imports_names_entropy: - dashed_name: process-parent-group-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.parent.group_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.group_leader.macho.imports_names_var_entropy: - dashed_name: process-parent-group-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.group_leader.macho.sections: - dashed_name: process-parent-group-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.parent.group_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.parent.group_leader.macho.sections.entropy: - dashed_name: process-parent-group-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.parent.group_leader.macho.sections.name: - dashed_name: process-parent-group-leader-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.parent.group_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.parent.group_leader.macho.sections.physical_size: - dashed_name: process-parent-group-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.parent.group_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.parent.group_leader.macho.sections.var_entropy: - dashed_name: process-parent-group-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.group_leader.macho.sections.virtual_size: - dashed_name: process-parent-group-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.group_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.parent.group_leader.macho.symhash: - dashed_name: process-parent-group-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.group_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.parent.group_leader.name: - dashed_name: process-parent-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.parent.group_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.parent.group_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.parent.group_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.parent.group_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.parent.group_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword -process.parent.group_leader.pe.architecture: - dashed_name: process-parent-group-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.parent.group_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.parent.group_leader.pe.company: - dashed_name: process-parent-group-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.parent.group_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.parent.group_leader.pe.description: - dashed_name: process-parent-group-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.parent.group_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.parent.group_leader.pe.file_version: - dashed_name: process-parent-group-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.parent.group_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.parent.group_leader.pe.go_import_hash: - dashed_name: process-parent-group-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.parent.group_leader.pe.go_imports: - dashed_name: process-parent-group-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.parent.group_leader.pe.go_imports_names_entropy: - dashed_name: process-parent-group-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.group_leader.pe.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.parent.group_leader.pe.go_stripped: - dashed_name: process-parent-group-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.group_leader.pe.imphash: - dashed_name: process-parent-group-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.group_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.parent.group_leader.pe.import_hash: - dashed_name: process-parent-group-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.parent.group_leader.pe.imports: - dashed_name: process-parent-group-leader-pe-imports - description: List of imported element names and types. 
- flat_name: process.parent.group_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.parent.group_leader.pe.imports_names_entropy: - dashed_name: process-parent-group-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.group_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.group_leader.pe.imports_names_var_entropy: - dashed_name: process-parent-group-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.group_leader.pe.original_file_name: - dashed_name: process-parent-group-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.parent.group_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.parent.group_leader.pe.pehash: - dashed_name: process-parent-group-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. 
- - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.group_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.parent.group_leader.pe.product: - dashed_name: process-parent-group-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.parent.group_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.parent.group_leader.pe.sections: - dashed_name: process-parent-group-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.parent.group_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.parent.group_leader.pe.sections.entropy: - dashed_name: process-parent-group-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.parent.group_leader.pe.sections.name: - dashed_name: process-parent-group-leader-pe-sections-name - description: PE Section List name. 
- flat_name: process.parent.group_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.parent.group_leader.pe.sections.physical_size: - dashed_name: process-parent-group-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.parent.group_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.parent.group_leader.pe.sections.var_entropy: - dashed_name: process-parent-group-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.group_leader.pe.sections.virtual_size: - dashed_name: process-parent-group-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.group_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.parent.group_leader.pid: - dashed_name: process-parent-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.parent.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.parent.group_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.parent.group_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.parent.group_leader.real_group.domain: - dashed_name: process-parent-group-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.real_group.id: - dashed_name: process-parent-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.real_group.name: - dashed_name: process-parent-group-leader-real-group-name - description: Name of the group. - flat_name: process.parent.group_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.real_user.domain: - dashed_name: process-parent-group-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.group_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.group_leader.real_user.email: - dashed_name: process-parent-group-leader-real-user-email - description: User email address. - flat_name: process.parent.group_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.group_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.parent.group_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.parent.group_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. 
- flat_name: process.parent.group_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.parent.group_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.group_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.parent.group_leader.real_user.entity.id: - dashed_name: process-parent-group-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.group_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword -process.parent.group_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.parent.group_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.parent.group_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.parent.group_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.group_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.group_leader.real_user.entity.name: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.parent.group_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.parent.group_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.parent.group_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.parent.group_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.group_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. 
- type: keyword -process.parent.group_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.parent.group_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.parent.group_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.group_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.parent.group_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. 
This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.parent.group_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.parent.group_leader.real_user.full_name: - dashed_name: process-parent-group-leader-real-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.parent.group_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.group_leader.real_user.group.domain: - dashed_name: process-parent-group-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.real_user.group.id: - dashed_name: process-parent-group-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.real_user.group.name: - dashed_name: process-parent-group-leader-real-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.real_user.hash: - dashed_name: process-parent-group-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.parent.group_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.group_leader.real_user.id: - dashed_name: process-parent-group-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.group_leader.real_user.name: - dashed_name: process-parent-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.group_leader.real_user.risk.calculated_level: - dashed_name: process-parent-group-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.parent.group_leader.real_user.risk.calculated_score: - dashed_name: process-parent-group-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.group_leader.real_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.group_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.group_leader.real_user.risk.static_level: - dashed_name: process-parent-group-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.parent.group_leader.real_user.risk.static_score: - dashed_name: process-parent-group-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.group_leader.real_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.group_leader.real_user.roles: - dashed_name: process-parent-group-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.same_as_process: - dashed_name: process-parent-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. 
Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.parent.group_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.parent.group_leader.saved_group.domain: - dashed_name: process-parent-group-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.saved_group.id: - dashed_name: process-parent-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.parent.group_leader.saved_group.name: - dashed_name: process-parent-group-leader-saved-group-name - description: Name of the group. - flat_name: process.parent.group_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.saved_user.domain: - dashed_name: process-parent-group-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.group_leader.saved_user.email: - dashed_name: process-parent-group-leader-saved-user-email - description: User email address. - flat_name: process.parent.group_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.group_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.parent.group_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. 
- type: object -process.parent.group_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.parent.group_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.parent.group_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.group_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.parent.group_leader.saved_user.entity.id: - dashed_name: process-parent-group-leader-saved-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.group_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.parent.group_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.parent.group_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.parent.group_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object -process.parent.group_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.group_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.group_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.parent.group_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.parent.group_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.parent.group_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object -process.parent.group_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.group_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.parent.group_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.parent.group_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.parent.group_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.parent.group_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.parent.group_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.parent.group_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.parent.group_leader.saved_user.full_name: - dashed_name: process-parent-group-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.group_leader.saved_user.group.domain: - dashed_name: process-parent-group-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.saved_user.group.id: - dashed_name: process-parent-group-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.saved_user.group.name: - dashed_name: process-parent-group-leader-saved-user-group-name - description: Name of the group. 
- flat_name: process.parent.group_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.saved_user.hash: - dashed_name: process-parent-group-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.group_leader.saved_user.id: - dashed_name: process-parent-group-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.group_leader.saved_user.name: - dashed_name: process-parent-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.group_leader.saved_user.risk.calculated_level: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.parent.group_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.group_leader.saved_user.risk.calculated_score: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.group_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.group_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.group_leader.saved_user.risk.static_level: - dashed_name: process-parent-group-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.parent.group_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.group_leader.saved_user.risk.static_score: - dashed_name: process-parent-group-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.group_leader.saved_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.group_leader.saved_user.roles: - dashed_name: process-parent-group-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword -process.parent.group_leader.start: - dashed_name: process-parent-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.parent.group_leader.supplemental_groups.domain: - dashed_name: process-parent-group-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.group_leader.supplemental_groups.id: - dashed_name: process-parent-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.supplemental_groups.name: - dashed_name: process-parent-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.parent.group_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.thread.capabilities.effective: - dashed_name: process-parent-group-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.group_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.thread.capabilities.permitted: - dashed_name: process-parent-group-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.group_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.thread.id: - dashed_name: process-parent-group-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.parent.group_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.parent.group_leader.thread.name: - dashed_name: process-parent-group-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.parent.group_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.parent.group_leader.title: - dashed_name: process-parent-group-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' 
- flat_name: process.parent.group_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.parent.group_leader.tty: - dashed_name: process-parent-group-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.parent.group_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.parent.group_leader.tty.char_device.major: - dashed_name: process-parent-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.parent.group_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.parent.group_leader.tty.char_device.minor: - dashed_name: process-parent-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.parent.group_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. 
- type: long -process.parent.group_leader.tty.columns: - dashed_name: process-parent-group-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.parent.group_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.parent.group_leader.tty.rows: - dashed_name: process-parent-group-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.parent.group_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.parent.group_leader.uptime: - dashed_name: process-parent-group-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.parent.group_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.parent.group_leader.user.domain: - dashed_name: process-parent-group-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword -process.parent.group_leader.user.email: - dashed_name: process-parent-group-leader-user-email - description: User email address. - flat_name: process.parent.group_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.group_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.parent.group_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.parent.group_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.parent.group_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.parent.group_leader.user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.group_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.parent.group_leader.user.entity.id: - dashed_name: process-parent-group-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.group_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.parent.group_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. 
- flat_name: process.parent.group_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.parent.group_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.parent.group_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.group_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.group_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.parent.group_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.parent.group_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.parent.group_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.parent.group_leader.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.group_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.parent.group_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.parent.group_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.parent.group_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.group_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.parent.group_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.parent.group_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.parent.group_leader.user.full_name: - dashed_name: process-parent-group-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.group_leader.user.group.domain: - dashed_name: process-parent-group-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.parent.group_leader.user.group.id: - dashed_name: process-parent-group-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.group_leader.user.group.name: - dashed_name: process-parent-group-leader-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.group_leader.user.hash: - dashed_name: process-parent-group-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.group_leader.user.id: - dashed_name: process-parent-group-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.group_leader.user.name: - dashed_name: process-parent-group-leader-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.parent.group_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.group_leader.user.risk.calculated_level: - dashed_name: process-parent-group-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.group_leader.user.risk.calculated_score: - dashed_name: process-parent-group-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.group_leader.user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.parent.group_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.group_leader.user.risk.static_level: - dashed_name: process-parent-group-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.group_leader.user.risk.static_score: - dashed_name: process-parent-group-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.group_leader.user.risk.static_score_norm: - dashed_name: process-parent-group-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float -process.parent.group_leader.user.roles: - dashed_name: process-parent-group-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.group_leader.vpid: - dashed_name: process-parent-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.parent.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.parent.group_leader.working_directory: - dashed_name: process-parent-group-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.parent.group_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.parent.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-parent-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. 
- type: keyword -process.parent.hash.md5: - dashed_name: process-parent-hash-md5 - description: MD5 hash. - flat_name: process.parent.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.parent.hash.sha1: - dashed_name: process-parent-hash-sha1 - description: SHA1 hash. - flat_name: process.parent.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.parent.hash.sha256: - dashed_name: process-parent-hash-sha256 - description: SHA256 hash. - flat_name: process.parent.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.parent.hash.sha384: - dashed_name: process-parent-hash-sha384 - description: SHA384 hash. - flat_name: process.parent.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.parent.hash.sha512: - dashed_name: process-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.parent.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.parent.hash.ssdeep: - dashed_name: process-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.parent.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh - description: TLSH hash. - flat_name: process.parent.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. 
- type: keyword -process.parent.interactive: - dashed_name: process-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.parent.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.parent.io: - dashed_name: process-parent-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.parent.io.bytes_skipped: - dashed_name: process-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.parent.io.bytes_skipped.length: - dashed_name: process-parent-io-bytes-skipped-length - description: The length of bytes skipped. 
- flat_name: process.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.parent.io.bytes_skipped.offset: - dashed_name: process-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.parent.io.text: - dashed_name: process-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. 
- type: wildcard -process.parent.io.total_bytes_captured: - dashed_name: process-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.parent.io.total_bytes_skipped: - dashed_name: process-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.parent.io.type: - dashed_name: process-parent-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.parent.macho.go_import_hash: - dashed_name: process-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.parent.macho.go_imports: - dashed_name: process-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.parent.macho.go_imports_names_entropy: - dashed_name: process-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.macho.go_imports_names_var_entropy: - dashed_name: process-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.parent.macho.go_stripped: - dashed_name: process-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.parent.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.macho.import_hash: - dashed_name: process-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.parent.macho.imports: - dashed_name: process-parent-macho-imports - description: List of imported element names and types. - flat_name: process.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.parent.macho.imports_names_entropy: - dashed_name: process-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.macho.imports_names_var_entropy: - dashed_name: process-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.parent.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.macho.sections: - dashed_name: process-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.parent.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.parent.macho.sections.entropy: - dashed_name: process-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.parent.macho.sections.name: - dashed_name: process-parent-macho-sections-name - description: Mach-O Section List name. - flat_name: process.parent.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.parent.macho.sections.physical_size: - dashed_name: process-parent-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. 
- type: long -process.parent.macho.sections.var_entropy: - dashed_name: process-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.macho.sections.virtual_size: - dashed_name: process-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.parent.macho.symhash: - dashed_name: process-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.parent.name: - dashed_name: process-parent-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.parent.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. 
- type: keyword -process.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.parent.pe.architecture: - dashed_name: process-parent-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.parent.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.parent.pe.company: - dashed_name: process-parent-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.parent.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.parent.pe.description: - dashed_name: process-parent-pe-description - description: Internal description of the file, provided at compile-time. 
- example: Paint - flat_name: process.parent.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.parent.pe.file_version: - dashed_name: process-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.parent.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.parent.pe.go_import_hash: - dashed_name: process-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.parent.pe.go_imports: - dashed_name: process-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.parent.pe.go_imports_names_entropy: - dashed_name: process-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.parent.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.parent.pe.go_imports_names_var_entropy: - dashed_name: process-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.parent.pe.go_stripped: - dashed_name: process-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.parent.pe.imphash: - dashed_name: process-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.parent.pe.import_hash: - dashed_name: process-parent-pe-import-hash - description: 'A hash of the imports in a PE file. 
An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.parent.pe.imports: - dashed_name: process-parent-pe-imports - description: List of imported element names and types. - flat_name: process.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.parent.pe.imports_names_entropy: - dashed_name: process-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.parent.pe.imports_names_var_entropy: - dashed_name: process-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.parent.pe.original_file_name: - dashed_name: process-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - flat_name: process.parent.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.parent.pe.pehash: - dashed_name: process-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.parent.pe.product: - dashed_name: process-parent-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.parent.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.parent.pe.sections: - dashed_name: process-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.parent.pe.sections.entropy: - dashed_name: process-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.parent.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.parent.pe.sections.name: - dashed_name: process-parent-pe-sections-name - description: PE Section List name. - flat_name: process.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.parent.pe.sections.physical_size: - dashed_name: process-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.parent.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.parent.pe.sections.var_entropy: - dashed_name: process-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.parent.pe.sections.virtual_size: - dashed_name: process-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.parent.pid: - dashed_name: process-parent-pid - description: Process id. - example: 4242 - flat_name: process.parent.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. 
- type: long -process.parent.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.parent.real_group.domain: - dashed_name: process-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.real_group.id: - dashed_name: process-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.real_group.name: - dashed_name: process-parent-real-group-name - description: Name of the group. - flat_name: process.parent.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.real_user.domain: - dashed_name: process-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.real_user.email: - dashed_name: process-parent-real-user-email - description: User email address. - flat_name: process.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.parent.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.parent.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.parent.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. 
- type: object -process.parent.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.parent.real_user.entity.id: - dashed_name: process-parent-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.parent.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. 
- flat_name: process.parent.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.parent.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.parent.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.parent.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.parent.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.parent.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.parent.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.parent.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.parent.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.parent.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.parent.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.parent.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.parent.real_user.full_name: - dashed_name: process-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.real_user.group.domain: - dashed_name: process-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.parent.real_user.group.id: - dashed_name: process-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.real_user.group.name: - dashed_name: process-parent-real-user-group-name - description: Name of the group. - flat_name: process.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.real_user.hash: - dashed_name: process-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.real_user.id: - dashed_name: process-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.real_user.name: - dashed_name: process-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.parent.real_user.risk.calculated_level: - dashed_name: process-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.real_user.risk.calculated_score: - dashed_name: process-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.real_user.risk.calculated_score_norm: - dashed_name: process-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.real_user.risk.static_level: - dashed_name: process-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.real_user.risk.static_score: - dashed_name: process-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.real_user.risk.static_score_norm: - dashed_name: process-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.real_user.roles: - dashed_name: process-parent-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword -process.parent.same_as_process: - dashed_name: process-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.parent.saved_group.domain: - dashed_name: process-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.parent.saved_group.id: - dashed_name: process-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.saved_group.name: - dashed_name: process-parent-saved-group-name - description: Name of the group. - flat_name: process.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.saved_user.domain: - dashed_name: process-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.saved_user.email: - dashed_name: process-parent-saved-user-email - description: User email address. - flat_name: process.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. 
- flat_name: process.parent.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.parent.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.parent.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.parent.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.parent.saved_user.entity.id: - dashed_name: process-parent-saved-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.parent.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.parent.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.parent.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object -process.parent.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.parent.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.parent.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.parent.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.parent.saved_user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.parent.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.parent.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.parent.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. 
- type: keyword -process.parent.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.parent.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. 
- type: keyword -process.parent.saved_user.full_name: - dashed_name: process-parent-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.saved_user.group.domain: - dashed_name: process-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.saved_user.group.id: - dashed_name: process-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.saved_user.group.name: - dashed_name: process-parent-saved-user-group-name - description: Name of the group. - flat_name: process.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.saved_user.hash: - dashed_name: process-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.saved_user.id: - dashed_name: process-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.saved_user.name: - dashed_name: process-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.saved_user.risk.calculated_level: - dashed_name: process-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.saved_user.risk.calculated_score: - dashed_name: process-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.saved_user.risk.static_level: - dashed_name: process-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.parent.saved_user.risk.static_score: - dashed_name: process-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.parent.saved_user.risk.static_score_norm: - dashed_name: process-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.saved_user.roles: - dashed_name: process-parent-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.start: - dashed_name: process-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.parent.supplemental_groups.domain: - dashed_name: process-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.supplemental_groups.id: - dashed_name: process-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.parent.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.supplemental_groups.name: - dashed_name: process-parent-supplemental-groups-name - description: Name of the group. - flat_name: process.parent.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.thread.capabilities.effective: - dashed_name: process-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.parent.thread.capabilities.permitted: - dashed_name: process-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.parent.thread.id: - dashed_name: process-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.parent.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. 
- type: long -process.parent.thread.name: - dashed_name: process-parent-thread-name - description: Thread name. - example: thread-0 - flat_name: process.parent.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.parent.title: - dashed_name: process-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.parent.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.parent.tty: - dashed_name: process-parent-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.parent.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.parent.tty.char_device.major: - dashed_name: process-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.parent.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. 
- type: long -process.parent.tty.char_device.minor: - dashed_name: process-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.parent.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.parent.tty.columns: - dashed_name: process-parent-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.parent.tty.rows: - dashed_name: process-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.parent.uptime: - dashed_name: process-parent-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.parent.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. 
- type: long -process.parent.user.domain: - dashed_name: process-parent-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.parent.user.email: - dashed_name: process-parent-user-email - description: User email address. - flat_name: process.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.parent.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.parent.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.parent.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. 
- flat_name: process.parent.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.parent.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.parent.user.entity.id: - dashed_name: process-parent-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.parent.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.parent.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.parent.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.parent.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.parent.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.parent.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.parent.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.parent.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.parent.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.parent.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.parent.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.parent.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.parent.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. 
- type: keyword -process.parent.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.parent.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.parent.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.parent.user.full_name: - dashed_name: process-parent-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.parent.user.group.domain: - dashed_name: process-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.parent.user.group.id: - dashed_name: process-parent-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.parent.user.group.name: - dashed_name: process-parent-user-group-name - description: Name of the group. - flat_name: process.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.parent.user.hash: - dashed_name: process-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.parent.user.id: - dashed_name: process-parent-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.parent.user.name: - dashed_name: process-parent-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.parent.user.risk.calculated_level: - dashed_name: process-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.parent.user.risk.calculated_score: - dashed_name: process-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.parent.user.risk.calculated_score_norm: - dashed_name: process-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.parent.user.risk.static_level: - dashed_name: process-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: keyword -process.parent.user.risk.static_score: - dashed_name: process-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.parent.user.risk.static_score_norm: - dashed_name: process-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.parent.user.roles: - dashed_name: process-parent-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.parent.vpid: - dashed_name: process-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. 
- type: long -process.parent.working_directory: - dashed_name: process-parent-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.parent.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.pe.architecture: - dashed_name: process-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.pe.company: - dashed_name: process-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.pe.description: - dashed_name: process-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.pe.file_version: - dashed_name: process-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. 
- type: keyword -process.pe.go_import_hash: - dashed_name: process-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.pe.go_imports: - dashed_name: process-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.pe.go_imports_names_entropy: - dashed_name: process-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.pe.go_imports_names_var_entropy: - dashed_name: process-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.pe.go_stripped: - dashed_name: process-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.pe.imphash: - dashed_name: process-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.pe.import_hash: - dashed_name: process-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.pe.imports: - dashed_name: process-pe-imports - description: List of imported element names and types. - flat_name: process.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. 
- type: flattened -process.pe.imports_names_entropy: - dashed_name: process-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.pe.imports_names_var_entropy: - dashed_name: process-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.pe.original_file_name: - dashed_name: process-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.pe.pehash: - dashed_name: process-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. 
- type: keyword -process.pe.product: - dashed_name: process-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.pe.sections: - dashed_name: process-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.pe.sections.entropy: - dashed_name: process-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.pe.sections.name: - dashed_name: process-pe-sections-name - description: PE Section List name. - flat_name: process.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.pe.sections.physical_size: - dashed_name: process-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.pe.sections.var_entropy: - dashed_name: process-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. 
- flat_name: process.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.pe.sections.virtual_size: - dashed_name: process-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.pid: - dashed_name: process-pid - description: Process id. - example: 4242 - flat_name: process.pid - format: string - level: core - name: pid - normalize: [] - otel: - - relation: match - stability: development - short: Process id. - type: long -process.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.platform_binary - level: extended - name: platform_binary - normalize: [] - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.previous.args: - dashed_name: process-previous-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.previous.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.previous.args_count: - dashed_name: process-previous-args-count - description: 'Length of the process.args array. 
- - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.previous.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.previous.attested_groups.domain: - dashed_name: process-previous-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.attested_groups.id: - dashed_name: process-previous-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.attested_groups.name: - dashed_name: process-previous-attested-groups-name - description: Name of the group. - flat_name: process.previous.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.attested_user.domain: - dashed_name: process-previous-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword -process.previous.attested_user.email: - dashed_name: process-previous-attested-user-email - description: User email address. - flat_name: process.previous.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.previous.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.previous.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.previous.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.previous.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.previous.attested_user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.previous.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.previous.attested_user.entity.id: - dashed_name: process-previous-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.previous.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.previous.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. 
- flat_name: process.previous.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.previous.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.previous.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.previous.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.previous.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.previous.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.previous.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.previous.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.previous.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.previous.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.previous.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.previous.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.previous.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.previous.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.previous.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.previous.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.previous.attested_user.full_name: - dashed_name: process-previous-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.previous.attested_user.group.domain: - dashed_name: process-previous-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.previous.attested_user.group.id: - dashed_name: process-previous-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.attested_user.group.name: - dashed_name: process-previous-attested-user-group-name - description: Name of the group. - flat_name: process.previous.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.attested_user.hash: - dashed_name: process-previous-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.previous.attested_user.id: - dashed_name: process-previous-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.previous.attested_user.name: - dashed_name: process-previous-attested-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.previous.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.previous.attested_user.risk.calculated_level: - dashed_name: process-previous-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.previous.attested_user.risk.calculated_score: - dashed_name: process-previous-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.previous.attested_user.risk.calculated_score_norm: - dashed_name: process-previous-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.previous.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.previous.attested_user.risk.static_level: - dashed_name: process-previous-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.previous.attested_user.risk.static_score: - dashed_name: process-previous-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.previous.attested_user.risk.static_score_norm: - dashed_name: process-previous-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float -process.previous.attested_user.roles: - dashed_name: process-previous-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.previous.code_signature.digest_algorithm: - dashed_name: process-previous-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.previous.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.previous.code_signature.exists: - dashed_name: process-previous-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.previous.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.previous.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-previous-code-signature-flags - description: The flags used to sign the process. 
- example: 570522385 - flat_name: process.previous.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.previous.code_signature.signing_id: - dashed_name: process-previous-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.previous.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.previous.code_signature.status: - dashed_name: process-previous-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.previous.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.previous.code_signature.subject_name: - dashed_name: process-previous-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.previous.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.previous.code_signature.team_id: - dashed_name: process-previous-code-signature-team-id - description: 'The team identifier used to sign the process. 
- - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.previous.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.previous.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-previous-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.previous.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.previous.code_signature.timestamp: - dashed_name: process-previous-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.previous.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.previous.code_signature.trusted: - dashed_name: process-previous-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.previous.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. 
- type: boolean -process.previous.code_signature.valid: - dashed_name: process-previous-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.previous.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.previous.command_line: - dashed_name: process-previous-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.previous.command_line - level: extended - multi_fields: - - flat_name: process.previous.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.previous.elf.architecture: - dashed_name: process-previous-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.previous.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.previous.elf.byte_order: - dashed_name: process-previous-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.previous.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.previous.elf.cpu_type: - dashed_name: process-previous-elf-cpu-type - description: CPU type of the ELF file. 
- example: Intel - flat_name: process.previous.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.previous.elf.creation_date: - dashed_name: process-previous-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.previous.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.previous.elf.exports: - dashed_name: process-previous-elf-exports - description: List of exported element names and types. - flat_name: process.previous.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.previous.elf.go_import_hash: - dashed_name: process-previous-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.previous.elf.go_imports: - dashed_name: process-previous-elf-go-imports - description: List of imported Go language element names and types. 
- flat_name: process.previous.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.previous.elf.go_imports_names_entropy: - dashed_name: process-previous-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.previous.elf.go_imports_names_var_entropy: - dashed_name: process-previous-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.previous.elf.go_stripped: - dashed_name: process-previous-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.previous.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.previous.elf.header.abi_version: - dashed_name: process-previous-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.previous.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). 
- type: keyword -process.previous.elf.header.class: - dashed_name: process-previous-elf-header-class - description: Header class of the ELF file. - flat_name: process.previous.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.previous.elf.header.data: - dashed_name: process-previous-elf-header-data - description: Data table of the ELF header. - flat_name: process.previous.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.previous.elf.header.entrypoint: - dashed_name: process-previous-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.previous.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.previous.elf.header.object_version: - dashed_name: process-previous-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.previous.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.previous.elf.header.os_abi: - dashed_name: process-previous-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.previous.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.previous.elf.header.type: - dashed_name: process-previous-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.previous.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.previous.elf.header.version: - dashed_name: process-previous-elf-header-version - description: Version of the ELF header. - flat_name: process.previous.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.previous.elf.import_hash: - dashed_name: process-previous-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.previous.elf.imports: - dashed_name: process-previous-elf-imports - description: List of imported element names and types. - flat_name: process.previous.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.previous.elf.imports_names_entropy: - dashed_name: process-previous-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. 
- type: long -process.previous.elf.imports_names_var_entropy: - dashed_name: process-previous-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.previous.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.previous.elf.sections: - dashed_name: process-previous-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.previous.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.previous.elf.sections.chi2: - dashed_name: process-previous-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.previous.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.previous.elf.sections.entropy: - dashed_name: process-previous-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.previous.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.previous.elf.sections.flags: - dashed_name: process-previous-elf-sections-flags - description: ELF Section List flags. 
- flat_name: process.previous.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.previous.elf.sections.name: - dashed_name: process-previous-elf-sections-name - description: ELF Section List name. - flat_name: process.previous.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.previous.elf.sections.physical_offset: - dashed_name: process-previous-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.previous.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.previous.elf.sections.physical_size: - dashed_name: process-previous-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.previous.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.previous.elf.sections.type: - dashed_name: process-previous-elf-sections-type - description: ELF Section List type. - flat_name: process.previous.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.previous.elf.sections.var_entropy: - dashed_name: process-previous-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. 
- type: long -process.previous.elf.sections.virtual_address: - dashed_name: process-previous-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.previous.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.previous.elf.sections.virtual_size: - dashed_name: process-previous-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.previous.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.previous.elf.segments: - dashed_name: process-previous-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.previous.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.previous.elf.segments.sections: - dashed_name: process-previous-elf-segments-sections - description: ELF object segment sections. - flat_name: process.previous.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.previous.elf.segments.type: - dashed_name: process-previous-elf-segments-type - description: ELF object segment type. - flat_name: process.previous.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. 
- type: keyword -process.previous.elf.shared_libraries: - dashed_name: process-previous-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.previous.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.previous.elf.telfhash: - dashed_name: process-previous-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.previous.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.previous.end: - dashed_name: process-previous-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.previous.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.previous.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-previous-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.previous.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.previous.entity_id: - dashed_name: process-previous-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. 
- - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.previous.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.previous.entry_meta.source.address: - dashed_name: process-previous-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.previous.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.previous.entry_meta.source.as.number: - dashed_name: process-previous-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.previous.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.previous.entry_meta.source.as.organization.name: - dashed_name: process-previous-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.previous.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.previous.entry_meta.source.bytes: - dashed_name: process-previous-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.previous.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.previous.entry_meta.source.domain: - dashed_name: process-previous-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.previous.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.previous.entry_meta.source.geo.city_name: - dashed_name: process-previous-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.previous.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.previous.entry_meta.source.geo.continent_code: - dashed_name: process-previous-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. 
- example: NA - flat_name: process.previous.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.previous.entry_meta.source.geo.continent_name: - dashed_name: process-previous-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.previous.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.previous.entry_meta.source.geo.country_iso_code: - dashed_name: process-previous-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.previous.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.previous.entry_meta.source.geo.country_name: - dashed_name: process-previous-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.previous.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.previous.entry_meta.source.geo.location: - dashed_name: process-previous-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.previous.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.previous.entry_meta.source.geo.name: - dashed_name: process-previous-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. 
- - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.previous.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.previous.entry_meta.source.geo.postal_code: - dashed_name: process-previous-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.previous.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.previous.entry_meta.source.geo.region_iso_code: - dashed_name: process-previous-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.previous.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.previous.entry_meta.source.geo.region_name: - dashed_name: process-previous-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.previous.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.previous.entry_meta.source.geo.timezone: - dashed_name: process-previous-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. 
- example: America/Argentina/Buenos_Aires - flat_name: process.previous.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.previous.entry_meta.source.ip: - dashed_name: process-previous-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.previous.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.previous.entry_meta.source.mac: - dashed_name: process-previous-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.previous.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.previous.entry_meta.source.nat.ip: - dashed_name: process-previous-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.previous.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.previous.entry_meta.source.nat.port: - dashed_name: process-previous-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- flat_name: process.previous.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.previous.entry_meta.source.packets: - dashed_name: process-previous-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.previous.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.previous.entry_meta.source.port: - dashed_name: process-previous-entry-meta-source-port - description: Port of the source. - flat_name: process.previous.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.previous.entry_meta.source.registered_domain: - dashed_name: process-previous-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.previous.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.previous.entry_meta.source.subdomain: - dashed_name: process-previous-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.previous.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.previous.entry_meta.source.top_level_domain: - dashed_name: process-previous-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.previous.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.previous.entry_meta.type: - dashed_name: process-previous-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.previous.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. 
- type: keyword -process.previous.env_vars: - dashed_name: process-previous-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.previous.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.previous.executable: - dashed_name: process-previous-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.previous.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.previous.exit_code: - dashed_name: process-previous-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.previous.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.previous.group.domain: - dashed_name: process-previous-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.previous.group.id: - dashed_name: process-previous-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.group.name: - dashed_name: process-previous-group-name - description: Name of the group. - flat_name: process.previous.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-previous-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.previous.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.previous.hash.md5: - dashed_name: process-previous-hash-md5 - description: MD5 hash. - flat_name: process.previous.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.previous.hash.sha1: - dashed_name: process-previous-hash-sha1 - description: SHA1 hash. - flat_name: process.previous.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.previous.hash.sha256: - dashed_name: process-previous-hash-sha256 - description: SHA256 hash. - flat_name: process.previous.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. 
- type: keyword -process.previous.hash.sha384: - dashed_name: process-previous-hash-sha384 - description: SHA384 hash. - flat_name: process.previous.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.previous.hash.sha512: - dashed_name: process-previous-hash-sha512 - description: SHA512 hash. - flat_name: process.previous.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.previous.hash.ssdeep: - dashed_name: process-previous-hash-ssdeep - description: SSDEEP hash. - flat_name: process.previous.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.previous.hash.tlsh: - dashed_name: process-previous-hash-tlsh - description: TLSH hash. - flat_name: process.previous.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.previous.interactive: - dashed_name: process-previous-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' 
- example: true - flat_name: process.previous.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.previous.io: - dashed_name: process-previous-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.previous.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.previous.io.bytes_skipped: - dashed_name: process-previous-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.previous.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.previous.io.bytes_skipped.length: - dashed_name: process-previous-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.previous.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.previous.io.bytes_skipped.offset: - dashed_name: process-previous-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.previous.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. 
- type: long -process.previous.io.max_bytes_per_process_exceeded: - dashed_name: process-previous-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.previous.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.previous.io.text: - dashed_name: process-previous-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.previous.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.previous.io.total_bytes_captured: - dashed_name: process-previous-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.previous.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.previous.io.total_bytes_skipped: - dashed_name: process-previous-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. 
Implementors should strive to ensure - this value is always zero - flat_name: process.previous.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.previous.io.type: - dashed_name: process-previous-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.previous.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.previous.macho.go_import_hash: - dashed_name: process-previous-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.previous.macho.go_imports: - dashed_name: process-previous-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. 
- type: flattened -process.previous.macho.go_imports_names_entropy: - dashed_name: process-previous-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.previous.macho.go_imports_names_var_entropy: - dashed_name: process-previous-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.previous.macho.go_stripped: - dashed_name: process-previous-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.previous.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.previous.macho.import_hash: - dashed_name: process-previous-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. 
- type: keyword -process.previous.macho.imports: - dashed_name: process-previous-macho-imports - description: List of imported element names and types. - flat_name: process.previous.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.previous.macho.imports_names_entropy: - dashed_name: process-previous-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.previous.macho.imports_names_var_entropy: - dashed_name: process-previous-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.previous.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.previous.macho.sections: - dashed_name: process-previous-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.previous.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.previous.macho.sections.entropy: - dashed_name: process-previous-macho-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.previous.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.previous.macho.sections.name: - dashed_name: process-previous-macho-sections-name - description: Mach-O Section List name. - flat_name: process.previous.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.previous.macho.sections.physical_size: - dashed_name: process-previous-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.previous.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.previous.macho.sections.var_entropy: - dashed_name: process-previous-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.previous.macho.sections.virtual_size: - dashed_name: process-previous-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.previous.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.previous.macho.symhash: - dashed_name: process-previous-macho-symhash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.previous.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.previous.name: - dashed_name: process-previous-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.previous.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.previous.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-previous-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.previous.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.previous.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-previous-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.previous.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword -process.previous.pe.architecture: - dashed_name: process-previous-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.previous.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.previous.pe.company: - dashed_name: process-previous-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.previous.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.previous.pe.description: - dashed_name: process-previous-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.previous.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.previous.pe.file_version: - dashed_name: process-previous-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.previous.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.previous.pe.go_import_hash: - dashed_name: process-previous-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.previous.pe.go_imports: - dashed_name: process-previous-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.previous.pe.go_imports_names_entropy: - dashed_name: process-previous-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.previous.pe.go_imports_names_var_entropy: - dashed_name: process-previous-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.previous.pe.go_stripped: - dashed_name: process-previous-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.previous.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.previous.pe.imphash: - dashed_name: process-previous-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.previous.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.previous.pe.import_hash: - dashed_name: process-previous-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.previous.pe.imports: - dashed_name: process-previous-pe-imports - description: List of imported element names and types. - flat_name: process.previous.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.previous.pe.imports_names_entropy: - dashed_name: process-previous-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.previous.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.previous.pe.imports_names_var_entropy: - dashed_name: process-previous-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.previous.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.previous.pe.original_file_name: - dashed_name: process-previous-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.previous.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.previous.pe.pehash: - dashed_name: process-previous-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.previous.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.previous.pe.product: - dashed_name: process-previous-pe-product - description: Internal product name of the file, provided at compile-time. 
- example: Microsoft® Windows® Operating System - flat_name: process.previous.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.previous.pe.sections: - dashed_name: process-previous-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.previous.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.previous.pe.sections.entropy: - dashed_name: process-previous-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.previous.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.previous.pe.sections.name: - dashed_name: process-previous-pe-sections-name - description: PE Section List name. - flat_name: process.previous.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.previous.pe.sections.physical_size: - dashed_name: process-previous-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.previous.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.previous.pe.sections.var_entropy: - dashed_name: process-previous-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. 
- flat_name: process.previous.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.previous.pe.sections.virtual_size: - dashed_name: process-previous-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.previous.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.previous.pid: - dashed_name: process-previous-pid - description: Process id. - example: 4242 - flat_name: process.previous.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.previous.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-previous-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.previous.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.previous.real_group.domain: - dashed_name: process-previous-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.previous.real_group.id: - dashed_name: process-previous-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.real_group.name: - dashed_name: process-previous-real-group-name - description: Name of the group. - flat_name: process.previous.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.real_user.domain: - dashed_name: process-previous-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.previous.real_user.email: - dashed_name: process-previous-real-user-email - description: User email address. - flat_name: process.previous.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.previous.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. 
- flat_name: process.previous.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.previous.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.previous.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.previous.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.previous.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.previous.real_user.entity.id: - dashed_name: process-previous-real-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.previous.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.previous.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.previous.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.previous.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object -process.previous.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.previous.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.previous.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.previous.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.previous.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.previous.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.previous.real_user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.previous.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.previous.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.previous.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.previous.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.previous.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. 
- type: keyword -process.previous.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.previous.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. 
- type: keyword -process.previous.real_user.full_name: - dashed_name: process-previous-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.previous.real_user.group.domain: - dashed_name: process-previous-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.real_user.group.id: - dashed_name: process-previous-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.real_user.group.name: - dashed_name: process-previous-real-user-group-name - description: Name of the group. - flat_name: process.previous.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.real_user.hash: - dashed_name: process-previous-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.previous.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.previous.real_user.id: - dashed_name: process-previous-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.previous.real_user.name: - dashed_name: process-previous-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.previous.real_user.risk.calculated_level: - dashed_name: process-previous-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.previous.real_user.risk.calculated_score: - dashed_name: process-previous-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.previous.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.previous.real_user.risk.calculated_score_norm: - dashed_name: process-previous-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.previous.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.previous.real_user.risk.static_level: - dashed_name: process-previous-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.previous.real_user.risk.static_score: - dashed_name: process-previous-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.previous.real_user.risk.static_score_norm: - dashed_name: process-previous-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.previous.real_user.roles: - dashed_name: process-previous-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.previous.same_as_process: - dashed_name: process-previous-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. 
e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.previous.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.previous.saved_group.domain: - dashed_name: process-previous-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.saved_group.id: - dashed_name: process-previous-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.saved_group.name: - dashed_name: process-previous-saved-group-name - description: Name of the group. - flat_name: process.previous.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.previous.saved_user.domain: - dashed_name: process-previous-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.previous.saved_user.email: - dashed_name: process-previous-saved-user-email - description: User email address. - flat_name: process.previous.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.previous.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.previous.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.previous.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. 
- flat_name: process.previous.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.previous.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.previous.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.previous.saved_user.entity.id: - dashed_name: process-previous-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.previous.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword -process.previous.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.previous.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.previous.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.previous.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.previous.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.previous.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-name - description: The name of the entity. 
The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.previous.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.previous.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.previous.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.previous.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.previous.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.previous.saved_user.entity.source: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.previous.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.previous.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.previous.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.previous.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. 
- name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. 
- name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.previous.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.previous.saved_user.full_name: - dashed_name: process-previous-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.previous.saved_user.group.domain: - dashed_name: process-previous-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.previous.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.saved_user.group.id: - dashed_name: process-previous-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.saved_user.group.name: - dashed_name: process-previous-saved-user-group-name - description: Name of the group. - flat_name: process.previous.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.previous.saved_user.hash: - dashed_name: process-previous-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.previous.saved_user.id: - dashed_name: process-previous-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.previous.saved_user.name: - dashed_name: process-previous-saved-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.previous.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.previous.saved_user.risk.calculated_level: - dashed_name: process-previous-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.previous.saved_user.risk.calculated_score: - dashed_name: process-previous-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.previous.saved_user.risk.calculated_score_norm: - dashed_name: process-previous-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.previous.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.previous.saved_user.risk.static_level: - dashed_name: process-previous-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.previous.saved_user.risk.static_score: - dashed_name: process-previous-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.previous.saved_user.risk.static_score_norm: - dashed_name: process-previous-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.previous.saved_user.roles: - dashed_name: process-previous-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.previous.start: - dashed_name: process-previous-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.previous.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.previous.supplemental_groups.domain: - dashed_name: process-previous-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.supplemental_groups.id: - dashed_name: process-previous-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.supplemental_groups.name: - dashed_name: process-previous-supplemental-groups-name - description: Name of the group. - flat_name: process.previous.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.previous.thread.capabilities.effective: - dashed_name: process-previous-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.previous.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.previous.thread.capabilities.permitted: - dashed_name: process-previous-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.previous.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.previous.thread.id: - dashed_name: process-previous-thread-id - description: Thread ID. - example: 4242 - flat_name: process.previous.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.previous.thread.name: - dashed_name: process-previous-thread-name - description: Thread name. - example: thread-0 - flat_name: process.previous.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.previous.title: - dashed_name: process-previous-title - description: 'Process title. - - The proctitle, some times the same as process name. 
Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.previous.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.previous.tty: - dashed_name: process-previous-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.previous.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.previous.tty.char_device.major: - dashed_name: process-previous-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.previous.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.previous.tty.char_device.minor: - dashed_name: process-previous-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.previous.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. 
- type: long -process.previous.tty.columns: - dashed_name: process-previous-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.previous.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.previous.tty.rows: - dashed_name: process-previous-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.previous.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.previous.uptime: - dashed_name: process-previous-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.previous.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.previous.user.domain: - dashed_name: process-previous-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.previous.user.email: - dashed_name: process-previous-user-email - description: User email address. 
- flat_name: process.previous.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.previous.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.previous.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.previous.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.previous.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.previous.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.previous.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.previous.user.entity.id: - dashed_name: process-previous-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.previous.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.previous.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.previous.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.previous.user.entity.lifecycle: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.previous.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.previous.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.previous.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.previous.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.previous.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.previous.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.previous.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.previous.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.previous.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.previous.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.previous.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.previous.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.previous.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.previous.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.previous.user.full_name: - dashed_name: process-previous-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.previous.user.group.domain: - dashed_name: process-previous-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.previous.user.group.id: - dashed_name: process-previous-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.previous.user.group.name: - dashed_name: process-previous-user-group-name - description: Name of the group. - flat_name: process.previous.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.previous.user.hash: - dashed_name: process-previous-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.previous.user.id: - dashed_name: process-previous-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.previous.user.name: - dashed_name: process-previous-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.previous.user.risk.calculated_level: - dashed_name: process-previous-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.previous.user.risk.calculated_score: - dashed_name: process-previous-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.previous.user.risk.calculated_score_norm: - dashed_name: process-previous-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.previous.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.previous.user.risk.static_level: - dashed_name: process-previous-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.previous.user.risk.static_score: - dashed_name: process-previous-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.previous.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.previous.user.risk.static_score_norm: - dashed_name: process-previous-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.previous.user.roles: - dashed_name: process-previous-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.previous.vpid: - dashed_name: process-previous-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.previous.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.previous.working_directory: - dashed_name: process-previous-working-directory - description: The working directory of the process. 
- example: /home/alice - flat_name: process.previous.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.real_group.domain: - dashed_name: process-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.real_group.id: - dashed_name: process-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.real_group.name: - dashed_name: process-real-group-name - description: Name of the group. - flat_name: process.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.real_user.domain: - dashed_name: process-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.real_user.email: - dashed_name: process-real-user-email - description: User email address. 
- flat_name: process.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.real_user.entity.id: - dashed_name: process-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: process.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: process.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.real_user.full_name: - dashed_name: process-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.real_user.group.domain: - dashed_name: process-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.real_user.group.id: - dashed_name: process-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.real_user.group.name: - dashed_name: process-real-user-group-name - description: Name of the group. - flat_name: process.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.real_user.hash: - dashed_name: process-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.real_user.id: - dashed_name: process-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Unique identifier of the user. - type: keyword -process.real_user.name: - dashed_name: process-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Short name or login of the user. - type: keyword -process.real_user.risk.calculated_level: - dashed_name: process-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.real_user.risk.calculated_score: - dashed_name: process-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.real_user.risk.calculated_score_norm: - dashed_name: process-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.real_user.risk.static_level: - dashed_name: process-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.real_user.risk.static_score: - dashed_name: process-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.real_user.risk.static_score_norm: - dashed_name: process-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.real_user.roles: - dashed_name: process-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.responsible.args: - dashed_name: process-responsible-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.responsible.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.responsible.args_count: - dashed_name: process-responsible-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.responsible.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. 
- type: long -process.responsible.attested_groups.domain: - dashed_name: process-responsible-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.attested_groups.id: - dashed_name: process-responsible-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.attested_groups.name: - dashed_name: process-responsible-attested-groups-name - description: Name of the group. - flat_name: process.responsible.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.attested_user.domain: - dashed_name: process-responsible-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.responsible.attested_user.email: - dashed_name: process-responsible-attested-user-email - description: User email address. - flat_name: process.responsible.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword -process.responsible.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.responsible.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.responsible.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.responsible.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.responsible.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.responsible.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.responsible.attested_user.entity.id: - dashed_name: process-responsible-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.responsible.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.responsible.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.responsible.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.responsible.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.responsible.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.responsible.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.responsible.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.responsible.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.responsible.attested_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.responsible.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.responsible.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.responsible.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.responsible.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.responsible.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.responsible.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. 
This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.responsible.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.responsible.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. 
- name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.responsible.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.responsible.attested_user.full_name: - dashed_name: process-responsible-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.responsible.attested_user.group.domain: - dashed_name: process-responsible-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.attested_user.group.id: - dashed_name: process-responsible-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.responsible.attested_user.group.name: - dashed_name: process-responsible-attested-user-group-name - description: Name of the group. - flat_name: process.responsible.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.attested_user.hash: - dashed_name: process-responsible-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.responsible.attested_user.id: - dashed_name: process-responsible-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.responsible.attested_user.name: - dashed_name: process-responsible-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.responsible.attested_user.risk.calculated_level: - dashed_name: process-responsible-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.responsible.attested_user.risk.calculated_score: - dashed_name: process-responsible-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.responsible.attested_user.risk.calculated_score_norm: - dashed_name: process-responsible-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.responsible.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.responsible.attested_user.risk.static_level: - dashed_name: process-responsible-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.responsible.attested_user.risk.static_score: - dashed_name: process-responsible-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.responsible.attested_user.risk.static_score_norm: - dashed_name: process-responsible-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.responsible.attested_user.roles: - dashed_name: process-responsible-attested-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.responsible.code_signature.digest_algorithm: - dashed_name: process-responsible-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.responsible.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.responsible.code_signature.exists: - dashed_name: process-responsible-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.responsible.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.responsible.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-responsible-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.responsible.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.responsible.code_signature.signing_id: - dashed_name: process-responsible-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. 
The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.responsible.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.responsible.code_signature.status: - dashed_name: process-responsible-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.responsible.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.responsible.code_signature.subject_name: - dashed_name: process-responsible-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.responsible.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.responsible.code_signature.team_id: - dashed_name: process-responsible-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.responsible.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.responsible.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.responsible.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.responsible.code_signature.timestamp: - dashed_name: process-responsible-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.responsible.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.responsible.code_signature.trusted: - dashed_name: process-responsible-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.responsible.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.responsible.code_signature.valid: - dashed_name: process-responsible-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.responsible.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. 
- type: boolean -process.responsible.command_line: - dashed_name: process-responsible-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.responsible.command_line - level: extended - multi_fields: - - flat_name: process.responsible.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.responsible.elf.architecture: - dashed_name: process-responsible-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.responsible.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.responsible.elf.byte_order: - dashed_name: process-responsible-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.responsible.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.responsible.elf.cpu_type: - dashed_name: process-responsible-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.responsible.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.responsible.elf.creation_date: - dashed_name: process-responsible-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. 
- flat_name: process.responsible.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.responsible.elf.exports: - dashed_name: process-responsible-elf-exports - description: List of exported element names and types. - flat_name: process.responsible.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.responsible.elf.go_import_hash: - dashed_name: process-responsible-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.responsible.elf.go_imports: - dashed_name: process-responsible-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.responsible.elf.go_imports_names_entropy: - dashed_name: process-responsible-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.responsible.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.responsible.elf.go_imports_names_var_entropy: - dashed_name: process-responsible-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.responsible.elf.go_stripped: - dashed_name: process-responsible-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.responsible.elf.header.abi_version: - dashed_name: process-responsible-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.responsible.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.responsible.elf.header.class: - dashed_name: process-responsible-elf-header-class - description: Header class of the ELF file. - flat_name: process.responsible.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. 
- type: keyword -process.responsible.elf.header.data: - dashed_name: process-responsible-elf-header-data - description: Data table of the ELF header. - flat_name: process.responsible.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.responsible.elf.header.entrypoint: - dashed_name: process-responsible-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.responsible.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.responsible.elf.header.object_version: - dashed_name: process-responsible-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.responsible.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.responsible.elf.header.os_abi: - dashed_name: process-responsible-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.responsible.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.responsible.elf.header.type: - dashed_name: process-responsible-elf-header-type - description: Header type of the ELF file. - flat_name: process.responsible.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.responsible.elf.header.version: - dashed_name: process-responsible-elf-header-version - description: Version of the ELF header. 
- flat_name: process.responsible.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.responsible.elf.import_hash: - dashed_name: process-responsible-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.responsible.elf.imports: - dashed_name: process-responsible-elf-imports - description: List of imported element names and types. - flat_name: process.responsible.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.responsible.elf.imports_names_entropy: - dashed_name: process-responsible-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.responsible.elf.imports_names_var_entropy: - dashed_name: process-responsible-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.responsible.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.responsible.elf.sections: - dashed_name: process-responsible-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.responsible.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.responsible.elf.sections.chi2: - dashed_name: process-responsible-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.responsible.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.responsible.elf.sections.entropy: - dashed_name: process-responsible-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.responsible.elf.sections.flags: - dashed_name: process-responsible-elf-sections-flags - description: ELF Section List flags. - flat_name: process.responsible.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.responsible.elf.sections.name: - dashed_name: process-responsible-elf-sections-name - description: ELF Section List name. 
- flat_name: process.responsible.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.responsible.elf.sections.physical_offset: - dashed_name: process-responsible-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.responsible.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.responsible.elf.sections.physical_size: - dashed_name: process-responsible-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.responsible.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.responsible.elf.sections.type: - dashed_name: process-responsible-elf-sections-type - description: ELF Section List type. - flat_name: process.responsible.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.responsible.elf.sections.var_entropy: - dashed_name: process-responsible-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.responsible.elf.sections.virtual_address: - dashed_name: process-responsible-elf-sections-virtual-address - description: ELF Section List virtual address. 
- flat_name: process.responsible.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.responsible.elf.sections.virtual_size: - dashed_name: process-responsible-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.responsible.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.responsible.elf.segments: - dashed_name: process-responsible-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.responsible.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -process.responsible.elf.segments.sections: - dashed_name: process-responsible-elf-segments-sections - description: ELF object segment sections. - flat_name: process.responsible.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.responsible.elf.segments.type: - dashed_name: process-responsible-elf-segments-type - description: ELF object segment type. - flat_name: process.responsible.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.responsible.elf.shared_libraries: - dashed_name: process-responsible-elf-shared-libraries - description: List of shared libraries used by this ELF object. 
- flat_name: process.responsible.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.responsible.elf.telfhash: - dashed_name: process-responsible-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.responsible.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.responsible.end: - dashed_name: process-responsible-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.responsible.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.responsible.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-responsible-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.responsible.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.responsible.entity_id: - dashed_name: process-responsible-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' 
- example: c2c455d9f99375d - flat_name: process.responsible.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.responsible.entry_meta.source.address: - dashed_name: process-responsible-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.responsible.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.responsible.entry_meta.source.as.number: - dashed_name: process-responsible-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.responsible.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.responsible.entry_meta.source.as.organization.name: - dashed_name: process-responsible-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.responsible.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. 
- type: keyword -process.responsible.entry_meta.source.bytes: - dashed_name: process-responsible-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.responsible.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.responsible.entry_meta.source.domain: - dashed_name: process-responsible-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.responsible.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.responsible.entry_meta.source.geo.city_name: - dashed_name: process-responsible-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.responsible.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.responsible.entry_meta.source.geo.continent_code: - dashed_name: process-responsible-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.responsible.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.responsible.entry_meta.source.geo.continent_name: - dashed_name: process-responsible-entry-meta-source-geo-continent-name - description: Name of the continent. 
- example: North America - flat_name: process.responsible.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.responsible.entry_meta.source.geo.country_iso_code: - dashed_name: process-responsible-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.responsible.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.responsible.entry_meta.source.geo.country_name: - dashed_name: process-responsible-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.responsible.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.responsible.entry_meta.source.geo.location: - dashed_name: process-responsible-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.responsible.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.responsible.entry_meta.source.geo.name: - dashed_name: process-responsible-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' 
- example: boston-dc - flat_name: process.responsible.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.responsible.entry_meta.source.geo.postal_code: - dashed_name: process-responsible-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.responsible.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.responsible.entry_meta.source.geo.region_iso_code: - dashed_name: process-responsible-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.responsible.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.responsible.entry_meta.source.geo.region_name: - dashed_name: process-responsible-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.responsible.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.responsible.entry_meta.source.geo.timezone: - dashed_name: process-responsible-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.responsible.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. 
- type: keyword -process.responsible.entry_meta.source.ip: - dashed_name: process-responsible-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.responsible.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.responsible.entry_meta.source.mac: - dashed_name: process-responsible-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.responsible.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.responsible.entry_meta.source.nat.ip: - dashed_name: process-responsible-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.responsible.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.responsible.entry_meta.source.nat.port: - dashed_name: process-responsible-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- flat_name: process.responsible.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.responsible.entry_meta.source.packets: - dashed_name: process-responsible-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.responsible.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.responsible.entry_meta.source.port: - dashed_name: process-responsible-entry-meta-source-port - description: Port of the source. - flat_name: process.responsible.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.responsible.entry_meta.source.registered_domain: - dashed_name: process-responsible-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.responsible.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.responsible.entry_meta.source.subdomain: - dashed_name: process-responsible-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.responsible.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.responsible.entry_meta.source.top_level_domain: - dashed_name: process-responsible-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.responsible.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.responsible.entry_meta.type: - dashed_name: process-responsible-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.responsible.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. 
- type: keyword -process.responsible.env_vars: - dashed_name: process-responsible-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.responsible.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.responsible.executable: - dashed_name: process-responsible-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.responsible.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.responsible.exit_code: - dashed_name: process-responsible-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.responsible.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.responsible.group.domain: - dashed_name: process-responsible-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.responsible.group.id: - dashed_name: process-responsible-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.group.name: - dashed_name: process-responsible-group-name - description: Name of the group. - flat_name: process.responsible.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-responsible-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.responsible.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.responsible.hash.md5: - dashed_name: process-responsible-hash-md5 - description: MD5 hash. - flat_name: process.responsible.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.responsible.hash.sha1: - dashed_name: process-responsible-hash-sha1 - description: SHA1 hash. - flat_name: process.responsible.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.responsible.hash.sha256: - dashed_name: process-responsible-hash-sha256 - description: SHA256 hash. 
- flat_name: process.responsible.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.responsible.hash.sha384: - dashed_name: process-responsible-hash-sha384 - description: SHA384 hash. - flat_name: process.responsible.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.responsible.hash.sha512: - dashed_name: process-responsible-hash-sha512 - description: SHA512 hash. - flat_name: process.responsible.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.responsible.hash.ssdeep: - dashed_name: process-responsible-hash-ssdeep - description: SSDEEP hash. - flat_name: process.responsible.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.responsible.hash.tlsh: - dashed_name: process-responsible-hash-tlsh - description: TLSH hash. - flat_name: process.responsible.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.responsible.interactive: - dashed_name: process-responsible-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.responsible.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.responsible.io: - dashed_name: process-responsible-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.responsible.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.responsible.io.bytes_skipped: - dashed_name: process-responsible-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.responsible.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.responsible.io.bytes_skipped.length: - dashed_name: process-responsible-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.responsible.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.responsible.io.bytes_skipped.offset: - dashed_name: process-responsible-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.responsible.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.responsible.io.max_bytes_per_process_exceeded: - dashed_name: process-responsible-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.responsible.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.responsible.io.text: - dashed_name: process-responsible-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.responsible.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.responsible.io.total_bytes_captured: - dashed_name: process-responsible-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.responsible.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. 
- type: long -process.responsible.io.total_bytes_skipped: - dashed_name: process-responsible-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.responsible.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.responsible.io.type: - dashed_name: process-responsible-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.responsible.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.responsible.macho.go_import_hash: - dashed_name: process-responsible-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. 
- type: keyword -process.responsible.macho.go_imports: - dashed_name: process-responsible-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.responsible.macho.go_imports_names_entropy: - dashed_name: process-responsible-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.responsible.macho.go_imports_names_var_entropy: - dashed_name: process-responsible-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.responsible.macho.go_stripped: - dashed_name: process-responsible-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.responsible.macho.import_hash: - dashed_name: process-responsible-macho-import-hash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.responsible.macho.imports: - dashed_name: process-responsible-macho-imports - description: List of imported element names and types. - flat_name: process.responsible.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.responsible.macho.imports_names_entropy: - dashed_name: process-responsible-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.responsible.macho.imports_names_var_entropy: - dashed_name: process-responsible-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.responsible.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.responsible.macho.sections: - dashed_name: process-responsible-macho-sections - description: 'An array containing an object for each section of the Mach-O file. 
- - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.responsible.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.responsible.macho.sections.entropy: - dashed_name: process-responsible-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.responsible.macho.sections.name: - dashed_name: process-responsible-macho-sections-name - description: Mach-O Section List name. - flat_name: process.responsible.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.responsible.macho.sections.physical_size: - dashed_name: process-responsible-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.responsible.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.responsible.macho.sections.var_entropy: - dashed_name: process-responsible-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. 
- type: long -process.responsible.macho.sections.virtual_size: - dashed_name: process-responsible-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.responsible.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.responsible.macho.symhash: - dashed_name: process-responsible-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.responsible.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.responsible.name: - dashed_name: process-responsible-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.responsible.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.responsible.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-responsible-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. 
- example: http://example.com/article1.html - flat_name: process.responsible.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.responsible.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-responsible-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.responsible.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.responsible.pe.architecture: - dashed_name: process-responsible-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.responsible.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.responsible.pe.company: - dashed_name: process-responsible-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.responsible.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.responsible.pe.description: - dashed_name: process-responsible-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.responsible.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. 
- type: keyword -process.responsible.pe.file_version: - dashed_name: process-responsible-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.responsible.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.responsible.pe.go_import_hash: - dashed_name: process-responsible-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.responsible.pe.go_imports: - dashed_name: process-responsible-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.responsible.pe.go_imports_names_entropy: - dashed_name: process-responsible-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. 
- type: long -process.responsible.pe.go_imports_names_var_entropy: - dashed_name: process-responsible-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.responsible.pe.go_stripped: - dashed_name: process-responsible-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.responsible.pe.imphash: - dashed_name: process-responsible-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.responsible.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.responsible.pe.import_hash: - dashed_name: process-responsible-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.responsible.pe.imports: - dashed_name: process-responsible-pe-imports - description: List of imported element names and types. - flat_name: process.responsible.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.responsible.pe.imports_names_entropy: - dashed_name: process-responsible-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.responsible.pe.imports_names_var_entropy: - dashed_name: process-responsible-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.responsible.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.responsible.pe.original_file_name: - dashed_name: process-responsible-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.responsible.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. 
- type: keyword -process.responsible.pe.pehash: - dashed_name: process-responsible-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.responsible.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.responsible.pe.product: - dashed_name: process-responsible-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.responsible.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.responsible.pe.sections: - dashed_name: process-responsible-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.responsible.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.responsible.pe.sections.entropy: - dashed_name: process-responsible-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. 
- type: long -process.responsible.pe.sections.name: - dashed_name: process-responsible-pe-sections-name - description: PE Section List name. - flat_name: process.responsible.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.responsible.pe.sections.physical_size: - dashed_name: process-responsible-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.responsible.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.responsible.pe.sections.var_entropy: - dashed_name: process-responsible-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.responsible.pe.sections.virtual_size: - dashed_name: process-responsible-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.responsible.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.responsible.pid: - dashed_name: process-responsible-pid - description: Process id. - example: 4242 - flat_name: process.responsible.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.responsible.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.responsible.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.responsible.real_group.domain: - dashed_name: process-responsible-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.real_group.id: - dashed_name: process-responsible-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.real_group.name: - dashed_name: process-responsible-real-group-name - description: Name of the group. - flat_name: process.responsible.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.real_user.domain: - dashed_name: process-responsible-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword -process.responsible.real_user.email: - dashed_name: process-responsible-real-user-email - description: User email address. - flat_name: process.responsible.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.responsible.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.responsible.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.responsible.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.responsible.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.responsible.real_user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.responsible.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.responsible.real_user.entity.id: - dashed_name: process-responsible-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.responsible.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.responsible.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. 
- flat_name: process.responsible.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.responsible.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.responsible.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.responsible.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.responsible.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.responsible.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.responsible.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.responsible.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.responsible.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.responsible.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.responsible.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.responsible.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.responsible.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.responsible.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.responsible.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.responsible.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.responsible.real_user.full_name: - dashed_name: process-responsible-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.responsible.real_user.group.domain: - dashed_name: process-responsible-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.responsible.real_user.group.id: - dashed_name: process-responsible-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.real_user.group.name: - dashed_name: process-responsible-real-user-group-name - description: Name of the group. - flat_name: process.responsible.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.real_user.hash: - dashed_name: process-responsible-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.responsible.real_user.id: - dashed_name: process-responsible-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.responsible.real_user.name: - dashed_name: process-responsible-real-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.responsible.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.responsible.real_user.risk.calculated_level: - dashed_name: process-responsible-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.responsible.real_user.risk.calculated_score: - dashed_name: process-responsible-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.responsible.real_user.risk.calculated_score_norm: - dashed_name: process-responsible-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.responsible.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.responsible.real_user.risk.static_level: - dashed_name: process-responsible-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.responsible.real_user.risk.static_score: - dashed_name: process-responsible-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.responsible.real_user.risk.static_score_norm: - dashed_name: process-responsible-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float -process.responsible.real_user.roles: - dashed_name: process-responsible-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.responsible.same_as_process: - dashed_name: process-responsible-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.responsible.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. 
- type: boolean -process.responsible.saved_group.domain: - dashed_name: process-responsible-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.saved_group.id: - dashed_name: process-responsible-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.saved_group.name: - dashed_name: process-responsible-saved-group-name - description: Name of the group. - flat_name: process.responsible.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.saved_user.domain: - dashed_name: process-responsible-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.responsible.saved_user.email: - dashed_name: process-responsible-saved-user-email - description: User email address. - flat_name: process.responsible.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword -process.responsible.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.responsible.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.responsible.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.responsible.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.responsible.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.responsible.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.responsible.saved_user.entity.id: - dashed_name: process-responsible-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.responsible.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.responsible.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.responsible.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.responsible.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.responsible.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.responsible.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.responsible.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.responsible.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.responsible.saved_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.responsible.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.responsible.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.responsible.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.responsible.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.responsible.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.responsible.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. 
This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.responsible.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.responsible.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. 
- name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.responsible.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.responsible.saved_user.full_name: - dashed_name: process-responsible-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.responsible.saved_user.group.domain: - dashed_name: process-responsible-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.saved_user.group.id: - dashed_name: process-responsible-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.responsible.saved_user.group.name: - dashed_name: process-responsible-saved-user-group-name - description: Name of the group. - flat_name: process.responsible.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.saved_user.hash: - dashed_name: process-responsible-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.responsible.saved_user.id: - dashed_name: process-responsible-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.responsible.saved_user.name: - dashed_name: process-responsible-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.responsible.saved_user.risk.calculated_level: - dashed_name: process-responsible-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.responsible.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.responsible.saved_user.risk.calculated_score: - dashed_name: process-responsible-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.responsible.saved_user.risk.calculated_score_norm: - dashed_name: process-responsible-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.responsible.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.responsible.saved_user.risk.static_level: - dashed_name: process-responsible-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.responsible.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.responsible.saved_user.risk.static_score: - dashed_name: process-responsible-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.responsible.saved_user.risk.static_score_norm: - dashed_name: process-responsible-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.responsible.saved_user.roles: - dashed_name: process-responsible-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.responsible.start: - dashed_name: process-responsible-start - description: The time the process started. 
- example: '2016-05-23T08:05:34.853Z' - flat_name: process.responsible.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.responsible.supplemental_groups.domain: - dashed_name: process-responsible-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.supplemental_groups.id: - dashed_name: process-responsible-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.supplemental_groups.name: - dashed_name: process-responsible-supplemental-groups-name - description: Name of the group. - flat_name: process.responsible.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.responsible.thread.capabilities.effective: - dashed_name: process-responsible-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.responsible.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. 
- synthetic_source_keep: none - type: keyword -process.responsible.thread.capabilities.permitted: - dashed_name: process-responsible-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.responsible.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.responsible.thread.id: - dashed_name: process-responsible-thread-id - description: Thread ID. - example: 4242 - flat_name: process.responsible.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.responsible.thread.name: - dashed_name: process-responsible-thread-name - description: Thread name. - example: thread-0 - flat_name: process.responsible.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.responsible.title: - dashed_name: process-responsible-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.responsible.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.responsible.tty: - dashed_name: process-responsible-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. 
- flat_name: process.responsible.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.responsible.tty.char_device.major: - dashed_name: process-responsible-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.responsible.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.responsible.tty.char_device.minor: - dashed_name: process-responsible-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.responsible.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.responsible.tty.columns: - dashed_name: process-responsible-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.responsible.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. 
e.g terminal width - type: long -process.responsible.tty.rows: - dashed_name: process-responsible-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.responsible.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.responsible.uptime: - dashed_name: process-responsible-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.responsible.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long -process.responsible.user.domain: - dashed_name: process-responsible-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.responsible.user.email: - dashed_name: process-responsible-user-email - description: User email address. - flat_name: process.responsible.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.responsible.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. 
Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.responsible.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.responsible.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.responsible.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.responsible.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.responsible.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. 
- type: keyword -process.responsible.user.entity.id: - dashed_name: process-responsible-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.responsible.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.responsible.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.responsible.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.responsible.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.responsible.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.responsible.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.responsible.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.responsible.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.responsible.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.responsible.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: process.responsible.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.responsible.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.responsible.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.responsible.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.responsible.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.responsible.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.responsible.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.responsible.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: process.responsible.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.responsible.user.full_name: - dashed_name: process-responsible-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.responsible.user.group.domain: - dashed_name: process-responsible-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.responsible.user.group.id: - dashed_name: process-responsible-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.responsible.user.group.name: - dashed_name: process-responsible-user-group-name - description: Name of the group. - flat_name: process.responsible.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.responsible.user.hash: - dashed_name: process-responsible-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.responsible.user.id: - dashed_name: process-responsible-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.responsible.user.name: - dashed_name: process-responsible-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.responsible.user.risk.calculated_level: - dashed_name: process-responsible-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: keyword -process.responsible.user.risk.calculated_score: - dashed_name: process-responsible-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.responsible.user.risk.calculated_score_norm: - dashed_name: process-responsible-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.responsible.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.responsible.user.risk.static_level: - dashed_name: process-responsible-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.responsible.user.risk.static_score: - dashed_name: process-responsible-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.responsible.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.responsible.user.risk.static_score_norm: - dashed_name: process-responsible-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.responsible.user.roles: - dashed_name: process-responsible-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.responsible.vpid: - dashed_name: process-responsible-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.responsible.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.responsible.working_directory: - dashed_name: process-responsible-working-directory - description: The working directory of the process. 
- example: /home/alice - flat_name: process.responsible.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.same_as_process: - dashed_name: process-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.same_as_process - level: extended - name: same_as_process - normalize: [] - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.saved_group.domain: - dashed_name: process-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.saved_group.id: - dashed_name: process-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.saved_group.name: - dashed_name: process-saved-group-name - description: Name of the group. - flat_name: process.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.saved_user.domain: - dashed_name: process-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.saved_user.email: - dashed_name: process-saved-user-email - description: User email address. - flat_name: process.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. 
- flat_name: process.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.saved_user.entity.id: - dashed_name: process-saved-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.saved_user.entity.metrics: - beta: This field is beta and subject to change. 
- dashed_name: process-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. 
Format may vary by entity type and source system. - flat_name: process.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.saved_user.full_name: - dashed_name: process-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword -process.saved_user.group.domain: - dashed_name: process-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.saved_user.group.id: - dashed_name: process-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.saved_user.group.name: - dashed_name: process-saved-user-group-name - description: Name of the group. - flat_name: process.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.saved_user.hash: - dashed_name: process-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.saved_user.id: - dashed_name: process-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Unique identifier of the user. 
- type: keyword -process.saved_user.name: - dashed_name: process-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Short name or login of the user. - type: keyword -process.saved_user.risk.calculated_level: - dashed_name: process-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.saved_user.risk.calculated_score: - dashed_name: process-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.saved_user.risk.calculated_score_norm: - dashed_name: process-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.saved_user.risk.static_level: - dashed_name: process-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.saved_user.risk.static_score: - dashed_name: process-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.saved_user.risk.static_score_norm: - dashed_name: process-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.saved_user.roles: - dashed_name: process-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.args: - dashed_name: process-session-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.session_leader.args_count: - dashed_name: process-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.session_leader.attested_groups.domain: - dashed_name: process-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.attested_groups.id: - dashed_name: process-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.attested_groups.name: - dashed_name: process-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.attested_user.domain: - dashed_name: process-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.attested_user.email: - dashed_name: process-session-leader-attested-user-email - description: User email address. - flat_name: process.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. 
- flat_name: process.session_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. 
- type: keyword -process.session_leader.attested_user.entity.id: - dashed_name: process-session-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.session_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: process.session_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.session_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: process.session_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.attested_user.full_name: - dashed_name: process-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.attested_user.group.domain: - dashed_name: process-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.attested_user.group.id: - dashed_name: process-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.attested_user.group.name: - dashed_name: process-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.session_leader.attested_user.hash: - dashed_name: process-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.attested_user.id: - dashed_name: process-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.attested_user.name: - dashed_name: process-session-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.attested_user.risk.calculated_level: - dashed_name: process-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.attested_user.risk.calculated_score: - dashed_name: process-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.attested_user.risk.static_level: - dashed_name: process-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.attested_user.risk.static_score: - dashed_name: process-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.attested_user.roles: - dashed_name: process-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword -process.session_leader.code_signature.digest_algorithm: - dashed_name: process-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.session_leader.code_signature.exists: - dashed_name: process-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.session_leader.code_signature.signing_id: - dashed_name: process-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' 
- example: com.apple.xpc.proxy - flat_name: process.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.session_leader.code_signature.status: - dashed_name: process-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -process.session_leader.code_signature.subject_name: - dashed_name: process-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.session_leader.code_signature.team_id: - dashed_name: process-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.session_leader.code_signature.timestamp: - dashed_name: process-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.session_leader.code_signature.trusted: - dashed_name: process-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.session_leader.code_signature.valid: - dashed_name: process-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - flat_name: process.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.session_leader.command_line: - dashed_name: process-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.session_leader.elf.architecture: - dashed_name: process-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.session_leader.elf.byte_order: - dashed_name: process-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.session_leader.elf.cpu_type: - dashed_name: process-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. 
- type: keyword -process.session_leader.elf.creation_date: - dashed_name: process-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -process.session_leader.elf.exports: - dashed_name: process-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.session_leader.elf.go_import_hash: - dashed_name: process-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.session_leader.elf.go_imports: - dashed_name: process-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. 
- type: flattened -process.session_leader.elf.go_imports_names_entropy: - dashed_name: process-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.elf.go_stripped: - dashed_name: process-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.elf.header.abi_version: - dashed_name: process-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.session_leader.elf.header.class: - dashed_name: process-session-leader-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.session_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.session_leader.elf.header.data: - dashed_name: process-session-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.session_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.session_leader.elf.header.entrypoint: - dashed_name: process-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.session_leader.elf.header.object_version: - dashed_name: process-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.session_leader.elf.header.os_abi: - dashed_name: process-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.session_leader.elf.header.type: - dashed_name: process-session-leader-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.session_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.session_leader.elf.header.version: - dashed_name: process-session-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.session_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.session_leader.elf.import_hash: - dashed_name: process-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.session_leader.elf.imports: - dashed_name: process-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.session_leader.elf.imports_names_entropy: - dashed_name: process-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.elf.imports_names_var_entropy: - dashed_name: process-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.elf.sections: - dashed_name: process-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.session_leader.elf.sections.chi2: - dashed_name: process-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.session_leader.elf.sections.entropy: - dashed_name: process-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.session_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.session_leader.elf.sections.flags: - dashed_name: process-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.session_leader.elf.sections.name: - dashed_name: process-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.session_leader.elf.sections.physical_offset: - dashed_name: process-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.session_leader.elf.sections.physical_size: - dashed_name: process-session-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.session_leader.elf.sections.type: - dashed_name: process-session-leader-elf-sections-type - description: ELF Section List type. 
- flat_name: process.session_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.session_leader.elf.sections.var_entropy: - dashed_name: process-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.elf.sections.virtual_address: - dashed_name: process-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.session_leader.elf.sections.virtual_size: - dashed_name: process-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.session_leader.elf.segments: - dashed_name: process-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. 
- type: nested -process.session_leader.elf.segments.sections: - dashed_name: process-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.session_leader.elf.segments.type: - dashed_name: process-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.session_leader.elf.shared_libraries: - dashed_name: process-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.session_leader.elf.telfhash: - dashed_name: process-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.session_leader.end: - dashed_name: process-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date -process.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.session_leader.entity_id: - dashed_name: process-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.session_leader.entry_meta.source.address: - dashed_name: process-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' - flat_name: process.session_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. 
- type: keyword -process.session_leader.entry_meta.source.as.number: - dashed_name: process-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.session_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.session_leader.entry_meta.source.bytes: - dashed_name: process-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.session_leader.entry_meta.source.domain: - dashed_name: process-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' 
- example: foo.example.com - flat_name: process.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.session_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.session_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. 
- type: keyword -process.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.session_leader.entry_meta.source.geo.location: - dashed_name: process-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.session_leader.entry_meta.source.geo.name: - dashed_name: process-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. 
- type: keyword -process.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.session_leader.entry_meta.source.ip: - dashed_name: process-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip -process.session_leader.entry_meta.source.mac: - dashed_name: process-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' 
- example: 00-00-5E-00-53-23 - flat_name: process.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.session_leader.entry_meta.source.nat.ip: - dashed_name: process-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.session_leader.entry_meta.source.nat.port: - dashed_name: process-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.session_leader.entry_meta.source.packets: - dashed_name: process-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.session_leader.entry_meta.source.port: - dashed_name: process-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. 
- type: long -process.session_leader.entry_meta.source.registered_domain: - dashed_name: process-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.session_leader.entry_meta.source.subdomain: - dashed_name: process-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. 
- type: keyword -process.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.session_leader.entry_meta.type: - dashed_name: process-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.session_leader.env_vars: - dashed_name: process-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. 
- synthetic_source_keep: none - type: keyword -process.session_leader.executable: - dashed_name: process-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.session_leader.exit_code: - dashed_name: process-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.session_leader.group.domain: - dashed_name: process-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.group.id: - dashed_name: process-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.group.name: - dashed_name: process-session-leader-group-name - description: Name of the group. 
- flat_name: process.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.session_leader.hash.md5: - dashed_name: process-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.session_leader.hash.sha1: - dashed_name: process-session-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.session_leader.hash.sha256: - dashed_name: process-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.session_leader.hash.sha384: - dashed_name: process-session-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.session_leader.hash.sha512: - dashed_name: process-session-leader-hash-sha512 - description: SHA512 hash. 
- flat_name: process.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.session_leader.hash.ssdeep: - dashed_name: process-session-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.session_leader.hash.tlsh: - dashed_name: process-session-leader-hash-tlsh - description: TLSH hash. - flat_name: process.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.session_leader.interactive: - dashed_name: process-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.session_leader.io: - dashed_name: process-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' 
- flat_name: process.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.session_leader.io.bytes_skipped: - dashed_name: process-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.session_leader.io.bytes_skipped.length: - dashed_name: process-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.session_leader.io.bytes_skipped.offset: - dashed_name: process-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- flat_name: process.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.session_leader.io.text: - dashed_name: process-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.session_leader.io.total_bytes_captured: - dashed_name: process-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.session_leader.io.total_bytes_skipped: - dashed_name: process-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. 
- type: long -process.session_leader.io.type: - dashed_name: process-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.session_leader.macho.go_import_hash: - dashed_name: process-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.session_leader.macho.go_imports: - dashed_name: process-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.session_leader.macho.go_imports_names_entropy: - dashed_name: process-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.macho.go_stripped: - dashed_name: process-session-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.macho.import_hash: - dashed_name: process-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. 
- type: keyword -process.session_leader.macho.imports: - dashed_name: process-session-leader-macho-imports - description: List of imported element names and types. - flat_name: process.session_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.session_leader.macho.imports_names_entropy: - dashed_name: process-session-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.macho.imports_names_var_entropy: - dashed_name: process-session-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.macho.sections: - dashed_name: process-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.session_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. 
- type: nested -process.session_leader.macho.sections.entropy: - dashed_name: process-session-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.session_leader.macho.sections.name: - dashed_name: process-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.session_leader.macho.sections.physical_size: - dashed_name: process-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.session_leader.macho.sections.var_entropy: - dashed_name: process-session-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.macho.sections.virtual_size: - dashed_name: process-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. 
- flat_name: process.session_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.session_leader.macho.symhash: - dashed_name: process-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.session_leader.name: - dashed_name: process-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.session_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.session_leader.origin_url: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.session_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.session_leader.parent.args: - dashed_name: process-session-leader-parent-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.parent.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.session_leader.parent.args_count: - dashed_name: process-session-leader-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' - example: 4 - flat_name: process.session_leader.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.session_leader.parent.attested_groups.domain: - dashed_name: process-session-leader-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.session_leader.parent.attested_groups.id: - dashed_name: process-session-leader-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.attested_groups.name: - dashed_name: process-session-leader-parent-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.attested_user.domain: - dashed_name: process-session-leader-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.attested_user.email: - dashed_name: process-session-leader-parent-attested-user-email - description: User email address. - flat_name: process.session_leader.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. 
Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.parent.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.parent.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.parent.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.parent.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.session_leader.parent.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.parent.attested_user.entity.id: - dashed_name: process-session-leader-parent-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.parent.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.parent.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date -process.session_leader.parent.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.parent.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.parent.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.parent.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.session_leader.parent.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.parent.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.parent.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.parent.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.parent.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.session_leader.parent.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.parent.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.parent.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. 
This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. 
This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.parent.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.parent.attested_user.full_name: - dashed_name: process-session-leader-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.attested_user.group.domain: - dashed_name: process-session-leader-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.attested_user.group.id: - dashed_name: process-session-leader-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.attested_user.group.name: - dashed_name: process-session-leader-parent-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.attested_user.hash: - dashed_name: process-session-leader-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.attested_user.id: - dashed_name: process-session-leader-parent-attested-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.parent.attested_user.name: - dashed_name: process-session-leader-parent-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.attested_user.risk.calculated_level: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.attested_user.risk.calculated_score: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.session_leader.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.attested_user.risk.static_level: - dashed_name: process-session-leader-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.attested_user.risk.static_score: - dashed_name: process-session-leader-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.session_leader.parent.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.attested_user.roles: - dashed_name: process-session-leader-parent-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.code_signature.digest_algorithm: - dashed_name: process-session-leader-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword -process.session_leader.parent.code_signature.exists: - dashed_name: process-session-leader-parent-code-signature-exists - description: Boolean to capture if a signature is present. 
- example: 'true' - flat_name: process.session_leader.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -process.session_leader.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.session_leader.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword -process.session_leader.parent.code_signature.signing_id: - dashed_name: process-session-leader-parent-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -process.session_leader.parent.code_signature.status: - dashed_name: process-session-leader-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword -process.session_leader.parent.code_signature.subject_name: - dashed_name: process-session-leader-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -process.session_leader.parent.code_signature.team_id: - dashed_name: process-session-leader-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -process.session_leader.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.parent.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword -process.session_leader.parent.code_signature.timestamp: - dashed_name: process-session-leader-parent-code-signature-timestamp - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.parent.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date -process.session_leader.parent.code_signature.trusted: - dashed_name: process-session-leader-parent-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.parent.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -process.session_leader.parent.code_signature.valid: - dashed_name: process-session-leader-parent-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.session_leader.parent.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.session_leader.parent.command_line: - dashed_name: process-session-leader-parent-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.parent.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.parent.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.session_leader.parent.elf.architecture: - dashed_name: process-session-leader-parent-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.parent.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.session_leader.parent.elf.byte_order: - dashed_name: process-session-leader-parent-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.parent.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword -process.session_leader.parent.elf.cpu_type: - dashed_name: process-session-leader-parent-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.parent.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword -process.session_leader.parent.elf.creation_date: - dashed_name: process-session-leader-parent-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.parent.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. 
- type: date -process.session_leader.parent.elf.exports: - dashed_name: process-session-leader-parent-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.parent.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -process.session_leader.parent.elf.go_import_hash: - dashed_name: process-session-leader-parent-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword -process.session_leader.parent.elf.go_imports: - dashed_name: process-session-leader-parent-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened -process.session_leader.parent.elf.go_imports_names_entropy: - dashed_name: process-session-leader-parent-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.parent.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.elf.go_stripped: - dashed_name: process-session-leader-parent-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.parent.elf.header.abi_version: - dashed_name: process-session-leader-parent-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.parent.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -process.session_leader.parent.elf.header.class: - dashed_name: process-session-leader-parent-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.session_leader.parent.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -process.session_leader.parent.elf.header.data: - dashed_name: process-session-leader-parent-elf-header-data - description: Data table of the ELF header. - flat_name: process.session_leader.parent.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword -process.session_leader.parent.elf.header.entrypoint: - dashed_name: process-session-leader-parent-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.parent.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -process.session_leader.parent.elf.header.object_version: - dashed_name: process-session-leader-parent-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.parent.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword -process.session_leader.parent.elf.header.os_abi: - dashed_name: process-session-leader-parent-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.parent.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -process.session_leader.parent.elf.header.type: - dashed_name: process-session-leader-parent-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.session_leader.parent.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword -process.session_leader.parent.elf.header.version: - dashed_name: process-session-leader-parent-elf-header-version - description: Version of the ELF header. - flat_name: process.session_leader.parent.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -process.session_leader.parent.elf.import_hash: - dashed_name: process-session-leader-parent-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword -process.session_leader.parent.elf.imports: - dashed_name: process-session-leader-parent-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -process.session_leader.parent.elf.imports_names_entropy: - dashed_name: process-session-leader-parent-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.session_leader.parent.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.parent.elf.imports_names_var_entropy: - dashed_name: process-session-leader-parent-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.parent.elf.sections: - dashed_name: process-session-leader-parent-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: process.session_leader.parent.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -process.session_leader.parent.elf.sections.chi2: - dashed_name: process-session-leader-parent-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.parent.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -process.session_leader.parent.elf.sections.entropy: - dashed_name: process-session-leader-parent-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.session_leader.parent.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -process.session_leader.parent.elf.sections.flags: - dashed_name: process-session-leader-parent-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.parent.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword -process.session_leader.parent.elf.sections.name: - dashed_name: process-session-leader-parent-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.parent.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword -process.session_leader.parent.elf.sections.physical_offset: - dashed_name: process-session-leader-parent-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.parent.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -process.session_leader.parent.elf.sections.physical_size: - dashed_name: process-session-leader-parent-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.session_leader.parent.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -process.session_leader.parent.elf.sections.type: - dashed_name: process-session-leader-parent-elf-sections-type - description: ELF Section List type. 
- flat_name: process.session_leader.parent.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword -process.session_leader.parent.elf.sections.var_entropy: - dashed_name: process-session-leader-parent-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.elf.sections.virtual_address: - dashed_name: process-session-leader-parent-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.parent.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -process.session_leader.parent.elf.sections.virtual_size: - dashed_name: process-session-leader-parent-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.parent.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -process.session_leader.parent.elf.segments: - dashed_name: process-session-leader-parent-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: process.session_leader.parent.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. 
- type: nested -process.session_leader.parent.elf.segments.sections: - dashed_name: process-session-leader-parent-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.parent.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword -process.session_leader.parent.elf.segments.type: - dashed_name: process-session-leader-parent-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.parent.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword -process.session_leader.parent.elf.shared_libraries: - dashed_name: process-session-leader-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.parent.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword -process.session_leader.parent.elf.telfhash: - dashed_name: process-session-leader-parent-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.parent.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -process.session_leader.parent.end: - dashed_name: process-session-leader-parent-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. 
- type: date -process.session_leader.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean -process.session_leader.parent.entity_id: - dashed_name: process-session-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate PID - reuse as well as to identify a specific process over time, across multiple monitored - hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword -process.session_leader.parent.entry_meta.source.address: - dashed_name: process-session-leader-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event will - sometimes list an IP, a domain or a unix socket. You should always store the - raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one it - is.' 
- flat_name: process.session_leader.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword -process.session_leader.parent.entry_meta.source.as.number: - dashed_name: process-session-leader-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -process.session_leader.parent.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword -process.session_leader.parent.entry_meta.source.bytes: - dashed_name: process-session-leader-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long -process.session_leader.parent.entry_meta.source.domain: - dashed_name: process-session-leader-parent-entry-meta-source-domain - description: 'The domain name of the source system. 
- - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from enrichment.' - example: foo.example.com - flat_name: process.session_leader.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword -process.session_leader.parent.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -process.session_leader.parent.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.session_leader.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -process.session_leader.parent.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -process.session_leader.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. 
- example: CA - flat_name: process.session_leader.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -process.session_leader.parent.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -process.session_leader.parent.entry_meta.source.geo.location: - dashed_name: process-session-leader-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -process.session_leader.parent.entry_meta.source.geo.name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.session_leader.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword -process.session_leader.parent.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. 
- - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -process.session_leader.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.session_leader.parent.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.session_leader.parent.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.session_leader.parent.entry_meta.source.ip: - dashed_name: process-session-leader-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip -process.session_leader.parent.entry_meta.source.mac: - dashed_name: process-session-leader-parent-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.session_leader.parent.entry_meta.source.nat.ip: - dashed_name: process-session-leader-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.session_leader.parent.entry_meta.source.nat.port: - dashed_name: process-session-leader-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.session_leader.parent.entry_meta.source.packets: - dashed_name: process-session-leader-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. 
- example: 12 - flat_name: process.session_leader.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.session_leader.parent.entry_meta.source.port: - dashed_name: process-session-leader-parent-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.session_leader.parent.entry_meta.source.registered_domain: - dashed_name: process-session-leader-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.session_leader.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword -process.session_leader.parent.entry_meta.source.subdomain: - dashed_name: process-session-leader-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.session_leader.parent.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.session_leader.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword -process.session_leader.parent.entry_meta.type: - dashed_name: process-session-leader-parent-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.session_leader.parent.env_vars: - dashed_name: process-session-leader-parent-env-vars - description: 'Array of environment variable bindings. 
Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.executable: - dashed_name: process-session-leader-parent-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.parent.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword -process.session_leader.parent.exit_code: - dashed_name: process-session-leader-parent-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.parent.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.session_leader.parent.group.domain: - dashed_name: process-session-leader-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.session_leader.parent.group.id: - dashed_name: process-session-leader-parent-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.group.name: - dashed_name: process-session-leader-parent-group-name - description: Name of the group. - flat_name: process.session_leader.parent.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.parent.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.session_leader.parent.hash.md5: - dashed_name: process-session-leader-parent-hash-md5 - description: MD5 hash. - flat_name: process.session_leader.parent.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.session_leader.parent.hash.sha1: - dashed_name: process-session-leader-parent-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.parent.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. 
- type: keyword -process.session_leader.parent.hash.sha256: - dashed_name: process-session-leader-parent-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.parent.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.session_leader.parent.hash.sha384: - dashed_name: process-session-leader-parent-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.parent.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword -process.session_leader.parent.hash.sha512: - dashed_name: process-session-leader-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.session_leader.parent.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.session_leader.parent.hash.ssdeep: - dashed_name: process-session-leader-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.session_leader.parent.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.session_leader.parent.hash.tlsh: - dashed_name: process-session-leader-parent-hash-tlsh - description: TLSH hash. - flat_name: process.session_leader.parent.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.session_leader.parent.interactive: - dashed_name: process-session-leader-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' - example: true - flat_name: process.session_leader.parent.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.session_leader.parent.io: - dashed_name: process-session-leader-parent-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.session_leader.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.session_leader.parent.io.bytes_skipped: - dashed_name: process-session-leader-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.session_leader.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.session_leader.parent.io.bytes_skipped.length: - dashed_name: process-session-leader-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. 
- type: long -process.session_leader.parent.io.bytes_skipped.offset: - dashed_name: process-session-leader-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.session_leader.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.session_leader.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.session_leader.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.session_leader.parent.io.text: - dashed_name: process-session-leader-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.session_leader.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. 
- type: wildcard -process.session_leader.parent.io.total_bytes_captured: - dashed_name: process-session-leader-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.session_leader.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.session_leader.parent.io.total_bytes_skipped: - dashed_name: process-session-leader-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.session_leader.parent.io.type: - dashed_name: process-session-leader-parent-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.session_leader.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.session_leader.parent.macho.go_import_hash: - dashed_name: process-session-leader-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.session_leader.parent.macho.go_imports: - dashed_name: process-session-leader-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.session_leader.parent.macho.go_imports_names_entropy: - dashed_name: process-session-leader-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.session_leader.parent.macho.go_stripped: - dashed_name: process-session-leader-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.parent.macho.import_hash: - dashed_name: process-session-leader-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.session_leader.parent.macho.imports: - dashed_name: process-session-leader-parent-macho-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.session_leader.parent.macho.imports_names_entropy: - dashed_name: process-session-leader-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.session_leader.parent.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.parent.macho.imports_names_var_entropy: - dashed_name: process-session-leader-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.parent.macho.sections: - dashed_name: process-session-leader-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.session_leader.parent.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.session_leader.parent.macho.sections.entropy: - dashed_name: process-session-leader-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long -process.session_leader.parent.macho.sections.name: - dashed_name: process-session-leader-parent-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.session_leader.parent.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.session_leader.parent.macho.sections.physical_size: - dashed_name: process-session-leader-parent-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.session_leader.parent.macho.sections.var_entropy: - dashed_name: process-session-leader-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.macho.sections.virtual_size: - dashed_name: process-session-leader-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long -process.session_leader.parent.macho.symhash: - dashed_name: process-session-leader-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.parent.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.session_leader.parent.name: - dashed_name: process-session-leader-parent-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.parent.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.session_leader.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.session_leader.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.session_leader.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.session_leader.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword -process.session_leader.parent.pe.architecture: - dashed_name: process-session-leader-parent-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.session_leader.parent.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.session_leader.parent.pe.company: - dashed_name: process-session-leader-parent-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.session_leader.parent.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.pe.description: - dashed_name: process-session-leader-parent-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.session_leader.parent.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.session_leader.parent.pe.file_version: - dashed_name: process-session-leader-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.session_leader.parent.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.session_leader.parent.pe.go_import_hash: - dashed_name: process-session-leader-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.session_leader.parent.pe.go_imports: - dashed_name: process-session-leader-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened -process.session_leader.parent.pe.go_imports_names_entropy: - dashed_name: process-session-leader-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.session_leader.parent.pe.go_stripped: - dashed_name: process-session-leader-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.parent.pe.imphash: - dashed_name: process-session-leader-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.session_leader.parent.pe.import_hash: - dashed_name: process-session-leader-parent-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.session_leader.parent.pe.imports: - dashed_name: process-session-leader-parent-pe-imports - description: List of imported element names and types. 
- flat_name: process.session_leader.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.session_leader.parent.pe.imports_names_entropy: - dashed_name: process-session-leader-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.parent.pe.imports_names_var_entropy: - dashed_name: process-session-leader-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.parent.pe.original_file_name: - dashed_name: process-session-leader-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.session_leader.parent.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.pe.pehash: - dashed_name: process-session-leader-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. 
- - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.parent.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword -process.session_leader.parent.pe.product: - dashed_name: process-session-leader-parent-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.session_leader.parent.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.pe.sections: - dashed_name: process-session-leader-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.session_leader.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.session_leader.parent.pe.sections.entropy: - dashed_name: process-session-leader-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.session_leader.parent.pe.sections.name: - dashed_name: process-session-leader-parent-pe-sections-name - description: PE Section List name. 
- flat_name: process.session_leader.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword -process.session_leader.parent.pe.sections.physical_size: - dashed_name: process-session-leader-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.session_leader.parent.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.session_leader.parent.pe.sections.var_entropy: - dashed_name: process-session-leader-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.pe.sections.virtual_size: - dashed_name: process-session-leader-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.session_leader.parent.pid: - dashed_name: process-session-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.session_leader.parent.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.session_leader.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.session_leader.parent.real_group.domain: - dashed_name: process-session-leader-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.real_group.id: - dashed_name: process-session-leader-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.real_group.name: - dashed_name: process-session-leader-parent-real-group-name - description: Name of the group. - flat_name: process.session_leader.parent.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.real_user.domain: - dashed_name: process-session-leader-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.real_user.email: - dashed_name: process-session-leader-parent-real-user-email - description: User email address. - flat_name: process.session_leader.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.parent.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.parent.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. 
- flat_name: process.session_leader.parent.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.parent.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.parent.real_user.entity.id: - dashed_name: process-session-leader-parent-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' 
- flat_name: process.session_leader.parent.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.parent.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.parent.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.parent.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. 
- flat_name: process.session_leader.parent.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.parent.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.parent.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.parent.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.parent.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.parent.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. 
This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.parent.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.parent.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.parent.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.parent.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. 
Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. 
This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.parent.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. 
- type: keyword -process.session_leader.parent.real_user.full_name: - dashed_name: process-session-leader-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.real_user.group.domain: - dashed_name: process-session-leader-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.real_user.group.id: - dashed_name: process-session-leader-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.real_user.group.name: - dashed_name: process-session-leader-parent-real-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.session_leader.parent.real_user.hash: - dashed_name: process-session-leader-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.real_user.id: - dashed_name: process-session-leader-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.parent.real_user.name: - dashed_name: process-session-leader-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.real_user.risk.calculated_level: - dashed_name: process-session-leader-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: High - flat_name: process.session_leader.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.real_user.risk.calculated_score: - dashed_name: process-session-leader-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.parent.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.real_user.risk.static_level: - dashed_name: process-session-leader-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.session_leader.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.real_user.risk.static_score: - dashed_name: process-session-leader-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.parent.real_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.real_user.roles: - dashed_name: process-session-leader-parent-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword -process.session_leader.parent.same_as_process: - dashed_name: process-session-leader-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.session_leader.parent.saved_group.domain: - dashed_name: process-session-leader-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.session_leader.parent.saved_group.id: - dashed_name: process-session-leader-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.saved_group.name: - dashed_name: process-session-leader-parent-saved-group-name - description: Name of the group. - flat_name: process.session_leader.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.saved_user.domain: - dashed_name: process-session-leader-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.saved_user.email: - dashed_name: process-session-leader-parent-saved-user-email - description: User email address. - flat_name: process.session_leader.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. 
Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.parent.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.parent.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.parent.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.parent.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.session_leader.parent.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.parent.saved_user.entity.id: - dashed_name: process-session-leader-parent-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.parent.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.parent.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date -process.session_leader.parent.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.parent.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.parent.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.parent.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.session_leader.parent.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.parent.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.parent.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.parent.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.parent.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.session_leader.parent.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.parent.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.parent.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. 
This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. 
This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.parent.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.parent.saved_user.full_name: - dashed_name: process-session-leader-parent-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.saved_user.group.domain: - dashed_name: process-session-leader-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.saved_user.group.id: - dashed_name: process-session-leader-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.saved_user.group.name: - dashed_name: process-session-leader-parent-saved-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.saved_user.hash: - dashed_name: process-session-leader-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.saved_user.id: - dashed_name: process-session-leader-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword -process.session_leader.parent.saved_user.name: - dashed_name: process-session-leader-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.saved_user.risk.calculated_level: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.saved_user.risk.calculated_score: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.session_leader.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.saved_user.risk.static_level: - dashed_name: process-session-leader-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.saved_user.risk.static_score: - dashed_name: process-session-leader-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.session_leader.parent.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.saved_user.roles: - dashed_name: process-session-leader-parent-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.args: - dashed_name: process-session-leader-parent-session-leader-args - description: 'Array of process arguments, starting with the absolute path to the - executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.parent.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword -process.session_leader.parent.session_leader.args_count: - dashed_name: process-session-leader-parent-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how many - arguments were provided to start a process. More arguments may be an indication - of suspicious activity.' 
- example: 4 - flat_name: process.session_leader.parent.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long -process.session_leader.parent.session_leader.attested_groups.domain: - dashed_name: process-session-leader-parent-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.attested_groups.id: - dashed_name: process-session-leader-parent-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.attested_groups.name: - dashed_name: process-session-leader-parent-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.attested_user.domain: - dashed_name: process-session-leader-parent-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.session_leader.attested_user.email: - dashed_name: process-session-leader-parent-session-leader-attested-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.session_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.parent.session_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. 
Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.parent.session_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.parent.session_leader.attested_user.entity.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). 
For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.parent.session_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.parent.session_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.parent.session_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.parent.session_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.parent.session_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: process.session_leader.parent.session_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.parent.session_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.parent.session_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.parent.session_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.parent.session_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. 
- Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.parent.session_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. 
- name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.parent.session_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.parent.session_leader.attested_user.full_name: - dashed_name: process-session-leader-parent-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.session_leader.attested_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.session_leader.parent.session_leader.attested_user.group.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.attested_user.group.name: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.attested_user.hash: - dashed_name: process-session-leader-parent-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.session_leader.attested_user.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword -process.session_leader.parent.session_leader.attested_user.name: - dashed_name: process-session-leader-parent-session-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.session_leader.attested_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.session_leader.attested_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.session_leader.attested_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.session_leader.attested_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.session_leader.parent.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.session_leader.attested_user.roles: - dashed_name: process-session-leader-parent-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.code_signature.digest_algorithm: - dashed_name: process-session-leader-parent-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times by - the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.parent.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. 
- type: keyword
-process.session_leader.parent.session_leader.code_signature.exists:
- dashed_name: process-session-leader-parent-session-leader-code-signature-exists
- description: Boolean to capture if a signature is present.
- example: 'true'
- flat_name: process.session_leader.parent.session_leader.code_signature.exists
- level: core
- name: exists
- normalize: []
- original_fieldset: code_signature
- short: Boolean to capture if a signature is present.
- type: boolean
-process.session_leader.parent.session_leader.code_signature.flags:
- beta: This field is beta and subject to change.
- dashed_name: process-session-leader-parent-session-leader-code-signature-flags
- description: The flags used to sign the process.
- example: 570522385
- flat_name: process.session_leader.parent.session_leader.code_signature.flags
- ignore_above: 1024
- level: extended
- name: flags
- normalize: []
- original_fieldset: code_signature
- short: Code signing flags of the process
- type: keyword
-process.session_leader.parent.session_leader.code_signature.signing_id:
- dashed_name: process-session-leader-parent-session-leader-code-signature-signing-id
- description: 'The identifier used to sign the process.
-
- This is used to identify the application manufactured by a software vendor. The
- field is relevant to Apple *OS only.'
- example: com.apple.xpc.proxy
- flat_name: process.session_leader.parent.session_leader.code_signature.signing_id
- ignore_above: 1024
- level: extended
- name: signing_id
- normalize: []
- original_fieldset: code_signature
- short: The identifier used to sign the process.
- type: keyword
-process.session_leader.parent.session_leader.code_signature.status:
- dashed_name: process-session-leader-parent-session-leader-code-signature-status
- description: 'Additional information about the certificate status.
-
- This is useful for logging cryptographic errors with the certificate validity
- or trust status.
Leave unpopulated if the validity or trust of the certificate
- was unchecked.'
- example: ERROR_UNTRUSTED_ROOT
- flat_name: process.session_leader.parent.session_leader.code_signature.status
- ignore_above: 1024
- level: extended
- name: status
- normalize: []
- original_fieldset: code_signature
- short: Additional information about the certificate status.
- type: keyword
-process.session_leader.parent.session_leader.code_signature.subject_name:
- dashed_name: process-session-leader-parent-session-leader-code-signature-subject-name
- description: Subject name of the code signer
- example: Microsoft Corporation
- flat_name: process.session_leader.parent.session_leader.code_signature.subject_name
- ignore_above: 1024
- level: core
- name: subject_name
- normalize: []
- original_fieldset: code_signature
- short: Subject name of the code signer
- type: keyword
-process.session_leader.parent.session_leader.code_signature.team_id:
- dashed_name: process-session-leader-parent-session-leader-code-signature-team-id
- description: 'The team identifier used to sign the process.
-
- This is used to identify the team or vendor of a software product. The field is
- relevant to Apple *OS only.'
- example: EQHXZ8M8AV
- flat_name: process.session_leader.parent.session_leader.code_signature.team_id
- ignore_above: 1024
- level: extended
- name: team_id
- normalize: []
- original_fieldset: code_signature
- short: The team identifier used to sign the process.
- type: keyword
-process.session_leader.parent.session_leader.code_signature.thumbprint_sha256:
- beta: This field is beta and subject to change.
- dashed_name: process-session-leader-parent-session-leader-code-signature-thumbprint-sha256
- description: Certificate SHA256 hash that uniquely identifies the code signer.
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
- flat_name: process.session_leader.parent.session_leader.code_signature.thumbprint_sha256
- ignore_above: 64
- level: extended
- name: thumbprint_sha256
- normalize: []
- original_fieldset: code_signature
- pattern: ^[0-9a-f]{64}$
- short: SHA256 hash of the certificate.
- type: keyword
-process.session_leader.parent.session_leader.code_signature.timestamp:
- dashed_name: process-session-leader-parent-session-leader-code-signature-timestamp
- description: Date and time when the code signature was generated and signed.
- example: '2021-01-01T12:10:30Z'
- flat_name: process.session_leader.parent.session_leader.code_signature.timestamp
- level: extended
- name: timestamp
- normalize: []
- original_fieldset: code_signature
- short: When the signature was generated and signed.
- type: date
-process.session_leader.parent.session_leader.code_signature.trusted:
- dashed_name: process-session-leader-parent-session-leader-code-signature-trusted
- description: 'Stores the trust status of the certificate chain.
-
- Validating the trust of the certificate chain may be complicated, and this field
- should only be populated by tools that actively check the status.'
- example: 'true'
- flat_name: process.session_leader.parent.session_leader.code_signature.trusted
- level: extended
- name: trusted
- normalize: []
- original_fieldset: code_signature
- short: Stores the trust status of the certificate chain.
- type: boolean
-process.session_leader.parent.session_leader.code_signature.valid:
- dashed_name: process-session-leader-parent-session-leader-code-signature-valid
- description: 'Boolean to capture if the digital signature is verified against the
- binary content.
-
- Leave unpopulated if a certificate was unchecked.'
- example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -process.session_leader.parent.session_leader.command_line: - dashed_name: process-session-leader-parent-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.parent.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard -process.session_leader.parent.session_leader.elf.architecture: - dashed_name: process-session-leader-parent-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.parent.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword -process.session_leader.parent.session_leader.elf.byte_order: - dashed_name: process-session-leader-parent-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.parent.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. 
- type: keyword
-process.session_leader.parent.session_leader.elf.cpu_type:
- dashed_name: process-session-leader-parent-session-leader-elf-cpu-type
- description: CPU type of the ELF file.
- example: Intel
- flat_name: process.session_leader.parent.session_leader.elf.cpu_type
- ignore_above: 1024
- level: extended
- name: cpu_type
- normalize: []
- original_fieldset: elf
- short: CPU type of the ELF file.
- type: keyword
-process.session_leader.parent.session_leader.elf.creation_date:
- dashed_name: process-session-leader-parent-session-leader-elf-creation-date
- description: Extracted when possible from the file's metadata. Indicates when it
- was built or compiled. It can also be faked by malware creators.
- flat_name: process.session_leader.parent.session_leader.elf.creation_date
- level: extended
- name: creation_date
- normalize: []
- original_fieldset: elf
- short: Build or compile date.
- type: date
-process.session_leader.parent.session_leader.elf.exports:
- dashed_name: process-session-leader-parent-session-leader-elf-exports
- description: List of exported element names and types.
- flat_name: process.session_leader.parent.session_leader.elf.exports
- level: extended
- name: exports
- normalize:
- - array
- original_fieldset: elf
- short: List of exported element names and types.
- type: flattened
-process.session_leader.parent.session_leader.elf.go_import_hash:
- dashed_name: process-session-leader-parent-session-leader-elf-go-import-hash
- description: 'A hash of the Go language imports in an ELF file excluding standard
- library imports. An import hash can be used to fingerprint binaries even after
- recompilation or other code-level transformations have occurred, which would change
- more traditional hash values.
-
- The algorithm used to calculate the Go symbol hash and a reference implementation
- are available here: https://github.com/elastic/toutoumomoma'
- example: 10bddcb4cee42080f76c88d9ff964491
- flat_name: process.session_leader.parent.session_leader.elf.go_import_hash
- ignore_above: 1024
- level: extended
- name: go_import_hash
- normalize: []
- original_fieldset: elf
- short: A hash of the Go language imports in an ELF file.
- type: keyword
-process.session_leader.parent.session_leader.elf.go_imports:
- dashed_name: process-session-leader-parent-session-leader-elf-go-imports
- description: List of imported Go language element names and types.
- flat_name: process.session_leader.parent.session_leader.elf.go_imports
- level: extended
- name: go_imports
- normalize: []
- original_fieldset: elf
- short: List of imported Go language element names and types.
- type: flattened
-process.session_leader.parent.session_leader.elf.go_imports_names_entropy:
- dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-entropy
- description: Shannon entropy calculation from the list of Go imports.
- flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_entropy
- format: number
- level: extended
- name: go_imports_names_entropy
- normalize: []
- original_fieldset: elf
- short: Shannon entropy calculation from the list of Go imports.
- type: long
-process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy:
- dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-var-entropy
- description: Variance for Shannon entropy calculation from the list of Go imports.
- flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy
- format: number
- level: extended
- name: go_imports_names_var_entropy
- normalize: []
- original_fieldset: elf
- short: Variance for Shannon entropy calculation from the list of Go imports.
- type: long
-process.session_leader.parent.session_leader.elf.go_stripped:
- dashed_name: process-session-leader-parent-session-leader-elf-go-stripped
- description: Set to true if the file is a Go executable that has had its symbols
- stripped or obfuscated and false if an unobfuscated Go executable.
- flat_name: process.session_leader.parent.session_leader.elf.go_stripped
- level: extended
- name: go_stripped
- normalize: []
- original_fieldset: elf
- short: Whether the file is a stripped or obfuscated Go executable.
- type: boolean
-process.session_leader.parent.session_leader.elf.header.abi_version:
- dashed_name: process-session-leader-parent-session-leader-elf-header-abi-version
- description: Version of the ELF Application Binary Interface (ABI).
- flat_name: process.session_leader.parent.session_leader.elf.header.abi_version
- ignore_above: 1024
- level: extended
- name: header.abi_version
- normalize: []
- original_fieldset: elf
- short: Version of the ELF Application Binary Interface (ABI).
- type: keyword
-process.session_leader.parent.session_leader.elf.header.class:
- dashed_name: process-session-leader-parent-session-leader-elf-header-class
- description: Header class of the ELF file.
- flat_name: process.session_leader.parent.session_leader.elf.header.class
- ignore_above: 1024
- level: extended
- name: header.class
- normalize: []
- original_fieldset: elf
- short: Header class of the ELF file.
- type: keyword
-process.session_leader.parent.session_leader.elf.header.data:
- dashed_name: process-session-leader-parent-session-leader-elf-header-data
- description: Data table of the ELF header.
- flat_name: process.session_leader.parent.session_leader.elf.header.data
- ignore_above: 1024
- level: extended
- name: header.data
- normalize: []
- original_fieldset: elf
- short: Data table of the ELF header.
- type: keyword
-process.session_leader.parent.session_leader.elf.header.entrypoint:
- dashed_name: process-session-leader-parent-session-leader-elf-header-entrypoint
- description: Header entrypoint of the ELF file.
- flat_name: process.session_leader.parent.session_leader.elf.header.entrypoint
- format: string
- level: extended
- name: header.entrypoint
- normalize: []
- original_fieldset: elf
- short: Header entrypoint of the ELF file.
- type: long
-process.session_leader.parent.session_leader.elf.header.object_version:
- dashed_name: process-session-leader-parent-session-leader-elf-header-object-version
- description: '"0x1" for original ELF files.'
- flat_name: process.session_leader.parent.session_leader.elf.header.object_version
- ignore_above: 1024
- level: extended
- name: header.object_version
- normalize: []
- original_fieldset: elf
- short: '"0x1" for original ELF files.'
- type: keyword
-process.session_leader.parent.session_leader.elf.header.os_abi:
- dashed_name: process-session-leader-parent-session-leader-elf-header-os-abi
- description: Application Binary Interface (ABI) of the Linux OS.
- flat_name: process.session_leader.parent.session_leader.elf.header.os_abi
- ignore_above: 1024
- level: extended
- name: header.os_abi
- normalize: []
- original_fieldset: elf
- short: Application Binary Interface (ABI) of the Linux OS.
- type: keyword
-process.session_leader.parent.session_leader.elf.header.type:
- dashed_name: process-session-leader-parent-session-leader-elf-header-type
- description: Header type of the ELF file.
- flat_name: process.session_leader.parent.session_leader.elf.header.type
- ignore_above: 1024
- level: extended
- name: header.type
- normalize: []
- original_fieldset: elf
- short: Header type of the ELF file.
- type: keyword
-process.session_leader.parent.session_leader.elf.header.version:
- dashed_name: process-session-leader-parent-session-leader-elf-header-version
- description: Version of the ELF header.
- flat_name: process.session_leader.parent.session_leader.elf.header.version
- ignore_above: 1024
- level: extended
- name: header.version
- normalize: []
- original_fieldset: elf
- short: Version of the ELF header.
- type: keyword
-process.session_leader.parent.session_leader.elf.import_hash:
- dashed_name: process-session-leader-parent-session-leader-elf-import-hash
- description: 'A hash of the imports in an ELF file. An import hash can be used to
- fingerprint binaries even after recompilation or other code-level transformations
- have occurred, which would change more traditional hash values.
-
- This is an ELF implementation of the Windows PE imphash.'
- example: d41d8cd98f00b204e9800998ecf8427e
- flat_name: process.session_leader.parent.session_leader.elf.import_hash
- ignore_above: 1024
- level: extended
- name: import_hash
- normalize: []
- original_fieldset: elf
- short: A hash of the imports in an ELF file.
- type: keyword
-process.session_leader.parent.session_leader.elf.imports:
- dashed_name: process-session-leader-parent-session-leader-elf-imports
- description: List of imported element names and types.
- flat_name: process.session_leader.parent.session_leader.elf.imports
- level: extended
- name: imports
- normalize:
- - array
- original_fieldset: elf
- short: List of imported element names and types.
- type: flattened
-process.session_leader.parent.session_leader.elf.imports_names_entropy:
- dashed_name: process-session-leader-parent-session-leader-elf-imports-names-entropy
- description: Shannon entropy calculation from the list of imported element names
- and types.
- flat_name: process.session_leader.parent.session_leader.elf.imports_names_entropy
- format: number
- level: extended
- name: imports_names_entropy
- normalize: []
- original_fieldset: elf
- short: Shannon entropy calculation from the list of imported element names and types.
- type: long
-process.session_leader.parent.session_leader.elf.imports_names_var_entropy:
- dashed_name: process-session-leader-parent-session-leader-elf-imports-names-var-entropy
- description: Variance for Shannon entropy calculation from the list of imported
- element names and types.
- flat_name: process.session_leader.parent.session_leader.elf.imports_names_var_entropy
- format: number
- level: extended
- name: imports_names_var_entropy
- normalize: []
- original_fieldset: elf
- short: Variance for Shannon entropy calculation from the list of imported element
- names and types.
- type: long
-process.session_leader.parent.session_leader.elf.sections:
- dashed_name: process-session-leader-parent-session-leader-elf-sections
- description: 'An array containing an object for each section of the ELF file.
-
- The keys that should be present in these objects are defined by sub-fields underneath
- `elf.sections.*`.'
- flat_name: process.session_leader.parent.session_leader.elf.sections
- level: extended
- name: sections
- normalize:
- - array
- original_fieldset: elf
- short: Section information of the ELF file.
- type: nested
-process.session_leader.parent.session_leader.elf.sections.chi2:
- dashed_name: process-session-leader-parent-session-leader-elf-sections-chi2
- description: Chi-square probability distribution of the section.
- flat_name: process.session_leader.parent.session_leader.elf.sections.chi2
- format: number
- level: extended
- name: sections.chi2
- normalize: []
- original_fieldset: elf
- short: Chi-square probability distribution of the section.
- type: long
-process.session_leader.parent.session_leader.elf.sections.entropy:
- dashed_name: process-session-leader-parent-session-leader-elf-sections-entropy
- description: Shannon entropy calculation from the section.
- flat_name: process.session_leader.parent.session_leader.elf.sections.entropy
- format: number
- level: extended
- name: sections.entropy
- normalize: []
- original_fieldset: elf
- short: Shannon entropy calculation from the section.
- type: long
-process.session_leader.parent.session_leader.elf.sections.flags:
- dashed_name: process-session-leader-parent-session-leader-elf-sections-flags
- description: ELF Section List flags.
- flat_name: process.session_leader.parent.session_leader.elf.sections.flags
- ignore_above: 1024
- level: extended
- name: sections.flags
- normalize: []
- original_fieldset: elf
- short: ELF Section List flags.
- type: keyword
-process.session_leader.parent.session_leader.elf.sections.name:
- dashed_name: process-session-leader-parent-session-leader-elf-sections-name
- description: ELF Section List name.
- flat_name: process.session_leader.parent.session_leader.elf.sections.name
- ignore_above: 1024
- level: extended
- name: sections.name
- normalize: []
- original_fieldset: elf
- short: ELF Section List name.
- type: keyword
-process.session_leader.parent.session_leader.elf.sections.physical_offset:
- dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-offset
- description: ELF Section List offset.
- flat_name: process.session_leader.parent.session_leader.elf.sections.physical_offset
- ignore_above: 1024
- level: extended
- name: sections.physical_offset
- normalize: []
- original_fieldset: elf
- short: ELF Section List offset.
- type: keyword
-process.session_leader.parent.session_leader.elf.sections.physical_size:
- dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-size
- description: ELF Section List physical size.
- flat_name: process.session_leader.parent.session_leader.elf.sections.physical_size
- format: bytes
- level: extended
- name: sections.physical_size
- normalize: []
- original_fieldset: elf
- short: ELF Section List physical size.
- type: long
-process.session_leader.parent.session_leader.elf.sections.type:
- dashed_name: process-session-leader-parent-session-leader-elf-sections-type
- description: ELF Section List type.
- flat_name: process.session_leader.parent.session_leader.elf.sections.type
- ignore_above: 1024
- level: extended
- name: sections.type
- normalize: []
- original_fieldset: elf
- short: ELF Section List type.
- type: keyword
-process.session_leader.parent.session_leader.elf.sections.var_entropy:
- dashed_name: process-session-leader-parent-session-leader-elf-sections-var-entropy
- description: Variance for Shannon entropy calculation from the section.
- flat_name: process.session_leader.parent.session_leader.elf.sections.var_entropy
- format: number
- level: extended
- name: sections.var_entropy
- normalize: []
- original_fieldset: elf
- short: Variance for Shannon entropy calculation from the section.
- type: long
-process.session_leader.parent.session_leader.elf.sections.virtual_address:
- dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-address
- description: ELF Section List virtual address.
- flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_address
- format: string
- level: extended
- name: sections.virtual_address
- normalize: []
- original_fieldset: elf
- short: ELF Section List virtual address.
- type: long
-process.session_leader.parent.session_leader.elf.sections.virtual_size:
- dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-size
- description: ELF Section List virtual size.
- flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_size
- format: string
- level: extended
- name: sections.virtual_size
- normalize: []
- original_fieldset: elf
- short: ELF Section List virtual size.
- type: long
-process.session_leader.parent.session_leader.elf.segments:
- dashed_name: process-session-leader-parent-session-leader-elf-segments
- description: 'An array containing an object for each segment of the ELF file.
-
- The keys that should be present in these objects are defined by sub-fields underneath
- `elf.segments.*`.'
- flat_name: process.session_leader.parent.session_leader.elf.segments
- level: extended
- name: segments
- normalize:
- - array
- original_fieldset: elf
- short: ELF object segment list.
- type: nested
-process.session_leader.parent.session_leader.elf.segments.sections:
- dashed_name: process-session-leader-parent-session-leader-elf-segments-sections
- description: ELF object segment sections.
- flat_name: process.session_leader.parent.session_leader.elf.segments.sections
- ignore_above: 1024
- level: extended
- name: segments.sections
- normalize: []
- original_fieldset: elf
- short: ELF object segment sections.
- type: keyword
-process.session_leader.parent.session_leader.elf.segments.type:
- dashed_name: process-session-leader-parent-session-leader-elf-segments-type
- description: ELF object segment type.
- flat_name: process.session_leader.parent.session_leader.elf.segments.type
- ignore_above: 1024
- level: extended
- name: segments.type
- normalize: []
- original_fieldset: elf
- short: ELF object segment type.
- type: keyword
-process.session_leader.parent.session_leader.elf.shared_libraries:
- dashed_name: process-session-leader-parent-session-leader-elf-shared-libraries
- description: List of shared libraries used by this ELF object.
- flat_name: process.session_leader.parent.session_leader.elf.shared_libraries
- ignore_above: 1024
- level: extended
- name: shared_libraries
- normalize:
- - array
- original_fieldset: elf
- short: List of shared libraries used by this ELF object.
- type: keyword
-process.session_leader.parent.session_leader.elf.telfhash:
- dashed_name: process-session-leader-parent-session-leader-elf-telfhash
- description: telfhash symbol hash for ELF file.
- flat_name: process.session_leader.parent.session_leader.elf.telfhash
- ignore_above: 1024
- level: extended
- name: telfhash
- normalize: []
- original_fieldset: elf
- short: telfhash hash for ELF file.
- type: keyword
-process.session_leader.parent.session_leader.end:
- dashed_name: process-session-leader-parent-session-leader-end
- description: The time the process ended.
- example: '2016-05-23T08:05:34.853Z'
- flat_name: process.session_leader.parent.session_leader.end
- level: extended
- name: end
- normalize: []
- original_fieldset: process
- short: The time the process ended.
- type: date
-process.session_leader.parent.session_leader.endpoint_security_client:
- beta: This field is beta and subject to change.
- dashed_name: process-session-leader-parent-session-leader-endpoint-security-client
- description: Processes that have an endpoint security client must have the com.apple.endpointsecurity
- entitlement and the value is set to true in the message.
- flat_name: process.session_leader.parent.session_leader.endpoint_security_client
- level: extended
- name: endpoint_security_client
- normalize: []
- original_fieldset: process
- short: Indicates whether this process executable is an Endpoint Security client.
- type: boolean
-process.session_leader.parent.session_leader.entity_id:
- dashed_name: process-session-leader-parent-session-leader-entity-id
- description: 'Unique identifier for the process.
-
- The implementation of this is specified by the data source, but some examples
- of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
- or a hash of some uniquely identifying components of a process.
-
- Constructing a globally unique identifier is a common practice to mitigate PID
- reuse as well as to identify a specific process over time, across multiple monitored
- hosts.'
- example: c2c455d9f99375d
- flat_name: process.session_leader.parent.session_leader.entity_id
- ignore_above: 1024
- level: extended
- name: entity_id
- normalize: []
- original_fieldset: process
- short: Unique identifier for the process.
- type: keyword
-process.session_leader.parent.session_leader.entry_meta.source.address:
- dashed_name: process-session-leader-parent-session-leader-entry-meta-source-address
- description: 'Some event source addresses are defined ambiguously. The event will
- sometimes list an IP, a domain or a unix socket. You should always store the
- raw address in the `.address` field.
-
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it
- is.'
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.address
- ignore_above: 1024
- level: extended
- name: address
- normalize: []
- original_fieldset: source
- short: Source network address.
- type: keyword
-process.session_leader.parent.session_leader.entry_meta.source.as.number:
- dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-number
- description: Unique number allocated to the autonomous system. The autonomous system
- number (ASN) uniquely identifies each network on the Internet.
- example: 15169
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.number
- level: extended
- name: number
- normalize: []
- original_fieldset: as
- short: Unique number allocated to the autonomous system.
- type: long
-process.session_leader.parent.session_leader.entry_meta.source.as.organization.name:
- dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-organization-name
- description: Organization name.
- example: Google LLC
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name
- ignore_above: 1024
- level: extended
- multi_fields:
- - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text
- name: text
- type: match_only_text
- name: organization.name
- normalize: []
- original_fieldset: as
- short: Organization name.
- type: keyword
-process.session_leader.parent.session_leader.entry_meta.source.bytes:
- dashed_name: process-session-leader-parent-session-leader-entry-meta-source-bytes
- description: Bytes sent from the source to the destination.
- example: 184
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.bytes
- format: bytes
- level: core
- name: bytes
- normalize: []
- original_fieldset: source
- short: Bytes sent from the source to the destination.
- type: long
-process.session_leader.parent.session_leader.entry_meta.source.domain:
- dashed_name: process-session-leader-parent-session-leader-entry-meta-source-domain
- description: 'The domain name of the source system.
-
- This value may be a host name, a fully qualified domain name, or another host
- naming format. The value may derive from the original event or be added from enrichment.'
- example: foo.example.com
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.domain
- ignore_above: 1024
- level: core
- name: domain
- normalize: []
- original_fieldset: source
- short: The domain name of the source.
- type: keyword
-process.session_leader.parent.session_leader.entry_meta.source.geo.city_name:
- dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-city-name
- description: City name.
- example: Montreal
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.city_name
- ignore_above: 1024
- level: core
- name: city_name
- normalize: []
- original_fieldset: geo
- short: City name.
- type: keyword
-process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code:
- dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-code
- description: Two-letter code representing continent's name.
- example: NA
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code
- ignore_above: 1024
- level: core
- name: continent_code
- normalize: []
- original_fieldset: geo
- short: Continent code.
- type: keyword
-process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name:
- dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-name
- description: Name of the continent.
- example: North America
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name
- ignore_above: 1024
- level: core
- name: continent_name
- normalize: []
- original_fieldset: geo
- short: Name of the continent.
- type: keyword
-process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code:
- dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-iso-code
- description: Country ISO code.
- example: CA
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code
- ignore_above: 1024
- level: core
- name: country_iso_code
- normalize: []
- original_fieldset: geo
- short: Country ISO code.
- type: keyword
-process.session_leader.parent.session_leader.entry_meta.source.geo.country_name:
- dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-name
- description: Country name.
- example: Canada
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_name
- ignore_above: 1024
- level: core
- name: country_name
- normalize: []
- original_fieldset: geo
- short: Country name.
- type: keyword
-process.session_leader.parent.session_leader.entry_meta.source.geo.location:
- dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-location
- description: Longitude and latitude.
- example: '{ "lon": -73.614830, "lat": 45.505918 }'
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.location
- level: core
- name: location
- normalize: []
- original_fieldset: geo
- short: Longitude and latitude.
- type: geo_point
-process.session_leader.parent.session_leader.entry_meta.source.geo.name:
- dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-name
- description: 'User-defined description of a location, at the level of granularity
- they care about.
-
- Could be the name of their data centers, the floor number, if this describes a
- local physical entity, city names.
-
- Not typically used in automated geolocation.'
- example: boston-dc
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.name
- ignore_above: 1024
- level: extended
- name: name
- normalize: []
- original_fieldset: geo
- short: User-defined description of a location.
- type: keyword
-process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code:
- dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-postal-code
- description: 'Postal code associated with the location.
-
- Values appropriate for this field may also be known as a postcode or ZIP code
- and will vary widely from country to country.'
- example: 94040
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code
- ignore_above: 1024
- level: core
- name: postal_code
- normalize: []
- original_fieldset: geo
- short: Postal code.
- type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.ip: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.parent.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip -process.session_leader.parent.session_leader.entry_meta.source.mac: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) - is represented by two [uppercase] hexadecimal digits giving the value of the octet - as an unsigned integer. Successive octets are separated by a hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.nat.ip: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client to - internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip -process.session_leader.parent.session_leader.entry_meta.source.nat.port: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long -process.session_leader.parent.session_leader.entry_meta.source.packets: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long -process.session_leader.parent.session_leader.entry_meta.source.port: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.parent.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long -process.session_leader.parent.session_leader.entry_meta.source.registered_domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.session_leader.parent.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. 
- type: keyword -process.session_leader.parent.session_leader.entry_meta.source.subdomain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.parent.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword -process.session_leader.parent.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.session_leader.parent.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). 
- type: keyword -process.session_leader.parent.session_leader.entry_meta.type: - dashed_name: process-session-leader-parent-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.parent.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword -process.session_leader.parent.session_leader.env_vars: - dashed_name: process-session-leader-parent-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot of - the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.parent.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.executable: - dashed_name: process-session-leader-parent-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.parent.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword -process.session_leader.parent.session_leader.exit_code: - dashed_name: process-session-leader-parent-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.parent.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long -process.session_leader.parent.session_leader.group.domain: - dashed_name: process-session-leader-parent-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.group.id: - dashed_name: process-session-leader-parent-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.group.name: - dashed_name: process-session-leader-parent-session-leader-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.hash.cdhash: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.parent.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword -process.session_leader.parent.session_leader.hash.md5: - dashed_name: process-session-leader-parent-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.session_leader.parent.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -process.session_leader.parent.session_leader.hash.sha1: - dashed_name: process-session-leader-parent-session-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -process.session_leader.parent.session_leader.hash.sha256: - dashed_name: process-session-leader-parent-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -process.session_leader.parent.session_leader.hash.sha384: - dashed_name: process-session-leader-parent-session-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. 
- type: keyword -process.session_leader.parent.session_leader.hash.sha512: - dashed_name: process-session-leader-parent-session-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -process.session_leader.parent.session_leader.hash.ssdeep: - dashed_name: process-session-leader-parent-session-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.session_leader.parent.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -process.session_leader.parent.session_leader.hash.tlsh: - dashed_name: process-session-leader-parent-session-leader-hash-tlsh - description: TLSH hash. - flat_name: process.session_leader.parent.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword -process.session_leader.parent.session_leader.interactive: - dashed_name: process-session-leader-parent-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If the - character device for the controlling tty is the same as stdin and stderr for the - process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is simply - one that does not have open file descriptors reading the controlling TTY on FD - 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process - is still considered interactive if stdin and stderr are connected to the controlling - TTY.' 
- example: true - flat_name: process.session_leader.parent.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean -process.session_leader.parent.session_leader.io: - dashed_name: process-session-leader-parent-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.session_leader.parent.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object -process.session_leader.parent.session_leader.io.bytes_skipped: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has been - skipped. - flat_name: process.session_leader.parent.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been skipped. - type: object -process.session_leader.parent.session_leader.io.bytes_skipped.length: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long -process.session_leader.parent.session_leader.io.bytes_skipped.offset: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) where - length bytes were skipped. - type: long -process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-parent-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean -process.session_leader.parent.session_leader.io.text: - dashed_name: process-session-leader-parent-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. Assumptions - should NOT be made that multiple lines will appear in the same event. TTY output - may contain terminal control codes such as for cursor movement, so some string - queries may not match due to terminal codes inserted between characters of a word.' - flat_name: process.session_leader.parent.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard -process.session_leader.parent.session_leader.io.total_bytes_captured: - dashed_name: process-session-leader-parent-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. 
- flat_name: process.session_leader.parent.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long -process.session_leader.parent.session_leader.io.total_bytes_skipped: - dashed_name: process-session-leader-parent-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.parent.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation restrictions - such as buffer size limits. - type: long -process.session_leader.parent.session_leader.io.type: - dashed_name: process-session-leader-parent-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was taken. - - Currently only ''tty'' is supported. Other types may be added in the future for - ''file'' and ''socket'' support.' - flat_name: process.session_leader.parent.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword -process.session_leader.parent.session_leader.macho.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword -process.session_leader.parent.session_leader.macho.go_imports: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened -process.session_leader.parent.session_leader.macho.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long -process.session_leader.parent.session_leader.macho.go_stripped: - dashed_name: process-session-leader-parent-session-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.parent.session_leader.macho.import_hash: - dashed_name: process-session-leader-parent-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.session_leader.parent.session_leader.macho.imports: - dashed_name: process-session-leader-parent-session-leader-macho-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened -process.session_leader.parent.session_leader.macho.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.session_leader.parent.session_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and types. - type: long -process.session_leader.parent.session_leader.macho.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.session_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.parent.session_leader.macho.sections: - dashed_name: process-session-leader-parent-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields underneath - `macho.sections.*`.' - flat_name: process.session_leader.parent.session_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested -process.session_leader.parent.session_leader.macho.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. 
- type: long -process.session_leader.parent.session_leader.macho.sections.name: - dashed_name: process-session-leader-parent-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.parent.session_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword -process.session_leader.parent.session_leader.macho.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.parent.session_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long -process.session_leader.parent.session_leader.macho.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.session_leader.macho.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.session_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
- type: long -process.session_leader.parent.session_leader.macho.symhash: - dashed_name: process-session-leader-parent-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.parent.session_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword -process.session_leader.parent.session_leader.name: - dashed_name: process-session-leader-parent-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.parent.session_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword -process.session_leader.parent.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable file. - example: http://example.com/article1.html - flat_name: process.session_leader.parent.session_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword -process.session_leader.parent.session_leader.origin_url: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.session_leader.parent.session_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword -process.session_leader.parent.session_leader.pe.architecture: - dashed_name: process-session-leader-parent-session-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.session_leader.parent.session_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -process.session_leader.parent.session_leader.pe.company: - dashed_name: process-session-leader-parent-session-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.session_leader.parent.session_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.session_leader.pe.description: - dashed_name: process-session-leader-parent-session-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.session_leader.parent.session_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. 
- type: keyword -process.session_leader.parent.session_leader.pe.file_version: - dashed_name: process-session-leader-parent-session-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.session_leader.parent.session_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.session_leader.parent.session_leader.pe.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would change - more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword -process.session_leader.parent.session_leader.pe.go_imports: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. 
- type: flattened -process.session_leader.parent.session_leader.pe.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long -process.session_leader.parent.session_leader.pe.go_stripped: - dashed_name: process-session-leader-parent-session-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean -process.session_leader.parent.session_leader.pe.imphash: - dashed_name: process-session-leader-parent-session-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.parent.session_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.session_leader.parent.session_leader.pe.import_hash: - dashed_name: process-session-leader-parent-session-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used to - fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.session_leader.parent.session_leader.pe.imports: - dashed_name: process-session-leader-parent-session-leader-pe-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened -process.session_leader.parent.session_leader.pe.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.session_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and types. 
- type: long -process.session_leader.parent.session_leader.pe.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.session_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long -process.session_leader.parent.session_leader.pe.original_file_name: - dashed_name: process-session-leader-parent-session-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.session_leader.parent.session_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.session_leader.pe.pehash: - dashed_name: process-session-leader-parent-session-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. An - pehash can be used to cluster files by transforming structural information about - a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.parent.session_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. 
- type: keyword -process.session_leader.parent.session_leader.pe.product: - dashed_name: process-session-leader-parent-session-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.session_leader.parent.session_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.session_leader.parent.session_leader.pe.sections: - dashed_name: process-session-leader-parent-session-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields underneath - `pe.sections.*`.' - flat_name: process.session_leader.parent.session_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested -process.session_leader.parent.session_leader.pe.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long -process.session_leader.parent.session_leader.pe.sections.name: - dashed_name: process-session-leader-parent-session-leader-pe-sections-name - description: PE Section List name. - flat_name: process.session_leader.parent.session_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword -process.session_leader.parent.session_leader.pe.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.session_leader.parent.session_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.session_leader.parent.session_leader.pe.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.parent.session_leader.pe.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.session_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.session_leader.parent.session_leader.pid: - dashed_name: process-session-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long -process.session_leader.parent.session_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. - flat_name: process.session_leader.parent.session_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.session_leader.parent.session_leader.real_group.domain: - dashed_name: process-session-leader-parent-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.real_group.id: - dashed_name: process-session-leader-parent-session-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.real_group.name: - dashed_name: process-session-leader-parent-session-leader-real-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword -process.session_leader.parent.session_leader.real_user.domain: - dashed_name: process-session-leader-parent-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.session_leader.real_user.email: - dashed_name: process-session-leader-parent-session-leader-real-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.session_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.parent.session_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.parent.session_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.parent.session_leader.real_user.entity.id: - dashed_name: process-session-leader-parent-session-leader-real-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.parent.session_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.parent.session_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.session_leader.parent.session_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.parent.session_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.parent.session_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.parent.session_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.parent.session_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.parent.session_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.parent.session_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.parent.session_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.parent.session_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.parent.session_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.parent.session_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.parent.session_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.parent.session_leader.real_user.full_name: - dashed_name: process-session-leader-parent-session-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.session_leader.real_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.session_leader.parent.session_leader.real_user.group.id: - dashed_name: process-session-leader-parent-session-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.real_user.group.name: - dashed_name: process-session-leader-parent-session-leader-real-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.real_user.hash: - dashed_name: process-session-leader-parent-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.session_leader.real_user.id: - dashed_name: process-session-leader-parent-session-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword -process.session_leader.parent.session_leader.real_user.name: - dashed_name: process-session-leader-parent-session-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.session_leader.real_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.session_leader.real_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. 
- type: float -process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.session_leader.real_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.session_leader.real_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. 
- type: float -process.session_leader.parent.session_leader.real_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.session_leader.real_user.roles: - dashed_name: process-session-leader-parent-session-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.same_as_process: - dashed_name: process-session-leader-parent-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. 
e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.parent.session_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. - type: boolean -process.session_leader.parent.session_leader.saved_group.domain: - dashed_name: process-session-leader-parent-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.saved_group.id: - dashed_name: process-session-leader-parent-session-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.saved_group.name: - dashed_name: process-session-leader-parent-session-leader-saved-group-name - description: Name of the group. 
- flat_name: process.session_leader.parent.session_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.saved_user.domain: - dashed_name: process-session-leader-parent-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.session_leader.saved_user.email: - dashed_name: process-session-leader-parent-session-leader-saved-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.session_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. 
- type: object -process.session_leader.parent.session_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.parent.session_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. 
- type: keyword -process.session_leader.parent.session_leader.saved_user.entity.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.parent.session_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.parent.session_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.parent.session_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.parent.session_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.parent.session_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.parent.session_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.parent.session_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.parent.session_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. 
- type: keyword -process.session_leader.parent.session_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.parent.session_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. 
- name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. 
- name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.parent.session_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.parent.session_leader.saved_user.full_name: - dashed_name: process-session-leader-parent-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.session_leader.saved_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.session_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.saved_user.group.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.saved_user.group.name: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.saved_user.hash: - dashed_name: process-session-leader-parent-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.session_leader.saved_user.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.parent.session_leader.saved_user.name: - dashed_name: process-session-leader-parent-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.parent.session_leader.saved_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.session_leader.saved_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.parent.session_leader.saved_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.session_leader.saved_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.parent.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.parent.session_leader.saved_user.roles: - dashed_name: process-session-leader-parent-session-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.start: - dashed_name: process-session-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. 
- type: date -process.session_leader.parent.session_leader.supplemental_groups.domain: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.supplemental_groups.id: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.session_leader.supplemental_groups.name: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.thread.capabilities.effective: - dashed_name: process-session-leader-parent-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.session_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.thread.capabilities.permitted: - dashed_name: process-session-leader-parent-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.session_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.thread.id: - dashed_name: process-session-leader-parent-session-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.session_leader.parent.session_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.session_leader.parent.session_leader.thread.name: - dashed_name: process-session-leader-parent-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.session_leader.parent.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.session_leader.parent.session_leader.title: - dashed_name: process-session-leader-parent-session-leader-title - description: 'Process title. 
- - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.parent.session_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.session_leader.parent.session_leader.tty: - dashed_name: process-session-leader-parent-session-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.session_leader.parent.session_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.session_leader.parent.session_leader.tty.char_device.major: - dashed_name: process-session-leader-parent-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.session_leader.parent.session_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.session_leader.parent.session_leader.tty.char_device.minor: - dashed_name: process-session-leader-parent-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. 
It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.session_leader.parent.session_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long -process.session_leader.parent.session_leader.tty.columns: - dashed_name: process-session-leader-parent-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.parent.session_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.session_leader.parent.session_leader.tty.rows: - dashed_name: process-session-leader-parent-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.parent.session_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long -process.session_leader.parent.session_leader.uptime: - dashed_name: process-session-leader-parent-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.session_leader.parent.session_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. 
- type: long -process.session_leader.parent.session_leader.user.domain: - dashed_name: process-session-leader-parent-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.parent.session_leader.user.email: - dashed_name: process-session-leader-parent-session-leader-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.parent.session_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.parent.session_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. 
Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.parent.session_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.session_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.parent.session_leader.user.entity.id: - dashed_name: process-session-leader-parent-session-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). 
For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.parent.session_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.parent.session_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.session_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.parent.session_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.parent.session_leader.user.entity.metrics: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.parent.session_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.parent.session_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.parent.session_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.parent.session_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object -process.session_leader.parent.session_leader.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.parent.session_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.parent.session_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.parent.session_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.parent.session_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.parent.session_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.parent.session_leader.user.full_name: - dashed_name: process-session-leader-parent-session-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.parent.session_leader.user.group.domain: - dashed_name: process-session-leader-parent-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.session_leader.user.group.id: - dashed_name: process-session-leader-parent-session-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.session_leader.parent.session_leader.user.group.name: - dashed_name: process-session-leader-parent-session-leader-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.session_leader.user.hash: - dashed_name: process-session-leader-parent-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.parent.session_leader.user.id: - dashed_name: process-session-leader-parent-session-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.parent.session_leader.user.name: - dashed_name: process-session-leader-parent-session-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.session_leader.parent.session_leader.user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.parent.session_leader.user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.parent.session_leader.user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.session_leader.parent.session_leader.user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.parent.session_leader.user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.parent.session_leader.user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float -process.session_leader.parent.session_leader.user.roles: - dashed_name: process-session-leader-parent-session-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.session_leader.vpid: - dashed_name: process-session-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across all - processes on the host but it is unique within the process namespace that the process - exists within.' - example: 4242 - flat_name: process.session_leader.parent.session_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long -process.session_leader.parent.session_leader.working_directory: - dashed_name: process-session-leader-parent-session-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.session_leader.parent.session_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword -process.session_leader.parent.start: - dashed_name: process-session-leader-parent-start - description: The time the process started. 
- example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date -process.session_leader.parent.supplemental_groups.domain: - dashed_name: process-session-leader-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.parent.supplemental_groups.id: - dashed_name: process-session-leader-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.parent.supplemental_groups.name: - dashed_name: process-session-leader-parent-supplemental-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.parent.thread.capabilities.effective: - dashed_name: process-session-leader-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.thread.capabilities.permitted: - dashed_name: process-session-leader-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword -process.session_leader.parent.thread.id: - dashed_name: process-session-leader-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.session_leader.parent.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long -process.session_leader.parent.thread.name: - dashed_name: process-session-leader-parent-thread-name - description: Thread name. - example: thread-0 - flat_name: process.session_leader.parent.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.session_leader.parent.title: - dashed_name: process-session-leader-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' 
- flat_name: process.session_leader.parent.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword -process.session_leader.parent.tty: - dashed_name: process-session-leader-parent-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.session_leader.parent.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.session_leader.parent.tty.char_device.major: - dashed_name: process-session-leader-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.session_leader.parent.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long -process.session_leader.parent.tty.char_device.minor: - dashed_name: process-session-leader-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. 
- example: 1
- flat_name: process.session_leader.parent.tty.char_device.minor
- level: extended
- name: tty.char_device.minor
- normalize: []
- original_fieldset: process
- short: The TTY character device's minor number.
- type: long
-process.session_leader.parent.tty.columns:
- dashed_name: process-session-leader-parent-tty-columns
- description: 'The number of character columns per line. e.g terminal width
-
- Terminal sizes can change, so this value reflects the maximum value for a given
- IO event. i.e. where event.action = ''text_output'''
- example: 80
- flat_name: process.session_leader.parent.tty.columns
- level: extended
- name: tty.columns
- normalize: []
- original_fieldset: process
- short: The number of character columns per line. e.g terminal width
- type: long
-process.session_leader.parent.tty.rows:
- dashed_name: process-session-leader-parent-tty-rows
- description: 'The number of character rows in the terminal. e.g terminal height
-
- Terminal sizes can change, so this value reflects the maximum value for a given
- IO event. i.e. where event.action = ''text_output'''
- example: 24
- flat_name: process.session_leader.parent.tty.rows
- level: extended
- name: tty.rows
- normalize: []
- original_fieldset: process
- short: The number of character rows in the terminal. e.g terminal height
- type: long
-process.session_leader.parent.uptime:
- dashed_name: process-session-leader-parent-uptime
- description: Seconds the process has been up.
- example: 1325
- flat_name: process.session_leader.parent.uptime
- level: extended
- name: uptime
- normalize: []
- original_fieldset: process
- short: Seconds the process has been up.
- type: long
-process.session_leader.parent.user.domain:
- dashed_name: process-session-leader-parent-user-domain
- description: 'Name of the directory the user is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: process.session_leader.parent.user.domain
- ignore_above: 1024
- level: extended
- name: domain
- normalize: []
- original_fieldset: user
- short: Name of the directory the user is a member of.
- type: keyword
-process.session_leader.parent.user.email:
- dashed_name: process-session-leader-parent-user-email
- description: User email address.
- flat_name: process.session_leader.parent.user.email
- ignore_above: 1024
- level: extended
- name: email
- normalize: []
- original_fieldset: user
- short: User email address.
- type: keyword
-process.session_leader.parent.user.entity.attributes:
- beta: This field is beta and subject to change.
- dashed_name: process-session-leader-parent-user-entity-attributes
- description: A set of static or semi-static attributes of the entity. Usually boolean
- or keyword field data types. Use this field set when you need to track static
- or semi-static characteristics of an entity for advanced searching and correlation
- of normalized values across different providers/sources and entity types.
- flat_name: process.session_leader.parent.user.entity.attributes
- level: extended
- name: attributes
- normalize: []
- original_fieldset: entity
- short: A set of static or semi-static attributes of the entity.
- type: object
-process.session_leader.parent.user.entity.behavior:
- beta: This field is beta and subject to change.
- dashed_name: process-session-leader-parent-user-entity-behavior
- description: A set of ephemeral characteristics of the entity, derived from observed
- behaviors during a specific time period. Usually boolean field data type. Use
- this field set when you need to capture and track ephemeral characteristics of
- an entity for advanced searching, correlation of normalized values across different
- providers/sources and entity types.
- flat_name: process.session_leader.parent.user.entity.behavior
- level: extended
- name: behavior
- normalize: []
- original_fieldset: entity
- short: A set of ephemeral characteristics of the entity, derived from observed behaviors
- during a specific time period.
- type: object
-process.session_leader.parent.user.entity.display_name:
- beta: This field is beta and subject to change.
- dashed_name: process-session-leader-parent-user-entity-display-name
- description: An optional field used when a pretty name is desired for entity-centric
- operations. This field should not be used for correlation with `*.name` fields
- for entities with dedicated field sets (e.g., `host`).
- flat_name: process.session_leader.parent.user.entity.display_name
- ignore_above: 1024
- level: extended
- multi_fields:
- - flat_name: process.session_leader.parent.user.entity.display_name.text
- name: text
- norms: false
- type: text
- name: display_name
- normalize: []
- original_fieldset: entity
- short: An optional field used when a pretty name is desired for entity-centric operations.
- type: keyword
-process.session_leader.parent.user.entity.id:
- dashed_name: process-session-leader-parent-user-entity-id
- description: 'A unique identifier for the entity. When multiple identifiers exist,
- this should be the most stable and commonly used identifier that: 1) persists
- across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
- commonly used for queries and correlation, and 4) is readily available in most
- observations (logs/events). For entities with dedicated field sets (e.g., host,
- user), this value should match the corresponding *.id field. Alternative identifiers
- (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
- flat_name: process.session_leader.parent.user.entity.id
- ignore_above: 1024
- level: core
- name: id
- normalize: []
- original_fieldset: entity
- short: Unique identifier for the entity.
- type: keyword
-process.session_leader.parent.user.entity.last_seen_timestamp:
- beta: This field is beta and subject to change.
- dashed_name: process-session-leader-parent-user-entity-last-seen-timestamp
- description: Indicates the date/time when this entity was last "seen," usually based
- upon the last event/log that is initiated by this entity.
- flat_name: process.session_leader.parent.user.entity.last_seen_timestamp
- level: extended
- name: last_seen_timestamp
- normalize: []
- original_fieldset: entity
- short: Indicates the date/time when this entity was last "seen."
- type: date
-process.session_leader.parent.user.entity.lifecycle:
- beta: This field is beta and subject to change.
- dashed_name: process-session-leader-parent-user-entity-lifecycle
- description: A set of temporal characteristics of the entity. Usually date field
- data type. Use this field set when you need to track temporal characteristics
- of an entity for advanced searching and correlation of normalized values across
- different providers/sources and entity types.
- flat_name: process.session_leader.parent.user.entity.lifecycle
- level: extended
- name: lifecycle
- normalize: []
- original_fieldset: entity
- short: A set of temporal characteristics of the entity.
- type: object
-process.session_leader.parent.user.entity.metrics:
- beta: This field is beta and subject to change.
- dashed_name: process-session-leader-parent-user-entity-metrics
- description: Field set for any fields containing numeric entity metrics. These use
- dynamic field data type mapping.
- flat_name: process.session_leader.parent.user.entity.metrics
- level: extended
- name: metrics
- normalize: []
- original_fieldset: entity
- short: Field set for any fields containing numeric entity metrics.
- type: object
-process.session_leader.parent.user.entity.name:
- beta: This field is beta and subject to change.
- dashed_name: process-session-leader-parent-user-entity-name
- description: The name of the entity.
The keyword field enables exact matches for
- filtering and aggregations, while the text field enables full-text search. For
- entities with dedicated field sets (e.g., `host`), this field should mirrors the
- corresponding *.name value.
- flat_name: process.session_leader.parent.user.entity.name
- ignore_above: 1024
- level: core
- multi_fields:
- - flat_name: process.session_leader.parent.user.entity.name.text
- name: text
- norms: false
- type: text
- name: name
- normalize: []
- original_fieldset: entity
- short: The name of the entity.
- type: keyword
-process.session_leader.parent.user.entity.raw:
- beta: This field is beta and subject to change.
- dashed_name: process-session-leader-parent-user-entity-raw
- description: Original, unmodified fields from the source system. Usually flattened
- field data type. While the attributes field should be used for normalized fields
- requiring advanced queries, this field preserves all source metadata with basic
- search capabilities.
- flat_name: process.session_leader.parent.user.entity.raw
- level: extended
- name: raw
- normalize: []
- original_fieldset: entity
- short: Original, unmodified fields from the source system.
- type: object
-process.session_leader.parent.user.entity.reference:
- beta: This field is beta and subject to change.
- dashed_name: process-session-leader-parent-user-entity-reference
- description: A URI, URL, or other direct reference to access or locate the entity
- in its source system. This could be an API endpoint, web console URL, or other
- addressable location. Format may vary by entity type and source system.
- flat_name: process.session_leader.parent.user.entity.reference
- ignore_above: 1024
- level: extended
- name: reference
- normalize: []
- original_fieldset: entity
- short: A URI, URL, or other direct reference to access or locate the entity.
- type: keyword
-process.session_leader.parent.user.entity.source:
- beta: This field is beta and subject to change.
- dashed_name: process-session-leader-parent-user-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
- flat_name: process.session_leader.parent.user.entity.source
- ignore_above: 1024
- level: core
- name: source
- normalize: []
- original_fieldset: entity
- short: Source module or integration that provided the entity data.
- type: keyword
-process.session_leader.parent.user.entity.sub_type:
- beta: This field is beta and subject to change.
- dashed_name: process-session-leader-parent-user-entity-sub-type
- description: 'The specific type designation for the entity as defined by its provider
- or system. This field provides more granular classification than the type field.
- Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
- would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
- `node` , `cloud_instance` would all map to entity type `host`.'
- example: aws_s3_bucket
- flat_name: process.session_leader.parent.user.entity.sub_type
- ignore_above: 1024
- level: extended
- name: sub_type
- normalize: []
- original_fieldset: entity
- short: The specific type designation for the entity as defined by its provider or
- system.
- type: keyword
-process.session_leader.parent.user.entity.type:
- allowed_values:
- - description: Represents a storage container or bucket, typically used for object
- storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
- Azure Blob containers, and other cloud storage services. Buckets are used to
- organize and store files, objects, or data in cloud environments.
- name: bucket
- - description: Represents a database system or database instance. This includes
- relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
- Cassandra, DynamoDB), time-series databases, and other data storage systems.
- The entity may represent the entire database system or a specific database instance.
- name: database
- - description: Represents a containerized application or process. This includes
- Docker containers, Kubernetes pods, and other containerization technologies.
- Containers encapsulate applications and their dependencies, providing isolation
- and portability across different environments.
- name: container
- - description: Represents a serverless function or Function-as-a-Service (FaaS)
- component. This includes AWS Lambda functions, Azure Functions, Google Cloud
- Functions, and other serverless computing resources. Functions are typically
- event-driven and execute code without managing the underlying infrastructure.
- name: function
- - description: Represents a message queue or messaging system. This includes message
- brokers, event queues, and other messaging infrastructure components such as
- Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
- asynchronous communication between applications and services.
- name: queue
- - description: Represents a computing host or machine. This includes physical servers,
- virtual machines, cloud instances, and other computing resources that can run
- applications or services. Hosts provide the fundamental computing infrastructure
- for other entity types.
- name: host
- - description: Represents a user account or identity. This includes human users,
- service accounts, system accounts, and other identity entities that can interact
- with systems, applications, or services. Users may have various roles, permissions,
- and attributes associated with their identity.
- name: user
- - description: Represents a software application or service. This includes web applications,
- mobile applications, desktop applications, and other software components that
- provide functionality to users or other systems. Applications may run on various
- infrastructure components and can span multiple hosts or containers.
- name: application
- - description: Represents a service or microservice component. This includes web
- services, APIs, background services, and other service-oriented architecture
- components. Services provide specific functionality and may communicate with
- other services to fulfill business requirements.
- name: service
- - description: Represents a user session or connection session. This includes user
- login sessions, database connections, network sessions, and other temporary
- interactive or persistent connections between users, applications, or systems.
- name: session
- beta: This field is beta and subject to change.
- dashed_name: process-session-leader-parent-user-entity-type
- description: 'A standardized high-level classification of the entity. This provides
- a normalized way to group similar entities across different providers or systems.
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
- example: host
- flat_name: process.session_leader.parent.user.entity.type
- ignore_above: 1024
- level: core
- name: type
- normalize:
- - array
- original_fieldset: entity
- short: Standardized high-level classification of the entity.
- type: keyword
-process.session_leader.parent.user.full_name:
- dashed_name: process-session-leader-parent-user-full-name
- description: User's full name, if available.
- example: Albert Einstein
- flat_name: process.session_leader.parent.user.full_name
- ignore_above: 1024
- level: extended
- multi_fields:
- - flat_name: process.session_leader.parent.user.full_name.text
- name: text
- type: match_only_text
- name: full_name
- normalize: []
- original_fieldset: user
- short: User's full name, if available.
- type: keyword
-process.session_leader.parent.user.group.domain:
- dashed_name: process-session-leader-parent-user-group-domain
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: process.session_leader.parent.user.group.domain
- ignore_above: 1024
- level: extended
- name: domain
- normalize: []
- original_fieldset: group
- short: Name of the directory the group is a member of.
- type: keyword
-process.session_leader.parent.user.group.id:
- dashed_name: process-session-leader-parent-user-group-id
- description: Unique identifier for the group on the system/platform.
- flat_name: process.session_leader.parent.user.group.id
- ignore_above: 1024
- level: extended
- name: id
- normalize: []
- original_fieldset: group
- short: Unique identifier for the group on the system/platform.
- type: keyword
-process.session_leader.parent.user.group.name:
- dashed_name: process-session-leader-parent-user-group-name
- description: Name of the group.
- flat_name: process.session_leader.parent.user.group.name
- ignore_above: 1024
- level: extended
- name: name
- normalize: []
- original_fieldset: group
- short: Name of the group.
- type: keyword
-process.session_leader.parent.user.hash:
- dashed_name: process-session-leader-parent-user-hash
- description: 'Unique user hash to correlate information for a user in anonymized
- form.
-
- Useful if `user.id` or `user.name` contain confidential information and cannot
- be used.'
- flat_name: process.session_leader.parent.user.hash
- ignore_above: 1024
- level: extended
- name: hash
- normalize: []
- original_fieldset: user
- short: Unique user hash to correlate information for a user in anonymized form.
- type: keyword
-process.session_leader.parent.user.id:
- dashed_name: process-session-leader-parent-user-id
- description: Unique identifier of the user.
- example: S-1-5-21-202424912787-2692429404-2351956786-1000
- flat_name: process.session_leader.parent.user.id
- ignore_above: 1024
- level: core
- name: id
- normalize: []
- original_fieldset: user
- short: Unique identifier of the user.
- type: keyword
-process.session_leader.parent.user.name:
- dashed_name: process-session-leader-parent-user-name
- description: Short name or login of the user.
- example: a.einstein
- flat_name: process.session_leader.parent.user.name
- ignore_above: 1024
- level: core
- multi_fields:
- - flat_name: process.session_leader.parent.user.name.text
- name: text
- type: match_only_text
- name: name
- normalize: []
- original_fieldset: user
- short: Short name or login of the user.
- type: keyword
-process.session_leader.parent.user.risk.calculated_level:
- dashed_name: process-session-leader-parent-user-risk-calculated-level
- description: A risk classification level calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: High
- flat_name: process.session_leader.parent.user.risk.calculated_level
- ignore_above: 1024
- level: extended
- name: calculated_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: keyword
-process.session_leader.parent.user.risk.calculated_score:
- dashed_name: process-session-leader-parent-user-risk-calculated-score
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring.
- example: 880.73
- flat_name: process.session_leader.parent.user.risk.calculated_score
- level: extended
- name: calculated_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score calculated by an internal system as part of entity
- analytics and entity risk scoring.
- type: float
-process.session_leader.parent.user.risk.calculated_score_norm:
- dashed_name: process-session-leader-parent-user-risk-calculated-score-norm
- description: A risk classification score calculated by an internal system as part
- of entity analytics and entity risk scoring, and normalized to a range of 0 to
- 100.
- example: 88.73
- flat_name: process.session_leader.parent.user.risk.calculated_score_norm
- level: extended
- name: calculated_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an internal system.
- type: float
-process.session_leader.parent.user.risk.static_level:
- dashed_name: process-session-leader-parent-user-risk-static-level
- description: A risk classification level obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: High
- flat_name: process.session_leader.parent.user.risk.static_level
- ignore_above: 1024
- level: extended
- name: static_level
- normalize: []
- original_fieldset: risk
- short: A risk classification level obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: keyword
-process.session_leader.parent.user.risk.static_score:
- dashed_name: process-session-leader-parent-user-risk-static-score
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform.
- example: 830.0
- flat_name: process.session_leader.parent.user.risk.static_score
- level: extended
- name: static_score
- normalize: []
- original_fieldset: risk
- short: A risk classification score obtained from outside the system, such as from
- some external Threat Intelligence Platform.
- type: float
-process.session_leader.parent.user.risk.static_score_norm:
- dashed_name: process-session-leader-parent-user-risk-static-score-norm
- description: A risk classification score obtained from outside the system, such
- as from some external Threat Intelligence Platform, and normalized to a range
- of 0 to 100.
- example: 83.0
- flat_name: process.session_leader.parent.user.risk.static_score_norm
- level: extended
- name: static_score_norm
- normalize: []
- original_fieldset: risk
- short: A normalized risk score calculated by an external system.
- type: float
-process.session_leader.parent.user.roles:
- dashed_name: process-session-leader-parent-user-roles
- description: Array of user roles at the time of the event.
- example: '["kibana_admin", "reporting_user"]'
- flat_name: process.session_leader.parent.user.roles
- ignore_above: 1024
- level: extended
- name: roles
- normalize:
- - array
- original_fieldset: user
- short: Array of user roles at the time of the event.
- synthetic_source_keep: none
- type: keyword
-process.session_leader.parent.vpid:
- dashed_name: process-session-leader-parent-vpid
- description: 'Virtual process id.
-
- The process id within a pid namespace. This is not necessarily unique across all
- processes on the host but it is unique within the process namespace that the process
- exists within.'
- example: 4242
- flat_name: process.session_leader.parent.vpid
- format: string
- level: core
- name: vpid
- normalize: []
- original_fieldset: process
- short: Virtual process id.
- type: long
-process.session_leader.parent.working_directory:
- dashed_name: process-session-leader-parent-working-directory
- description: The working directory of the process.
- example: /home/alice
- flat_name: process.session_leader.parent.working_directory
- ignore_above: 1024
- level: extended
- multi_fields:
- - flat_name: process.session_leader.parent.working_directory.text
- name: text
- type: match_only_text
- name: working_directory
- normalize: []
- original_fieldset: process
- short: The working directory of the process.
- type: keyword
-process.session_leader.pe.architecture:
- dashed_name: process-session-leader-pe-architecture
- description: CPU architecture target for the file.
- example: x64
- flat_name: process.session_leader.pe.architecture
- ignore_above: 1024
- level: extended
- name: architecture
- normalize: []
- original_fieldset: pe
- short: CPU architecture target for the file.
- type: keyword
-process.session_leader.pe.company:
- dashed_name: process-session-leader-pe-company
- description: Internal company name of the file, provided at compile-time.
- example: Microsoft Corporation
- flat_name: process.session_leader.pe.company
- ignore_above: 1024
- level: extended
- name: company
- normalize: []
- original_fieldset: pe
- short: Internal company name of the file, provided at compile-time.
- type: keyword
-process.session_leader.pe.description:
- dashed_name: process-session-leader-pe-description
- description: Internal description of the file, provided at compile-time.
- example: Paint
- flat_name: process.session_leader.pe.description
- ignore_above: 1024
- level: extended
- name: description
- normalize: []
- original_fieldset: pe
- short: Internal description of the file, provided at compile-time.
- type: keyword
-process.session_leader.pe.file_version:
- dashed_name: process-session-leader-pe-file-version
- description: Internal version of the file, provided at compile-time.
- example: 6.3.9600.17415
- flat_name: process.session_leader.pe.file_version
- ignore_above: 1024
- level: extended
- name: file_version
- normalize: []
- original_fieldset: pe
- short: Process name.
- type: keyword
-process.session_leader.pe.go_import_hash:
- dashed_name: process-session-leader-pe-go-import-hash
- description: 'A hash of the Go language imports in a PE file excluding standard
- library imports. An import hash can be used to fingerprint binaries even after
- recompilation or other code-level transformations have occurred, which would change
- more traditional hash values.
-
- The algorithm used to calculate the Go symbol hash and a reference implementation
- are available here: https://github.com/elastic/toutoumomoma'
- example: 10bddcb4cee42080f76c88d9ff964491
- flat_name: process.session_leader.pe.go_import_hash
- ignore_above: 1024
- level: extended
- name: go_import_hash
- normalize: []
- original_fieldset: pe
- short: A hash of the Go language imports in a PE file.
- type: keyword
-process.session_leader.pe.go_imports:
- dashed_name: process-session-leader-pe-go-imports
- description: List of imported Go language element names and types.
- flat_name: process.session_leader.pe.go_imports
- level: extended
- name: go_imports
- normalize: []
- original_fieldset: pe
- short: List of imported Go language element names and types.
- type: flattened
-process.session_leader.pe.go_imports_names_entropy:
- dashed_name: process-session-leader-pe-go-imports-names-entropy
- description: Shannon entropy calculation from the list of Go imports.
- flat_name: process.session_leader.pe.go_imports_names_entropy
- format: number
- level: extended
- name: go_imports_names_entropy
- normalize: []
- original_fieldset: pe
- short: Shannon entropy calculation from the list of Go imports.
- type: long
-process.session_leader.pe.go_imports_names_var_entropy:
- dashed_name: process-session-leader-pe-go-imports-names-var-entropy
- description: Variance for Shannon entropy calculation from the list of Go imports.
- flat_name: process.session_leader.pe.go_imports_names_var_entropy
- format: number
- level: extended
- name: go_imports_names_var_entropy
- normalize: []
- original_fieldset: pe
- short: Variance for Shannon entropy calculation from the list of Go imports.
- type: long
-process.session_leader.pe.go_stripped:
- dashed_name: process-session-leader-pe-go-stripped
- description: Set to true if the file is a Go executable that has had its symbols
- stripped or obfuscated and false if an unobfuscated Go executable.
- flat_name: process.session_leader.pe.go_stripped
- level: extended
- name: go_stripped
- normalize: []
- original_fieldset: pe
- short: Whether the file is a stripped or obfuscated Go executable.
- type: boolean
-process.session_leader.pe.imphash:
- dashed_name: process-session-leader-pe-imphash
- description: 'A hash of the imports in a PE file. An imphash -- or import hash --
- can be used to fingerprint binaries even after recompilation or other code-level
- transformations have occurred, which would change more traditional hash values.
-
- Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
- example: 0c6803c4e922103c4dca5963aad36ddf
- flat_name: process.session_leader.pe.imphash
- ignore_above: 1024
- level: extended
- name: imphash
- normalize: []
- original_fieldset: pe
- short: A hash of the imports in a PE file.
- type: keyword
-process.session_leader.pe.import_hash:
- dashed_name: process-session-leader-pe-import-hash
- description: 'A hash of the imports in a PE file. An import hash can be used to
- fingerprint binaries even after recompilation or other code-level transformations
- have occurred, which would change more traditional hash values.
-
- This is a synonym for imphash.'
- example: d41d8cd98f00b204e9800998ecf8427e
- flat_name: process.session_leader.pe.import_hash
- ignore_above: 1024
- level: extended
- name: import_hash
- normalize: []
- original_fieldset: pe
- short: A hash of the imports in a PE file.
- type: keyword
-process.session_leader.pe.imports:
- dashed_name: process-session-leader-pe-imports
- description: List of imported element names and types.
- flat_name: process.session_leader.pe.imports
- level: extended
- name: imports
- normalize:
- - array
- original_fieldset: pe
- short: List of imported element names and types.
- type: flattened
-process.session_leader.pe.imports_names_entropy:
- dashed_name: process-session-leader-pe-imports-names-entropy
- description: Shannon entropy calculation from the list of imported element names
- and types.
- flat_name: process.session_leader.pe.imports_names_entropy
- format: number
- level: extended
- name: imports_names_entropy
- normalize: []
- original_fieldset: pe
- short: Shannon entropy calculation from the list of imported element names and types.
- type: long
-process.session_leader.pe.imports_names_var_entropy:
- dashed_name: process-session-leader-pe-imports-names-var-entropy
- description: Variance for Shannon entropy calculation from the list of imported
- element names and types.
- flat_name: process.session_leader.pe.imports_names_var_entropy
- format: number
- level: extended
- name: imports_names_var_entropy
- normalize: []
- original_fieldset: pe
- short: Variance for Shannon entropy calculation from the list of imported element
- names and types.
- type: long
-process.session_leader.pe.original_file_name:
- dashed_name: process-session-leader-pe-original-file-name
- description: Internal name of the file, provided at compile-time.
- example: MSPAINT.EXE
- flat_name: process.session_leader.pe.original_file_name
- ignore_above: 1024
- level: extended
- name: original_file_name
- normalize: []
- original_fieldset: pe
- short: Internal name of the file, provided at compile-time.
- type: keyword
-process.session_leader.pe.pehash:
- dashed_name: process-session-leader-pe-pehash
- description: 'A hash of the PE header and data from one or more PE sections. An
- pehash can be used to cluster files by transforming structural information about
- a file into a hash value.
-
- Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.'
- example: 73ff189b63cd6be375a7ff25179a38d347651975
- flat_name: process.session_leader.pe.pehash
- ignore_above: 1024
- level: extended
- name: pehash
- normalize: []
- original_fieldset: pe
- short: A hash of the PE header and data from one or more PE sections.
- type: keyword
-process.session_leader.pe.product:
- dashed_name: process-session-leader-pe-product
- description: Internal product name of the file, provided at compile-time.
- example: Microsoft® Windows® Operating System
- flat_name: process.session_leader.pe.product
- ignore_above: 1024
- level: extended
- name: product
- normalize: []
- original_fieldset: pe
- short: Internal product name of the file, provided at compile-time.
- type: keyword
-process.session_leader.pe.sections:
- dashed_name: process-session-leader-pe-sections
- description: 'An array containing an object for each section of the PE file.
-
- The keys that should be present in these objects are defined by sub-fields underneath
- `pe.sections.*`.'
- flat_name: process.session_leader.pe.sections
- level: extended
- name: sections
- normalize:
- - array
- original_fieldset: pe
- short: Section information of the PE file.
- type: nested
-process.session_leader.pe.sections.entropy:
- dashed_name: process-session-leader-pe-sections-entropy
- description: Shannon entropy calculation from the section.
- flat_name: process.session_leader.pe.sections.entropy
- format: number
- level: extended
- name: sections.entropy
- normalize: []
- original_fieldset: pe
- short: Shannon entropy calculation from the section.
- type: long
-process.session_leader.pe.sections.name:
- dashed_name: process-session-leader-pe-sections-name
- description: PE Section List name.
- flat_name: process.session_leader.pe.sections.name
- ignore_above: 1024
- level: extended
- name: sections.name
- normalize: []
- original_fieldset: pe
- short: PE Section List name.
- type: keyword -process.session_leader.pe.sections.physical_size: - dashed_name: process-session-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.session_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long -process.session_leader.pe.sections.var_entropy: - dashed_name: process-session-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long -process.session_leader.pe.sections.virtual_size: - dashed_name: process-session-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long -process.session_leader.pid: - dashed_name: process-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. - type: long -process.session_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as platform - binaries, this value is then set to true. 
- flat_name: process.session_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary shipped - with the operating system. - type: boolean -process.session_leader.real_group.domain: - dashed_name: process-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.real_group.id: - dashed_name: process-session-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.real_group.name: - dashed_name: process-session-leader-real-group-name - description: Name of the group. - flat_name: process.session_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.real_user.domain: - dashed_name: process-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.real_user.email: - dashed_name: process-session-leader-real-user-email - description: User email address. 
- flat_name: process.session_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.real_user.entity.id: - dashed_name: process-session-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. 
- flat_name: process.session_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.session_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: process.session_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.real_user.full_name: - dashed_name: process-session-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.real_user.group.domain: - dashed_name: process-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword -process.session_leader.real_user.group.id: - dashed_name: process-session-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.real_user.group.name: - dashed_name: process-session-leader-real-user-group-name - description: Name of the group. - flat_name: process.session_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.real_user.hash: - dashed_name: process-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.real_user.id: - dashed_name: process-session-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.real_user.name: - dashed_name: process-session-leader-real-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.session_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword -process.session_leader.real_user.risk.calculated_level: - dashed_name: process-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.real_user.risk.calculated_score: - dashed_name: process-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. 
- example: 88.73 - flat_name: process.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.real_user.risk.static_level: - dashed_name: process-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.real_user.risk.static_score: - dashed_name: process-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.real_user.risk.static_score_norm: - dashed_name: process-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float -process.session_leader.real_user.roles: - dashed_name: process-session-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.same_as_process: - dashed_name: process-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same as - the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the process - event in question is the leader of its process group. Details under `process.*` - like `pid` would be the same under `process.group_leader.*` The same applies for - both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s not - possible to compare equality between two fields in a single document. e.g `process.entity_id` - = `process.group_leader.entity_id` (top level process is the process group leader) - OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is - the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the top - level process. 
- type: boolean -process.session_leader.saved_group.domain: - dashed_name: process-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.saved_group.id: - dashed_name: process-session-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.session_leader.saved_group.name: - dashed_name: process-session-leader-saved-group-name - description: Name of the group. - flat_name: process.session_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.saved_user.domain: - dashed_name: process-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.saved_user.email: - dashed_name: process-session-leader-saved-user-email - description: User email address. - flat_name: process.session_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword -process.session_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.session_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.saved_user.entity.id: - dashed_name: process-session-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.session_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. 
This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.session_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. 
- name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.session_leader.saved_user.full_name: - dashed_name: process-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.session_leader.saved_user.group.domain: - dashed_name: process-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.saved_user.group.id: - dashed_name: process-session-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword -process.session_leader.saved_user.group.name: - dashed_name: process-session-leader-saved-user-group-name - description: Name of the group. - flat_name: process.session_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.session_leader.saved_user.hash: - dashed_name: process-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.saved_user.id: - dashed_name: process-session-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword -process.session_leader.saved_user.name: - dashed_name: process-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword -process.session_leader.saved_user.risk.calculated_level: - dashed_name: process-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.session_leader.saved_user.risk.calculated_score: - dashed_name: process-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float -process.session_leader.saved_user.risk.static_level: - dashed_name: process-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.saved_user.risk.static_score: - dashed_name: process-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.saved_user.roles: - dashed_name: process-session-leader-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.saved_user.roles + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.entity_id ignore_above: 1024 level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword -process.session_leader.start: - dashed_name: process-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.start - level: extended - name: start + name: entity_id normalize: [] original_fieldset: process - short: The time the process started. - type: date -process.session_leader.supplemental_groups.domain: - dashed_name: process-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.supplemental_groups.domain + short: Unique identifier for the process. + type: keyword +process.session_leader.executable: + dashed_name: process-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.executable ignore_above: 1024 level: extended - name: domain + multi_fields: + - flat_name: process.session_leader.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + original_fieldset: process + short: Absolute path to the process executable. 
type: keyword -process.session_leader.supplemental_groups.id: - dashed_name: process-session-leader-supplemental-groups-id +process.session_leader.group.id: + dashed_name: process-session-leader-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.supplemental_groups.id + flat_name: process.session_leader.group.id ignore_above: 1024 level: extended name: id @@ -58454,10 +13535,10 @@ process.session_leader.supplemental_groups.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.supplemental_groups.name: - dashed_name: process-session-leader-supplemental-groups-name +process.session_leader.group.name: + dashed_name: process-session-leader-group-name description: Name of the group. - flat_name: process.session_leader.supplemental_groups.name + flat_name: process.session_leader.group.name ignore_above: 1024 level: extended name: name 
@@ -58465,465 +13546,262 @@ process.session_leader.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.thread.capabilities.effective: - dashed_name: process-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.thread.capabilities.effective +process.session_leader.interactive: + dashed_name: process-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If the + character device for the controlling tty is the same as stdin and stderr for the + process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is simply + one that does not have open file descriptors reading the controlling TTY on FD + 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process + is still considered interactive if stdin and stderr are connected to the controlling + TTY.' + example: true + flat_name: process.session_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean +process.session_leader.name: + dashed_name: process-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.session_leader.name ignore_above: 1024 level: extended - name: thread.capabilities.effective - normalize: - - array + multi_fields: + - flat_name: process.session_leader.name.text + name: text + type: match_only_text + name: name + normalize: [] original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. 
- synthetic_source_keep: none + short: Process name. type: keyword -process.session_leader.thread.capabilities.permitted: - dashed_name: process-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that the - thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.thread.capabilities.permitted +process.session_leader.parent.entity_id: + dashed_name: process-session-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.entity_id ignore_above: 1024 level: extended - name: thread.capabilities.permitted - normalize: - - array + name: entity_id + normalize: [] original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none + short: Unique identifier for the process. type: keyword -process.session_leader.thread.id: - dashed_name: process-session-leader-thread-id - description: Thread ID. +process.session_leader.parent.pid: + dashed_name: process-session-leader-parent-pid + description: Process id. example: 4242 - flat_name: process.session_leader.thread.id + flat_name: process.session_leader.parent.pid format: string - level: extended - name: thread.id + level: core + name: pid normalize: [] original_fieldset: process - short: Thread ID. + short: Process id. type: long -process.session_leader.thread.name: - dashed_name: process-session-leader-thread-name - description: Thread name. 
- example: thread-0 - flat_name: process.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword -process.session_leader.title: - dashed_name: process-session-leader-title - description: 'Process title. +process.session_leader.parent.session_leader.entity_id: + dashed_name: process-session-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. - The proctitle, some times the same as process name. Can also be different: for - example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.title + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate PID + reuse as well as to identify a specific process over time, across multiple monitored + hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.session_leader.entity_id ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.title.text - name: text - type: match_only_text - name: title + name: entity_id normalize: [] original_fieldset: process - short: Process title. + short: Unique identifier for the process. type: keyword -process.session_leader.tty: - dashed_name: process-session-leader-tty - description: Information about the controlling TTY device. If set, the process belongs - to an interactive session. - flat_name: process.session_leader.tty - level: extended - name: tty +process.session_leader.parent.session_leader.pid: + dashed_name: process-session-leader-parent-session-leader-pid + description: Process id. 
+ example: 4242 + flat_name: process.session_leader.parent.session_leader.pid + format: string + level: core + name: pid normalize: [] original_fieldset: process - short: Information about the controlling TTY device. - type: object -process.session_leader.tty.char_device.major: - dashed_name: process-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.session_leader.tty.char_device.major + short: Process id. + type: long +process.session_leader.parent.session_leader.start: + dashed_name: process-session-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.session_leader.start level: extended - name: tty.char_device.major + name: start normalize: [] original_fieldset: process - short: The TTY character device's major number. - type: long -process.session_leader.tty.char_device.minor: - dashed_name: process-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to the - driver. It is common for a driver to control several devices; the minor number - provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.session_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor + short: The time the process started. + type: date +process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. 
This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string + level: core + name: vpid normalize: [] original_fieldset: process - short: The TTY character device's minor number. + short: Virtual process id. type: long -process.session_leader.tty.columns: - dashed_name: process-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.tty.columns +process.session_leader.parent.start: + dashed_name: process-session-leader-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.start level: extended - name: tty.columns + name: start normalize: [] original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long -process.session_leader.tty.rows: - dashed_name: process-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height + short: The time the process started. + type: date +process.session_leader.parent.vpid: + dashed_name: process-session-leader-parent-vpid + description: 'Virtual process id. - Terminal sizes can change, so this value reflects the maximum value for a given - IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.tty.rows - level: extended - name: tty.rows + The process id within a pid namespace. This is not necessarily unique across all + processes on the host but it is unique within the process namespace that the process + exists within.' 
+ example: 4242 + flat_name: process.session_leader.parent.vpid + format: string + level: core + name: vpid normalize: [] original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height + short: Virtual process id. type: long -process.session_leader.uptime: - dashed_name: process-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.session_leader.uptime - level: extended - name: uptime +process.session_leader.pid: + dashed_name: process-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.pid + format: string + level: core + name: pid normalize: [] original_fieldset: process - short: Seconds the process has been up. + otel: + - relation: match + stability: development + short: Process id. type: long -process.session_leader.user.domain: - dashed_name: process-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.session_leader.user.email: - dashed_name: process-session-leader-user-email - description: User email address. - flat_name: process.session_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.session_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. 
Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.session_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.session_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: process.session_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.session_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.user.entity.display_name +process.session_leader.real_group.id: + dashed_name: process-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.session_leader.real_group.id ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.session_leader.user.entity.id: - dashed_name: process-session-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.session_leader.user.entity.id - ignore_above: 1024 - level: core name: id normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.session_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.session_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.session_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.session_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.session_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: process.session_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.session_leader.user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.session_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.session_leader.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.session_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.session_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.user.entity.sub_type +process.session_leader.real_group.name: + dashed_name: process-session-leader-real-group-name + description: Name of the group. + flat_name: process.session_leader.real_group.name ignore_above: 1024 level: extended - name: sub_type + name: name normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. + original_fieldset: group + short: Name of the group. type: keyword -process.session_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.user.entity.type +process.session_leader.real_user.id: + dashed_name: process-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.real_user.id ignore_above: 1024 level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. type: keyword -process.session_leader.user.full_name: - dashed_name: process-session-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.user.full_name +process.session_leader.real_user.name: + dashed_name: process-session-leader-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.session_leader.real_user.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.session_leader.user.full_name.text + - flat_name: process.session_leader.real_user.name.text name: text type: match_only_text - name: full_name + name: name normalize: [] original_fieldset: user - short: User's full name, if available. + short: Short name or login of the user. type: keyword -process.session_leader.user.group.domain: - dashed_name: process-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. +process.session_leader.same_as_process: + dashed_name: process-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same as + the top level process. - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.user.group.domain - ignore_above: 1024 + For example, if `process.group_leader.same_as_process = true`, it means the process + event in question is the leader of its process group. Details under `process.*` + like `pid` would be the same under `process.group_leader.*` The same applies for + both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s not + possible to compare equality between two fields in a single document. e.g `process.entity_id` + = `process.group_leader.entity_id` (top level process is the process group leader) + OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is + the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' 
+ example: true + flat_name: process.session_leader.same_as_process level: extended - name: domain + name: same_as_process normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.session_leader.user.group.id: - dashed_name: process-session-leader-user-group-id + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the top + level process. + type: boolean +process.session_leader.saved_group.id: + dashed_name: process-session-leader-saved-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.user.group.id + flat_name: process.session_leader.saved_group.id ignore_above: 1024 level: extended name: id @@ -58931,10 +13809,10 @@ process.session_leader.user.group.id: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.user.group.name: - dashed_name: process-session-leader-user-group-name +process.session_leader.saved_group.name: + dashed_name: process-session-leader-saved-group-name description: Name of the group. - flat_name: process.session_leader.user.group.name + flat_name: process.session_leader.saved_group.name ignore_above: 1024 level: extended name: name 
@@ -58942,26 +13820,11 @@ process.session_leader.user.group.name: original_fieldset: group short: Name of the group. type: keyword -process.session_leader.user.hash: - dashed_name: process-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword -process.session_leader.user.id: - dashed_name: process-session-leader-user-id +process.session_leader.saved_user.id: + dashed_name: process-session-leader-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.user.id + flat_name: process.session_leader.saved_user.id ignore_above: 1024 level: core name: id @@ -58969,15 +13832,15 @@ process.session_leader.user.id: original_fieldset: user short: Unique identifier of the user. type: keyword -process.session_leader.user.name: - dashed_name: process-session-leader-user-name +process.session_leader.saved_user.name: + dashed_name: process-session-leader-saved-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.user.name + flat_name: process.session_leader.saved_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.user.name.text + - flat_name: process.session_leader.saved_user.name.text name: text type: match_only_text name: name 
@@ -58985,99 +13848,105 @@ process.session_leader.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -process.session_leader.user.risk.calculated_level: - dashed_name: process-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.user.risk.calculated_level +process.session_leader.start: + dashed_name: process-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date +process.session_leader.supplemental_groups.id: + dashed_name: process-session-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.supplemental_groups.id ignore_above: 1024 level: extended - name: calculated_level + name: id normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword -process.session_leader.user.risk.calculated_score: - dashed_name: process-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.user.risk.calculated_score +process.session_leader.supplemental_groups.name: + dashed_name: process-session-leader-supplemental-groups-name + description: Name of the group. 
+ flat_name: process.session_leader.supplemental_groups.name + ignore_above: 1024 level: extended - name: calculated_score + name: name normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.session_leader.user.risk.calculated_score_norm: - dashed_name: process-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.session_leader.user.risk.calculated_score_norm + original_fieldset: group + short: Name of the group. + type: keyword +process.session_leader.tty: + dashed_name: process-session-leader-tty + description: Information about the controlling TTY device. If set, the process belongs + to an interactive session. + flat_name: process.session_leader.tty level: extended - name: calculated_score_norm + name: tty normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.session_leader.user.risk.static_level: - dashed_name: process-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.user.risk.static_level - ignore_above: 1024 + original_fieldset: process + short: Information about the controlling TTY device. + type: object +process.session_leader.tty.char_device.major: + dashed_name: process-session-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". 
+ For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.session_leader.tty.char_device.major level: extended - name: static_level + name: tty.char_device.major normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.session_leader.user.risk.static_score: - dashed_name: process-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.user.risk.static_score + original_fieldset: process + short: The TTY character device's major number. + type: long +process.session_leader.tty.char_device.minor: + dashed_name: process-session-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to the + driver. It is common for a driver to control several devices; the minor number + provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.session_leader.tty.char_device.minor level: extended - name: static_score + name: tty.char_device.minor normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.session_leader.user.risk.static_score_norm: - dashed_name: process-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm + original_fieldset: process + short: The TTY character device's minor number. + type: long +process.session_leader.user.id: + dashed_name: process-session-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.user.id + ignore_above: 1024 + level: core + name: id normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.session_leader.user.roles: - dashed_name: process-session-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.user.roles + original_fieldset: user + short: Unique identifier of the user. + type: keyword +process.session_leader.user.name: + dashed_name: process-session-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.user.name ignore_above: 1024 - level: extended - name: roles - normalize: - - array + level: core + multi_fields: + - flat_name: process.session_leader.user.name.text + name: text + type: match_only_text + name: name + normalize: [] original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none + short: Short name or login of the user. type: keyword process.session_leader.vpid: dashed_name: process-session-leader-vpid 
@@ -59121,19 +13990,6 @@ process.start: normalize: [] short: The time the process started. type: date -process.supplemental_groups.domain: - dashed_name: process-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword process.supplemental_groups.id: dashed_name: process-supplemental-groups-id description: Unique identifier for the group on the system/platform. 
@@ -59304,346 +14160,6 @@ process.uptime: stability: development short: Seconds the process has been up. type: long -process.user.domain: - dashed_name: process-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -process.user.email: - dashed_name: process-user-email - description: User email address. - flat_name: process.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -process.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: process.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -process.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. 
- flat_name: process.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -process.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -process.user.entity.id: - dashed_name: process-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: process.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -process.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. 
- dashed_name: process-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: process.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -process.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -process.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: process.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -process.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: process.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -process.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: process.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -process.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -process.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: process.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -process.user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -process.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. 
Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. 
- name: session - beta: This field is beta and subject to change. - dashed_name: process-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword -process.user.full_name: - dashed_name: process-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword -process.user.group.domain: - dashed_name: process-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword -process.user.group.id: - dashed_name: process-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword -process.user.group.name: - dashed_name: process-user-group-name - description: Name of the group. 
- flat_name: process.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword -process.user.hash: - dashed_name: process-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword process.user.id: dashed_name: process-user-id description: Unique identifier of the user. 
@@ -59678,100 +14194,6 @@ process.user.name: stability: development short: Short name or login of the user. type: keyword -process.user.risk.calculated_level: - dashed_name: process-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: process.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -process.user.risk.calculated_score: - dashed_name: process-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -process.user.risk.calculated_score_norm: - dashed_name: process-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: process.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -process.user.risk.static_level: - dashed_name: process-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -process.user.risk.static_score: - dashed_name: process-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -process.user.risk.static_score_norm: - dashed_name: process-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float -process.user.roles: - dashed_name: process-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.vpid: dashed_name: process-vpid description: 'Virtual process id. 
@@ -60409,283 +14831,33 @@ server.top_level_domain: flat_name: server.top_level_domain ignore_above: 1024 level: extended - name: top_level_domain - normalize: [] - short: The effective top level domain (com, org, net, co.uk). - type: keyword -server.user.domain: - dashed_name: server-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: server.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -server.user.email: - dashed_name: server-user-email - description: User email address. - flat_name: server.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -server.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: server.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -server.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. 
Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: server.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -server.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: server.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: server.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -server.user.entity.id: - dashed_name: server-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: server.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword -server.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: server.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -server.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: server.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -server.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: server.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -server.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. 
- flat_name: server.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: server.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -server.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: server.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -server.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: server.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -server.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: server.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -server.user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: server-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: server.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -server.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. 
Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. 
- name: session - beta: This field is beta and subject to change. - dashed_name: server-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: server.user.entity.type + name: top_level_domain + normalize: [] + short: The effective top level domain (com, org, net, co.uk). + type: keyword +server.user.domain: + dashed_name: server-user-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: server.user.domain ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +server.user.email: + dashed_name: server-user-email + description: User email address. + flat_name: server.user.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. type: keyword server.user.full_name: dashed_name: server-user-full-name 
@@ -60781,86 +14953,6 @@ server.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -server.user.risk.calculated_level: - dashed_name: server-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: server.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -server.user.risk.calculated_score: - dashed_name: server-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: server.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -server.user.risk.calculated_score_norm: - dashed_name: server-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: server.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -server.user.risk.static_level: - dashed_name: server-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: server.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -server.user.risk.static_score: - dashed_name: server-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: server.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -server.user.risk.static_score_norm: - dashed_name: server-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: server.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -60889,256 +14981,6 @@ service.address: normalize: [] short: Address of this service. type: keyword -service.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: service-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: service.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -service.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: service-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: service.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -service.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: service-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: service.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: service.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -service.entity.id: - dashed_name: service-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: service.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -service.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: service-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: service.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -service.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: service-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: service.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -service.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: service-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: service.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -service.entity.name: - beta: This field is beta and subject to change. - dashed_name: service-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: service.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: service.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -service.entity.raw: - beta: This field is beta and subject to change. - dashed_name: service-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: service.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -service.entity.reference: - beta: This field is beta and subject to change. - dashed_name: service-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: service.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -service.entity.source: - beta: This field is beta and subject to change. - dashed_name: service-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: service.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -service.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: service-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: service.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. 
- type: keyword -service.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: service-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: service.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword service.environment: beta: This field is beta and subject to change. dashed_name: service-environment 
@@ -61300,256 +15142,6 @@ service.origin.address: original_fieldset: service short: Address of this service. type: keyword -service.origin.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: service.origin.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -service.origin.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: service.origin.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -service.origin.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: service.origin.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: service.origin.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -service.origin.entity.id: - dashed_name: service-origin-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: service.origin.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -service.origin.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: service.origin.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -service.origin.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: service.origin.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -service.origin.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: service.origin.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -service.origin.entity.name: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: service.origin.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: service.origin.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -service.origin.entity.raw: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: service.origin.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -service.origin.entity.reference: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: service.origin.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -service.origin.entity.source: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: service.origin.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -service.origin.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: service.origin.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -service.origin.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: service.origin.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword service.origin.environment: beta: This field is beta and subject to change. dashed_name: service-origin-environment 
@@ -62588,256 +16180,6 @@ source.user.email: original_fieldset: user short: User email address. type: keyword -source.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: source.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -source.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: source.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -source.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: source.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: source.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -source.user.entity.id: - dashed_name: source-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: source.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -source.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: source.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -source.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: source.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -source.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: source.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -source.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: source.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: source.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -source.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: source.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -source.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: source.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -source.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: source.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -source.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: source.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -source.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: source-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: source.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword source.user.full_name: dashed_name: source-user-full-name description: User's full name, if available. 
@@ -62932,86 +16274,6 @@ source.user.name: original_fieldset: user short: Short name or login of the user. type: keyword -source.user.risk.calculated_level: - dashed_name: source-user-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: source.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -source.user.risk.calculated_score: - dashed_name: source-user-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: source.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -source.user.risk.calculated_score_norm: - dashed_name: source-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: source.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -source.user.risk.static_level: - dashed_name: source-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: source.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -source.user.risk.static_score: - dashed_name: source-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: source.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -source.user.risk.static_score_norm: - dashed_name: source-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: source.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
@@ -69951,348 +23213,98 @@ url.registered_domain: otel: - relation: match stability: development - short: The highest registered url domain, stripped of the subdomain. - type: keyword -url.scheme: - dashed_name: url-scheme - description: 'Scheme of the request, such as "https". - - Note: The `:` is not part of the scheme.' - example: https - flat_name: url.scheme - ignore_above: 1024 - level: extended - name: scheme - normalize: [] - otel: - - relation: match - stability: stable - short: Scheme of the url. - type: keyword -url.subdomain: - dashed_name: url-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: url.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - otel: - - relation: match - stability: development - short: The subdomain of the domain. - type: keyword -url.top_level_domain: - dashed_name: url-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (https://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: url.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - otel: - - relation: match - stability: development - short: The effective top level domain (com, org, net, co.uk). - type: keyword -url.username: - dashed_name: url-username - description: Username of the request. - flat_name: url.username - ignore_above: 1024 - level: extended - name: username - normalize: [] - short: Username of the request. - type: keyword -user.changes.domain: - dashed_name: user-changes-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: user.changes.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword -user.changes.email: - dashed_name: user-changes-email - description: User email address. - flat_name: user.changes.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword -user.changes.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: user.changes.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -user.changes.entity.behavior: - beta: This field is beta and subject to change. 
- dashed_name: user-changes-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: user.changes.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -user.changes.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: user.changes.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: user.changes.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -user.changes.entity.id: - dashed_name: user-changes-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. 
Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: user.changes.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -user.changes.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: user.changes.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -user.changes.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: user.changes.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -user.changes.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: user.changes.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -user.changes.entity.name: - beta: This field is beta and subject to change. 
- dashed_name: user-changes-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: user.changes.entity.name + short: The highest registered url domain, stripped of the subdomain. + type: keyword +url.scheme: + dashed_name: url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + flat_name: url.scheme ignore_above: 1024 - level: core - multi_fields: - - flat_name: user.changes.entity.name.text - name: text - norms: false - type: text - name: name + level: extended + name: scheme normalize: [] - original_fieldset: entity - short: The name of the entity. + otel: + - relation: match + stability: stable + short: Scheme of the url. type: keyword -user.changes.entity.raw: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: user.changes.entity.raw +url.subdomain: + dashed_name: url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: url.subdomain + ignore_above: 1024 level: extended - name: raw + name: subdomain normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -user.changes.entity.reference: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: user.changes.entity.reference + otel: + - relation: match + stability: development + short: The subdomain of the domain. + type: keyword +url.top_level_domain: + dashed_name: url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (https://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: url.top_level_domain ignore_above: 1024 level: extended - name: reference + name: top_level_domain normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. + otel: + - relation: match + stability: development + short: The effective top level domain (com, org, net, co.uk). type: keyword -user.changes.entity.source: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-source - description: The module or integration that provided this entity data (similar to - event.module). 
- flat_name: user.changes.entity.source +url.username: + dashed_name: url-username + description: Username of the request. + flat_name: url.username ignore_above: 1024 - level: core - name: source + level: extended + name: username normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. + short: Username of the request. type: keyword -user.changes.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: user.changes.entity.sub_type +user.changes.domain: + dashed_name: user-changes-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.changes.domain ignore_above: 1024 level: extended - name: sub_type + name: domain normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. + original_fieldset: user + short: Name of the directory the user is a member of. type: keyword -user.changes.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. 
This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: user.changes.entity.type +user.changes.email: + dashed_name: user-changes-email + description: User email address. + flat_name: user.changes.email ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. type: keyword user.changes.full_name: dashed_name: user-changes-full-name 
@@ -70388,86 +23400,6 @@ user.changes.name: original_fieldset: user short: Short name or login of the user. type: keyword -user.changes.risk.calculated_level: - dashed_name: user-changes-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: user.changes.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -user.changes.risk.calculated_score: - dashed_name: user-changes-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.changes.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -user.changes.risk.calculated_score_norm: - dashed_name: user-changes-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: user.changes.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -user.changes.risk.static_level: - dashed_name: user-changes-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.changes.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -user.changes.risk.static_score: - dashed_name: user-changes-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.changes.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -user.changes.risk.static_score_norm: - dashed_name: user-changes-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.changes.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -70518,256 +23450,6 @@ user.effective.email: original_fieldset: user short: User email address. type: keyword -user.effective.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: user.effective.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -user.effective.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: user.effective.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -user.effective.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: user.effective.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: user.effective.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -user.effective.entity.id: - dashed_name: user-effective-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: user.effective.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -user.effective.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: user.effective.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -user.effective.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: user.effective.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -user.effective.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: user.effective.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -user.effective.entity.name: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: user.effective.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: user.effective.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -user.effective.entity.raw: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. 
- flat_name: user.effective.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object -user.effective.entity.reference: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: user.effective.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -user.effective.entity.source: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: user.effective.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -user.effective.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: user.effective.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -user.effective.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: user.effective.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword user.effective.full_name: dashed_name: user-effective-full-name description: User's full name, if available. 
@@ -70862,86 +23544,6 @@ user.effective.name: original_fieldset: user short: Short name or login of the user. type: keyword -user.effective.risk.calculated_level: - dashed_name: user-effective-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: user.effective.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -user.effective.risk.calculated_score: - dashed_name: user-effective-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.effective.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -user.effective.risk.calculated_score_norm: - dashed_name: user-effective-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: user.effective.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -user.effective.risk.static_level: - dashed_name: user-effective-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.effective.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -user.effective.risk.static_score: - dashed_name: user-effective-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.effective.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -user.effective.risk.static_score_norm: - dashed_name: user-effective-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.effective.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -70969,256 +23571,6 @@ user.email: stability: development short: User email address. type: keyword -user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually boolean - or keyword field data types. Use this field set when you need to track static - or semi-static characteristics of an entity for advanced searching and correlation - of normalized values across different providers/sources and entity types. - flat_name: user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object -user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. Usually boolean field data type. Use - this field set when you need to capture and track ephemeral characteristics of - an entity for advanced searching, correlation of normalized values across different - providers/sources and entity types. - flat_name: user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed behaviors - during a specific time period. - type: object -user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric operations. - type: keyword -user.entity.id: - dashed_name: user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers exist, - this should be the most stable and commonly used identifier that: 1) persists - across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is - commonly used for queries and correlation, and 4) is readily available in most - observations (logs/events). For entities with dedicated field sets (e.g., host, - user), this value should match the corresponding *.id field. Alternative identifiers - (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' - flat_name: user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword -user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually based - upon the last event/log that is initiated by this entity. - flat_name: user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date -user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object -user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These use - dynamic field data type mapping. - flat_name: user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object -user.entity.name: - beta: This field is beta and subject to change. - dashed_name: user-entity-name - description: The name of the entity. The keyword field enables exact matches for - filtering and aggregations, while the text field enables full-text search. For - entities with dedicated field sets (e.g., `host`), this field should mirrors the - corresponding *.name value. - flat_name: user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword -user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized fields - requiring advanced queries, this field preserves all source metadata with basic - search capabilities. - flat_name: user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object -user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword -user.entity.source: - beta: This field is beta and subject to change. - dashed_name: user-entity-source - description: The module or integration that provided this entity data (similar to - event.module). - flat_name: user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword -user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: user-entity-sub-type - description: 'The specific type designation for the entity as defined by its provider - or system. This field provides more granular classification than the type field. - Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` , - `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider or - system. - type: keyword -user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for object - storage. 
Common examples include AWS S3 buckets, Google Cloud Storage buckets, - Azure Blob containers, and other cloud storage services. Buckets are used to - organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes message - brokers, event queues, and other messaging infrastructure components such as - Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate - asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical servers, - virtual machines, cloud instances, and other computing resources that can run - applications or services. Hosts provide the fundamental computing infrastructure - for other entity types. - name: host - - description: Represents a user account or identity. 
This includes human users, - service accounts, system accounts, and other identity entities that can interact - with systems, applications, or services. Users may have various roles, permissions, - and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web applications, - mobile applications, desktop applications, and other software components that - provide functionality to users or other systems. Applications may run on various - infrastructure components and can span multiple hosts or containers. - name: application - - description: Represents a service or microservice component. This includes web - services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate with - other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes user - login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword user.full_name: dashed_name: user-full-name description: User's full name, if available. 
@@ -71785,86 +24137,6 @@ user.target.name: original_fieldset: user short: Short name or login of the user. type: keyword -user.target.risk.calculated_level: - dashed_name: user-target-risk-calculated-level - description: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - example: High - flat_name: user.target.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part of entity - analytics and entity risk scoring. - type: keyword -user.target.risk.calculated_score: - dashed_name: user-target-risk-calculated-score - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.target.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring. - type: float -user.target.risk.calculated_score_norm: - dashed_name: user-target-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of 0 to - 100. - example: 88.73 - flat_name: user.target.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float -user.target.risk.static_level: - dashed_name: user-target-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.target.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: keyword -user.target.risk.static_score: - dashed_name: user-target-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.target.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform. - type: float -user.target.risk.static_score_norm: - dashed_name: user-target-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.target.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 5167c628ba..749922c0a1 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -641,261 +641,6 @@ client: original_fieldset: user short: User email address. type: keyword - client.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: client.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - client.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: client.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - client.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: client.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: client.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - client.user.entity.id: - dashed_name: client-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: client.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - client.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: client.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - client.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: client.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - client.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: client.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - client.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: client.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: client.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - client.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: client.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - client.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: client.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - client.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: client.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - client.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: client-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: client.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - client.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: client-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: client.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword client.user.full_name: dashed_name: client-user-full-name description: User's full name, if available. 
@@ -990,86 +735,6 @@ client: original_fieldset: user short: Short name or login of the user. type: keyword - client.user.risk.calculated_level: - dashed_name: client-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: client.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - client.user.risk.calculated_score: - dashed_name: client-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: client.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - client.user.risk.calculated_score_norm: - dashed_name: client-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: client.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - client.user.risk.static_level: - dashed_name: client-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: client.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - client.user.risk.static_score: - dashed_name: client-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: client.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - client.user.risk.static_score_norm: - dashed_name: client-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: client.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float client.user.roles: dashed_name: client-user-roles description: Array of user roles at the time of the event. 
@@ -1153,261 +818,6 @@ cloud: stability: development short: Availability zone in which this host, resource, or service is located. type: keyword - cloud.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: cloud.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - cloud.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: cloud.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - cloud.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: cloud.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: cloud.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - cloud.entity.id: - dashed_name: cloud-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: cloud.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - cloud.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: cloud.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - cloud.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: cloud.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - cloud.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: cloud.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - cloud.entity.name: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: cloud.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: cloud.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - cloud.entity.raw: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: cloud.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object - cloud.entity.reference: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: cloud.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - cloud.entity.source: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: cloud.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - cloud.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: cloud-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: cloud.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - cloud.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. 
Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. 
This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: cloud-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: cloud.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword cloud.instance.id: dashed_name: cloud-instance-id description: Instance ID of the host machine. 
@@ -1482,269 +892,14 @@ cloud: original_fieldset: cloud short: Availability zone in which this host, resource, or service is located. type: keyword - cloud.origin.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: cloud.origin.entity.attributes + cloud.origin.instance.id: + dashed_name: cloud-origin-instance-id + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + flat_name: cloud.origin.instance.id + ignore_above: 1024 level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - cloud.origin.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: cloud.origin.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - cloud.origin.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: cloud-origin-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: cloud.origin.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: cloud.origin.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - cloud.origin.entity.id: - dashed_name: cloud-origin-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: cloud.origin.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - cloud.origin.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: cloud.origin.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date - cloud.origin.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: cloud.origin.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - cloud.origin.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: cloud.origin.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - cloud.origin.entity.name: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: cloud.origin.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: cloud.origin.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - cloud.origin.entity.raw: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: cloud.origin.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - cloud.origin.entity.reference: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: cloud.origin.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - cloud.origin.entity.source: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: cloud.origin.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - cloud.origin.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: cloud.origin.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - cloud.origin.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: cloud-origin-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: cloud.origin.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - cloud.origin.instance.id: - dashed_name: cloud-origin-instance-id - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - flat_name: cloud.origin.instance.id - ignore_above: 1024 - level: extended - name: instance.id + name: instance.id normalize: [] original_fieldset: cloud short: Instance ID of the host machine. 
@@ -3168,261 +2323,6 @@ destination: original_fieldset: user short: User email address. type: keyword - destination.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: destination.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - destination.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: destination.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - destination.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: destination.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: destination.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - destination.user.entity.id: - dashed_name: destination-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: destination.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - destination.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: destination.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - destination.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: destination.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - destination.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: destination.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - destination.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: destination.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: destination.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - destination.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: destination.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - destination.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: destination.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - destination.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: destination.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - destination.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: destination.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - destination.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: destination-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: destination.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword destination.user.full_name: dashed_name: destination-user-full-name description: User's full name, if available. 
@@ -3517,86 +2417,6 @@ destination: original_fieldset: user short: Short name or login of the user. type: keyword - destination.user.risk.calculated_level: - dashed_name: destination-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: destination.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - destination.user.risk.calculated_score: - dashed_name: destination-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: destination.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - destination.user.risk.calculated_score_norm: - dashed_name: destination-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: destination.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - destination.user.risk.static_level: - dashed_name: destination-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: destination.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - destination.user.risk.static_score: - dashed_name: destination-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: destination.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - destination.user.risk.static_score_norm: - dashed_name: destination-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: destination.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float destination.user.roles: dashed_name: destination-user-roles description: Array of user roles at the time of the event. 
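Review bot: This hunk deletes the entire `destination.user.risk.*` block (`calculated_level`, `calculated_score`, `calculated_score_norm`, `static_level`, `static_score`, `static_score_norm`) with nothing on the new side replacing it, and the same unexplained removal recurs in the hunks at `@@ -5511,279 +4331,6 @@ email:` (the whole top-level `entity` fieldset including its `reusable.expected` entries at host, user, cloud and service), `@@ -12845,508 +11392,6 @@ process:` (`process.attested_user.*`), and `@@ -13971,17 +12016,6 @@` / `@@ -14032,30 +12066,6 @@` (`process.endpoint_security_client`, `process.entry_leader.attested_groups.domain` and `.id`). The keys present (`dashed_name`, `flat_name`, `original_fieldset`) indicate a generated ECS artifact, so these deletions look like the generator was run from a base that predates those fieldsets rather than an intended schema change; if so, rebase onto current main and regenerate so the diff carries only the intended additions. Dropping the entity and risk-score fields from the published schema would silently break entity-analytics and risk-scoring mappings that detection content depends on, so this should not merge in its current form. The hunk beginning at `@@ -14067,318 +12077,387 @@` runs past the end of this view and is not covered by this note.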
@@ -5511,279 +4331,6 @@ email: short: Describes an email transaction. title: Email type: group -entity: - description: The entity fields provide a standardized way to represent and categorize - different types of components within an IT environment, including those that don't - have dedicated field sets in ECS. An entity represents a discrete, identifiable - component that can be described by a set of attributes and maintains its identity - over time. - fields: - entity.attributes: - beta: This field is beta and subject to change. - dashed_name: entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: entity.attributes - level: extended - name: attributes - normalize: [] - short: A set of static or semi-static attributes of the entity. - type: object - entity.behavior: - beta: This field is beta and subject to change. - dashed_name: entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: entity.behavior - level: extended - name: behavior - normalize: [] - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - entity.display_name: - beta: This field is beta and subject to change. - dashed_name: entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - entity.id: - dashed_name: entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - short: Unique identifier for the entity. - type: keyword - entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - short: Indicates the date/time when this entity was last "seen." - type: date - entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: entity.lifecycle - level: extended - name: lifecycle - normalize: [] - short: A set of temporal characteristics of the entity. - type: object - entity.metrics: - beta: This field is beta and subject to change. - dashed_name: entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: entity.metrics - level: extended - name: metrics - normalize: [] - short: Field set for any fields containing numeric entity metrics. - type: object - entity.name: - beta: This field is beta and subject to change. - dashed_name: entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - short: The name of the entity. - type: keyword - entity.raw: - beta: This field is beta and subject to change. - dashed_name: entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: entity.raw - level: extended - name: raw - normalize: [] - short: Original, unmodified fields from the source system. - type: object - entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - entity.source: - beta: This field is beta and subject to change. - dashed_name: entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - short: Source module or integration that provided the entity data. - type: keyword - entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - short: Standardized high-level classification of the entity. - type: keyword - group: 2 - name: entity - prefix: entity. - reusable: - expected: - - as: entity - at: host - full: host.entity - - as: entity - at: user - full: user.target.entity - short_override: Entity information for the targeted user. - - as: entity - at: cloud - full: cloud.target.entity - short_override: Entity information for the target cloud entity. - - as: entity - at: service - full: service.target.entity - short_override: Entity information for the target service. - top_level: true - short: Fields to describe various types of entities across IT environments. 
- title: Entity - type: group error: description: 'These fields can represent errors of any kind. 
@@ -12845,508 +11392,6 @@ process: stability: development short: Length of the process.args array. type: long - process.attested_groups.domain: - dashed_name: process-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.attested_groups.id: - dashed_name: process-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.attested_groups.name: - dashed_name: process-attested-groups-name - description: Name of the group. - flat_name: process.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.attested_user.domain: - dashed_name: process-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.attested_user.email: - dashed_name: process-attested-user-email - description: User email address. - flat_name: process.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.attested_user.entity.attributes: - beta: This field is beta and subject to change. 
- dashed_name: process-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.attested_user.entity.id: - dashed_name: process-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. 
Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.attested_user.full_name: - dashed_name: process-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.attested_user.group.domain: - dashed_name: process-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.attested_user.group.id: - dashed_name: process-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.attested_user.group.name: - dashed_name: process-attested-user-group-name - description: Name of the group. - flat_name: process.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.attested_user.hash: - dashed_name: process-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.attested_user.id: - dashed_name: process-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.attested_user.name: - dashed_name: process-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.attested_user.risk.calculated_level: - dashed_name: process-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.attested_user.risk.calculated_score: - dashed_name: process-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.attested_user.risk.calculated_score_norm: - dashed_name: process-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.attested_user.risk.static_level: - dashed_name: process-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.attested_user.risk.static_score: - dashed_name: process-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.attested_user.risk.static_score_norm: - dashed_name: process-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.attested_user.roles: - dashed_name: process-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.code_signature.digest_algorithm: dashed_name: process-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. 
@@ -13971,17 +12016,6 @@ process: normalize: [] short: The time the process ended. type: date - process.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. @@ -14032,30 +12066,6 @@ process: original_fieldset: process short: Length of the process.args array. type: long - process.entry_leader.attested_groups.domain: - dashed_name: process-entry-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.attested_groups.id: - dashed_name: process-entry-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword process.entry_leader.attested_groups.name: dashed_name: process-entry-leader-attested-groups-name description: Name of the group. 
@@ -14067,318 +12077,387 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.entry_leader.attested_user.domain: - dashed_name: process-entry-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.attested_user.domain + process.entry_leader.attested_user.id: + dashed_name: process-entry-leader-attested-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.attested_user.id ignore_above: 1024 - level: extended - name: domain + level: core + name: id normalize: [] original_fieldset: user - short: Name of the directory the user is a member of. + short: Unique identifier of the user. type: keyword - process.entry_leader.attested_user.email: - dashed_name: process-entry-leader-attested-user-email - description: User email address. - flat_name: process.entry_leader.attested_user.email + process.entry_leader.attested_user.name: + dashed_name: process-entry-leader-attested-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.attested_user.name ignore_above: 1024 - level: extended - name: email + level: core + multi_fields: + - flat_name: process.entry_leader.attested_user.name.text + name: text + type: match_only_text + name: name normalize: [] original_fieldset: user - short: User email address. + short: Short name or login of the user. type: keyword - process.entry_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.attested_user.entity.display_name - ignore_above: 1024 + process.entry_leader.command_line: + dashed_name: process-entry-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. 
+ + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.entry_leader.command_line level: extended multi_fields: - - flat_name: process.entry_leader.attested_user.entity.display_name.text + - flat_name: process.entry_leader.command_line.text name: text - norms: false - type: text - name: display_name + type: match_only_text + name: command_line normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.attested_user.entity.id: - dashed_name: process-entry-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.entry_leader.entity_id: + dashed_name: process-entry-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + flat_name: process.entry_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. + original_fieldset: process + short: Unique identifier for the process. type: keyword - process.entry_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.attested_user.entity.last_seen_timestamp + process.entry_leader.entry_meta.source.ip: + dashed_name: process-entry-leader-entry-meta-source-ip + description: IP address of the source (IPv4 or IPv6). + flat_name: process.entry_leader.entry_meta.source.ip + level: core + name: ip + normalize: [] + original_fieldset: source + short: IP address of the source. + type: ip + process.entry_leader.entry_meta.type: + dashed_name: process-entry-leader-entry-meta-type + description: 'The entry type for the entry session leader. Values include: init(e.g + systemd), sshd, ssm, kubelet, teleport, terminal, console + + Note: This field is only set on process.session_leader.' + flat_name: process.entry_leader.entry_meta.type + ignore_above: 1024 level: extended - name: last_seen_timestamp + name: entry_meta.type normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.attested_user.entity.lifecycle + original_fieldset: process + short: The entry type for the entry session leader. + type: keyword + process.entry_leader.executable: + dashed_name: process-entry-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.entry_leader.executable + ignore_above: 1024 level: extended - name: lifecycle + multi_fields: + - flat_name: process.entry_leader.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.attested_user.entity.metrics + original_fieldset: process + short: Absolute path to the process executable. + type: keyword + process.entry_leader.group.id: + dashed_name: process-entry-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.group.id + ignore_above: 1024 level: extended - name: metrics + name: id normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-name - description: The name of the entity. 
The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.attested_user.entity.name + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.entry_leader.group.name: + dashed_name: process-entry-leader-group-name + description: Name of the group. + flat_name: process.entry_leader.group.name ignore_above: 1024 - level: core + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.interactive: + dashed_name: process-entry-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.entry_leader.interactive + level: extended + name: interactive + normalize: [] + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.entry_leader.name: + dashed_name: process-entry-leader-name + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh + flat_name: process.entry_leader.name + ignore_above: 1024 + level: extended multi_fields: - - flat_name: process.entry_leader.attested_user.entity.name.text + - flat_name: process.entry_leader.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] - original_fieldset: entity - short: The name of the entity. + original_fieldset: process + short: Process name. type: keyword - process.entry_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.attested_user.entity.raw + process.entry_leader.parent.entity_id: + dashed_name: process-entry-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.entity_id + ignore_above: 1024 level: extended - name: raw + name: entity_id normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.attested_user.entity.reference + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.entry_leader.parent.pid: + dashed_name: process-entry-leader-parent-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.entry_leader.parent.session_leader.entity_id: + dashed_name: process-entry-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.entry_leader.parent.session_leader.entity_id ignore_above: 1024 level: extended - name: reference + name: entity_id normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. + original_fieldset: process + short: Unique identifier for the process. type: keyword - process.entry_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). 
- flat_name: process.entry_leader.attested_user.entity.source - ignore_above: 1024 + process.entry_leader.parent.session_leader.pid: + dashed_name: process-entry-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.parent.session_leader.pid + format: string level: core - name: source + name: pid normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. + original_fieldset: process + short: Process id. + type: long + process.entry_leader.parent.session_leader.start: + dashed_name: process-entry-leader-parent-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.session_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.entry_leader.parent.session_leader.vpid: + dashed_name: process-entry-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.session_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.entry_leader.parent.start: + dashed_name: process-entry-leader-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.parent.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.entry_leader.parent.vpid: + dashed_name: process-entry-leader-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. 
This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.entry_leader.pid: + dashed_name: process-entry-leader-pid + description: Process id. + example: 4242 + flat_name: process.entry_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.entry_leader.real_group.id: + dashed_name: process-entry-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.real_group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.attested_user.entity.sub_type + process.entry_leader.real_group.name: + dashed_name: process-entry-leader-real-group-name + description: Name of the group. 
+ flat_name: process.entry_leader.real_group.name ignore_above: 1024 level: extended - name: sub_type + name: name normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. + original_fieldset: group + short: Name of the group. type: keyword - process.entry_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.attested_user.entity.type + process.entry_leader.real_user.id: + dashed_name: process-entry-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.real_user.id ignore_above: 1024 level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.entry_leader.attested_user.full_name: - dashed_name: process-entry-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.attested_user.full_name + process.entry_leader.real_user.name: + dashed_name: process-entry-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.entry_leader.real_user.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.entry_leader.attested_user.full_name.text + - flat_name: process.entry_leader.real_user.name.text name: text type: match_only_text - name: full_name + name: name normalize: [] original_fieldset: user - short: User's full name, if available. + short: Short name or login of the user. type: keyword - process.entry_leader.attested_user.group.domain: - dashed_name: process-entry-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. + process.entry_leader.same_as_process: + dashed_name: process-entry-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.attested_user.group.domain - ignore_above: 1024 + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.entry_leader.same_as_process level: extended - name: domain + name: same_as_process normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.attested_user.group.id: - dashed_name: process-entry-leader-attested-user-group-id + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.entry_leader.saved_group.id: + dashed_name: process-entry-leader-saved-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.attested_user.group.id + flat_name: process.entry_leader.saved_group.id ignore_above: 1024 level: extended name: id 
@@ -14386,10 +12465,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.attested_user.group.name: - dashed_name: process-entry-leader-attested-user-group-name + process.entry_leader.saved_group.name: + dashed_name: process-entry-leader-saved-group-name description: Name of the group. - flat_name: process.entry_leader.attested_user.group.name + flat_name: process.entry_leader.saved_group.name ignore_above: 1024 level: extended name: name @@ -14397,26 +12476,11 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.entry_leader.attested_user.hash: - dashed_name: process-entry-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.attested_user.id: - dashed_name: process-entry-leader-attested-user-id + process.entry_leader.saved_user.id: + dashed_name: process-entry-leader-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.attested_user.id + flat_name: process.entry_leader.saved_user.id ignore_above: 1024 level: core name: id 
@@ -14424,15 +12488,15 @@ process: original_fieldset: user short: Unique identifier of the user. type: keyword - process.entry_leader.attested_user.name: - dashed_name: process-entry-leader-attested-user-name + process.entry_leader.saved_user.name: + dashed_name: process-entry-leader-saved-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.entry_leader.attested_user.name + flat_name: process.entry_leader.saved_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.entry_leader.attested_user.name.text + - flat_name: process.entry_leader.saved_user.name.text name: text type: match_only_text name: name 
@@ -14440,262 +12504,250 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.entry_leader.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.attested_user.risk.calculated_level + process.entry_leader.start: + dashed_name: process-entry-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.entry_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.entry_leader.supplemental_groups.id: + dashed_name: process-entry-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.entry_leader.supplemental_groups.id ignore_above: 1024 level: extended - name: calculated_level + name: id normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.attested_user.risk.calculated_score + process.entry_leader.supplemental_groups.name: + dashed_name: process-entry-leader-supplemental-groups-name + description: Name of the group. 
+ flat_name: process.entry_leader.supplemental_groups.name + ignore_above: 1024 level: extended - name: calculated_score + name: name normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.attested_user.risk.static_level: - dashed_name: process-entry-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.attested_user.risk.static_level - ignore_above: 1024 + original_fieldset: group + short: Name of the group. + type: keyword + process.entry_leader.tty: + dashed_name: process-entry-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.entry_leader.tty level: extended - name: static_level + name: tty normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: keyword - process.entry_leader.attested_user.risk.static_score: - dashed_name: process-entry-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.attested_user.risk.static_score + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.entry_leader.tty.char_device.major: + dashed_name: process-entry-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.entry_leader.tty.char_device.major level: extended - name: static_score + name: tty.char_device.major normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.attested_user.risk.static_score_norm + original_fieldset: process + short: The TTY character device's major number. + type: long + process.entry_leader.tty.char_device.minor: + dashed_name: process-entry-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. 
It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.entry_leader.tty.char_device.minor level: extended - name: static_score_norm + name: tty.char_device.minor normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.attested_user.roles: - dashed_name: process-entry-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.attested_user.roles + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.entry_leader.user.id: + dashed_name: process-entry-leader-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.entry_leader.user.id ignore_above: 1024 - level: extended - name: roles - normalize: - - array + level: core + name: id + normalize: [] original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none + short: Unique identifier of the user. type: keyword - process.entry_leader.code_signature.digest_algorithm: - dashed_name: process-entry-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.code_signature.digest_algorithm + process.entry_leader.user.name: + dashed_name: process-entry-leader-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.entry_leader.user.name ignore_above: 1024 - level: extended - name: digest_algorithm + level: core + multi_fields: + - flat_name: process.entry_leader.user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. + original_fieldset: user + short: Short name or login of the user. type: keyword - process.entry_leader.code_signature.exists: - dashed_name: process-entry-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.entry_leader.code_signature.exists + process.entry_leader.vpid: + dashed_name: process-entry-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.entry_leader.vpid + format: string level: core - name: exists + name: vpid normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.entry_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.entry_leader.code_signature.flags + original_fieldset: process + short: Virtual process id. + type: long + process.entry_leader.working_directory: + dashed_name: process-entry-leader-working-directory + description: The working directory of the process. 
+ example: /home/alice + flat_name: process.entry_leader.working_directory ignore_above: 1024 level: extended - name: flags + multi_fields: + - flat_name: process.entry_leader.working_directory.text + name: text + type: match_only_text + name: working_directory normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process + original_fieldset: process + short: The working directory of the process. type: keyword - process.entry_leader.code_signature.signing_id: - dashed_name: process-entry-leader-code-signature-signing-id - description: 'The identifier used to sign the process. + process.env_vars: + dashed_name: process-env-vars + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.code_signature.signing_id + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' + flat_name: process.env_vars ignore_above: 1024 level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + name: env_vars + normalize: + - array + short: Array of environment variable bindings. + synthetic_source_keep: none type: keyword - process.entry_leader.code_signature.status: - dashed_name: process-entry-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.code_signature.status + process.executable: + dashed_name: process-executable + description: Absolute path to the process executable. 
+ example: /usr/bin/ssh + flat_name: process.executable ignore_above: 1024 level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.entry_leader.code_signature.subject_name: - dashed_name: process-entry-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name + multi_fields: + - flat_name: process.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer + otel: + - attribute: process.executable.path + relation: equivalent + stability: development + short: Absolute path to the process executable. type: keyword - process.entry_leader.code_signature.team_id: - dashed_name: process-entry-leader-code-signature-team-id - description: 'The team identifier used to sign the process. + process.exit_code: + dashed_name: process-exit-code + description: 'The exit code of the process, if this is a termination event. - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.entry_leader.code_signature.team_id - ignore_above: 1024 + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + flat_name: process.exit_code level: extended - name: team_id + name: exit_code normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.entry_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.code_signature.thumbprint_sha256 - ignore_above: 64 + short: The exit code of the process. + type: long + process.group.id: + dashed_name: process-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group.id + ignore_above: 1024 level: extended - name: thumbprint_sha256 + name: id normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.code_signature.timestamp: - dashed_name: process-entry-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.code_signature.timestamp + process.group.name: + dashed_name: process-group-name + description: Name of the group. + flat_name: process.group.name + ignore_above: 1024 level: extended - name: timestamp + name: name normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.entry_leader.code_signature.trusted: - dashed_name: process-entry-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. + original_fieldset: group + short: Name of the group. + type: keyword + process.group_leader.args: + dashed_name: process-group-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.entry_leader.code_signature.trusted + May be filtered to protect sensitive information.' 
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.group_leader.args + ignore_above: 1024 level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.entry_leader.code_signature.valid: - dashed_name: process-entry-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. + type: keyword + process.group_leader.args_count: + dashed_name: process-group-leader-args-count + description: 'Length of the process.args array. - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.entry_leader.code_signature.valid + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.group_leader.args_count level: extended - name: valid + name: args_count normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.entry_leader.command_line: - dashed_name: process-entry-leader-command-line + original_fieldset: process + short: Length of the process.args array. + type: long + process.group_leader.command_line: + dashed_name: process-group-leader-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' 
example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.command_line + flat_name: process.group_leader.command_line level: extended multi_fields: - - flat_name: process.entry_leader.command_line.text + - flat_name: process.group_leader.command_line.text name: text type: match_only_text name: command_line 
@@ -14703,1016 +12755,464 @@ process: original_fieldset: process short: Full command line that started the process. type: wildcard - process.entry_leader.elf.architecture: - dashed_name: process-entry-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.entry_leader.elf.architecture + process.group_leader.entity_id: + dashed_name: process-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.group_leader.entity_id ignore_above: 1024 level: extended - name: architecture + name: entity_id normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: process + short: Unique identifier for the process. type: keyword - process.entry_leader.elf.byte_order: - dashed_name: process-entry-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.entry_leader.elf.byte_order + process.group_leader.executable: + dashed_name: process-group-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.group_leader.executable ignore_above: 1024 level: extended - name: byte_order + multi_fields: + - flat_name: process.group_leader.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + original_fieldset: process + short: Absolute path to the process executable. 
type: keyword - process.entry_leader.elf.cpu_type: - dashed_name: process-entry-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.entry_leader.elf.cpu_type + process.group_leader.group.id: + dashed_name: process-group-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.group.id ignore_above: 1024 level: extended - name: cpu_type + name: id normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.elf.creation_date: - dashed_name: process-entry-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.entry_leader.elf.exports: - dashed_name: process-entry-leader-elf-exports - description: List of exported element names and types. - flat_name: process.entry_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.entry_leader.elf.go_import_hash: - dashed_name: process-entry-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.elf.go_import_hash + process.group_leader.group.name: + dashed_name: process-group-leader-group-name + description: Name of the group. + flat_name: process.group_leader.group.name ignore_above: 1024 level: extended - name: go_import_hash + name: name normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. + original_fieldset: group + short: Name of the group. type: keyword - process.entry_leader.elf.go_imports: - dashed_name: process-entry-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.entry_leader.elf.go_stripped: - dashed_name: process-entry-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.elf.go_stripped + process.group_leader.interactive: + dashed_name: process-group-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.group_leader.interactive level: extended - name: go_stripped + name: interactive normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. + original_fieldset: process + short: Whether the process is connected to an interactive shell. type: boolean - process.entry_leader.elf.header.abi_version: - dashed_name: process-entry-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.entry_leader.elf.header.class: - dashed_name: process-entry-leader-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.entry_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.entry_leader.elf.header.data: - dashed_name: process-entry-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.entry_leader.elf.header.data + process.group_leader.name: + dashed_name: process-group-leader-name + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + flat_name: process.group_leader.name ignore_above: 1024 level: extended - name: header.data + multi_fields: + - flat_name: process.group_leader.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + original_fieldset: process + short: Process name. type: keyword - process.entry_leader.elf.header.entrypoint: - dashed_name: process-entry-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.elf.header.entrypoint + process.group_leader.pid: + dashed_name: process-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.group_leader.pid format: string - level: extended - name: header.entrypoint + level: core + name: pid normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. + original_fieldset: process + otel: + - relation: match + stability: development + short: Process id. type: long - process.entry_leader.elf.header.object_version: - dashed_name: process-entry-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.elf.header.object_version + process.group_leader.real_group.id: + dashed_name: process-group-leader-real-group-id + description: Unique identifier for the group on the system/platform. 
+ flat_name: process.group_leader.real_group.id ignore_above: 1024 level: extended - name: header.object_version + name: id normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.elf.header.os_abi: - dashed_name: process-entry-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.elf.header.os_abi + process.group_leader.real_group.name: + dashed_name: process-group-leader-real-group-name + description: Name of the group. + flat_name: process.group_leader.real_group.name ignore_above: 1024 level: extended - name: header.os_abi + name: name normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. + original_fieldset: group + short: Name of the group. type: keyword - process.entry_leader.elf.header.type: - dashed_name: process-entry-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.entry_leader.elf.header.type + process.group_leader.real_user.id: + dashed_name: process-group-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.real_user.id ignore_above: 1024 - level: extended - name: header.type + level: core + name: id normalize: [] - original_fieldset: elf - short: Header type of the ELF file. + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.entry_leader.elf.header.version: - dashed_name: process-entry-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.entry_leader.elf.header.version + process.group_leader.real_user.name: + dashed_name: process-group-leader-real-user-name + description: Short name or login of the user. 
+ example: a.einstein + flat_name: process.group_leader.real_user.name ignore_above: 1024 - level: extended - name: header.version + level: core + multi_fields: + - flat_name: process.group_leader.real_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: Version of the ELF header. + original_fieldset: user + short: Short name or login of the user. type: keyword - process.entry_leader.elf.import_hash: - dashed_name: process-entry-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. + process.group_leader.same_as_process: + dashed_name: process-group-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.entry_leader.elf.imports: - dashed_name: process-entry-leader-elf-imports - description: List of imported element names and types. - flat_name: process.entry_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.entry_leader.elf.imports_names_entropy: - dashed_name: process-entry-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.entry_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.elf.sections: - dashed_name: process-entry-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.entry_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.entry_leader.elf.sections.chi2: - dashed_name: process-entry-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. 
- type: long - process.entry_leader.elf.sections.entropy: - dashed_name: process-entry-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.elf.sections.entropy - format: number + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.group_leader.same_as_process level: extended - name: sections.entropy + name: same_as_process normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.entry_leader.elf.sections.flags: - dashed_name: process-entry-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.entry_leader.elf.sections.flags + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.group_leader.saved_group.id: + dashed_name: process-group-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.saved_group.id ignore_above: 1024 level: extended - name: sections.flags + name: id normalize: [] - original_fieldset: elf - short: ELF Section List flags. + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
type: keyword - process.entry_leader.elf.sections.name: - dashed_name: process-entry-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.entry_leader.elf.sections.name + process.group_leader.saved_group.name: + dashed_name: process-group-leader-saved-group-name + description: Name of the group. + flat_name: process.group_leader.saved_group.name ignore_above: 1024 level: extended - name: sections.name + name: name normalize: [] - original_fieldset: elf - short: ELF Section List name. + original_fieldset: group + short: Name of the group. type: keyword - process.entry_leader.elf.sections.physical_offset: - dashed_name: process-entry-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.entry_leader.elf.sections.physical_offset + process.group_leader.saved_user.id: + dashed_name: process-group-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.saved_user.id ignore_above: 1024 - level: extended - name: sections.physical_offset + level: core + name: id normalize: [] - original_fieldset: elf - short: ELF Section List offset. + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.entry_leader.elf.sections.physical_size: - dashed_name: process-entry-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.entry_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.entry_leader.elf.sections.type: - dashed_name: process-entry-leader-elf-sections-type - description: ELF Section List type. 
- flat_name: process.entry_leader.elf.sections.type + process.group_leader.saved_user.name: + dashed_name: process-group-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.saved_user.name ignore_above: 1024 - level: extended - name: sections.type + level: core + multi_fields: + - flat_name: process.group_leader.saved_user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: elf - short: ELF Section List type. + original_fieldset: user + short: Short name or login of the user. type: keyword - process.entry_leader.elf.sections.var_entropy: - dashed_name: process-entry-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.elf.sections.virtual_address: - dashed_name: process-entry-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.entry_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.entry_leader.elf.sections.virtual_size: - dashed_name: process-entry-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.entry_leader.elf.sections.virtual_size - format: string + process.group_leader.start: + dashed_name: process-group-leader-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.group_leader.start level: extended - name: sections.virtual_size + name: start normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.entry_leader.elf.segments: - dashed_name: process-entry-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.entry_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.entry_leader.elf.segments.sections: - dashed_name: process-entry-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.entry_leader.elf.segments.sections + original_fieldset: process + short: The time the process started. + type: date + process.group_leader.supplemental_groups.id: + dashed_name: process-group-leader-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.group_leader.supplemental_groups.id ignore_above: 1024 level: extended - name: segments.sections + name: id normalize: [] - original_fieldset: elf - short: ELF object segment sections. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.elf.segments.type: - dashed_name: process-entry-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.entry_leader.elf.segments.type + process.group_leader.supplemental_groups.name: + dashed_name: process-group-leader-supplemental-groups-name + description: Name of the group. + flat_name: process.group_leader.supplemental_groups.name ignore_above: 1024 level: extended - name: segments.type + name: name normalize: [] - original_fieldset: elf - short: ELF object segment type. 
- type: keyword - process.entry_leader.elf.shared_libraries: - dashed_name: process-entry-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. + original_fieldset: group + short: Name of the group. type: keyword - process.entry_leader.elf.telfhash: - dashed_name: process-entry-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.elf.telfhash - ignore_above: 1024 + process.group_leader.tty: + dashed_name: process-group-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.group_leader.tty level: extended - name: telfhash + name: tty normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.entry_leader.end: - dashed_name: process-entry-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.end + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.group_leader.tty.char_device.major: + dashed_name: process-group-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.group_leader.tty.char_device.major level: extended - name: end + name: tty.char_device.major normalize: [] original_fieldset: process - short: The time the process ended. 
- type: date - process.entry_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.endpoint_security_client + short: The TTY character device's major number. + type: long + process.group_leader.tty.char_device.minor: + dashed_name: process-group-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.group_leader.tty.char_device.minor level: extended - name: endpoint_security_client + name: tty.char_device.minor normalize: [] original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.entry_leader.entity_id: - dashed_name: process-entry-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.entity_id + short: The TTY character device's minor number. + type: long + process.group_leader.user.id: + dashed_name: process-group-leader-user-id + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.group_leader.user.id ignore_above: 1024 - level: extended - name: entity_id + level: core + name: id normalize: [] - original_fieldset: process - short: Unique identifier for the process. + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.entry_leader.entry_meta.source.address: - dashed_name: process-entry-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.entry_leader.entry_meta.source.address + process.group_leader.user.name: + dashed_name: process-group-leader-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.group_leader.user.name ignore_above: 1024 - level: extended - name: address + level: core + multi_fields: + - flat_name: process.group_leader.user.name.text + name: text + type: match_only_text + name: name normalize: [] - original_fieldset: source - short: Source network address. + original_fieldset: user + short: Short name or login of the user. type: keyword - process.entry_leader.entry_meta.source.as.number: - dashed_name: process-entry-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.entry_meta.source.as.number - level: extended - name: number + process.group_leader.vpid: + dashed_name: process-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. 
This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.group_leader.vpid + format: string + level: core + name: vpid normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. + original_fieldset: process + short: Virtual process id. type: long - process.entry_leader.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.entry_leader.entry_meta.source.as.organization.name + process.group_leader.working_directory: + dashed_name: process-group-leader-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.group_leader.working_directory ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.entry_meta.source.as.organization.name.text + - flat_name: process.group_leader.working_directory.text name: text type: match_only_text - name: organization.name + name: working_directory normalize: [] - original_fieldset: as - short: Organization name. + original_fieldset: process + short: The working directory of the process. type: keyword - process.entry_leader.entry_meta.source.bytes: - dashed_name: process-entry-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.entry_leader.entry_meta.source.domain: - dashed_name: process-entry-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. 
The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.entry_leader.entry_meta.source.domain + process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash ignore_above: 1024 - level: core - name: domain + level: extended + name: cdhash normalize: [] - original_fieldset: source - short: The domain name of the source. + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. type: keyword - process.entry_leader.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.entry_meta.source.geo.city_name + process.hash.md5: + dashed_name: process-hash-md5 + description: MD5 hash. + flat_name: process.hash.md5 ignore_above: 1024 - level: core - name: city_name + level: extended + name: md5 normalize: [] - original_fieldset: geo - short: City name. + original_fieldset: hash + short: MD5 hash. type: keyword - process.entry_leader.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_leader.entry_meta.source.geo.continent_code + process.hash.sha1: + dashed_name: process-hash-sha1 + description: SHA1 hash. + flat_name: process.hash.sha1 ignore_above: 1024 - level: core - name: continent_code + level: extended + name: sha1 normalize: [] - original_fieldset: geo - short: Continent code. + original_fieldset: hash + short: SHA1 hash. 
type: keyword - process.entry_leader.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.entry_meta.source.geo.continent_name + process.hash.sha256: + dashed_name: process-hash-sha256 + description: SHA256 hash. + flat_name: process.hash.sha256 ignore_above: 1024 - level: core - name: continent_name + level: extended + name: sha256 normalize: [] - original_fieldset: geo - short: Name of the continent. + original_fieldset: hash + short: SHA256 hash. type: keyword - process.entry_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.entry_meta.source.geo.country_iso_code + process.hash.sha384: + dashed_name: process-hash-sha384 + description: SHA384 hash. + flat_name: process.hash.sha384 ignore_above: 1024 - level: core - name: country_iso_code + level: extended + name: sha384 normalize: [] - original_fieldset: geo - short: Country ISO code. + original_fieldset: hash + short: SHA384 hash. type: keyword - process.entry_leader.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.entry_meta.source.geo.country_name + process.hash.sha512: + dashed_name: process-hash-sha512 + description: SHA512 hash. + flat_name: process.hash.sha512 ignore_above: 1024 - level: core - name: country_name + level: extended + name: sha512 normalize: [] - original_fieldset: geo - short: Country name. + original_fieldset: hash + short: SHA512 hash. type: keyword - process.entry_leader.entry_meta.source.geo.location: - dashed_name: process-entry-leader-entry-meta-source-geo-location - description: Longitude and latitude. 
- example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.entry_leader.entry_meta.source.geo.name: - dashed_name: process-entry-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.entry_meta.source.geo.name + process.hash.ssdeep: + dashed_name: process-hash-ssdeep + description: SSDEEP hash. + flat_name: process.hash.ssdeep ignore_above: 1024 level: extended - name: name + name: ssdeep normalize: [] - original_fieldset: geo - short: User-defined description of a location. + original_fieldset: hash + short: SSDEEP hash. type: keyword - process.entry_leader.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.entry_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. 
- type: keyword - process.entry_leader.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.entry_leader.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.entry_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.entry_leader.entry_meta.source.mac: - dashed_name: process-entry-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.entry_leader.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. 
internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.entry_leader.entry_meta.source.nat.port: - dashed_name: process-entry-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.entry_leader.entry_meta.source.packets: - dashed_name: process-entry-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.entry_leader.entry_meta.source.port: - dashed_name: process-entry-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.entry_leader.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.entry_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.entry_leader.entry_meta.source.subdomain: - dashed_name: process-entry-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.entry_leader.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.entry_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.entry_leader.entry_meta.type: - dashed_name: process-entry-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.entry_leader.env_vars: - dashed_name: process-entry-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.entry_leader.executable: - dashed_name: process-entry-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword - process.entry_leader.exit_code: - dashed_name: process-entry-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.entry_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.entry_leader.group.domain: - dashed_name: process-entry-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.group.id: - dashed_name: process-entry-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.group.name: - dashed_name: process-entry-leader-group-name - description: Name of the group. - flat_name: process.entry_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. 
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.entry_leader.hash.md5: - dashed_name: process-entry-leader-hash-md5 - description: MD5 hash. - flat_name: process.entry_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.entry_leader.hash.sha1: - dashed_name: process-entry-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.entry_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.entry_leader.hash.sha256: - dashed_name: process-entry-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.entry_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.entry_leader.hash.sha384: - dashed_name: process-entry-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.entry_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.entry_leader.hash.sha512: - dashed_name: process-entry-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.entry_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.entry_leader.hash.ssdeep: - dashed_name: process-entry-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.entry_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. 
- type: keyword - process.entry_leader.hash.tlsh: - dashed_name: process-entry-leader-hash-tlsh - description: TLSH hash. - flat_name: process.entry_leader.hash.tlsh + process.hash.tlsh: + dashed_name: process-hash-tlsh + description: TLSH hash. + flat_name: process.hash.tlsh ignore_above: 1024 level: extended name: tlsh @@ -15720,8 +13220,8 @@ process: original_fieldset: hash short: TLSH hash. type: keyword - process.entry_leader.interactive: - dashed_name: process-entry-leader-interactive + process.interactive: + dashed_name: process-interactive description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If 
@@ -15734,75 +13234,72 @@ process:
backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.'
example: true
- flat_name: process.entry_leader.interactive
+ flat_name: process.interactive
level: extended
name: interactive
normalize: []
- original_fieldset: process
+ otel:
+ - relation: match
+ stability: development
short: Whether the process is connected to an interactive shell.
type: boolean
- process.entry_leader.io:
- dashed_name: process-entry-leader-io
+ process.io:
+ dashed_name: process-io
description: 'A chunk of input or output (IO) from a single process. This field only appears on the top level process object, which is the process that wrote the output or read the input.'
- flat_name: process.entry_leader.io
+ flat_name: process.io
level: extended
name: io
normalize: []
- original_fieldset: process
short: A chunk of input or output (IO) from a single process.
type: object
- process.entry_leader.io.bytes_skipped:
- dashed_name: process-entry-leader-io-bytes-skipped
+ process.io.bytes_skipped:
+ dashed_name: process-io-bytes-skipped
description: An array of byte offsets and lengths denoting where IO data has been skipped.
- flat_name: process.entry_leader.io.bytes_skipped
+ flat_name: process.io.bytes_skipped
level: extended
name: io.bytes_skipped
normalize: - array
- original_fieldset: process
short: An array of byte offsets and lengths denoting where IO data has been skipped.
type: object
- process.entry_leader.io.bytes_skipped.length:
- dashed_name: process-entry-leader-io-bytes-skipped-length
+ process.io.bytes_skipped.length:
+ dashed_name: process-io-bytes-skipped-length
description: The length of bytes skipped.
- flat_name: process.entry_leader.io.bytes_skipped.length
+ flat_name: process.io.bytes_skipped.length
level: extended
name: io.bytes_skipped.length
normalize: []
- original_fieldset: process
short: The length of bytes skipped.
type: long
- process.entry_leader.io.bytes_skipped.offset:
- dashed_name: process-entry-leader-io-bytes-skipped-offset
+ process.io.bytes_skipped.offset:
+ dashed_name: process-io-bytes-skipped-offset
description: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.
- flat_name: process.entry_leader.io.bytes_skipped.offset
+ flat_name: process.io.bytes_skipped.offset
level: extended
name: io.bytes_skipped.offset
normalize: []
- original_fieldset: process
short: The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.
type: long
- process.entry_leader.io.max_bytes_per_process_exceeded:
- dashed_name: process-entry-leader-io-max-bytes-per-process-exceeded
+ process.io.max_bytes_per_process_exceeded:
+ dashed_name: process-io-max-bytes-per-process-exceeded
description: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting.
- flat_name: process.entry_leader.io.max_bytes_per_process_exceeded
+ flat_name: process.io.max_bytes_per_process_exceeded
level: extended
name: io.max_bytes_per_process_exceeded
normalize: []
- original_fieldset: process
short: If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting.
type: boolean
- process.entry_leader.io.text:
- dashed_name: process-entry-leader-io-text
+ process.io.text:
+ dashed_name: process-io-text
description: 'A chunk of output or input sanitized to UTF-8. Best efforts are made to ensure complete lines are captured in these events.
@@ -15810,53 +13307,49 @@ process:
event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.'
- flat_name: process.entry_leader.io.text
+ flat_name: process.io.text
level: extended
name: io.text
normalize: []
- original_fieldset: process
short: A chunk of output or input sanitized to UTF-8.
type: wildcard
- process.entry_leader.io.total_bytes_captured:
- dashed_name: process-entry-leader-io-total-bytes-captured
+ process.io.total_bytes_captured:
+ dashed_name: process-io-total-bytes-captured
description: The total number of bytes captured in this event.
- flat_name: process.entry_leader.io.total_bytes_captured
+ flat_name: process.io.total_bytes_captured
level: extended
name: io.total_bytes_captured
normalize: []
- original_fieldset: process
short: The total number of bytes captured in this event.
type: long
- process.entry_leader.io.total_bytes_skipped:
- dashed_name: process-entry-leader-io-total-bytes-skipped
+ process.io.total_bytes_skipped:
+ dashed_name: process-io-total-bytes-skipped
description: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero
- flat_name: process.entry_leader.io.total_bytes_skipped
+ flat_name: process.io.total_bytes_skipped
level: extended
name: io.total_bytes_skipped
normalize: []
- original_fieldset: process
short: The total number of bytes that were not captured due to implementation restrictions such as buffer size limits.
type: long
- process.entry_leader.io.type:
- dashed_name: process-entry-leader-io-type
+ process.io.type:
+ dashed_name: process-io-type
description: 'The type of object on which the IO action (read or write) was taken. Currently only ''tty'' is supported. Other types may be added in the future for ''file'' and ''socket'' support.'
- flat_name: process.entry_leader.io.type
+ flat_name: process.io.type
ignore_above: 1024
level: extended
name: io.type
normalize: []
- original_fieldset: process
short: The type of object on which the IO action (read or write) was taken.
type: keyword
- process.entry_leader.macho.go_import_hash:
- dashed_name: process-entry-leader-macho-go-import-hash
+ process.macho.go_import_hash:
+ dashed_name: process-macho-go-import-hash
description: 'A hash of the Go language imports in a Mach-O file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would
@@ -15865,7 +13358,7 @@ process:
The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma'
example: 10bddcb4cee42080f76c88d9ff964491
- flat_name: process.entry_leader.macho.go_import_hash
+ flat_name: process.macho.go_import_hash
ignore_above: 1024
level: extended
name: go_import_hash
@@ -15873,20 +13366,20 @@ process:
original_fieldset: macho
short: A hash of the Go language imports in a Mach-O file.
type: keyword
- process.entry_leader.macho.go_imports:
- dashed_name: process-entry-leader-macho-go-imports
+ process.macho.go_imports:
+ dashed_name: process-macho-go-imports
description: List of imported Go language element names and types.
- flat_name: process.entry_leader.macho.go_imports
+ flat_name: process.macho.go_imports
level: extended
name: go_imports
normalize: []
original_fieldset: macho
short: List of imported Go language element names and types.
type: flattened
- process.entry_leader.macho.go_imports_names_entropy:
- dashed_name: process-entry-leader-macho-go-imports-names-entropy
+ process.macho.go_imports_names_entropy:
+ dashed_name: process-macho-go-imports-names-entropy
description: Shannon entropy calculation from the list of Go imports.
- flat_name: process.entry_leader.macho.go_imports_names_entropy
+ flat_name: process.macho.go_imports_names_entropy
format: number
level: extended
name: go_imports_names_entropy
@@ -15894,10 +13387,10 @@ process:
original_fieldset: macho
short: Shannon entropy calculation from the list of Go imports.
type: long
- process.entry_leader.macho.go_imports_names_var_entropy:
- dashed_name: process-entry-leader-macho-go-imports-names-var-entropy
+ process.macho.go_imports_names_var_entropy:
+ dashed_name: process-macho-go-imports-names-var-entropy
description: Variance for Shannon entropy calculation from the list of Go imports.
- flat_name: process.entry_leader.macho.go_imports_names_var_entropy
+ flat_name: process.macho.go_imports_names_var_entropy
format: number
level: extended
name: go_imports_names_var_entropy
@@ -15905,26 +13398,26 @@ process:
original_fieldset: macho
short: Variance for Shannon entropy calculation from the list of Go imports.
type: long
- process.entry_leader.macho.go_stripped:
- dashed_name: process-entry-leader-macho-go-stripped
+ process.macho.go_stripped:
+ dashed_name: process-macho-go-stripped
description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
- flat_name: process.entry_leader.macho.go_stripped
+ flat_name: process.macho.go_stripped
level: extended
name: go_stripped
normalize: []
original_fieldset: macho
short: Whether the file is a stripped or obfuscated Go executable.
type: boolean
- process.entry_leader.macho.import_hash:
- dashed_name: process-entry-leader-macho-import-hash
+ process.macho.import_hash:
+ dashed_name: process-macho-import-hash
description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.'
example: d41d8cd98f00b204e9800998ecf8427e
- flat_name: process.entry_leader.macho.import_hash
+ flat_name: process.macho.import_hash
ignore_above: 1024
level: extended
name: import_hash
@@ -15932,10 +13425,10 @@ process:
original_fieldset: macho
short: A hash of the imports in a Mach-O file.
type: keyword
- process.entry_leader.macho.imports:
- dashed_name: process-entry-leader-macho-imports
+ process.macho.imports:
+ dashed_name: process-macho-imports
description: List of imported element names and types.
- flat_name: process.entry_leader.macho.imports
+ flat_name: process.macho.imports
level: extended
name: imports
normalize:
@@ -15943,11 +13436,11 @@ process:
original_fieldset: macho
short: List of imported element names and types.
type: flattened
- process.entry_leader.macho.imports_names_entropy:
- dashed_name: process-entry-leader-macho-imports-names-entropy
+ process.macho.imports_names_entropy:
+ dashed_name: process-macho-imports-names-entropy
description: Shannon entropy calculation from the list of imported element names and types.
- flat_name: process.entry_leader.macho.imports_names_entropy
+ flat_name: process.macho.imports_names_entropy
format: number
level: extended
name: imports_names_entropy
@@ -15956,11 +13449,11 @@ process:
short: Shannon entropy calculation from the list of imported element names and types.
type: long
- process.entry_leader.macho.imports_names_var_entropy:
- dashed_name: process-entry-leader-macho-imports-names-var-entropy
+ process.macho.imports_names_var_entropy:
+ dashed_name: process-macho-imports-names-var-entropy
description: Variance for Shannon entropy calculation from the list of imported element names and types.
- flat_name: process.entry_leader.macho.imports_names_var_entropy
+ flat_name: process.macho.imports_names_var_entropy
format: number
level: extended
name: imports_names_var_entropy
@@ -15969,13 +13462,13 @@ process:
short: Variance for Shannon entropy calculation from the list of imported element names and types.
type: long
- process.entry_leader.macho.sections:
- dashed_name: process-entry-leader-macho-sections
+ process.macho.sections:
+ dashed_name: process-macho-sections
description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.'
- flat_name: process.entry_leader.macho.sections
+ flat_name: process.macho.sections
level: extended
name: sections
normalize:
@@ -15983,10 +13476,10 @@ process:
original_fieldset: macho
short: Section information of the Mach-O file.
type: nested
- process.entry_leader.macho.sections.entropy:
- dashed_name: process-entry-leader-macho-sections-entropy
+ process.macho.sections.entropy:
+ dashed_name: process-macho-sections-entropy
description: Shannon entropy calculation from the section.
- flat_name: process.entry_leader.macho.sections.entropy
+ flat_name: process.macho.sections.entropy
format: number
level: extended
name: sections.entropy
@@ -15994,10 +13487,10 @@ process:
original_fieldset: macho
short: Shannon entropy calculation from the section.
type: long
- process.entry_leader.macho.sections.name:
- dashed_name: process-entry-leader-macho-sections-name
+ process.macho.sections.name:
+ dashed_name: process-macho-sections-name
description: Mach-O Section List name.
- flat_name: process.entry_leader.macho.sections.name
+ flat_name: process.macho.sections.name
ignore_above: 1024
level: extended
name: sections.name
@@ -16005,10 +13498,10 @@ process:
original_fieldset: macho
short: Mach-O Section List name.
type: keyword
- process.entry_leader.macho.sections.physical_size:
- dashed_name: process-entry-leader-macho-sections-physical-size
+ process.macho.sections.physical_size:
+ dashed_name: process-macho-sections-physical-size
description: Mach-O Section List physical size.
- flat_name: process.entry_leader.macho.sections.physical_size
+ flat_name: process.macho.sections.physical_size
format: bytes
level: extended
name: sections.physical_size
@@ -16016,10 +13509,10 @@ process:
original_fieldset: macho
short: Mach-O Section List physical size.
type: long
- process.entry_leader.macho.sections.var_entropy:
- dashed_name: process-entry-leader-macho-sections-var-entropy
+ process.macho.sections.var_entropy:
+ dashed_name: process-macho-sections-var-entropy
description: Variance for Shannon entropy calculation from the section.
- flat_name: process.entry_leader.macho.sections.var_entropy
+ flat_name: process.macho.sections.var_entropy
format: number
level: extended
name: sections.var_entropy
@@ -16027,10 +13520,10 @@ process:
original_fieldset: macho
short: Variance for Shannon entropy calculation from the section.
type: long
- process.entry_leader.macho.sections.virtual_size:
- dashed_name: process-entry-leader-macho-sections-virtual-size
+ process.macho.sections.virtual_size:
+ dashed_name: process-macho-sections-virtual-size
description: Mach-O Section List virtual size. This is always the same as `physical_size`.
- flat_name: process.entry_leader.macho.sections.virtual_size
+ flat_name: process.macho.sections.virtual_size
format: string
level: extended
name: sections.virtual_size
@@ -16038,15 +13531,15 @@ process:
original_fieldset: macho
short: Mach-O Section List virtual size. This is always the same as `physical_size`.
type: long
- process.entry_leader.macho.symhash:
- dashed_name: process-entry-leader-macho-symhash
+ process.macho.symhash:
+ dashed_name: process-macho-symhash
description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash'
example: d3ccf195b62a9279c3c19af1080497ec
- flat_name: process.entry_leader.macho.symhash
+ flat_name: process.macho.symhash
ignore_above: 1024
level: extended
name: symhash
@@ -16054,59 +13547,31 @@ process:
original_fieldset: macho
short: A hash of the imports in a Mach-O file.
type: keyword
- process.entry_leader.name:
- dashed_name: process-entry-leader-name
+ process.name:
+ dashed_name: process-name
description: 'Process name. Sometimes called program name or similar.'
example: ssh
- flat_name: process.entry_leader.name
+ flat_name: process.name
ignore_above: 1024
level: extended
multi_fields:
- - flat_name: process.entry_leader.name.text
+ - flat_name: process.name.text
name: text
type: match_only_text
name: name
normalize: []
- original_fieldset: process
short: Process name.
type: keyword
- process.entry_leader.origin_referrer_url:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-origin-referrer-url
- description: The URL of the webpage that linked to the process's executable
- file.
- example: http://example.com/article1.html
- flat_name: process.entry_leader.origin_referrer_url
- ignore_above: 8192
- level: extended
- name: origin_referrer_url
- normalize: []
- original_fieldset: process
- short: The URL of the webpage that linked to the process's executable file.
- type: keyword
- process.entry_leader.origin_url:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-origin-url
- description: The URL where the process's executable file is hosted.
- example: http://example.com/files/example.exe
- flat_name: process.entry_leader.origin_url
- ignore_above: 8192
- level: extended
- name: origin_url
- normalize: []
- original_fieldset: process
- short: The URL where the process's executable file is hosted.
- type: keyword
- process.entry_leader.parent.args:
- dashed_name: process-entry-leader-parent-args
+ process.parent.args:
+ dashed_name: process-parent-args
description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.'
example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
- flat_name: process.entry_leader.parent.args
+ flat_name: process.parent.args
ignore_above: 1024
level: extended
name: args
@@ -16115,626 +13580,124 @@ process:
original_fieldset: process
short: Array of process arguments.
type: keyword
- process.entry_leader.parent.args_count:
- dashed_name: process-entry-leader-parent-args-count
+ process.parent.args_count:
+ dashed_name: process-parent-args-count
description: 'Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.'
example: 4
- flat_name: process.entry_leader.parent.args_count
+ flat_name: process.parent.args_count
level: extended
name: args_count
normalize: []
original_fieldset: process
short: Length of the process.args array.
type: long
- process.entry_leader.parent.attested_groups.domain:
- dashed_name: process-entry-leader-parent-attested-groups-domain
- description: 'Name of the directory the group is a member of.
+ process.parent.code_signature.digest_algorithm:
+ dashed_name: process-parent-code-signature-digest-algorithm
+ description: 'The hashing algorithm used to sign the process.
- For example, an LDAP or Active Directory domain name.'
- flat_name: process.entry_leader.parent.attested_groups.domain
+ This value can distinguish signatures when a file is signed multiple times
+ by the same signer but with a different digest algorithm.'
+ example: sha256
+ flat_name: process.parent.code_signature.digest_algorithm
ignore_above: 1024
level: extended
- name: domain
+ name: digest_algorithm
normalize: []
- original_fieldset: group
- short: Name of the directory the group is a member of.
+ original_fieldset: code_signature
+ short: Hashing algorithm used to sign the process.
type: keyword
- process.entry_leader.parent.attested_groups.id:
- dashed_name: process-entry-leader-parent-attested-groups-id
- description: Unique identifier for the group on the system/platform.
- flat_name: process.entry_leader.parent.attested_groups.id
+ process.parent.code_signature.exists:
+ dashed_name: process-parent-code-signature-exists
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ flat_name: process.parent.code_signature.exists
+ level: core
+ name: exists
+ normalize: []
+ original_fieldset: code_signature
+ short: Boolean to capture if a signature is present.
+ type: boolean
+ process.parent.code_signature.flags:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-code-signature-flags
+ description: The flags used to sign the process.
+ example: 570522385
+ flat_name: process.parent.code_signature.flags
ignore_above: 1024
level: extended
- name: id
+ name: flags
normalize: []
- original_fieldset: group
- short: Unique identifier for the group on the system/platform.
+ original_fieldset: code_signature
+ short: Code signing flags of the process
type: keyword
- process.entry_leader.parent.attested_groups.name:
- dashed_name: process-entry-leader-parent-attested-groups-name
- description: Name of the group.
- flat_name: process.entry_leader.parent.attested_groups.name
+ process.parent.code_signature.signing_id:
+ dashed_name: process-parent-code-signature-signing-id
+ description: 'The identifier used to sign the process.
+
+ This is used to identify the application manufactured by a software vendor.
+ The field is relevant to Apple *OS only.'
+ example: com.apple.xpc.proxy
+ flat_name: process.parent.code_signature.signing_id
ignore_above: 1024
level: extended
- name: name
+ name: signing_id
normalize: []
- original_fieldset: group
- short: Name of the group.
+ original_fieldset: code_signature
+ short: The identifier used to sign the process.
type: keyword
- process.entry_leader.parent.attested_user.domain:
- dashed_name: process-entry-leader-parent-attested-user-domain
- description: 'Name of the directory the user is a member of.
+ process.parent.code_signature.status:
+ dashed_name: process-parent-code-signature-status
+ description: 'Additional information about the certificate status.
- For example, an LDAP or Active Directory domain name.'
- flat_name: process.entry_leader.parent.attested_user.domain
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status. Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ flat_name: process.parent.code_signature.status
ignore_above: 1024
level: extended
- name: domain
+ name: status
normalize: []
- original_fieldset: user
- short: Name of the directory the user is a member of.
+ original_fieldset: code_signature
+ short: Additional information about the certificate status.
type: keyword
- process.entry_leader.parent.attested_user.email:
- dashed_name: process-entry-leader-parent-attested-user-email
- description: User email address.
- flat_name: process.entry_leader.parent.attested_user.email
+ process.parent.code_signature.subject_name:
+ dashed_name: process-parent-code-signature-subject-name
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ flat_name: process.parent.code_signature.subject_name
+ ignore_above: 1024
+ level: core
+ name: subject_name
+ normalize: []
+ original_fieldset: code_signature
+ short: Subject name of the code signer
+ type: keyword
+ process.parent.code_signature.team_id:
+ dashed_name: process-parent-code-signature-team-id
+ description: 'The team identifier used to sign the process.
+
+ This is used to identify the team or vendor of a software product. The field
+ is relevant to Apple *OS only.'
+ example: EQHXZ8M8AV
+ flat_name: process.parent.code_signature.team_id
ignore_above: 1024
level: extended
- name: email
+ name: team_id
normalize: []
- original_fieldset: user
- short: User email address.
+ original_fieldset: code_signature
+ short: The team identifier used to sign the process.
type: keyword
- process.entry_leader.parent.attested_user.entity.attributes:
+ process.parent.code_signature.thumbprint_sha256:
beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-attested-user-entity-attributes
- description: A set of static or semi-static attributes of the entity. Usually
- boolean or keyword field data types. Use this field set when you need to track
- static or semi-static characteristics of an entity for advanced searching
- and correlation of normalized values across different providers/sources and
- entity types.
- flat_name: process.entry_leader.parent.attested_user.entity.attributes
- level: extended
- name: attributes
- normalize: []
- original_fieldset: entity
- short: A set of static or semi-static attributes of the entity.
- type: object
- process.entry_leader.parent.attested_user.entity.behavior:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-attested-user-entity-behavior
- description: A set of ephemeral characteristics of the entity, derived from
- observed behaviors during a specific time period. Usually boolean field data
- type. Use this field set when you need to capture and track ephemeral characteristics
- of an entity for advanced searching, correlation of normalized values across
- different providers/sources and entity types.
- flat_name: process.entry_leader.parent.attested_user.entity.behavior
- level: extended
- name: behavior
- normalize: []
- original_fieldset: entity
- short: A set of ephemeral characteristics of the entity, derived from observed
- behaviors during a specific time period.
- type: object
- process.entry_leader.parent.attested_user.entity.display_name:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-attested-user-entity-display-name
- description: An optional field used when a pretty name is desired for entity-centric
- operations.
This field should not be used for correlation with `*.name` fields
- for entities with dedicated field sets (e.g., `host`).
- flat_name: process.entry_leader.parent.attested_user.entity.display_name
- ignore_above: 1024
- level: extended
- multi_fields:
- - flat_name: process.entry_leader.parent.attested_user.entity.display_name.text
- name: text
- norms: false
- type: text
- name: display_name
- normalize: []
- original_fieldset: entity
- short: An optional field used when a pretty name is desired for entity-centric
- operations.
- type: keyword
- process.entry_leader.parent.attested_user.entity.id:
- dashed_name: process-entry-leader-parent-attested-user-entity-id
- description: 'A unique identifier for the entity. When multiple identifiers
- exist, this should be the most stable and commonly used identifier that: 1)
- persists across the entity''s lifecycle, 2) ensures uniqueness within its
- scope, 3) is commonly used for queries and correlation, and 4) is readily
- available in most observations (logs/events). For entities with dedicated
- field sets (e.g., host, user), this value should match the corresponding *.id
- field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
- in the raw field.'
- flat_name: process.entry_leader.parent.attested_user.entity.id
- ignore_above: 1024
- level: core
- name: id
- normalize: []
- original_fieldset: entity
- short: Unique identifier for the entity.
- type: keyword
- process.entry_leader.parent.attested_user.entity.last_seen_timestamp:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-attested-user-entity-last-seen-timestamp
- description: Indicates the date/time when this entity was last "seen," usually
- based upon the last event/log that is initiated by this entity.
- flat_name: process.entry_leader.parent.attested_user.entity.last_seen_timestamp
- level: extended
- name: last_seen_timestamp
- normalize: []
- original_fieldset: entity
- short: Indicates the date/time when this entity was last "seen."
- type: date
- process.entry_leader.parent.attested_user.entity.lifecycle:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-attested-user-entity-lifecycle
- description: A set of temporal characteristics of the entity. Usually date field
- data type. Use this field set when you need to track temporal characteristics
- of an entity for advanced searching and correlation of normalized values across
- different providers/sources and entity types.
- flat_name: process.entry_leader.parent.attested_user.entity.lifecycle
- level: extended
- name: lifecycle
- normalize: []
- original_fieldset: entity
- short: A set of temporal characteristics of the entity.
- type: object
- process.entry_leader.parent.attested_user.entity.metrics:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-attested-user-entity-metrics
- description: Field set for any fields containing numeric entity metrics. These
- use dynamic field data type mapping.
- flat_name: process.entry_leader.parent.attested_user.entity.metrics
- level: extended
- name: metrics
- normalize: []
- original_fieldset: entity
- short: Field set for any fields containing numeric entity metrics.
- type: object
- process.entry_leader.parent.attested_user.entity.name:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-attested-user-entity-name
- description: The name of the entity. The keyword field enables exact matches
- for filtering and aggregations, while the text field enables full-text search.
- For entities with dedicated field sets (e.g., `host`), this field should mirrors
- the corresponding *.name value.
- flat_name: process.entry_leader.parent.attested_user.entity.name
- ignore_above: 1024
- level: core
- multi_fields:
- - flat_name: process.entry_leader.parent.attested_user.entity.name.text
- name: text
- norms: false
- type: text
- name: name
- normalize: []
- original_fieldset: entity
- short: The name of the entity.
- type: keyword
- process.entry_leader.parent.attested_user.entity.raw:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-attested-user-entity-raw
- description: Original, unmodified fields from the source system. Usually flattened
- field data type. While the attributes field should be used for normalized
- fields requiring advanced queries, this field preserves all source metadata
- with basic search capabilities.
- flat_name: process.entry_leader.parent.attested_user.entity.raw
- level: extended
- name: raw
- normalize: []
- original_fieldset: entity
- short: Original, unmodified fields from the source system.
- type: object
- process.entry_leader.parent.attested_user.entity.reference:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-attested-user-entity-reference
- description: A URI, URL, or other direct reference to access or locate the entity
- in its source system. This could be an API endpoint, web console URL, or other
- addressable location. Format may vary by entity type and source system.
- flat_name: process.entry_leader.parent.attested_user.entity.reference
- ignore_above: 1024
- level: extended
- name: reference
- normalize: []
- original_fieldset: entity
- short: A URI, URL, or other direct reference to access or locate the entity.
- type: keyword
- process.entry_leader.parent.attested_user.entity.source:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-attested-user-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
- flat_name: process.entry_leader.parent.attested_user.entity.source
- ignore_above: 1024
- level: core
- name: source
- normalize: []
- original_fieldset: entity
- short: Source module or integration that provided the entity data.
- type: keyword
- process.entry_leader.parent.attested_user.entity.sub_type:
- beta: This field is beta and subject to change.
- dashed_name: process-entry-leader-parent-attested-user-entity-sub-type
- description: 'The specific type designation for the entity as defined by its
- provider or system. This field provides more granular classification than
- the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
- would all map to entity type `bucket`. `hardware` , `virtual` , `container`
- , `node` , `cloud_instance` would all map to entity type `host`.'
- example: aws_s3_bucket
- flat_name: process.entry_leader.parent.attested_user.entity.sub_type
- ignore_above: 1024
- level: extended
- name: sub_type
- normalize: []
- original_fieldset: entity
- short: The specific type designation for the entity as defined by its provider
- or system.
- type: keyword
- process.entry_leader.parent.attested_user.entity.type:
- allowed_values:
- - description: Represents a storage container or bucket, typically used for
- object storage. Common examples include AWS S3 buckets, Google Cloud Storage
- buckets, Azure Blob containers, and other cloud storage services. Buckets
- are used to organize and store files, objects, or data in cloud environments.
- name: bucket
- - description: Represents a database system or database instance. This includes
- relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
- Cassandra, DynamoDB), time-series databases, and other data storage systems.
- The entity may represent the entire database system or a specific database
- instance.
- name: database
- - description: Represents a containerized application or process.
This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. 
This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.parent.attested_user.full_name: - dashed_name: process-entry-leader-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.attested_user.group.domain: - dashed_name: process-entry-leader-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.attested_user.group.id: - dashed_name: process-entry-leader-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.attested_user.group.name: - dashed_name: process-entry-leader-parent-attested-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.attested_user.hash: - dashed_name: process-entry-leader-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.attested_user.id: - dashed_name: process-entry-leader-parent-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.entry_leader.parent.attested_user.name: - dashed_name: process-entry-leader-parent-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.entry_leader.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.attested_user.risk.static_level: - dashed_name: process-entry-leader-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.attested_user.risk.static_score: - dashed_name: process-entry-leader-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.entry_leader.parent.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.attested_user.roles: - dashed_name: process-entry-leader-parent-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.code_signature.digest_algorithm: - dashed_name: process-entry-leader-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.entry_leader.parent.code_signature.exists: - dashed_name: process-entry-leader-parent-code-signature-exists - description: Boolean to capture if a signature is present. 
- example: 'true' - flat_name: process.entry_leader.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.entry_leader.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.entry_leader.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.entry_leader.parent.code_signature.signing_id: - dashed_name: process-entry-leader-parent-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.entry_leader.parent.code_signature.status: - dashed_name: process-entry-leader-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword - process.entry_leader.parent.code_signature.subject_name: - dashed_name: process-entry-leader-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.entry_leader.parent.code_signature.team_id: - dashed_name: process-entry-leader-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.entry_leader.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.entry_leader.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-code-signature-thumbprint-sha256 + dashed_name: process-parent-code-signature-thumbprint-sha256 description: Certificate SHA256 hash that uniquely identifies the code signer. example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.parent.code_signature.thumbprint_sha256 + flat_name: process.parent.code_signature.thumbprint_sha256 ignore_above: 64 level: extended name: thumbprint_sha256 
@@ -16743,39 +13706,39 @@ process: pattern: ^[0-9a-f]{64}$ short: SHA256 hash of the certificate. type: keyword - process.entry_leader.parent.code_signature.timestamp: - dashed_name: process-entry-leader-parent-code-signature-timestamp + process.parent.code_signature.timestamp: + dashed_name: process-parent-code-signature-timestamp description: Date and time when the code signature was generated and signed. example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.parent.code_signature.timestamp + flat_name: process.parent.code_signature.timestamp level: extended name: timestamp normalize: [] original_fieldset: code_signature short: When the signature was generated and signed. type: date - process.entry_leader.parent.code_signature.trusted: - dashed_name: process-entry-leader-parent-code-signature-trusted + process.parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' - flat_name: process.entry_leader.parent.code_signature.trusted + flat_name: process.parent.code_signature.trusted level: extended name: trusted normalize: [] original_fieldset: code_signature short: Stores the trust status of the certificate chain. type: boolean - process.entry_leader.parent.code_signature.valid: - dashed_name: process-entry-leader-parent-code-signature-valid + process.parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' - flat_name: process.entry_leader.parent.code_signature.valid + flat_name: process.parent.code_signature.valid level: extended name: valid normalize: [] 
@@ -16783,17 +13746,17 @@ process: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean - process.entry_leader.parent.command_line: - dashed_name: process-entry-leader-parent-command-line + process.parent.command_line: + dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.parent.command_line + flat_name: process.parent.command_line level: extended multi_fields: - - flat_name: process.entry_leader.parent.command_line.text + - flat_name: process.parent.command_line.text name: text type: match_only_text name: command_line @@ -16801,11 +13764,11 @@ process: original_fieldset: process short: Full command line that started the process. type: wildcard - process.entry_leader.parent.elf.architecture: - dashed_name: process-entry-leader-parent-elf-architecture + process.parent.elf.architecture: + dashed_name: process-parent-elf-architecture description: Machine architecture of the ELF file. example: x86-64 - flat_name: process.entry_leader.parent.elf.architecture + flat_name: process.parent.elf.architecture ignore_above: 1024 level: extended name: architecture @@ -16813,11 +13776,11 @@ process: original_fieldset: elf short: Machine architecture of the ELF file. type: keyword - process.entry_leader.parent.elf.byte_order: - dashed_name: process-entry-leader-parent-elf-byte-order + process.parent.elf.byte_order: + dashed_name: process-parent-elf-byte-order description: Byte sequence of ELF file. example: Little Endian - flat_name: process.entry_leader.parent.elf.byte_order + flat_name: process.parent.elf.byte_order ignore_above: 1024 level: extended name: byte_order 
@@ -16825,11 +13788,11 @@ process: original_fieldset: elf short: Byte sequence of ELF file. type: keyword - process.entry_leader.parent.elf.cpu_type: - dashed_name: process-entry-leader-parent-elf-cpu-type + process.parent.elf.cpu_type: + dashed_name: process-parent-elf-cpu-type description: CPU type of the ELF file. example: Intel - flat_name: process.entry_leader.parent.elf.cpu_type + flat_name: process.parent.elf.cpu_type ignore_above: 1024 level: extended name: cpu_type @@ -16837,21 +13800,21 @@ process: original_fieldset: elf short: CPU type of the ELF file. type: keyword - process.entry_leader.parent.elf.creation_date: - dashed_name: process-entry-leader-parent-elf-creation-date + process.parent.elf.creation_date: + dashed_name: process-parent-elf-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.parent.elf.creation_date + flat_name: process.parent.elf.creation_date level: extended name: creation_date normalize: [] original_fieldset: elf short: Build or compile date. type: date - process.entry_leader.parent.elf.exports: - dashed_name: process-entry-leader-parent-elf-exports + process.parent.elf.exports: + dashed_name: process-parent-elf-exports description: List of exported element names and types. - flat_name: process.entry_leader.parent.elf.exports + flat_name: process.parent.elf.exports level: extended name: exports normalize: 
@@ -16859,8 +13822,8 @@ process: original_fieldset: elf short: List of exported element names and types. type: flattened - process.entry_leader.parent.elf.go_import_hash: - dashed_name: process-entry-leader-parent-elf-go-import-hash + process.parent.elf.go_import_hash: + dashed_name: process-parent-elf-go-import-hash description: 'A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -16869,7 +13832,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.elf.go_import_hash + flat_name: process.parent.elf.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -16877,20 +13840,20 @@ process: original_fieldset: elf short: A hash of the Go language imports in an ELF file. type: keyword - process.entry_leader.parent.elf.go_imports: - dashed_name: process-entry-leader-parent-elf-go-imports + process.parent.elf.go_imports: + dashed_name: process-parent-elf-go-imports description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.elf.go_imports + flat_name: process.parent.elf.go_imports level: extended name: go_imports normalize: [] original_fieldset: elf short: List of imported Go language element names and types. type: flattened - process.entry_leader.parent.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-elf-go-imports-names-entropy + process.parent.elf.go_imports_names_entropy: + dashed_name: process-parent-elf-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.elf.go_imports_names_entropy + flat_name: process.parent.elf.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -16898,10 +13861,10 @@ process: original_fieldset: elf short: Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.parent.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-elf-go-imports-names-var-entropy + process.parent.elf.go_imports_names_var_entropy: + dashed_name: process-parent-elf-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.elf.go_imports_names_var_entropy + flat_name: process.parent.elf.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -16909,21 +13872,21 @@ process: original_fieldset: elf short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.parent.elf.go_stripped: - dashed_name: process-entry-leader-parent-elf-go-stripped + process.parent.elf.go_stripped: + dashed_name: process-parent-elf-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.elf.go_stripped + flat_name: process.parent.elf.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: elf short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.entry_leader.parent.elf.header.abi_version: - dashed_name: process-entry-leader-parent-elf-header-abi-version + process.parent.elf.header.abi_version: + dashed_name: process-parent-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.parent.elf.header.abi_version + flat_name: process.parent.elf.header.abi_version ignore_above: 1024 level: extended name: header.abi_version @@ -16931,10 +13894,10 @@ process: original_fieldset: elf short: Version of the ELF Application Binary Interface (ABI). type: keyword - process.entry_leader.parent.elf.header.class: - dashed_name: process-entry-leader-parent-elf-header-class + process.parent.elf.header.class: + dashed_name: process-parent-elf-header-class description: Header class of the ELF file. - flat_name: process.entry_leader.parent.elf.header.class + flat_name: process.parent.elf.header.class ignore_above: 1024 level: extended name: header.class 
@@ -16942,10 +13905,10 @@ process: original_fieldset: elf short: Header class of the ELF file. type: keyword - process.entry_leader.parent.elf.header.data: - dashed_name: process-entry-leader-parent-elf-header-data + process.parent.elf.header.data: + dashed_name: process-parent-elf-header-data description: Data table of the ELF header. - flat_name: process.entry_leader.parent.elf.header.data + flat_name: process.parent.elf.header.data ignore_above: 1024 level: extended name: header.data @@ -16953,10 +13916,10 @@ process: original_fieldset: elf short: Data table of the ELF header. type: keyword - process.entry_leader.parent.elf.header.entrypoint: - dashed_name: process-entry-leader-parent-elf-header-entrypoint + process.parent.elf.header.entrypoint: + dashed_name: process-parent-elf-header-entrypoint description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.parent.elf.header.entrypoint + flat_name: process.parent.elf.header.entrypoint format: string level: extended name: header.entrypoint @@ -16964,10 +13927,10 @@ process: original_fieldset: elf short: Header entrypoint of the ELF file. type: long - process.entry_leader.parent.elf.header.object_version: - dashed_name: process-entry-leader-parent-elf-header-object-version + process.parent.elf.header.object_version: + dashed_name: process-parent-elf-header-object-version description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.parent.elf.header.object_version + flat_name: process.parent.elf.header.object_version ignore_above: 1024 level: extended name: header.object_version 
@@ -16975,10 +13938,10 @@ process: original_fieldset: elf short: '"0x1" for original ELF files.' type: keyword - process.entry_leader.parent.elf.header.os_abi: - dashed_name: process-entry-leader-parent-elf-header-os-abi + process.parent.elf.header.os_abi: + dashed_name: process-parent-elf-header-os-abi description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.parent.elf.header.os_abi + flat_name: process.parent.elf.header.os_abi ignore_above: 1024 level: extended name: header.os_abi @@ -16986,10 +13949,10 @@ process: original_fieldset: elf short: Application Binary Interface (ABI) of the Linux OS. type: keyword - process.entry_leader.parent.elf.header.type: - dashed_name: process-entry-leader-parent-elf-header-type + process.parent.elf.header.type: + dashed_name: process-parent-elf-header-type description: Header type of the ELF file. - flat_name: process.entry_leader.parent.elf.header.type + flat_name: process.parent.elf.header.type ignore_above: 1024 level: extended name: header.type @@ -16997,10 +13960,10 @@ process: original_fieldset: elf short: Header type of the ELF file. type: keyword - process.entry_leader.parent.elf.header.version: - dashed_name: process-entry-leader-parent-elf-header-version + process.parent.elf.header.version: + dashed_name: process-parent-elf-header-version description: Version of the ELF header. - flat_name: process.entry_leader.parent.elf.header.version + flat_name: process.parent.elf.header.version ignore_above: 1024 level: extended name: header.version 
@@ -17008,15 +13971,15 @@ process: original_fieldset: elf short: Version of the ELF header. type: keyword - process.entry_leader.parent.elf.import_hash: - dashed_name: process-entry-leader-parent-elf-import-hash + process.parent.elf.import_hash: + dashed_name: process-parent-elf-import-hash description: 'A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.elf.import_hash + flat_name: process.parent.elf.import_hash ignore_above: 1024 level: extended name: import_hash @@ -17024,10 +13987,10 @@ process: original_fieldset: elf short: A hash of the imports in an ELF file. type: keyword - process.entry_leader.parent.elf.imports: - dashed_name: process-entry-leader-parent-elf-imports + process.parent.elf.imports: + dashed_name: process-parent-elf-imports description: List of imported element names and types. - flat_name: process.entry_leader.parent.elf.imports + flat_name: process.parent.elf.imports level: extended name: imports normalize: @@ -17035,11 +13998,11 @@ process: original_fieldset: elf short: List of imported element names and types. type: flattened - process.entry_leader.parent.elf.imports_names_entropy: - dashed_name: process-entry-leader-parent-elf-imports-names-entropy + process.parent.elf.imports_names_entropy: + dashed_name: process-parent-elf-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.elf.imports_names_entropy + flat_name: process.parent.elf.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -17048,11 +14011,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.entry_leader.parent.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported + process.parent.elf.imports_names_var_entropy: + dashed_name: process-parent-elf-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.elf.imports_names_var_entropy + flat_name: process.parent.elf.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -17061,13 +14024,13 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.entry_leader.parent.elf.sections: - dashed_name: process-entry-leader-parent-elf-sections + process.parent.elf.sections: + dashed_name: process-parent-elf-sections description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' - flat_name: process.entry_leader.parent.elf.sections + flat_name: process.parent.elf.sections level: extended name: sections normalize: @@ -17075,10 +14038,10 @@ process: original_fieldset: elf short: Section information of the ELF file. type: nested - process.entry_leader.parent.elf.sections.chi2: - dashed_name: process-entry-leader-parent-elf-sections-chi2 + process.parent.elf.sections.chi2: + dashed_name: process-parent-elf-sections-chi2 description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.parent.elf.sections.chi2 + flat_name: process.parent.elf.sections.chi2 format: number level: extended name: sections.chi2 
@@ -17086,10 +14049,10 @@ process: original_fieldset: elf short: Chi-square probability distribution of the section. type: long - process.entry_leader.parent.elf.sections.entropy: - dashed_name: process-entry-leader-parent-elf-sections-entropy + process.parent.elf.sections.entropy: + dashed_name: process-parent-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.elf.sections.entropy + flat_name: process.parent.elf.sections.entropy format: number level: extended name: sections.entropy @@ -17097,10 +14060,10 @@ process: original_fieldset: elf short: Shannon entropy calculation from the section. type: long - process.entry_leader.parent.elf.sections.flags: - dashed_name: process-entry-leader-parent-elf-sections-flags + process.parent.elf.sections.flags: + dashed_name: process-parent-elf-sections-flags description: ELF Section List flags. - flat_name: process.entry_leader.parent.elf.sections.flags + flat_name: process.parent.elf.sections.flags ignore_above: 1024 level: extended name: sections.flags @@ -17108,10 +14071,10 @@ process: original_fieldset: elf short: ELF Section List flags. type: keyword - process.entry_leader.parent.elf.sections.name: - dashed_name: process-entry-leader-parent-elf-sections-name + process.parent.elf.sections.name: + dashed_name: process-parent-elf-sections-name description: ELF Section List name. - flat_name: process.entry_leader.parent.elf.sections.name + flat_name: process.parent.elf.sections.name ignore_above: 1024 level: extended name: sections.name 
@@ -17119,10 +14082,10 @@ process: original_fieldset: elf short: ELF Section List name. type: keyword - process.entry_leader.parent.elf.sections.physical_offset: - dashed_name: process-entry-leader-parent-elf-sections-physical-offset + process.parent.elf.sections.physical_offset: + dashed_name: process-parent-elf-sections-physical-offset description: ELF Section List offset. - flat_name: process.entry_leader.parent.elf.sections.physical_offset + flat_name: process.parent.elf.sections.physical_offset ignore_above: 1024 level: extended name: sections.physical_offset @@ -17130,10 +14093,10 @@ process: original_fieldset: elf short: ELF Section List offset. type: keyword - process.entry_leader.parent.elf.sections.physical_size: - dashed_name: process-entry-leader-parent-elf-sections-physical-size + process.parent.elf.sections.physical_size: + dashed_name: process-parent-elf-sections-physical-size description: ELF Section List physical size. - flat_name: process.entry_leader.parent.elf.sections.physical_size + flat_name: process.parent.elf.sections.physical_size format: bytes level: extended name: sections.physical_size @@ -17141,10 +14104,10 @@ process: original_fieldset: elf short: ELF Section List physical size. type: long - process.entry_leader.parent.elf.sections.type: - dashed_name: process-entry-leader-parent-elf-sections-type + process.parent.elf.sections.type: + dashed_name: process-parent-elf-sections-type description: ELF Section List type. - flat_name: process.entry_leader.parent.elf.sections.type + flat_name: process.parent.elf.sections.type ignore_above: 1024 level: extended name: sections.type 
@@ -17152,10 +14115,10 @@ process: original_fieldset: elf short: ELF Section List type. type: keyword - process.entry_leader.parent.elf.sections.var_entropy: - dashed_name: process-entry-leader-parent-elf-sections-var-entropy + process.parent.elf.sections.var_entropy: + dashed_name: process-parent-elf-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.elf.sections.var_entropy + flat_name: process.parent.elf.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -17163,10 +14126,10 @@ process: original_fieldset: elf short: Variance for Shannon entropy calculation from the section. type: long - process.entry_leader.parent.elf.sections.virtual_address: - dashed_name: process-entry-leader-parent-elf-sections-virtual-address + process.parent.elf.sections.virtual_address: + dashed_name: process-parent-elf-sections-virtual-address description: ELF Section List virtual address. - flat_name: process.entry_leader.parent.elf.sections.virtual_address + flat_name: process.parent.elf.sections.virtual_address format: string level: extended name: sections.virtual_address @@ -17174,10 +14137,10 @@ process: original_fieldset: elf short: ELF Section List virtual address. type: long - process.entry_leader.parent.elf.sections.virtual_size: - dashed_name: process-entry-leader-parent-elf-sections-virtual-size + process.parent.elf.sections.virtual_size: + dashed_name: process-parent-elf-sections-virtual-size description: ELF Section List virtual size. - flat_name: process.entry_leader.parent.elf.sections.virtual_size + flat_name: process.parent.elf.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -17185,13 +14148,13 @@ process: original_fieldset: elf short: ELF Section List virtual size. type: long - process.entry_leader.parent.elf.segments: - dashed_name: process-entry-leader-parent-elf-segments + process.parent.elf.segments: + dashed_name: process-parent-elf-segments description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' - flat_name: process.entry_leader.parent.elf.segments + flat_name: process.parent.elf.segments level: extended name: segments normalize: @@ -17199,10 +14162,10 @@ process: original_fieldset: elf short: ELF object segment list. type: nested - process.entry_leader.parent.elf.segments.sections: - dashed_name: process-entry-leader-parent-elf-segments-sections + process.parent.elf.segments.sections: + dashed_name: process-parent-elf-segments-sections description: ELF object segment sections. - flat_name: process.entry_leader.parent.elf.segments.sections + flat_name: process.parent.elf.segments.sections ignore_above: 1024 level: extended name: segments.sections @@ -17210,10 +14173,10 @@ process: original_fieldset: elf short: ELF object segment sections. type: keyword - process.entry_leader.parent.elf.segments.type: - dashed_name: process-entry-leader-parent-elf-segments-type + process.parent.elf.segments.type: + dashed_name: process-parent-elf-segments-type description: ELF object segment type. - flat_name: process.entry_leader.parent.elf.segments.type + flat_name: process.parent.elf.segments.type ignore_above: 1024 level: extended name: segments.type 
@@ -17221,10 +14184,10 @@ process: original_fieldset: elf short: ELF object segment type. type: keyword - process.entry_leader.parent.elf.shared_libraries: - dashed_name: process-entry-leader-parent-elf-shared-libraries + process.parent.elf.shared_libraries: + dashed_name: process-parent-elf-shared-libraries description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.parent.elf.shared_libraries + flat_name: process.parent.elf.shared_libraries ignore_above: 1024 level: extended name: shared_libraries @@ -17233,10 +14196,10 @@ process: original_fieldset: elf short: List of shared libraries used by this ELF object. type: keyword - process.entry_leader.parent.elf.telfhash: - dashed_name: process-entry-leader-parent-elf-telfhash + process.parent.elf.telfhash: + dashed_name: process-parent-elf-telfhash description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.parent.elf.telfhash + flat_name: process.parent.elf.telfhash ignore_above: 1024 level: extended name: telfhash 
@@ -17244,31 +14207,19 @@ process: original_fieldset: elf short: telfhash hash for ELF file. type: keyword - process.entry_leader.parent.end: - dashed_name: process-entry-leader-parent-end + process.parent.end: + dashed_name: process-parent-end description: The time the process ended. example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.end + flat_name: process.parent.end level: extended name: end normalize: [] original_fieldset: process short: The time the process ended. type: date - process.entry_leader.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.entry_leader.parent.entity_id: - dashed_name: process-entry-leader-parent-entity-id + process.parent.entity_id: + dashed_name: process-parent-entity-id description: 'Unique identifier for the process. The implementation of this is specified by the data source, but some examples @@ -17279,7 +14230,7 @@ process: PID reuse as well as to identify a specific process over time, across multiple monitored hosts.' example: c2c455d9f99375d - flat_name: process.entry_leader.parent.entity_id + flat_name: process.parent.entity_id ignore_above: 1024 level: extended name: entity_id 
@@ -17287,390 +14238,15 @@ process: original_fieldset: process short: Unique identifier for the process. type: keyword - process.entry_leader.parent.entry_meta.source.address: - dashed_name: process-entry-leader-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.entry_leader.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.entry_leader.parent.entry_meta.source.as.number: - dashed_name: process-entry-leader-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.entry_leader.parent.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. 
- type: keyword - process.entry_leader.parent.entry_meta.source.bytes: - dashed_name: process-entry-leader-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.entry_leader.parent.entry_meta.source.domain: - dashed_name: process-entry-leader-parent-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.entry_leader.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. 
- type: keyword - process.entry_leader.parent.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.location: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.entry_leader.parent.entry_meta.source.geo.name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. 
- - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_leader.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_leader.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.entry_leader.parent.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. 
- type: keyword - process.entry_leader.parent.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.entry_leader.parent.entry_meta.source.ip: - dashed_name: process-entry-leader-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.entry_leader.parent.entry_meta.source.mac: - dashed_name: process-entry-leader-parent-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.entry_leader.parent.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.entry_leader.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.entry_leader.parent.entry_meta.source.nat.port: - dashed_name: process-entry-leader-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.entry_leader.parent.entry_meta.source.packets: - dashed_name: process-entry-leader-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.entry_leader.parent.entry_meta.source.port: - dashed_name: process-entry-leader-parent-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.entry_leader.parent.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.entry_leader.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.entry_leader.parent.entry_meta.source.subdomain: - dashed_name: process-entry-leader-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.entry_leader.parent.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.entry_leader.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.entry_leader.parent.entry_meta.type: - dashed_name: process-entry-leader-parent-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.entry_leader.parent.env_vars: - dashed_name: process-entry-leader-parent-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.executable: - dashed_name: process-entry-leader-parent-executable + process.parent.executable: + dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh - flat_name: process.entry_leader.parent.executable + flat_name: process.parent.executable ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.parent.executable.text + - flat_name: process.parent.executable.text name: text type: match_only_text name: executable 
@@ -17678,37 +14254,24 @@ process: original_fieldset: process short: Absolute path to the process executable. type: keyword - process.entry_leader.parent.exit_code: - dashed_name: process-entry-leader-parent-exit-code + process.parent.exit_code: + dashed_name: process-parent-exit-code description: 'The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start).' example: 137 - flat_name: process.entry_leader.parent.exit_code + flat_name: process.parent.exit_code level: extended name: exit_code normalize: [] original_fieldset: process short: The exit code of the process. type: long - process.entry_leader.parent.group.domain: - dashed_name: process-entry-leader-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.group.id: - dashed_name: process-entry-leader-parent-group-id + process.parent.group.id: + dashed_name: process-parent-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.group.id + flat_name: process.parent.group.id ignore_above: 1024 level: extended name: id @@ -17716,10 +14279,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.parent.group.name: - dashed_name: process-entry-leader-parent-group-name + process.parent.group.name: + dashed_name: process-parent-group-name description: Name of the group. - flat_name: process.entry_leader.parent.group.name + flat_name: process.parent.group.name ignore_above: 1024 level: extended name: name 
@@ -17727,13 +14290,72 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.entry_leader.parent.hash.cdhash: + process.parent.group_leader.entity_id: + dashed_name: process-parent-group-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.parent.group_leader.entity_id + ignore_above: 1024 + level: extended + name: entity_id + normalize: [] + original_fieldset: process + short: Unique identifier for the process. + type: keyword + process.parent.group_leader.pid: + dashed_name: process-parent-group-leader-pid + description: Process id. + example: 4242 + flat_name: process.parent.group_leader.pid + format: string + level: core + name: pid + normalize: [] + original_fieldset: process + short: Process id. + type: long + process.parent.group_leader.start: + dashed_name: process-parent-group-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.group_leader.start + level: extended + name: start + normalize: [] + original_fieldset: process + short: The time the process started. + type: date + process.parent.group_leader.vpid: + dashed_name: process-parent-group-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' 
+ example: 4242 + flat_name: process.parent.group_leader.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.parent.hash.cdhash: beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-hash-cdhash + dashed_name: process-parent-hash-cdhash description: Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code. example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.parent.hash.cdhash + flat_name: process.parent.hash.cdhash ignore_above: 1024 level: extended name: cdhash @@ -17741,10 +14363,10 @@ process: original_fieldset: hash short: The Code Directory (CD) hash of an executable. type: keyword - process.entry_leader.parent.hash.md5: - dashed_name: process-entry-leader-parent-hash-md5 + process.parent.hash.md5: + dashed_name: process-parent-hash-md5 description: MD5 hash. - flat_name: process.entry_leader.parent.hash.md5 + flat_name: process.parent.hash.md5 ignore_above: 1024 level: extended name: md5 @@ -17752,10 +14374,10 @@ process: original_fieldset: hash short: MD5 hash. type: keyword - process.entry_leader.parent.hash.sha1: - dashed_name: process-entry-leader-parent-hash-sha1 + process.parent.hash.sha1: + dashed_name: process-parent-hash-sha1 description: SHA1 hash. - flat_name: process.entry_leader.parent.hash.sha1 + flat_name: process.parent.hash.sha1 ignore_above: 1024 level: extended name: sha1 @@ -17763,10 +14385,10 @@ process: original_fieldset: hash short: SHA1 hash. type: keyword - process.entry_leader.parent.hash.sha256: - dashed_name: process-entry-leader-parent-hash-sha256 + process.parent.hash.sha256: + dashed_name: process-parent-hash-sha256 description: SHA256 hash. - flat_name: process.entry_leader.parent.hash.sha256 + flat_name: process.parent.hash.sha256 ignore_above: 1024 level: extended name: sha256 
@@ -17774,10 +14396,10 @@ process: original_fieldset: hash short: SHA256 hash. type: keyword - process.entry_leader.parent.hash.sha384: - dashed_name: process-entry-leader-parent-hash-sha384 + process.parent.hash.sha384: + dashed_name: process-parent-hash-sha384 description: SHA384 hash. - flat_name: process.entry_leader.parent.hash.sha384 + flat_name: process.parent.hash.sha384 ignore_above: 1024 level: extended name: sha384 @@ -17785,10 +14407,10 @@ process: original_fieldset: hash short: SHA384 hash. type: keyword - process.entry_leader.parent.hash.sha512: - dashed_name: process-entry-leader-parent-hash-sha512 + process.parent.hash.sha512: + dashed_name: process-parent-hash-sha512 description: SHA512 hash. - flat_name: process.entry_leader.parent.hash.sha512 + flat_name: process.parent.hash.sha512 ignore_above: 1024 level: extended name: sha512 @@ -17796,10 +14418,10 @@ process: original_fieldset: hash short: SHA512 hash. type: keyword - process.entry_leader.parent.hash.ssdeep: - dashed_name: process-entry-leader-parent-hash-ssdeep + process.parent.hash.ssdeep: + dashed_name: process-parent-hash-ssdeep description: SSDEEP hash. - flat_name: process.entry_leader.parent.hash.ssdeep + flat_name: process.parent.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep @@ -17807,10 +14429,10 @@ process: original_fieldset: hash short: SSDEEP hash. type: keyword - process.entry_leader.parent.hash.tlsh: - dashed_name: process-entry-leader-parent-hash-tlsh + process.parent.hash.tlsh: + dashed_name: process-parent-hash-tlsh description: TLSH hash. - flat_name: process.entry_leader.parent.hash.tlsh + flat_name: process.parent.hash.tlsh ignore_above: 1024 level: extended name: tlsh 
@@ -17818,8 +14440,8 @@ process: original_fieldset: hash short: TLSH hash. type: keyword - process.entry_leader.parent.interactive: - dashed_name: process-entry-leader-parent-interactive + process.parent.interactive: + dashed_name: process-parent-interactive description: 'Whether the process is connected to an interactive shell. Process interactivity is inferred from the processes file descriptors. If 
@@ -17832,159 +14454,45 @@ process: backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.' example: true - flat_name: process.entry_leader.parent.interactive + flat_name: process.parent.interactive level: extended name: interactive normalize: [] original_fieldset: process short: Whether the process is connected to an interactive shell. type: boolean - process.entry_leader.parent.io: - dashed_name: process-entry-leader-parent-io - description: 'A chunk of input or output (IO) from a single process. + process.parent.macho.go_import_hash: + dashed_name: process-parent-macho-go-import-hash + description: 'A hash of the Go language imports in a Mach-O file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.entry_leader.parent.io + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.parent.macho.go_import_hash + ignore_above: 1024 level: extended - name: io + name: go_import_hash normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.entry_leader.parent.io.bytes_skipped: - dashed_name: process-entry-leader-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. 
- type: object - process.entry_leader.parent.io.bytes_skipped.length: - dashed_name: process-entry-leader-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped.length + original_fieldset: macho + short: A hash of the Go language imports in a Mach-O file. + type: keyword + process.parent.macho.go_imports: + dashed_name: process-parent-macho-go-imports + description: List of imported Go language element names and types. + flat_name: process.parent.macho.go_imports level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.entry_leader.parent.io.bytes_skipped.offset: - dashed_name: process-entry-leader-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.entry_leader.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.entry_leader.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.entry_leader.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.entry_leader.parent.io.text: - dashed_name: process-entry-leader-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. 
- - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.entry_leader.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.entry_leader.parent.io.total_bytes_captured: - dashed_name: process-entry-leader-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.entry_leader.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.entry_leader.parent.io.total_bytes_skipped: - dashed_name: process-entry-leader-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.entry_leader.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.entry_leader.parent.io.type: - dashed_name: process-entry-leader-parent-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' 
- flat_name: process.entry_leader.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.entry_leader.parent.macho.go_import_hash: - dashed_name: process-entry-leader-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.entry_leader.parent.macho.go_imports: - dashed_name: process-entry-leader-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.macho.go_imports - level: extended - name: go_imports + name: go_imports normalize: [] original_fieldset: macho short: List of imported Go language element names and types. type: flattened - process.entry_leader.parent.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-macho-go-imports-names-entropy + process.parent.macho.go_imports_names_entropy: + dashed_name: process-parent-macho-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.macho.go_imports_names_entropy + flat_name: process.parent.macho.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy 
@@ -17992,10 +14500,10 @@ process: original_fieldset: macho short: Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.parent.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-macho-go-imports-names-var-entropy + process.parent.macho.go_imports_names_var_entropy: + dashed_name: process-parent-macho-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.macho.go_imports_names_var_entropy + flat_name: process.parent.macho.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -18003,26 +14511,26 @@ process: original_fieldset: macho short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.parent.macho.go_stripped: - dashed_name: process-entry-leader-parent-macho-go-stripped + process.parent.macho.go_stripped: + dashed_name: process-parent-macho-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.macho.go_stripped + flat_name: process.parent.macho.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: macho short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.entry_leader.parent.macho.import_hash: - dashed_name: process-entry-leader-parent-macho-import-hash + process.parent.macho.import_hash: + dashed_name: process-parent-macho-import-hash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for symhash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.macho.import_hash + flat_name: process.parent.macho.import_hash ignore_above: 1024 level: extended name: import_hash @@ -18030,10 +14538,10 @@ process: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword - process.entry_leader.parent.macho.imports: - dashed_name: process-entry-leader-parent-macho-imports + process.parent.macho.imports: + dashed_name: process-parent-macho-imports description: List of imported element names and types. - flat_name: process.entry_leader.parent.macho.imports + flat_name: process.parent.macho.imports level: extended name: imports normalize: 
@@ -18041,11 +14549,11 @@ process: original_fieldset: macho short: List of imported element names and types. type: flattened - process.entry_leader.parent.macho.imports_names_entropy: - dashed_name: process-entry-leader-parent-macho-imports-names-entropy + process.parent.macho.imports_names_entropy: + dashed_name: process-parent-macho-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.macho.imports_names_entropy + flat_name: process.parent.macho.imports_names_entropy format: number level: extended name: imports_names_entropy @@ -18054,11 +14562,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.entry_leader.parent.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-macho-imports-names-var-entropy + process.parent.macho.imports_names_var_entropy: + dashed_name: process-parent-macho-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.macho.imports_names_var_entropy + flat_name: process.parent.macho.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -18067,13 +14575,13 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.entry_leader.parent.macho.sections: - dashed_name: process-entry-leader-parent-macho-sections + process.parent.macho.sections: + dashed_name: process-parent-macho-sections description: 'An array containing an object for each section of the Mach-O file. The keys that should be present in these objects are defined by sub-fields underneath `macho.sections.*`.' - flat_name: process.entry_leader.parent.macho.sections + flat_name: process.parent.macho.sections level: extended name: sections normalize: 
@@ -18081,10 +14589,10 @@ process: original_fieldset: macho short: Section information of the Mach-O file. type: nested - process.entry_leader.parent.macho.sections.entropy: - dashed_name: process-entry-leader-parent-macho-sections-entropy + process.parent.macho.sections.entropy: + dashed_name: process-parent-macho-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.macho.sections.entropy + flat_name: process.parent.macho.sections.entropy format: number level: extended name: sections.entropy @@ -18092,10 +14600,10 @@ process: original_fieldset: macho short: Shannon entropy calculation from the section. type: long - process.entry_leader.parent.macho.sections.name: - dashed_name: process-entry-leader-parent-macho-sections-name + process.parent.macho.sections.name: + dashed_name: process-parent-macho-sections-name description: Mach-O Section List name. - flat_name: process.entry_leader.parent.macho.sections.name + flat_name: process.parent.macho.sections.name ignore_above: 1024 level: extended name: sections.name @@ -18103,10 +14611,10 @@ process: original_fieldset: macho short: Mach-O Section List name. type: keyword - process.entry_leader.parent.macho.sections.physical_size: - dashed_name: process-entry-leader-parent-macho-sections-physical-size + process.parent.macho.sections.physical_size: + dashed_name: process-parent-macho-sections-physical-size description: Mach-O Section List physical size. - flat_name: process.entry_leader.parent.macho.sections.physical_size + flat_name: process.parent.macho.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -18114,10 +14622,10 @@ process: original_fieldset: macho short: Mach-O Section List physical size. type: long - process.entry_leader.parent.macho.sections.var_entropy: - dashed_name: process-entry-leader-parent-macho-sections-var-entropy + process.parent.macho.sections.var_entropy: + dashed_name: process-parent-macho-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.macho.sections.var_entropy + flat_name: process.parent.macho.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -18125,10 +14633,10 @@ process: original_fieldset: macho short: Variance for Shannon entropy calculation from the section. type: long - process.entry_leader.parent.macho.sections.virtual_size: - dashed_name: process-entry-leader-parent-macho-sections-virtual-size + process.parent.macho.sections.virtual_size: + dashed_name: process-parent-macho-sections-virtual-size description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.macho.sections.virtual_size + flat_name: process.parent.macho.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -18136,15 +14644,15 @@ process: original_fieldset: macho short: Mach-O Section List virtual size. This is always the same as `physical_size`. type: long - process.entry_leader.parent.macho.symhash: - dashed_name: process-entry-leader-parent-macho-symhash + process.parent.macho.symhash: + dashed_name: process-parent-macho-symhash description: 'A hash of the imports in a Mach-O file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a Mach-O implementation of the Windows PE imphash' example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.parent.macho.symhash + flat_name: process.parent.macho.symhash ignore_above: 1024 level: extended name: symhash @@ -18152,17 +14660,17 @@ process: original_fieldset: macho short: A hash of the imports in a Mach-O file. type: keyword - process.entry_leader.parent.name: - dashed_name: process-entry-leader-parent-name + process.parent.name: + dashed_name: process-parent-name description: 'Process name. Sometimes called program name or similar.' example: ssh - flat_name: process.entry_leader.parent.name + flat_name: process.parent.name ignore_above: 1024 level: extended multi_fields: - - flat_name: process.entry_leader.parent.name.text + - flat_name: process.parent.name.text name: text type: match_only_text name: name 
@@ -18170,38 +14678,11 @@ process: original_fieldset: process short: Process name. type: keyword - process.entry_leader.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.entry_leader.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.entry_leader.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.entry_leader.parent.pe.architecture: - dashed_name: process-entry-leader-parent-pe-architecture + process.parent.pe.architecture: + dashed_name: process-parent-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: process.entry_leader.parent.pe.architecture + flat_name: process.parent.pe.architecture ignore_above: 1024 level: extended name: architecture 
@@ -18209,11 +14690,11 @@ process: original_fieldset: pe short: CPU architecture target for the file. type: keyword - process.entry_leader.parent.pe.company: - dashed_name: process-entry-leader-parent-pe-company + process.parent.pe.company: + dashed_name: process-parent-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: process.entry_leader.parent.pe.company + flat_name: process.parent.pe.company ignore_above: 1024 level: extended name: company @@ -18221,11 +14702,11 @@ process: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword - process.entry_leader.parent.pe.description: - dashed_name: process-entry-leader-parent-pe-description + process.parent.pe.description: + dashed_name: process-parent-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: process.entry_leader.parent.pe.description + flat_name: process.parent.pe.description ignore_above: 1024 level: extended name: description @@ -18233,11 +14714,11 @@ process: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword - process.entry_leader.parent.pe.file_version: - dashed_name: process-entry-leader-parent-pe-file-version + process.parent.pe.file_version: + dashed_name: process-parent-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: process.entry_leader.parent.pe.file_version + flat_name: process.parent.pe.file_version ignore_above: 1024 level: extended name: file_version 
@@ -18245,8 +14726,8 @@ process: original_fieldset: pe short: Process name. type: keyword - process.entry_leader.parent.pe.go_import_hash: - dashed_name: process-entry-leader-parent-pe-go-import-hash + process.parent.pe.go_import_hash: + dashed_name: process-parent-pe-go-import-hash description: 'A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would @@ -18255,7 +14736,7 @@ process: The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma' example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.pe.go_import_hash + flat_name: process.parent.pe.go_import_hash ignore_above: 1024 level: extended name: go_import_hash 
@@ -18263,20 +14744,20 @@ process: original_fieldset: pe short: A hash of the Go language imports in a PE file. type: keyword - process.entry_leader.parent.pe.go_imports: - dashed_name: process-entry-leader-parent-pe-go-imports + process.parent.pe.go_imports: + dashed_name: process-parent-pe-go-imports description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.pe.go_imports + flat_name: process.parent.pe.go_imports level: extended name: go_imports normalize: [] original_fieldset: pe short: List of imported Go language element names and types. type: flattened - process.entry_leader.parent.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-pe-go-imports-names-entropy + process.parent.pe.go_imports_names_entropy: + dashed_name: process-parent-pe-go-imports-names-entropy description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.pe.go_imports_names_entropy + flat_name: process.parent.pe.go_imports_names_entropy format: number level: extended name: go_imports_names_entropy @@ -18284,10 +14765,10 @@ process: original_fieldset: pe short: Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.parent.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-pe-go-imports-names-var-entropy + process.parent.pe.go_imports_names_var_entropy: + dashed_name: process-parent-pe-go-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.pe.go_imports_names_var_entropy + flat_name: process.parent.pe.go_imports_names_var_entropy format: number level: extended name: go_imports_names_var_entropy 
@@ -18295,26 +14776,26 @@ process: original_fieldset: pe short: Variance for Shannon entropy calculation from the list of Go imports. type: long - process.entry_leader.parent.pe.go_stripped: - dashed_name: process-entry-leader-parent-pe-go-stripped + process.parent.pe.go_stripped: + dashed_name: process-parent-pe-go-stripped description: Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.pe.go_stripped + flat_name: process.parent.pe.go_stripped level: extended name: go_stripped normalize: [] original_fieldset: pe short: Whether the file is a stripped or obfuscated Go executable. type: boolean - process.entry_leader.parent.pe.imphash: - dashed_name: process-entry-leader-parent-pe-imphash + process.parent.pe.imphash: + dashed_name: process-parent-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.parent.pe.imphash + flat_name: process.parent.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -18322,15 +14803,15 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - process.entry_leader.parent.pe.import_hash: - dashed_name: process-entry-leader-parent-pe-import-hash + process.parent.pe.import_hash: + dashed_name: process-parent-pe-import-hash description: 'A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.' example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.pe.import_hash + flat_name: process.parent.pe.import_hash ignore_above: 1024 level: extended name: import_hash @@ -18338,10 +14819,10 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - process.entry_leader.parent.pe.imports: - dashed_name: process-entry-leader-parent-pe-imports + process.parent.pe.imports: + dashed_name: process-parent-pe-imports description: List of imported element names and types. - flat_name: process.entry_leader.parent.pe.imports + flat_name: process.parent.pe.imports level: extended name: imports normalize: @@ -18349,11 +14830,11 @@ process: original_fieldset: pe short: List of imported element names and types. type: flattened - process.entry_leader.parent.pe.imports_names_entropy: - dashed_name: process-entry-leader-parent-pe-imports-names-entropy + process.parent.pe.imports_names_entropy: + dashed_name: process-parent-pe-imports-names-entropy description: Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.pe.imports_names_entropy + flat_name: process.parent.pe.imports_names_entropy format: number level: extended name: imports_names_entropy 
@@ -18362,11 +14843,11 @@ process: short: Shannon entropy calculation from the list of imported element names and types. type: long - process.entry_leader.parent.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-pe-imports-names-var-entropy + process.parent.pe.imports_names_var_entropy: + dashed_name: process-parent-pe-imports-names-var-entropy description: Variance for Shannon entropy calculation from the list of imported element names and types. - flat_name: process.entry_leader.parent.pe.imports_names_var_entropy + flat_name: process.parent.pe.imports_names_var_entropy format: number level: extended name: imports_names_var_entropy @@ -18375,11 +14856,11 @@ process: short: Variance for Shannon entropy calculation from the list of imported element names and types. type: long - process.entry_leader.parent.pe.original_file_name: - dashed_name: process-entry-leader-parent-pe-original-file-name + process.parent.pe.original_file_name: + dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: process.entry_leader.parent.pe.original_file_name + flat_name: process.parent.pe.original_file_name ignore_above: 1024 level: extended name: original_file_name 
@@ -18387,15 +14868,15 @@ process: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword - process.entry_leader.parent.pe.pehash: - dashed_name: process-entry-leader-parent-pe-pehash + process.parent.pe.pehash: + dashed_name: process-parent-pe-pehash description: 'A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.parent.pe.pehash + flat_name: process.parent.pe.pehash ignore_above: 1024 level: extended name: pehash @@ -18403,11 +14884,11 @@ process: original_fieldset: pe short: A hash of the PE header and data from one or more PE sections. type: keyword - process.entry_leader.parent.pe.product: - dashed_name: process-entry-leader-parent-pe-product + process.parent.pe.product: + dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.parent.pe.product + flat_name: process.parent.pe.product ignore_above: 1024 level: extended name: product @@ -18415,13 +14896,13 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - process.entry_leader.parent.pe.sections: - dashed_name: process-entry-leader-parent-pe-sections + process.parent.pe.sections: + dashed_name: process-parent-pe-sections description: 'An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`.' - flat_name: process.entry_leader.parent.pe.sections + flat_name: process.parent.pe.sections level: extended name: sections normalize: 
@@ -18429,10 +14910,10 @@ process: original_fieldset: pe short: Section information of the PE file. type: nested - process.entry_leader.parent.pe.sections.entropy: - dashed_name: process-entry-leader-parent-pe-sections-entropy + process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.pe.sections.entropy + flat_name: process.parent.pe.sections.entropy format: number level: extended name: sections.entropy @@ -18440,10 +14921,10 @@ process: original_fieldset: pe short: Shannon entropy calculation from the section. type: long - process.entry_leader.parent.pe.sections.name: - dashed_name: process-entry-leader-parent-pe-sections-name + process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name description: PE Section List name. - flat_name: process.entry_leader.parent.pe.sections.name + flat_name: process.parent.pe.sections.name ignore_above: 1024 level: extended name: sections.name @@ -18451,10 +14932,10 @@ process: original_fieldset: pe short: PE Section List name. type: keyword - process.entry_leader.parent.pe.sections.physical_size: - dashed_name: process-entry-leader-parent-pe-sections-physical-size + process.parent.pe.sections.physical_size: + dashed_name: process-parent-pe-sections-physical-size description: PE Section List physical size. - flat_name: process.entry_leader.parent.pe.sections.physical_size + flat_name: process.parent.pe.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -18462,10 +14943,10 @@ process: original_fieldset: pe short: PE Section List physical size. type: long - process.entry_leader.parent.pe.sections.var_entropy: - dashed_name: process-entry-leader-parent-pe-sections-var-entropy + process.parent.pe.sections.var_entropy: + dashed_name: process-parent-pe-sections-var-entropy description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.pe.sections.var_entropy + flat_name: process.parent.pe.sections.var_entropy format: number level: extended name: sections.var_entropy @@ -18473,10 +14954,10 @@ process: original_fieldset: pe short: Variance for Shannon entropy calculation from the section. type: long - process.entry_leader.parent.pe.sections.virtual_size: - dashed_name: process-entry-leader-parent-pe-sections-virtual-size + process.parent.pe.sections.virtual_size: + dashed_name: process-parent-pe-sections-virtual-size description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.pe.sections.virtual_size + flat_name: process.parent.pe.sections.virtual_size format: string level: extended name: sections.virtual_size @@ -18484,11 +14965,11 @@ process: original_fieldset: pe short: PE Section List virtual size. This is always the same as `physical_size`. type: long - process.entry_leader.parent.pid: - dashed_name: process-entry-leader-parent-pid + process.parent.pid: + dashed_name: process-parent-pid description: Process id. example: 4242 - flat_name: process.entry_leader.parent.pid + flat_name: process.parent.pid format: string level: core name: pid 
@@ -18496,36 +14977,60 @@ process: original_fieldset: process short: Process id. type: long - process.entry_leader.parent.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.entry_leader.parent.platform_binary + process.parent.real_group.id: + dashed_name: process-parent-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.real_group.id + ignore_above: 1024 level: extended - name: platform_binary + name: id normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.entry_leader.parent.real_group.domain: - dashed_name: process-entry-leader-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.real_group.domain + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.real_group.name: + dashed_name: process-parent-real-group-name + description: Name of the group. + flat_name: process.parent.real_group.name ignore_above: 1024 level: extended - name: domain + name: name normalize: [] original_fieldset: group - short: Name of the directory the group is a member of. + short: Name of the group. + type: keyword + process.parent.real_user.id: + dashed_name: process-parent-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.real_user.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. 
+ type: keyword + process.parent.real_user.name: + dashed_name: process-parent-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.real_user.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: process.parent.real_user.name.text + name: text + type: match_only_text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. type: keyword - process.entry_leader.parent.real_group.id: - dashed_name: process-entry-leader-parent-real-group-id + process.parent.saved_group.id: + dashed_name: process-parent-saved-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.real_group.id + flat_name: process.parent.saved_group.id ignore_above: 1024 level: extended name: id @@ -18533,10 +15038,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.entry_leader.parent.real_group.name: - dashed_name: process-entry-leader-parent-real-group-name + process.parent.saved_group.name: + dashed_name: process-parent-saved-group-name description: Name of the group. - flat_name: process.entry_leader.parent.real_group.name + flat_name: process.parent.saved_group.name ignore_above: 1024 level: extended name: name 
@@ -18544,356 +15049,196 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.entry_leader.parent.real_user.domain: - dashed_name: process-entry-leader-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.real_user.domain + process.parent.saved_user.id: + dashed_name: process-parent-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.parent.saved_user.id ignore_above: 1024 - level: extended - name: domain + level: core + name: id normalize: [] original_fieldset: user - short: Name of the directory the user is a member of. + short: Unique identifier of the user. type: keyword - process.entry_leader.parent.real_user.email: - dashed_name: process-entry-leader-parent-real-user-email - description: User email address. - flat_name: process.entry_leader.parent.real_user.email + process.parent.saved_user.name: + dashed_name: process-parent-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.parent.saved_user.name ignore_above: 1024 - level: extended - name: email + level: core + multi_fields: + - flat_name: process.parent.saved_user.name.text + name: text + type: match_only_text + name: name normalize: [] original_fieldset: user - short: User email address. + short: Short name or login of the user. type: keyword - process.entry_leader.parent.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.parent.real_user.entity.attributes + process.parent.start: + dashed_name: process-parent-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.parent.start level: extended - name: attributes + name: start normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.parent.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.real_user.entity.behavior + original_fieldset: process + short: The time the process started. + type: date + process.parent.supplemental_groups.id: + dashed_name: process-parent-supplemental-groups-id + description: Unique identifier for the group on the system/platform. + flat_name: process.parent.supplemental_groups.id + ignore_above: 1024 level: extended - name: behavior + name: id normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.parent.real_user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.real_user.entity.display_name + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword + process.parent.supplemental_groups.name: + dashed_name: process-parent-supplemental-groups-name + description: Name of the group. + flat_name: process.parent.supplemental_groups.name ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.parent.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name + name: name normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. + original_fieldset: group + short: Name of the group. type: keyword - process.entry_leader.parent.real_user.entity.id: - dashed_name: process-entry-leader-parent-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- flat_name: process.entry_leader.parent.real_user.entity.id + process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + synthetic_source_keep: none type: keyword - process.entry_leader.parent.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.real_user.entity.last_seen_timestamp + process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.parent.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.real_user.entity.lifecycle + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + synthetic_source_keep: none + type: keyword + process.parent.thread.id: + dashed_name: process-parent-thread-id + description: Thread ID. + example: 4242 + flat_name: process.parent.thread.id + format: string level: extended - name: lifecycle + name: thread.id normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.parent.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.parent.real_user.entity.metrics + original_fieldset: process + short: Thread ID. + type: long + process.parent.thread.name: + dashed_name: process-parent-thread-name + description: Thread name. + example: thread-0 + flat_name: process.parent.thread.name + ignore_above: 1024 level: extended - name: metrics + name: thread.name normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.parent.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. 
- For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.parent.real_user.entity.name + original_fieldset: process + short: Thread name. + type: keyword + process.parent.title: + dashed_name: process-parent-title + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + flat_name: process.parent.title ignore_above: 1024 - level: core + level: extended multi_fields: - - flat_name: process.entry_leader.parent.real_user.entity.name.text + - flat_name: process.parent.title.text name: text - norms: false - type: text - name: name + type: match_only_text + name: title normalize: [] - original_fieldset: entity - short: The name of the entity. + original_fieldset: process + short: Process title. type: keyword - process.entry_leader.parent.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.parent.real_user.entity.raw + process.parent.tty: + dashed_name: process-parent-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.parent.tty level: extended - name: raw + name: tty normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. + original_fieldset: process + short: Information about the controlling TTY device. type: object - process.entry_leader.parent.real_user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.real_user.entity.reference - ignore_above: 1024 + process.parent.tty.char_device.major: + dashed_name: process-parent-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.parent.tty.char_device.major level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.parent.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.parent.real_user.entity.source - ignore_above: 1024 - level: core - name: source + name: tty.char_device.major normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.parent.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.parent.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-real-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.parent.real_user.full_name: - dashed_name: process-entry-leader-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.real_user.group.domain: - dashed_name: process-entry-leader-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.real_user.group.id: - dashed_name: process-entry-leader-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.entry_leader.parent.real_user.group.name: - dashed_name: process-entry-leader-parent-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.real_user.group.name - ignore_above: 1024 + original_fieldset: process + short: The TTY character device's major number. + type: long + process.parent.tty.char_device.minor: + dashed_name: process-parent-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.parent.tty.char_device.minor level: extended - name: name + name: tty.char_device.minor normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.real_user.hash: - dashed_name: process-entry-leader-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.real_user.hash - ignore_above: 1024 + original_fieldset: process + short: The TTY character device's minor number. + type: long + process.parent.uptime: + dashed_name: process-parent-uptime + description: Seconds the process has been up. + example: 1325 + flat_name: process.parent.uptime level: extended - name: hash + name: uptime normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.real_user.id: - dashed_name: process-entry-leader-parent-real-user-id + original_fieldset: process + short: Seconds the process has been up. 
+ type: long + process.parent.user.id: + dashed_name: process-parent-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.real_user.id + flat_name: process.parent.user.id ignore_above: 1024 level: core name: id @@ -18901,15 +15246,15 @@ process: original_fieldset: user short: Unique identifier of the user. type: keyword - process.entry_leader.parent.real_user.name: - dashed_name: process-entry-leader-parent-real-user-name + process.parent.user.name: + dashed_name: process-parent-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.entry_leader.parent.real_user.name + flat_name: process.parent.user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.entry_leader.parent.real_user.name.text + - flat_name: process.parent.user.name.text name: text type: match_only_text name: name 
@@ -18917,42053 +15262,446 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.entry_leader.parent.real_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.real_user.risk.calculated_level + process.parent.vpid: + dashed_name: process-parent-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.parent.vpid + format: string + level: core + name: vpid + normalize: [] + original_fieldset: process + short: Virtual process id. + type: long + process.parent.working_directory: + dashed_name: process-parent-working-directory + description: The working directory of the process. + example: /home/alice + flat_name: process.parent.working_directory ignore_above: 1024 level: extended - name: calculated_level + multi_fields: + - flat_name: process.parent.working_directory.text + name: text + type: match_only_text + name: working_directory normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. + original_fieldset: process + short: The working directory of the process. type: keyword - process.entry_leader.parent.real_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.entry_leader.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.real_user.risk.calculated_score_norm + process.pe.architecture: + dashed_name: process-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: process.pe.architecture + ignore_above: 1024 level: extended - name: calculated_score_norm + name: architecture normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.real_user.risk.static_level: - dashed_name: process-entry-leader-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.real_user.risk.static_level + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + process.pe.company: + dashed_name: process-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.pe.company ignore_above: 1024 level: extended - name: static_level + name: company normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. 
+ original_fieldset: pe + short: Internal company name of the file, provided at compile-time. type: keyword - process.entry_leader.parent.real_user.risk.static_score: - dashed_name: process-entry-leader-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.real_user.risk.static_score + process.pe.description: + dashed_name: process-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.pe.description + ignore_above: 1024 level: extended - name: static_score + name: description normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.real_user.risk.static_score_norm + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + process.pe.file_version: + dashed_name: process-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.pe.file_version + ignore_above: 1024 level: extended - name: static_score_norm + name: file_version normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float - process.entry_leader.parent.real_user.roles: - dashed_name: process-entry-leader-parent-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.real_user.roles + original_fieldset: pe + short: Process name. + type: keyword + process.pe.go_import_hash: + dashed_name: process-pe-go-import-hash + description: 'A hash of the Go language imports in a PE file excluding standard + library imports. An import hash can be used to fingerprint binaries even after + recompilation or other code-level transformations have occurred, which would + change more traditional hash values. + + The algorithm used to calculate the Go symbol hash and a reference implementation + are available here: https://github.com/elastic/toutoumomoma' + example: 10bddcb4cee42080f76c88d9ff964491 + flat_name: process.pe.go_import_hash ignore_above: 1024 level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none + name: go_import_hash + normalize: [] + original_fieldset: pe + short: A hash of the Go language imports in a PE file. type: keyword - process.entry_leader.parent.same_as_process: - dashed_name: process-entry-leader-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.parent.same_as_process + process.pe.go_imports: + dashed_name: process-pe-go-imports + description: List of imported Go language element names and types. + flat_name: process.pe.go_imports level: extended - name: same_as_process + name: go_imports normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.entry_leader.parent.saved_group.domain: - dashed_name: process-entry-leader-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.saved_group.domain - ignore_above: 1024 + original_fieldset: pe + short: List of imported Go language element names and types. + type: flattened + process.pe.go_imports_names_entropy: + dashed_name: process-pe-go-imports-names-entropy + description: Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_entropy + format: number level: extended - name: domain + name: go_imports_names_entropy normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.saved_group.id: - dashed_name: process-entry-leader-parent-saved-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.entry_leader.parent.saved_group.id - ignore_above: 1024 + original_fieldset: pe + short: Shannon entropy calculation from the list of Go imports. + type: long + process.pe.go_imports_names_var_entropy: + dashed_name: process-pe-go-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of Go imports. + flat_name: process.pe.go_imports_names_var_entropy + format: number level: extended - name: id + name: go_imports_names_var_entropy normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.saved_group.name: - dashed_name: process-entry-leader-parent-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.saved_group.name - ignore_above: 1024 + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of Go imports. + type: long + process.pe.go_stripped: + dashed_name: process-pe-go-stripped + description: Set to true if the file is a Go executable that has had its symbols + stripped or obfuscated and false if an unobfuscated Go executable. + flat_name: process.pe.go_stripped level: extended - name: name + name: go_stripped normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.saved_user.domain: - dashed_name: process-entry-leader-parent-saved-user-domain - description: 'Name of the directory the user is a member of. + original_fieldset: pe + short: Whether the file is a stripped or obfuscated Go executable. + type: boolean + process.pe.imphash: + dashed_name: process-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.saved_user.domain + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.pe.imphash ignore_above: 1024 level: extended - name: domain + name: imphash normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword - process.entry_leader.parent.saved_user.email: - dashed_name: process-entry-leader-parent-saved-user-email - description: User email address. - flat_name: process.entry_leader.parent.saved_user.email + process.pe.import_hash: + dashed_name: process-pe-import-hash + description: 'A hash of the imports in a PE file. An import hash can be used + to fingerprint binaries even after recompilation or other code-level transformations + have occurred, which would change more traditional hash values. + + This is a synonym for imphash.' + example: d41d8cd98f00b204e9800998ecf8427e + flat_name: process.pe.import_hash ignore_above: 1024 level: extended - name: email + name: import_hash normalize: [] - original_fieldset: user - short: User email address. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword - process.entry_leader.parent.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- flat_name: process.entry_leader.parent.saved_user.entity.attributes + process.pe.imports: + dashed_name: process-pe-imports + description: List of imported element names and types. + flat_name: process.pe.imports level: extended - name: attributes + name: imports + normalize: + - array + original_fieldset: pe + short: List of imported element names and types. + type: flattened + process.pe.imports_names_entropy: + dashed_name: process-pe-imports-names-entropy + description: Shannon entropy calculation from the list of imported element names + and types. + flat_name: process.pe.imports_names_entropy + format: number + level: extended + name: imports_names_entropy normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.parent.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.saved_user.entity.behavior + original_fieldset: pe + short: Shannon entropy calculation from the list of imported element names and + types. + type: long + process.pe.imports_names_var_entropy: + dashed_name: process-pe-imports-names-var-entropy + description: Variance for Shannon entropy calculation from the list of imported + element names and types. 
+ flat_name: process.pe.imports_names_var_entropy + format: number level: extended - name: behavior + name: imports_names_var_entropy normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.parent.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.saved_user.entity.display_name + original_fieldset: pe + short: Variance for Shannon entropy calculation from the list of imported element + names and types. + type: long + process.pe.original_file_name: + dashed_name: process-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.pe.original_file_name ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name + name: original_file_name normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. + original_fieldset: pe + short: Internal name of the file, provided at compile-time. type: keyword - process.entry_leader.parent.saved_user.entity.id: - dashed_name: process-entry-leader-parent-saved-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.parent.saved_user.entity.id + process.pe.pehash: + dashed_name: process-pe-pehash + description: 'A hash of the PE header and data from one or more PE sections. + An pehash can be used to cluster files by transforming structural information + about a file into a hash value. + + Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' + example: 73ff189b63cd6be375a7ff25179a38d347651975 + flat_name: process.pe.pehash ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.parent.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.saved_user.entity.last_seen_timestamp level: extended - name: last_seen_timestamp + name: pehash normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.parent.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.parent.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.parent.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.parent.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.parent.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.parent.saved_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.parent.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.parent.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.parent.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.parent.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.parent.saved_user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.parent.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.parent.saved_user.full_name: - dashed_name: process-entry-leader-parent-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.saved_user.group.domain: - dashed_name: process-entry-leader-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.entry_leader.parent.saved_user.group.id: - dashed_name: process-entry-leader-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.saved_user.group.name: - dashed_name: process-entry-leader-parent-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.saved_user.hash: - dashed_name: process-entry-leader-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.saved_user.id: - dashed_name: process-entry-leader-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.saved_user.name: - dashed_name: process-entry-leader-parent-saved-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.entry_leader.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - flat_name: process.entry_leader.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.saved_user.risk.static_level: - dashed_name: process-entry-leader-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.saved_user.risk.static_score: - dashed_name: process-entry-leader-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.entry_leader.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.saved_user.roles: - dashed_name: process-entry-leader-parent-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.args: - dashed_name: process-entry-leader-parent-session-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.entry_leader.parent.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.entry_leader.parent.session_leader.args_count: - dashed_name: process-entry-leader-parent-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.entry_leader.parent.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. 
- type: long - process.entry_leader.parent.session_leader.attested_groups.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.attested_groups.id: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.attested_groups.name: - dashed_name: process-entry-leader-parent-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.attested_user.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword - process.entry_leader.parent.session_leader.attested_user.email: - dashed_name: process-entry-leader-parent-session-leader-attested-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.session_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.parent.session_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.entry_leader.parent.session_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.parent.session_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.parent.session_leader.attested_user.entity.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- flat_name: process.entry_leader.parent.session_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.parent.session_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.parent.session_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- flat_name: process.entry_leader.parent.session_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.parent.session_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.parent.session_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.parent.session_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.parent.session_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.parent.session_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.parent.session_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.session_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.parent.session_leader.attested_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.session_leader.attested_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.attested_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.entry_leader.parent.session_leader.attested_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.attested_user.hash: - dashed_name: process-entry-leader-parent-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.session_leader.attested_user.id: - dashed_name: process-entry-leader-parent-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.session_leader.attested_user.name: - dashed_name: process-entry-leader-parent-session-leader-attested-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.entry_leader.parent.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.session_leader.attested_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.session_leader.attested_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.session_leader.attested_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.session_leader.attested_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.session_leader.attested_user.roles: - dashed_name: process-entry-leader-parent-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.code_signature.digest_algorithm: - dashed_name: process-entry-leader-parent-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.entry_leader.parent.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. 
- type: keyword - process.entry_leader.parent.session_leader.code_signature.exists: - dashed_name: process-entry-leader-parent-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.entry_leader.parent.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.entry_leader.parent.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.entry_leader.parent.session_leader.code_signature.signing_id: - dashed_name: process-entry-leader-parent-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.entry_leader.parent.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.entry_leader.parent.session_leader.code_signature.status: - dashed_name: process-entry-leader-parent-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.entry_leader.parent.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.entry_leader.parent.session_leader.code_signature.subject_name: - dashed_name: process-entry-leader-parent-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.entry_leader.parent.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.entry_leader.parent.session_leader.code_signature.team_id: - dashed_name: process-entry-leader-parent-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.entry_leader.parent.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.entry_leader.parent.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.entry_leader.parent.session_leader.code_signature.timestamp: - dashed_name: process-entry-leader-parent-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.entry_leader.parent.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.entry_leader.parent.session_leader.code_signature.trusted: - dashed_name: process-entry-leader-parent-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.entry_leader.parent.session_leader.code_signature.valid: - dashed_name: process-entry-leader-parent-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - flat_name: process.entry_leader.parent.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.entry_leader.parent.session_leader.command_line: - dashed_name: process-entry-leader-parent-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.entry_leader.parent.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.entry_leader.parent.session_leader.elf.architecture: - dashed_name: process-entry-leader-parent-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.entry_leader.parent.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.byte_order: - dashed_name: process-entry-leader-parent-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.entry_leader.parent.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. 
- type: keyword - process.entry_leader.parent.session_leader.elf.cpu_type: - dashed_name: process-entry-leader-parent-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.entry_leader.parent.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.creation_date: - dashed_name: process-entry-leader-parent-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.entry_leader.parent.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.entry_leader.parent.session_leader.elf.exports: - dashed_name: process-entry-leader-parent-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.entry_leader.parent.session_leader.elf.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.go_imports: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.parent.session_leader.elf.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.entry_leader.parent.session_leader.elf.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.parent.session_leader.elf.header.abi_version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.entry_leader.parent.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.entry_leader.parent.session_leader.elf.header.class: - dashed_name: process-entry-leader-parent-session-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.header.data: - dashed_name: process-entry-leader-parent-session-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.entry_leader.parent.session_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. 
- type: keyword - process.entry_leader.parent.session_leader.elf.header.entrypoint: - dashed_name: process-entry-leader-parent-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.entry_leader.parent.session_leader.elf.header.object_version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.entry_leader.parent.session_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.entry_leader.parent.session_leader.elf.header.os_abi: - dashed_name: process-entry-leader-parent-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.entry_leader.parent.session_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.entry_leader.parent.session_leader.elf.header.type: - dashed_name: process-entry-leader-parent-session-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.header.version: - dashed_name: process-entry-leader-parent-session-leader-elf-header-version - description: Version of the ELF header. 
- flat_name: process.entry_leader.parent.session_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.entry_leader.parent.session_leader.elf.import_hash: - dashed_name: process-entry-leader-parent-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.entry_leader.parent.session_leader.elf.imports: - dashed_name: process-entry-leader-parent-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.entry_leader.parent.session_leader.elf.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. 
- type: long - process.entry_leader.parent.session_leader.elf.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.parent.session_leader.elf.sections: - dashed_name: process-entry-leader-parent-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.entry_leader.parent.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.entry_leader.parent.session_leader.elf.sections.chi2: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.entry_leader.parent.session_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.entry_leader.parent.session_leader.elf.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.entry_leader.parent.session_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.session_leader.elf.sections.flags: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.entry_leader.parent.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.entry_leader.parent.session_leader.elf.sections.name: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.entry_leader.parent.session_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.entry_leader.parent.session_leader.elf.sections.physical_offset: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.entry_leader.parent.session_leader.elf.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.entry_leader.parent.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. 
- type: long - process.entry_leader.parent.session_leader.elf.sections.type: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.entry_leader.parent.session_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.entry_leader.parent.session_leader.elf.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.session_leader.elf.sections.virtual_address: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.entry_leader.parent.session_leader.elf.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.entry_leader.parent.session_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. 
- type: long - process.entry_leader.parent.session_leader.elf.segments: - dashed_name: process-entry-leader-parent-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.entry_leader.parent.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.entry_leader.parent.session_leader.elf.segments.sections: - dashed_name: process-entry-leader-parent-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.entry_leader.parent.session_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.entry_leader.parent.session_leader.elf.segments.type: - dashed_name: process-entry-leader-parent-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.entry_leader.parent.session_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.entry_leader.parent.session_leader.elf.shared_libraries: - dashed_name: process-entry-leader-parent-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.entry_leader.parent.session_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. 
- type: keyword - process.entry_leader.parent.session_leader.elf.telfhash: - dashed_name: process-entry-leader-parent-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.entry_leader.parent.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.entry_leader.parent.session_leader.end: - dashed_name: process-entry-leader-parent-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.entry_leader.parent.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.entry_leader.parent.session_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.entry_leader.parent.session_leader.entity_id: - dashed_name: process-entry-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. 
- - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.entry_leader.parent.session_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.address: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.as.number: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.bytes: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.entry_leader.parent.session_leader.entry_meta.source.domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. 
- type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. 
- type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.location: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.entry_leader.parent.session_leader.entry_meta.source.geo.name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. 
- example: CA-QC - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.ip: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.entry_leader.parent.session_leader.entry_meta.source.mac: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. 
Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.nat.ip: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.entry_leader.parent.session_leader.entry_meta.source.nat.port: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.entry_leader.parent.session_leader.entry_meta.source.packets: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. 
- type: long - process.entry_leader.parent.session_leader.entry_meta.source.port: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.entry_leader.parent.session_leader.entry_meta.source.registered_domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.subdomain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_leader.parent.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.entry_leader.parent.session_leader.entry_meta.type: - dashed_name: process-entry-leader-parent-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_leader.parent.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. 
- type: keyword - process.entry_leader.parent.session_leader.env_vars: - dashed_name: process-entry-leader-parent-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.entry_leader.parent.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.executable: - dashed_name: process-entry-leader-parent-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.entry_leader.parent.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.entry_leader.parent.session_leader.exit_code: - dashed_name: process-entry-leader-parent-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.entry_leader.parent.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.entry_leader.parent.session_leader.group.domain: - dashed_name: process-entry-leader-parent-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.group.id: - dashed_name: process-entry-leader-parent-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.group.name: - dashed_name: process-entry-leader-parent-session-leader-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.entry_leader.parent.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.entry_leader.parent.session_leader.hash.md5: - dashed_name: process-entry-leader-parent-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.entry_leader.parent.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. 
- type: keyword - process.entry_leader.parent.session_leader.hash.sha1: - dashed_name: process-entry-leader-parent-session-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.entry_leader.parent.session_leader.hash.sha256: - dashed_name: process-entry-leader-parent-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.entry_leader.parent.session_leader.hash.sha384: - dashed_name: process-entry-leader-parent-session-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.entry_leader.parent.session_leader.hash.sha512: - dashed_name: process-entry-leader-parent-session-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.entry_leader.parent.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.entry_leader.parent.session_leader.hash.ssdeep: - dashed_name: process-entry-leader-parent-session-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.entry_leader.parent.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.entry_leader.parent.session_leader.hash.tlsh: - dashed_name: process-entry-leader-parent-session-leader-hash-tlsh - description: TLSH hash. 
- flat_name: process.entry_leader.parent.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.entry_leader.parent.session_leader.interactive: - dashed_name: process-entry-leader-parent-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.entry_leader.parent.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.entry_leader.parent.session_leader.io: - dashed_name: process-entry-leader-parent-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.entry_leader.parent.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.entry_leader.parent.session_leader.io.bytes_skipped: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. 
- flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.entry_leader.parent.session_leader.io.bytes_skipped.length: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.entry_leader.parent.session_leader.io.bytes_skipped.offset: - dashed_name: process-entry-leader-parent-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.entry_leader.parent.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-entry-leader-parent-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.entry_leader.parent.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- type: boolean - process.entry_leader.parent.session_leader.io.text: - dashed_name: process-entry-leader-parent-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.entry_leader.parent.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.entry_leader.parent.session_leader.io.total_bytes_captured: - dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.entry_leader.parent.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.entry_leader.parent.session_leader.io.total_bytes_skipped: - dashed_name: process-entry-leader-parent-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.entry_leader.parent.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. 
- type: long - process.entry_leader.parent.session_leader.io.type: - dashed_name: process-entry-leader-parent-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.entry_leader.parent.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.entry_leader.parent.session_leader.macho.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.entry_leader.parent.session_leader.macho.go_imports: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. 
- type: flattened - process.entry_leader.parent.session_leader.macho.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.session_leader.macho.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.parent.session_leader.macho.import_hash: - dashed_name: process-entry-leader-parent-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.entry_leader.parent.session_leader.macho.imports: - dashed_name: process-entry-leader-parent-session-leader-macho-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.entry_leader.parent.session_leader.macho.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.session_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.parent.session_leader.macho.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. 
- type: long - process.entry_leader.parent.session_leader.macho.sections: - dashed_name: process-entry-leader-parent-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.entry_leader.parent.session_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.entry_leader.parent.session_leader.macho.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.session_leader.macho.sections.name: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.entry_leader.parent.session_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.entry_leader.parent.session_leader.macho.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.entry_leader.parent.session_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. 
- type: long - process.entry_leader.parent.session_leader.macho.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.session_leader.macho.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.session_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.entry_leader.parent.session_leader.macho.symhash: - dashed_name: process-entry-leader-parent-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.entry_leader.parent.session_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.entry_leader.parent.session_leader.name: - dashed_name: process-entry-leader-parent-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' 
- example: ssh - flat_name: process.entry_leader.parent.session_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.entry_leader.parent.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.entry_leader.parent.session_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.entry_leader.parent.session_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.entry_leader.parent.session_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.entry_leader.parent.session_leader.pe.architecture: - dashed_name: process-entry-leader-parent-session-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.entry_leader.parent.session_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. 
- type: keyword - process.entry_leader.parent.session_leader.pe.company: - dashed_name: process-entry-leader-parent-session-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.entry_leader.parent.session_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.entry_leader.parent.session_leader.pe.description: - dashed_name: process-entry-leader-parent-session-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.entry_leader.parent.session_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.entry_leader.parent.session_leader.pe.file_version: - dashed_name: process-entry-leader-parent-session-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.entry_leader.parent.session_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.entry_leader.parent.session_leader.pe.go_import_hash: - dashed_name: process-entry-leader-parent-session-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.parent.session_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.entry_leader.parent.session_leader.pe.go_imports: - dashed_name: process-entry-leader-parent-session-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.parent.session_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.parent.session_leader.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.parent.session_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.entry_leader.parent.session_leader.pe.go_stripped: - dashed_name: process-entry-leader-parent-session-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.parent.session_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.parent.session_leader.pe.imphash: - dashed_name: process-entry-leader-parent-session-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.parent.session_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.entry_leader.parent.session_leader.pe.import_hash: - dashed_name: process-entry-leader-parent-session-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.parent.session_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. 
- type: keyword - process.entry_leader.parent.session_leader.pe.imports: - dashed_name: process-entry-leader-parent-session-leader-pe-imports - description: List of imported element names and types. - flat_name: process.entry_leader.parent.session_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.entry_leader.parent.session_leader.pe.imports_names_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.parent.session_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.parent.session_leader.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.parent.session_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.parent.session_leader.pe.original_file_name: - dashed_name: process-entry-leader-parent-session-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - flat_name: process.entry_leader.parent.session_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.entry_leader.parent.session_leader.pe.pehash: - dashed_name: process-entry-leader-parent-session-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.parent.session_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.entry_leader.parent.session_leader.pe.product: - dashed_name: process-entry-leader-parent-session-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.parent.session_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.entry_leader.parent.session_leader.pe.sections: - dashed_name: process-entry-leader-parent-session-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' 
- flat_name: process.entry_leader.parent.session_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.entry_leader.parent.session_leader.pe.sections.entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.entry_leader.parent.session_leader.pe.sections.name: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-name - description: PE Section List name. - flat_name: process.entry_leader.parent.session_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.entry_leader.parent.session_leader.pe.sections.physical_size: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.entry_leader.parent.session_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.entry_leader.parent.session_leader.pe.sections.var_entropy: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.parent.session_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. 
- type: long - process.entry_leader.parent.session_leader.pe.sections.virtual_size: - dashed_name: process-entry-leader-parent-session-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.parent.session_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.entry_leader.parent.session_leader.pid: - dashed_name: process-entry-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.entry_leader.parent.session_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.entry_leader.parent.session_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.entry_leader.parent.session_leader.real_group.domain: - dashed_name: process-entry-leader-parent-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.entry_leader.parent.session_leader.real_group.id: - dashed_name: process-entry-leader-parent-session-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.real_group.name: - dashed_name: process-entry-leader-parent-session-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.real_user.domain: - dashed_name: process-entry-leader-parent-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.session_leader.real_user.email: - dashed_name: process-entry-leader-parent-session-leader-real-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.session_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.parent.session_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.parent.session_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.parent.session_leader.real_user.entity.id: - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.parent.session_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- flat_name: process.entry_leader.parent.session_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.parent.session_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.parent.session_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.parent.session_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. 
- For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.parent.session_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.parent.session_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.session_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. 
- type: keyword - process.entry_leader.parent.session_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.parent.session_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.parent.session_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.parent.session_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. 
This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.session_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.parent.session_leader.real_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-real-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.session_leader.real_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.real_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.real_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.real_user.hash: - dashed_name: process-entry-leader-parent-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.session_leader.real_user.id: - dashed_name: process-entry-leader-parent-session-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.session_leader.real_user.name: - dashed_name: process-entry-leader-parent-session-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.session_leader.real_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.entry_leader.parent.session_leader.real_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.session_leader.real_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: keyword - process.entry_leader.parent.session_leader.real_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.session_leader.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.session_leader.real_user.roles: - dashed_name: process-entry-leader-parent-session-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.same_as_process: - dashed_name: process-entry-leader-parent-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.parent.session_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.entry_leader.parent.session_leader.saved_group.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.parent.session_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.saved_group.id: - dashed_name: process-entry-leader-parent-session-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.saved_group.name: - dashed_name: process-entry-leader-parent-session-leader-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.saved_user.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.session_leader.saved_user.email: - dashed_name: process-entry-leader-parent-session-leader-saved-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword - process.entry_leader.parent.session_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.parent.session_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.parent.session_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.parent.session_leader.saved_user.entity.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.parent.session_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.parent.session_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.parent.session_leader.saved_user.entity.name: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.parent.session_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.parent.session_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.entry_leader.parent.session_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.parent.session_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.parent.session_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.parent.session_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. 
Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. 
This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.session_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. 
- type: keyword - process.entry_leader.parent.session_leader.saved_user.full_name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.session_leader.saved_user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.saved_user.group.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.saved_user.group.name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.entry_leader.parent.session_leader.saved_user.hash: - dashed_name: process-entry-leader-parent-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.session_leader.saved_user.id: - dashed_name: process-entry-leader-parent-session-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.session_leader.saved_user.name: - dashed_name: process-entry-leader-parent-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.session_leader.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.session_leader.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.session_leader.saved_user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.session_leader.saved_user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.session_leader.saved_user.roles: - dashed_name: process-entry-leader-parent-session-leader-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.start: - dashed_name: process-entry-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.entry_leader.parent.session_leader.supplemental_groups.domain: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.supplemental_groups.id: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.supplemental_groups.name: - dashed_name: process-entry-leader-parent-session-leader-supplemental-groups-name - description: Name of the group. 
- flat_name: process.entry_leader.parent.session_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.thread.capabilities.effective: - dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.session_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.thread.capabilities.permitted: - dashed_name: process-entry-leader-parent-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.session_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.thread.id: - dashed_name: process-entry-leader-parent-session-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.parent.session_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. 
- type: long - process.entry_leader.parent.session_leader.thread.name: - dashed_name: process-entry-leader-parent-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.entry_leader.parent.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.entry_leader.parent.session_leader.title: - dashed_name: process-entry-leader-parent-session-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.entry_leader.parent.session_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.entry_leader.parent.session_leader.tty: - dashed_name: process-entry-leader-parent-session-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.entry_leader.parent.session_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.entry_leader.parent.session_leader.tty.char_device.major: - dashed_name: process-entry-leader-parent-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. 
- example: 4 - flat_name: process.entry_leader.parent.session_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.entry_leader.parent.session_leader.tty.char_device.minor: - dashed_name: process-entry-leader-parent-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.parent.session_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.entry_leader.parent.session_leader.tty.columns: - dashed_name: process-entry-leader-parent-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.parent.session_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.entry_leader.parent.session_leader.tty.rows: - dashed_name: process-entry-leader-parent-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. 
where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.parent.session_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.entry_leader.parent.session_leader.uptime: - dashed_name: process-entry-leader-parent-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.entry_leader.parent.session_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.entry_leader.parent.session_leader.user.domain: - dashed_name: process-entry-leader-parent-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.session_leader.user.email: - dashed_name: process-entry-leader-parent-session-leader-user-email - description: User email address. - flat_name: process.entry_leader.parent.session_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.session_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.parent.session_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.parent.session_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.parent.session_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.entry_leader.parent.session_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.parent.session_leader.user.entity.id: - dashed_name: process-entry-leader-parent-session-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.parent.session_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.session_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date - process.entry_leader.parent.session_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.session_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.parent.session_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.parent.session_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.parent.session_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- flat_name: process.entry_leader.parent.session_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.parent.session_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.parent.session_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.parent.session_leader.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.session_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.parent.session_leader.user.entity.source: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-parent-session-leader-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.parent.session_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.parent.session_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.session_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.parent.session_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. 
- The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. 
Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-session-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.session_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.parent.session_leader.user.full_name: - dashed_name: process-entry-leader-parent-session-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.parent.session_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword - process.entry_leader.parent.session_leader.user.group.domain: - dashed_name: process-entry-leader-parent-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.session_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.session_leader.user.group.id: - dashed_name: process-entry-leader-parent-session-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.session_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.session_leader.user.group.name: - dashed_name: process-entry-leader-parent-session-leader-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.session_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.session_leader.user.hash: - dashed_name: process-entry-leader-parent-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.parent.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. 
- type: keyword - process.entry_leader.parent.session_leader.user.id: - dashed_name: process-entry-leader-parent-session-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.session_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.session_leader.user.name: - dashed_name: process-entry-leader-parent-session-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.session_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.session_leader.user.risk.calculated_level: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.session_leader.user.risk.calculated_score: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.session_leader.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.session_leader.user.risk.static_level: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.session_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.session_leader.user.risk.static_score: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.entry_leader.parent.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.session_leader.user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.session_leader.user.roles: - dashed_name: process-entry-leader-parent-session-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.session_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.session_leader.vpid: - dashed_name: process-entry-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.parent.session_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. 
- type: long - process.entry_leader.parent.session_leader.working_directory: - dashed_name: process-entry-leader-parent-session-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.parent.session_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.session_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.entry_leader.parent.start: - dashed_name: process-entry-leader-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.entry_leader.parent.supplemental_groups.domain: - dashed_name: process-entry-leader-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.supplemental_groups.id: - dashed_name: process-entry-leader-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.entry_leader.parent.supplemental_groups.name: - dashed_name: process-entry-leader-parent-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.parent.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.thread.capabilities.effective: - dashed_name: process-entry-leader-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.thread.capabilities.permitted: - dashed_name: process-entry-leader-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.parent.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.thread.id: - dashed_name: process-entry-leader-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.parent.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. 
- type: long - process.entry_leader.parent.thread.name: - dashed_name: process-entry-leader-parent-thread-name - description: Thread name. - example: thread-0 - flat_name: process.entry_leader.parent.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.entry_leader.parent.title: - dashed_name: process-entry-leader-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.entry_leader.parent.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.entry_leader.parent.tty: - dashed_name: process-entry-leader-parent-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.entry_leader.parent.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.entry_leader.parent.tty.char_device.major: - dashed_name: process-entry-leader-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.parent.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. 
- type: long - process.entry_leader.parent.tty.char_device.minor: - dashed_name: process-entry-leader-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.parent.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.entry_leader.parent.tty.columns: - dashed_name: process-entry-leader-parent-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.entry_leader.parent.tty.rows: - dashed_name: process-entry-leader-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.entry_leader.parent.uptime: - dashed_name: process-entry-leader-parent-uptime - description: Seconds the process has been up. 
- example: 1325 - flat_name: process.entry_leader.parent.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.entry_leader.parent.user.domain: - dashed_name: process-entry-leader-parent-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.parent.user.email: - dashed_name: process-entry-leader-parent-user-email - description: User email address. - flat_name: process.entry_leader.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.parent.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.parent.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.parent.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. 
Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.parent.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.parent.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.parent.user.entity.id: - dashed_name: process-entry-leader-parent-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. 
Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.parent.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.parent.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.parent.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.parent.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.parent.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.parent.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- flat_name: process.entry_leader.parent.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.parent.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.parent.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.parent.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.parent.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.parent.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. 
Format may vary by entity type and source system. - flat_name: process.entry_leader.parent.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.parent.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.parent.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.parent.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.parent.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.parent.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. 
Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. 
Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-parent-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.parent.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.parent.user.full_name: - dashed_name: process-entry-leader-parent-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.entry_leader.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.parent.user.group.domain: - dashed_name: process-entry-leader-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.parent.user.group.id: - dashed_name: process-entry-leader-parent-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.parent.user.group.name: - dashed_name: process-entry-leader-parent-user-group-name - description: Name of the group. - flat_name: process.entry_leader.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.parent.user.hash: - dashed_name: process-entry-leader-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.entry_leader.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.parent.user.id: - dashed_name: process-entry-leader-parent-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.parent.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.parent.user.name: - dashed_name: process-entry-leader-parent-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.parent.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.parent.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.parent.user.risk.calculated_level: - dashed_name: process-entry-leader-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.parent.user.risk.calculated_score: - dashed_name: process-entry-leader-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.entry_leader.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.parent.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.parent.user.risk.static_level: - dashed_name: process-entry-leader-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.parent.user.risk.static_score: - dashed_name: process-entry-leader-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.entry_leader.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.parent.user.risk.static_score_norm: - dashed_name: process-entry-leader-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.parent.user.roles: - dashed_name: process-entry-leader-parent-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.parent.vpid: - dashed_name: process-entry-leader-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.entry_leader.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.parent.working_directory: - dashed_name: process-entry-leader-parent-working-directory - description: The working directory of the process. 
- example: /home/alice - flat_name: process.entry_leader.parent.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.parent.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.entry_leader.pe.architecture: - dashed_name: process-entry-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.entry_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.entry_leader.pe.company: - dashed_name: process-entry-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.entry_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.entry_leader.pe.description: - dashed_name: process-entry-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.entry_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.entry_leader.pe.file_version: - dashed_name: process-entry-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.entry_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. 
- type: keyword - process.entry_leader.pe.go_import_hash: - dashed_name: process-entry-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.entry_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.entry_leader.pe.go_imports: - dashed_name: process-entry-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.entry_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.entry_leader.pe.go_imports_names_entropy: - dashed_name: process-entry-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.entry_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.pe.go_imports_names_var_entropy: - dashed_name: process-entry-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.entry_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.entry_leader.pe.go_stripped: - dashed_name: process-entry-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.entry_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.entry_leader.pe.imphash: - dashed_name: process-entry-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.entry_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.entry_leader.pe.import_hash: - dashed_name: process-entry-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.entry_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.entry_leader.pe.imports: - dashed_name: process-entry-leader-pe-imports - description: List of imported element names and types. - flat_name: process.entry_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.entry_leader.pe.imports_names_entropy: - dashed_name: process-entry-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.entry_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.entry_leader.pe.imports_names_var_entropy: - dashed_name: process-entry-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.entry_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.entry_leader.pe.original_file_name: - dashed_name: process-entry-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.entry_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. 
- type: keyword - process.entry_leader.pe.pehash: - dashed_name: process-entry-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.entry_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.entry_leader.pe.product: - dashed_name: process-entry-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.entry_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.entry_leader.pe.sections: - dashed_name: process-entry-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.entry_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.entry_leader.pe.sections.entropy: - dashed_name: process-entry-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.entry_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. 
- type: long - process.entry_leader.pe.sections.name: - dashed_name: process-entry-leader-pe-sections-name - description: PE Section List name. - flat_name: process.entry_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.entry_leader.pe.sections.physical_size: - dashed_name: process-entry-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.entry_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.entry_leader.pe.sections.var_entropy: - dashed_name: process-entry-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.entry_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.entry_leader.pe.sections.virtual_size: - dashed_name: process-entry-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.entry_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.entry_leader.pid: - dashed_name: process-entry-leader-pid - description: Process id. - example: 4242 - flat_name: process.entry_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.entry_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.entry_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.entry_leader.real_group.domain: - dashed_name: process-entry-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.real_group.id: - dashed_name: process-entry-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.real_group.name: - dashed_name: process-entry-leader-real-group-name - description: Name of the group. - flat_name: process.entry_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.real_user.domain: - dashed_name: process-entry-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.real_user.email: - dashed_name: process-entry-leader-real-user-email - description: User email address. - flat_name: process.entry_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.entry_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.real_user.entity.id: - dashed_name: process-entry-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword - process.entry_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-name - description: The name of the entity. 
The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.real_user.entity.source: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. 
- name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. 
- name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.real_user.full_name: - dashed_name: process-entry-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.real_user.group.domain: - dashed_name: process-entry-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.entry_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.real_user.group.id: - dashed_name: process-entry-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.real_user.group.name: - dashed_name: process-entry-leader-real-user-group-name - description: Name of the group. - flat_name: process.entry_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.real_user.hash: - dashed_name: process-entry-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.real_user.id: - dashed_name: process-entry-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.real_user.name: - dashed_name: process-entry-leader-real-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.entry_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.real_user.risk.calculated_level: - dashed_name: process-entry-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.entry_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.real_user.risk.calculated_score: - dashed_name: process-entry-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.real_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - flat_name: process.entry_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.real_user.risk.static_level: - dashed_name: process-entry-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.real_user.risk.static_score: - dashed_name: process-entry-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.real_user.risk.static_score_norm: - dashed_name: process-entry-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float - process.entry_leader.real_user.roles: - dashed_name: process-entry-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.same_as_process: - dashed_name: process-entry-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.entry_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. 
- type: boolean - process.entry_leader.saved_group.domain: - dashed_name: process-entry-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.saved_group.id: - dashed_name: process-entry-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.saved_group.name: - dashed_name: process-entry-leader-saved-group-name - description: Name of the group. - flat_name: process.entry_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.saved_user.domain: - dashed_name: process-entry-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.saved_user.email: - dashed_name: process-entry-leader-saved-user-email - description: User email address. - flat_name: process.entry_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword - process.entry_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.entry_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.saved_user.entity.id: - dashed_name: process-entry-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.entry_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. 
This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. 
- name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.saved_user.full_name: - dashed_name: process-entry-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.saved_user.group.domain: - dashed_name: process-entry-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.saved_user.group.id: - dashed_name: process-entry-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.entry_leader.saved_user.group.name: - dashed_name: process-entry-leader-saved-user-group-name - description: Name of the group. - flat_name: process.entry_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.saved_user.hash: - dashed_name: process-entry-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.saved_user.id: - dashed_name: process-entry-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.saved_user.name: - dashed_name: process-entry-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.saved_user.risk.calculated_level: - dashed_name: process-entry-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.entry_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.saved_user.risk.calculated_score: - dashed_name: process-entry-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-entry-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.saved_user.risk.static_level: - dashed_name: process-entry-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.entry_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.entry_leader.saved_user.risk.static_score: - dashed_name: process-entry-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.saved_user.risk.static_score_norm: - dashed_name: process-entry-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.saved_user.roles: - dashed_name: process-entry-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.entry_leader.start: - dashed_name: process-entry-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.entry_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.entry_leader.supplemental_groups.domain: - dashed_name: process-entry-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.supplemental_groups.id: - dashed_name: process-entry-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.supplemental_groups.name: - dashed_name: process-entry-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.entry_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.thread.capabilities.effective: - dashed_name: process-entry-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.entry_leader.thread.capabilities.permitted: - dashed_name: process-entry-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.entry_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.entry_leader.thread.id: - dashed_name: process-entry-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.entry_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.entry_leader.thread.name: - dashed_name: process-entry-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.entry_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.entry_leader.title: - dashed_name: process-entry-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' 
- flat_name: process.entry_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.entry_leader.tty: - dashed_name: process-entry-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.entry_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.entry_leader.tty.char_device.major: - dashed_name: process-entry-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.entry_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.entry_leader.tty.char_device.minor: - dashed_name: process-entry-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.entry_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. 
- type: long - process.entry_leader.tty.columns: - dashed_name: process-entry-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.entry_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.entry_leader.tty.rows: - dashed_name: process-entry-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.entry_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.entry_leader.uptime: - dashed_name: process-entry-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.entry_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.entry_leader.user.domain: - dashed_name: process-entry-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.entry_leader.user.email: - dashed_name: process-entry-leader-user-email - description: User email address. 
- flat_name: process.entry_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.entry_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.entry_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.entry_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.entry_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.entry_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.entry_leader.user.entity.id: - dashed_name: process-entry-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.entry_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.entry_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.entry_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date - process.entry_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.entry_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.entry_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.entry_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.entry_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.entry_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.entry_leader.user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-entry-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.entry_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.entry_leader.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.entry_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.entry_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.entry_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.entry_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.entry_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.entry_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-entry-leader-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.entry_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.entry_leader.user.full_name: - dashed_name: process-entry-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.entry_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.entry_leader.user.group.domain: - dashed_name: process-entry-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.entry_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.entry_leader.user.group.id: - dashed_name: process-entry-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.entry_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.entry_leader.user.group.name: - dashed_name: process-entry-leader-user-group-name - description: Name of the group. 
- flat_name: process.entry_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.entry_leader.user.hash: - dashed_name: process-entry-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.entry_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.entry_leader.user.id: - dashed_name: process-entry-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.entry_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.entry_leader.user.name: - dashed_name: process-entry-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.entry_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.entry_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.entry_leader.user.risk.calculated_level: - dashed_name: process-entry-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.entry_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.entry_leader.user.risk.calculated_score: - dashed_name: process-entry-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.entry_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.entry_leader.user.risk.calculated_score_norm: - dashed_name: process-entry-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.entry_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.entry_leader.user.risk.static_level: - dashed_name: process-entry-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.entry_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: keyword - process.entry_leader.user.risk.static_score: - dashed_name: process-entry-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.entry_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.entry_leader.user.risk.static_score_norm: - dashed_name: process-entry-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.entry_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.entry_leader.user.roles: - dashed_name: process-entry-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.entry_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.entry_leader.vpid: - dashed_name: process-entry-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' 
- example: 4242 - flat_name: process.entry_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.entry_leader.working_directory: - dashed_name: process-entry-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.entry_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.entry_meta.source.address: - dashed_name: process-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.entry_meta.source.as.number: - dashed_name: process-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.entry_meta.source.as.organization.name: - dashed_name: process-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.entry_meta.source.bytes: - dashed_name: process-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.entry_meta.source.domain: - dashed_name: process-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.entry_meta.source.geo.city_name: - dashed_name: process-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.entry_meta.source.geo.continent_code: - dashed_name: process-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. 
- type: keyword - process.entry_meta.source.geo.continent_name: - dashed_name: process-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.entry_meta.source.geo.country_iso_code: - dashed_name: process-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.entry_meta.source.geo.country_name: - dashed_name: process-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.entry_meta.source.geo.location: - dashed_name: process-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.entry_meta.source.geo.name: - dashed_name: process-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' 
- example: boston-dc - flat_name: process.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.entry_meta.source.geo.postal_code: - dashed_name: process-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.entry_meta.source.geo.region_iso_code: - dashed_name: process-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.entry_meta.source.geo.region_name: - dashed_name: process-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.entry_meta.source.geo.timezone: - dashed_name: process-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.entry_meta.source.ip: - dashed_name: process-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). 
- flat_name: process.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.entry_meta.source.mac: - dashed_name: process-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.entry_meta.source.nat.ip: - dashed_name: process-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.entry_meta.source.nat.port: - dashed_name: process-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.entry_meta.source.packets: - dashed_name: process-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. 
- type: long - process.entry_meta.source.port: - dashed_name: process-entry-meta-source-port - description: Port of the source. - flat_name: process.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.entry_meta.source.registered_domain: - dashed_name: process-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.entry_meta.source.subdomain: - dashed_name: process-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. 
- type: keyword - process.entry_meta.source.top_level_domain: - dashed_name: process-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.entry_meta.type: - dashed_name: process-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - short: The entry type for the entry session leader. - type: keyword - process.env_vars: - dashed_name: process-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.executable: - dashed_name: process-executable - description: Absolute path to the process executable. 
- example: /usr/bin/ssh - flat_name: process.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - otel: - - attribute: process.executable.path - relation: equivalent - stability: development - short: Absolute path to the process executable. - type: keyword - process.exit_code: - dashed_name: process-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.exit_code - level: extended - name: exit_code - normalize: [] - short: The exit code of the process. - type: long - process.group.domain: - dashed_name: process-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group.id: - dashed_name: process-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group.name: - dashed_name: process-group-name - description: Name of the group. - flat_name: process.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.args: - dashed_name: process-group-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.group_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.group_leader.args_count: - dashed_name: process-group-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.group_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.group_leader.attested_groups.domain: - dashed_name: process-group-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.attested_groups.id: - dashed_name: process-group-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.attested_groups.name: - dashed_name: process-group-leader-attested-groups-name - description: Name of the group. - flat_name: process.group_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.group_leader.attested_user.domain: - dashed_name: process-group-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.group_leader.attested_user.email: - dashed_name: process-group-leader-attested-user-email - description: User email address. - flat_name: process.group_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.group_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.group_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.group_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.group_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.group_leader.attested_user.entity.id: - dashed_name: process-group-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- flat_name: process.group_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.group_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.group_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.group_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.group_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object - process.group_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.group_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.group_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.group_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.group_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.group_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.group_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.group_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.group_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.group_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.group_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. 
Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. 
Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-group-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.group_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.group_leader.attested_user.full_name: - dashed_name: process-group-leader-attested-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.group_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.group_leader.attested_user.group.domain: - dashed_name: process-group-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.attested_user.group.id: - dashed_name: process-group-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.attested_user.group.name: - dashed_name: process-group-leader-attested-user-group-name - description: Name of the group. - flat_name: process.group_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.attested_user.hash: - dashed_name: process-group-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.group_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.group_leader.attested_user.id: - dashed_name: process-group-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.group_leader.attested_user.name: - dashed_name: process-group-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.group_leader.attested_user.risk.calculated_level: - dashed_name: process-group-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.group_leader.attested_user.risk.calculated_score: - dashed_name: process-group-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.group_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.group_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-group-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.group_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.group_leader.attested_user.risk.static_level: - dashed_name: process-group-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.group_leader.attested_user.risk.static_score: - dashed_name: process-group-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.group_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.group_leader.attested_user.risk.static_score_norm: - dashed_name: process-group-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.group_leader.attested_user.roles: - dashed_name: process-group-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.group_leader.code_signature.digest_algorithm: - dashed_name: process-group-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.group_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. 
- type: keyword - process.group_leader.code_signature.exists: - dashed_name: process-group-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.group_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.group_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.group_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.group_leader.code_signature.signing_id: - dashed_name: process-group-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.group_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.group_leader.code_signature.status: - dashed_name: process-group-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' 
- example: ERROR_UNTRUSTED_ROOT - flat_name: process.group_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.group_leader.code_signature.subject_name: - dashed_name: process-group-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.group_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.group_leader.code_signature.team_id: - dashed_name: process-group-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.group_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.group_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.group_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. 
- type: keyword - process.group_leader.code_signature.timestamp: - dashed_name: process-group-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.group_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.group_leader.code_signature.trusted: - dashed_name: process-group-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.group_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.group_leader.code_signature.valid: - dashed_name: process-group-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.group_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.group_leader.command_line: - dashed_name: process-group-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.group_leader.command_line - level: extended - multi_fields: - - flat_name: process.group_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.group_leader.elf.architecture: - dashed_name: process-group-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.group_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.group_leader.elf.byte_order: - dashed_name: process-group-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.group_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.group_leader.elf.cpu_type: - dashed_name: process-group-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.group_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.group_leader.elf.creation_date: - dashed_name: process-group-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.group_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.group_leader.elf.exports: - dashed_name: process-group-leader-elf-exports - description: List of exported element names and types. 
- flat_name: process.group_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.group_leader.elf.go_import_hash: - dashed_name: process-group-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.group_leader.elf.go_imports: - dashed_name: process-group-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.group_leader.elf.go_imports_names_entropy: - dashed_name: process-group-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. 
- type: long - process.group_leader.elf.go_imports_names_var_entropy: - dashed_name: process-group-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.elf.go_stripped: - dashed_name: process-group-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.group_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.group_leader.elf.header.abi_version: - dashed_name: process-group-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.group_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.group_leader.elf.header.class: - dashed_name: process-group-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.group_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.group_leader.elf.header.data: - dashed_name: process-group-leader-elf-header-data - description: Data table of the ELF header. 
- flat_name: process.group_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.group_leader.elf.header.entrypoint: - dashed_name: process-group-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.group_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.group_leader.elf.header.object_version: - dashed_name: process-group-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.group_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.group_leader.elf.header.os_abi: - dashed_name: process-group-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.group_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.group_leader.elf.header.type: - dashed_name: process-group-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.group_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.group_leader.elf.header.version: - dashed_name: process-group-leader-elf-header-version - description: Version of the ELF header. 
- flat_name: process.group_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.group_leader.elf.import_hash: - dashed_name: process-group-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.group_leader.elf.imports: - dashed_name: process-group-leader-elf-imports - description: List of imported element names and types. - flat_name: process.group_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.group_leader.elf.imports_names_entropy: - dashed_name: process-group-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.group_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.group_leader.elf.imports_names_var_entropy: - dashed_name: process-group-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.group_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.group_leader.elf.sections: - dashed_name: process-group-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.group_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.group_leader.elf.sections.chi2: - dashed_name: process-group-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.group_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.group_leader.elf.sections.entropy: - dashed_name: process-group-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.group_leader.elf.sections.flags: - dashed_name: process-group-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.group_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. 
- type: keyword - process.group_leader.elf.sections.name: - dashed_name: process-group-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.group_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.group_leader.elf.sections.physical_offset: - dashed_name: process-group-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.group_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.group_leader.elf.sections.physical_size: - dashed_name: process-group-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.group_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.group_leader.elf.sections.type: - dashed_name: process-group-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.group_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.group_leader.elf.sections.var_entropy: - dashed_name: process-group-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. 
- type: long - process.group_leader.elf.sections.virtual_address: - dashed_name: process-group-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.group_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.group_leader.elf.sections.virtual_size: - dashed_name: process-group-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.group_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.group_leader.elf.segments: - dashed_name: process-group-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.group_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.group_leader.elf.segments.sections: - dashed_name: process-group-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.group_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.group_leader.elf.segments.type: - dashed_name: process-group-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.group_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. 
- type: keyword - process.group_leader.elf.shared_libraries: - dashed_name: process-group-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.group_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.group_leader.elf.telfhash: - dashed_name: process-group-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.group_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.group_leader.end: - dashed_name: process-group-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.group_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.group_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.group_leader.entity_id: - dashed_name: process-group-leader-entity-id - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.group_leader.entry_meta.source.address: - dashed_name: process-group-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.group_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.group_leader.entry_meta.source.as.number: - dashed_name: process-group-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.group_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.group_leader.entry_meta.source.as.organization.name: - dashed_name: process-group-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.group_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.group_leader.entry_meta.source.bytes: - dashed_name: process-group-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.group_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.group_leader.entry_meta.source.domain: - dashed_name: process-group-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.group_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.group_leader.entry_meta.source.geo.city_name: - dashed_name: process-group-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.group_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.group_leader.entry_meta.source.geo.continent_code: - dashed_name: process-group-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. 
- example: NA - flat_name: process.group_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.group_leader.entry_meta.source.geo.continent_name: - dashed_name: process-group-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.group_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.group_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-group-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.group_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.group_leader.entry_meta.source.geo.country_name: - dashed_name: process-group-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.group_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.group_leader.entry_meta.source.geo.location: - dashed_name: process-group-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.group_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. 
- type: geo_point - process.group_leader.entry_meta.source.geo.name: - dashed_name: process-group-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.group_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.group_leader.entry_meta.source.geo.postal_code: - dashed_name: process-group-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.group_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.group_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-group-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.group_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.group_leader.entry_meta.source.geo.region_name: - dashed_name: process-group-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.group_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. 
- type: keyword - process.group_leader.entry_meta.source.geo.timezone: - dashed_name: process-group-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.group_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.group_leader.entry_meta.source.ip: - dashed_name: process-group-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.group_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.group_leader.entry_meta.source.mac: - dashed_name: process-group-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.group_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.group_leader.entry_meta.source.nat.ip: - dashed_name: process-group-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.group_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.group_leader.entry_meta.source.nat.port: - dashed_name: process-group-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.group_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.group_leader.entry_meta.source.packets: - dashed_name: process-group-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.group_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.group_leader.entry_meta.source.port: - dashed_name: process-group-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.group_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.group_leader.entry_meta.source.registered_domain: - dashed_name: process-group-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.group_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.group_leader.entry_meta.source.subdomain: - dashed_name: process-group-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.group_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.group_leader.entry_meta.source.top_level_domain: - dashed_name: process-group-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.group_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.group_leader.entry_meta.type: - dashed_name: process-group-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.group_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.group_leader.env_vars: - dashed_name: process-group-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.group_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.group_leader.executable: - dashed_name: process-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.group_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword - process.group_leader.exit_code: - dashed_name: process-group-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.group_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.group_leader.group.domain: - dashed_name: process-group-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.group.id: - dashed_name: process-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.group.name: - dashed_name: process-group-leader-group-name - description: Name of the group. - flat_name: process.group_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. 
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.group_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.group_leader.hash.md5: - dashed_name: process-group-leader-hash-md5 - description: MD5 hash. - flat_name: process.group_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.group_leader.hash.sha1: - dashed_name: process-group-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.group_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.group_leader.hash.sha256: - dashed_name: process-group-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.group_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.group_leader.hash.sha384: - dashed_name: process-group-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.group_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.group_leader.hash.sha512: - dashed_name: process-group-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.group_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.group_leader.hash.ssdeep: - dashed_name: process-group-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.group_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. 
- type: keyword - process.group_leader.hash.tlsh: - dashed_name: process-group-leader-hash-tlsh - description: TLSH hash. - flat_name: process.group_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.group_leader.interactive: - dashed_name: process-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.group_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.group_leader.io: - dashed_name: process-group-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.group_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.group_leader.io.bytes_skipped: - dashed_name: process-group-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. 
- flat_name: process.group_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.group_leader.io.bytes_skipped.length: - dashed_name: process-group-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.group_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.group_leader.io.bytes_skipped.offset: - dashed_name: process-group-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.group_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.group_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-group-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.group_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.group_leader.io.text: - dashed_name: process-group-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. 
TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.group_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.group_leader.io.total_bytes_captured: - dashed_name: process-group-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.group_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.group_leader.io.total_bytes_skipped: - dashed_name: process-group-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.group_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.group_leader.io.type: - dashed_name: process-group-leader-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.group_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. 
- type: keyword - process.group_leader.macho.go_import_hash: - dashed_name: process-group-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.group_leader.macho.go_imports: - dashed_name: process-group-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.group_leader.macho.go_imports_names_entropy: - dashed_name: process-group-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.macho.go_imports_names_var_entropy: - dashed_name: process-group-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.group_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.macho.go_stripped: - dashed_name: process-group-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.group_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.group_leader.macho.import_hash: - dashed_name: process-group-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.group_leader.macho.imports: - dashed_name: process-group-leader-macho-imports - description: List of imported element names and types. - flat_name: process.group_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.group_leader.macho.imports_names_entropy: - dashed_name: process-group-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.group_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.group_leader.macho.imports_names_var_entropy: - dashed_name: process-group-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.group_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.group_leader.macho.sections: - dashed_name: process-group-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.group_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.group_leader.macho.sections.entropy: - dashed_name: process-group-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.group_leader.macho.sections.name: - dashed_name: process-group-leader-macho-sections-name - description: Mach-O Section List name. 
- flat_name: process.group_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.group_leader.macho.sections.physical_size: - dashed_name: process-group-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.group_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.group_leader.macho.sections.var_entropy: - dashed_name: process-group-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.group_leader.macho.sections.virtual_size: - dashed_name: process-group-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.group_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.group_leader.macho.symhash: - dashed_name: process-group-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.group_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.group_leader.name: - dashed_name: process-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.group_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.group_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.group_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.group_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.group_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.group_leader.pe.architecture: - dashed_name: process-group-leader-pe-architecture - description: CPU architecture target for the file. 
- example: x64 - flat_name: process.group_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.group_leader.pe.company: - dashed_name: process-group-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.group_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.group_leader.pe.description: - dashed_name: process-group-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.group_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.group_leader.pe.file_version: - dashed_name: process-group-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.group_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.group_leader.pe.go_import_hash: - dashed_name: process-group-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.group_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.group_leader.pe.go_imports: - dashed_name: process-group-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.group_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.group_leader.pe.go_imports_names_entropy: - dashed_name: process-group-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.pe.go_imports_names_var_entropy: - dashed_name: process-group-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.group_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.group_leader.pe.go_stripped: - dashed_name: process-group-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.group_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.group_leader.pe.imphash: - dashed_name: process-group-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.group_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.group_leader.pe.import_hash: - dashed_name: process-group-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.group_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.group_leader.pe.imports: - dashed_name: process-group-leader-pe-imports - description: List of imported element names and types. - flat_name: process.group_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. 
- type: flattened - process.group_leader.pe.imports_names_entropy: - dashed_name: process-group-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.group_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.group_leader.pe.imports_names_var_entropy: - dashed_name: process-group-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.group_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.group_leader.pe.original_file_name: - dashed_name: process-group-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.group_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.group_leader.pe.pehash: - dashed_name: process-group-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
- example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.group_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.group_leader.pe.product: - dashed_name: process-group-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.group_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.group_leader.pe.sections: - dashed_name: process-group-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.group_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.group_leader.pe.sections.entropy: - dashed_name: process-group-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.group_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.group_leader.pe.sections.name: - dashed_name: process-group-leader-pe-sections-name - description: PE Section List name. - flat_name: process.group_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword - process.group_leader.pe.sections.physical_size: - dashed_name: process-group-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.group_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.group_leader.pe.sections.var_entropy: - dashed_name: process-group-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.group_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.group_leader.pe.sections.virtual_size: - dashed_name: process-group-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.group_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.group_leader.pid: - dashed_name: process-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. - type: long - process.group_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. 
- flat_name: process.group_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.group_leader.real_group.domain: - dashed_name: process-group-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.real_group.id: - dashed_name: process-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.real_group.name: - dashed_name: process-group-leader-real-group-name - description: Name of the group. - flat_name: process.group_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.real_user.domain: - dashed_name: process-group-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.group_leader.real_user.email: - dashed_name: process-group-leader-real-user-email - description: User email address. 
- flat_name: process.group_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.group_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.group_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.group_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.group_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.group_leader.real_user.entity.id: - dashed_name: process-group-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.group_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.group_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date - process.group_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.group_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.group_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.group_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.group_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. 
- type: keyword - process.group_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.group_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.group_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.group_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.group_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.group_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.group_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-group-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.group_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.group_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-group-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.group_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.group_leader.real_user.full_name: - dashed_name: process-group-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.group_leader.real_user.group.domain: - dashed_name: process-group-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.real_user.group.id: - dashed_name: process-group-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.group_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.real_user.group.name: - dashed_name: process-group-leader-real-user-group-name - description: Name of the group. - flat_name: process.group_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.real_user.hash: - dashed_name: process-group-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.group_leader.real_user.id: - dashed_name: process-group-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.group_leader.real_user.name: - dashed_name: process-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.group_leader.real_user.risk.calculated_level: - dashed_name: process-group-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.group_leader.real_user.risk.calculated_score: - dashed_name: process-group-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.group_leader.real_user.risk.calculated_score_norm: - dashed_name: process-group-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.group_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.group_leader.real_user.risk.static_level: - dashed_name: process-group-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.group_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.group_leader.real_user.risk.static_score: - dashed_name: process-group-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.group_leader.real_user.risk.static_score_norm: - dashed_name: process-group-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.group_leader.real_user.roles: - dashed_name: process-group-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.group_leader.same_as_process: - dashed_name: process-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.group_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.group_leader.saved_group.domain: - dashed_name: process-group-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.group_leader.saved_group.id: - dashed_name: process-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.saved_group.name: - dashed_name: process-group-leader-saved-group-name - description: Name of the group. - flat_name: process.group_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.saved_user.domain: - dashed_name: process-group-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.group_leader.saved_user.email: - dashed_name: process-group-leader-saved-user-email - description: User email address. - flat_name: process.group_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.group_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- flat_name: process.group_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.group_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.group_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.group_leader.saved_user.entity.id: - dashed_name: process-group-leader-saved-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.group_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.group_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.group_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object - process.group_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.group_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.group_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.group_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.group_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.group_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object - process.group_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.group_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.group_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.group_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.group_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.group_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.group_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-group-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: process.group_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.group_leader.saved_user.full_name: - dashed_name: process-group-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.group_leader.saved_user.group.domain: - dashed_name: process-group-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.saved_user.group.id: - dashed_name: process-group-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.saved_user.group.name: - dashed_name: process-group-leader-saved-user-group-name - description: Name of the group. - flat_name: process.group_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.group_leader.saved_user.hash: - dashed_name: process-group-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.group_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.group_leader.saved_user.id: - dashed_name: process-group-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.group_leader.saved_user.name: - dashed_name: process-group-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.group_leader.saved_user.risk.calculated_level: - dashed_name: process-group-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: keyword - process.group_leader.saved_user.risk.calculated_score: - dashed_name: process-group-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.group_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.group_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-group-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.group_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.group_leader.saved_user.risk.static_level: - dashed_name: process-group-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.group_leader.saved_user.risk.static_score: - dashed_name: process-group-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.group_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.group_leader.saved_user.risk.static_score_norm: - dashed_name: process-group-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.group_leader.saved_user.roles: - dashed_name: process-group-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.group_leader.start: - dashed_name: process-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.group_leader.supplemental_groups.domain: - dashed_name: process-group-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.group_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.supplemental_groups.id: - dashed_name: process-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.supplemental_groups.name: - dashed_name: process-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.group_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.thread.capabilities.effective: - dashed_name: process-group-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.group_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.group_leader.thread.capabilities.permitted: - dashed_name: process-group-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.group_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.group_leader.thread.id: - dashed_name: process-group-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.group_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.group_leader.thread.name: - dashed_name: process-group-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.group_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.group_leader.title: - dashed_name: process-group-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.group_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.group_leader.tty: - dashed_name: process-group-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.group_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. 
- type: object - process.group_leader.tty.char_device.major: - dashed_name: process-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.group_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.group_leader.tty.char_device.minor: - dashed_name: process-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.group_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.group_leader.tty.columns: - dashed_name: process-group-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.group_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.group_leader.tty.rows: - dashed_name: process-group-leader-tty-rows - description: 'The number of character rows in the terminal. 
e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.group_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.group_leader.uptime: - dashed_name: process-group-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.group_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.group_leader.user.domain: - dashed_name: process-group-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.group_leader.user.email: - dashed_name: process-group-leader-user-email - description: User email address. - flat_name: process.group_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.group_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- flat_name: process.group_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.group_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.group_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.group_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.group_leader.user.entity.id: - dashed_name: process-group-leader-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.group_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.group_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.group_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.group_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.group_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object - process.group_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.group_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.group_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.group_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.group_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.group_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.group_leader.user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-group-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.group_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.group_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.group_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.group_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.group_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. 
- type: keyword - process.group_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-group-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.group_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. 
- type: keyword - process.group_leader.user.full_name: - dashed_name: process-group-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.group_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.group_leader.user.group.domain: - dashed_name: process-group-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.group_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.group_leader.user.group.id: - dashed_name: process-group-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.group_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.group_leader.user.group.name: - dashed_name: process-group-leader-user-group-name - description: Name of the group. - flat_name: process.group_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.group_leader.user.hash: - dashed_name: process-group-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.group_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.group_leader.user.id: - dashed_name: process-group-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.group_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.group_leader.user.name: - dashed_name: process-group-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.group_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.group_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.group_leader.user.risk.calculated_level: - dashed_name: process-group-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.group_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.group_leader.user.risk.calculated_score: - dashed_name: process-group-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.group_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.group_leader.user.risk.calculated_score_norm: - dashed_name: process-group-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.group_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.group_leader.user.risk.static_level: - dashed_name: process-group-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.group_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.group_leader.user.risk.static_score: - dashed_name: process-group-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.group_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.group_leader.user.risk.static_score_norm: - dashed_name: process-group-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.group_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.group_leader.user.roles: - dashed_name: process-group-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.group_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.group_leader.vpid: - dashed_name: process-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.group_leader.working_directory: - dashed_name: process-group-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.group_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. 
- type: keyword - process.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.hash.md5: - dashed_name: process-hash-md5 - description: MD5 hash. - flat_name: process.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.hash.sha1: - dashed_name: process-hash-sha1 - description: SHA1 hash. - flat_name: process.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.hash.sha256: - dashed_name: process-hash-sha256 - description: SHA256 hash. - flat_name: process.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.hash.sha384: - dashed_name: process-hash-sha384 - description: SHA384 hash. - flat_name: process.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.hash.sha512: - dashed_name: process-hash-sha512 - description: SHA512 hash. - flat_name: process.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.hash.ssdeep: - dashed_name: process-hash-ssdeep - description: SSDEEP hash. - flat_name: process.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. 
- type: keyword - process.hash.tlsh: - dashed_name: process-hash-tlsh - description: TLSH hash. - flat_name: process.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.interactive: - dashed_name: process-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.interactive - level: extended - name: interactive - normalize: [] - otel: - - relation: match - stability: development - short: Whether the process is connected to an interactive shell. - type: boolean - process.io: - dashed_name: process-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.io - level: extended - name: io - normalize: [] - short: A chunk of input or output (IO) from a single process. - type: object - process.io.bytes_skipped: - dashed_name: process-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - short: An array of byte offsets and lengths denoting where IO data has been - skipped. 
- type: object - process.io.bytes_skipped.length: - dashed_name: process-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - short: The length of bytes skipped. - type: long - process.io.bytes_skipped.offset: - dashed_name: process-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.io.max_bytes_per_process_exceeded: - dashed_name: process-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.io.text: - dashed_name: process-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.io.text - level: extended - name: io.text - normalize: [] - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.io.total_bytes_captured: - dashed_name: process-io-total-bytes-captured - description: The total number of bytes captured in this event. 
- flat_name: process.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - short: The total number of bytes captured in this event. - type: long - process.io.total_bytes_skipped: - dashed_name: process-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.io.type: - dashed_name: process-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.macho.go_import_hash: - dashed_name: process-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. 
- type: keyword - process.macho.go_imports: - dashed_name: process-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.macho.go_imports_names_entropy: - dashed_name: process-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.macho.go_imports_names_var_entropy: - dashed_name: process-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.macho.go_stripped: - dashed_name: process-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.macho.import_hash: - dashed_name: process-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.macho.imports: - dashed_name: process-macho-imports - description: List of imported element names and types. - flat_name: process.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.macho.imports_names_entropy: - dashed_name: process-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.macho.imports_names_var_entropy: - dashed_name: process-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.macho.sections: - dashed_name: process-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. 
- type: nested - process.macho.sections.entropy: - dashed_name: process-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.macho.sections.name: - dashed_name: process-macho-sections-name - description: Mach-O Section List name. - flat_name: process.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.macho.sections.physical_size: - dashed_name: process-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.macho.sections.var_entropy: - dashed_name: process-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.macho.sections.virtual_size: - dashed_name: process-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.macho.symhash: - dashed_name: process-macho-symhash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.name: - dashed_name: process-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.name.text - name: text - type: match_only_text - name: name - normalize: [] - short: Process name. - type: keyword - process.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - short: The URL where the process's executable file is hosted. - type: keyword - process.parent.args: - dashed_name: process-parent-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.parent.args_count: - dashed_name: process-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.parent.attested_groups.domain: - dashed_name: process-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.attested_groups.id: - dashed_name: process-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.attested_groups.name: - dashed_name: process-parent-attested-groups-name - description: Name of the group. - flat_name: process.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.parent.attested_user.domain: - dashed_name: process-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.attested_user.email: - dashed_name: process-parent-attested-user-email - description: User email address. - flat_name: process.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.parent.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.parent.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.parent.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.parent.attested_user.entity.id: - dashed_name: process-parent-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- flat_name: process.parent.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.parent.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.parent.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.parent.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.parent.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.parent.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object - process.parent.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.parent.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.parent.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.parent.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.parent.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.parent.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.parent.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.parent.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.parent.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.parent.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.parent.attested_user.full_name: - dashed_name: process-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword - process.parent.attested_user.group.domain: - dashed_name: process-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.attested_user.group.id: - dashed_name: process-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.attested_user.group.name: - dashed_name: process-parent-attested-user-group-name - description: Name of the group. - flat_name: process.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.attested_user.hash: - dashed_name: process-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.attested_user.id: - dashed_name: process-parent-attested-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.attested_user.name: - dashed_name: process-parent-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.attested_user.risk.calculated_level: - dashed_name: process-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.attested_user.risk.calculated_score: - dashed_name: process-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.attested_user.risk.static_level: - dashed_name: process-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.attested_user.risk.static_score: - dashed_name: process-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.attested_user.risk.static_score_norm: - dashed_name: process-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.attested_user.roles: - dashed_name: process-parent-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.code_signature.digest_algorithm: - dashed_name: process-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.parent.code_signature.exists: - dashed_name: process-parent-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-flags - description: The flags used to sign the process. 
- example: 570522385 - flat_name: process.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.parent.code_signature.signing_id: - dashed_name: process-parent-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.parent.code_signature.status: - dashed_name: process-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.parent.code_signature.subject_name: - dashed_name: process-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.parent.code_signature.team_id: - dashed_name: process-parent-code-signature-team-id - description: 'The team identifier used to sign the process. 
- - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.parent.code_signature.timestamp: - dashed_name: process-parent-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.parent.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.parent.code_signature.trusted: - dashed_name: process-parent-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.parent.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. 
- type: boolean - process.parent.code_signature.valid: - dashed_name: process-parent-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.parent.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.parent.command_line: - dashed_name: process-parent-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.command_line - level: extended - multi_fields: - - flat_name: process.parent.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.parent.elf.architecture: - dashed_name: process-parent-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.parent.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.parent.elf.byte_order: - dashed_name: process-parent-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.parent.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.parent.elf.cpu_type: - dashed_name: process-parent-elf-cpu-type - description: CPU type of the ELF file. 
- example: Intel - flat_name: process.parent.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.parent.elf.creation_date: - dashed_name: process-parent-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.parent.elf.exports: - dashed_name: process-parent-elf-exports - description: List of exported element names and types. - flat_name: process.parent.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.parent.elf.go_import_hash: - dashed_name: process-parent-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.parent.elf.go_imports: - dashed_name: process-parent-elf-go-imports - description: List of imported Go language element names and types. 
- flat_name: process.parent.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.parent.elf.go_imports_names_entropy: - dashed_name: process-parent-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.elf.go_imports_names_var_entropy: - dashed_name: process-parent-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.parent.elf.go_stripped: - dashed_name: process-parent-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.elf.header.abi_version: - dashed_name: process-parent-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). 
- type: keyword - process.parent.elf.header.class: - dashed_name: process-parent-elf-header-class - description: Header class of the ELF file. - flat_name: process.parent.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.parent.elf.header.data: - dashed_name: process-parent-elf-header-data - description: Data table of the ELF header. - flat_name: process.parent.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.parent.elf.header.entrypoint: - dashed_name: process-parent-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.parent.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.parent.elf.header.object_version: - dashed_name: process-parent-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.parent.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.parent.elf.header.os_abi: - dashed_name: process-parent-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.parent.elf.header.type: - dashed_name: process-parent-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.parent.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.parent.elf.header.version: - dashed_name: process-parent-elf-header-version - description: Version of the ELF header. - flat_name: process.parent.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.parent.elf.import_hash: - dashed_name: process-parent-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.parent.elf.imports: - dashed_name: process-parent-elf-imports - description: List of imported element names and types. - flat_name: process.parent.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.parent.elf.imports_names_entropy: - dashed_name: process-parent-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. 
- type: long - process.parent.elf.imports_names_var_entropy: - dashed_name: process-parent-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.elf.sections: - dashed_name: process-parent-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.parent.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.parent.elf.sections.chi2: - dashed_name: process-parent-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.parent.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.parent.elf.sections.entropy: - dashed_name: process-parent-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.parent.elf.sections.flags: - dashed_name: process-parent-elf-sections-flags - description: ELF Section List flags. 
- flat_name: process.parent.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.parent.elf.sections.name: - dashed_name: process-parent-elf-sections-name - description: ELF Section List name. - flat_name: process.parent.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.parent.elf.sections.physical_offset: - dashed_name: process-parent-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.parent.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.parent.elf.sections.physical_size: - dashed_name: process-parent-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.parent.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.parent.elf.sections.type: - dashed_name: process-parent-elf-sections-type - description: ELF Section List type. - flat_name: process.parent.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.parent.elf.sections.var_entropy: - dashed_name: process-parent-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. 
- type: long - process.parent.elf.sections.virtual_address: - dashed_name: process-parent-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.parent.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.parent.elf.sections.virtual_size: - dashed_name: process-parent-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.parent.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.parent.elf.segments: - dashed_name: process-parent-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.parent.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.parent.elf.segments.sections: - dashed_name: process-parent-elf-segments-sections - description: ELF object segment sections. - flat_name: process.parent.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.parent.elf.segments.type: - dashed_name: process-parent-elf-segments-type - description: ELF object segment type. - flat_name: process.parent.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. 
- type: keyword - process.parent.elf.shared_libraries: - dashed_name: process-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.parent.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.parent.elf.telfhash: - dashed_name: process-parent-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.parent.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.parent.end: - dashed_name: process-parent-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.parent.entity_id: - dashed_name: process-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. 
- - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.parent.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.parent.entry_meta.source.address: - dashed_name: process-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.parent.entry_meta.source.as.number: - dashed_name: process-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.parent.entry_meta.source.as.organization.name: - dashed_name: process-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. 
- type: keyword - process.parent.entry_meta.source.bytes: - dashed_name: process-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.parent.entry_meta.source.domain: - dashed_name: process-parent-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.parent.entry_meta.source.geo.city_name: - dashed_name: process-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.parent.entry_meta.source.geo.continent_code: - dashed_name: process-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.parent.entry_meta.source.geo.continent_name: - dashed_name: process-parent-entry-meta-source-geo-continent-name - description: Name of the continent. 
- example: North America - flat_name: process.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.parent.entry_meta.source.geo.country_name: - dashed_name: process-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.parent.entry_meta.source.geo.location: - dashed_name: process-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.parent.entry_meta.source.geo.name: - dashed_name: process-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. 
- type: keyword - process.parent.entry_meta.source.geo.postal_code: - dashed_name: process-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.parent.entry_meta.source.geo.region_name: - dashed_name: process-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.parent.entry_meta.source.geo.timezone: - dashed_name: process-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.parent.entry_meta.source.ip: - dashed_name: process-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip - process.parent.entry_meta.source.mac: - dashed_name: process-parent-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.parent.entry_meta.source.nat.ip: - dashed_name: process-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.parent.entry_meta.source.nat.port: - dashed_name: process-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.parent.entry_meta.source.packets: - dashed_name: process-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. 
- type: long - process.parent.entry_meta.source.port: - dashed_name: process-parent-entry-meta-source-port - description: Port of the source. - flat_name: process.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.parent.entry_meta.source.registered_domain: - dashed_name: process-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.parent.entry_meta.source.subdomain: - dashed_name: process-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. 
- type: keyword - process.parent.entry_meta.source.top_level_domain: - dashed_name: process-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.parent.entry_meta.type: - dashed_name: process-parent-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.parent.env_vars: - dashed_name: process-parent-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. 
- synthetic_source_keep: none - type: keyword - process.parent.executable: - dashed_name: process-parent-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.parent.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.parent.exit_code: - dashed_name: process-parent-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.parent.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.parent.group.domain: - dashed_name: process-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group.id: - dashed_name: process-parent-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group.name: - dashed_name: process-parent-group-name - description: Name of the group. - flat_name: process.parent.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.parent.group_leader.args: - dashed_name: process-parent-group-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.parent.group_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.parent.group_leader.args_count: - dashed_name: process-parent-group-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.parent.group_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.parent.group_leader.attested_groups.domain: - dashed_name: process-parent-group-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.attested_groups.id: - dashed_name: process-parent-group-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.parent.group_leader.attested_groups.name: - dashed_name: process-parent-group-leader-attested-groups-name - description: Name of the group. - flat_name: process.parent.group_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.attested_user.domain: - dashed_name: process-parent-group-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.group_leader.attested_user.email: - dashed_name: process-parent-group-leader-attested-user-email - description: User email address. - flat_name: process.parent.group_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.group_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.parent.group_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. 
- type: object - process.parent.group_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.parent.group_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.group_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.parent.group_leader.attested_user.entity.id: - dashed_name: process-parent-group-leader-attested-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.parent.group_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.parent.group_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.parent.group_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.parent.group_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.parent.group_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.parent.group_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.parent.group_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.parent.group_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.parent.group_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.parent.group_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: process.parent.group_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.parent.group_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.group_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.parent.group_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.parent.group_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.group_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.group_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.parent.group_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.parent.group_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.parent.group_leader.attested_user.full_name: - dashed_name: process-parent-group-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.group_leader.attested_user.group.domain: - dashed_name: process-parent-group-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.attested_user.group.id: - dashed_name: process-parent-group-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.parent.group_leader.attested_user.group.name: - dashed_name: process-parent-group-leader-attested-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.attested_user.hash: - dashed_name: process-parent-group-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.group_leader.attested_user.id: - dashed_name: process-parent-group-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.group_leader.attested_user.name: - dashed_name: process-parent-group-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.parent.group_leader.attested_user.risk.calculated_level: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.group_leader.attested_user.risk.calculated_score: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.group_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.group_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.parent.group_leader.attested_user.risk.static_level: - dashed_name: process-parent-group-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.group_leader.attested_user.risk.static_score: - dashed_name: process-parent-group-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.group_leader.attested_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.group_leader.attested_user.roles: - dashed_name: process-parent-group-leader-attested-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.code_signature.digest_algorithm: - dashed_name: process-parent-group-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.parent.group_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.parent.group_leader.code_signature.exists: - dashed_name: process-parent-group-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.parent.group_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.parent.group_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.parent.group_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.parent.group_leader.code_signature.signing_id: - dashed_name: process-parent-group-leader-code-signature-signing-id - description: 'The identifier used to sign the process. 
- - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.parent.group_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.parent.group_leader.code_signature.status: - dashed_name: process-parent-group-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.parent.group_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.parent.group_leader.code_signature.subject_name: - dashed_name: process-parent-group-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.parent.group_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.parent.group_leader.code_signature.team_id: - dashed_name: process-parent-group-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' 
- example: EQHXZ8M8AV - flat_name: process.parent.group_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.parent.group_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.parent.group_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.parent.group_leader.code_signature.timestamp: - dashed_name: process-parent-group-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.parent.group_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.parent.group_leader.code_signature.trusted: - dashed_name: process-parent-group-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.parent.group_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. 
- type: boolean - process.parent.group_leader.code_signature.valid: - dashed_name: process-parent-group-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.parent.group_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.parent.group_leader.command_line: - dashed_name: process-parent-group-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.parent.group_leader.command_line - level: extended - multi_fields: - - flat_name: process.parent.group_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.parent.group_leader.elf.architecture: - dashed_name: process-parent-group-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.parent.group_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.parent.group_leader.elf.byte_order: - dashed_name: process-parent-group-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.parent.group_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. 
- type: keyword - process.parent.group_leader.elf.cpu_type: - dashed_name: process-parent-group-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.parent.group_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.parent.group_leader.elf.creation_date: - dashed_name: process-parent-group-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.parent.group_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.parent.group_leader.elf.exports: - dashed_name: process-parent-group-leader-elf-exports - description: List of exported element names and types. - flat_name: process.parent.group_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.parent.group_leader.elf.go_import_hash: - dashed_name: process-parent-group-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. 
- type: keyword - process.parent.group_leader.elf.go_imports: - dashed_name: process-parent-group-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.parent.group_leader.elf.go_imports_names_entropy: - dashed_name: process-parent-group-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.group_leader.elf.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.parent.group_leader.elf.go_stripped: - dashed_name: process-parent-group-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. 
- type: boolean - process.parent.group_leader.elf.header.abi_version: - dashed_name: process-parent-group-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.parent.group_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.parent.group_leader.elf.header.class: - dashed_name: process-parent-group-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.parent.group_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.parent.group_leader.elf.header.data: - dashed_name: process-parent-group-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.parent.group_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.parent.group_leader.elf.header.entrypoint: - dashed_name: process-parent-group-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.parent.group_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.parent.group_leader.elf.header.object_version: - dashed_name: process-parent-group-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.parent.group_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' 
- type: keyword - process.parent.group_leader.elf.header.os_abi: - dashed_name: process-parent-group-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.parent.group_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.parent.group_leader.elf.header.type: - dashed_name: process-parent-group-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.parent.group_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.parent.group_leader.elf.header.version: - dashed_name: process-parent-group-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.parent.group_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.parent.group_leader.elf.import_hash: - dashed_name: process-parent-group-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.parent.group_leader.elf.imports: - dashed_name: process-parent-group-leader-elf-imports - description: List of imported element names and types. 
- flat_name: process.parent.group_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.parent.group_leader.elf.imports_names_entropy: - dashed_name: process-parent-group-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.group_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.group_leader.elf.imports_names_var_entropy: - dashed_name: process-parent-group-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.group_leader.elf.sections: - dashed_name: process-parent-group-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.parent.group_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.parent.group_leader.elf.sections.chi2: - dashed_name: process-parent-group-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. 
- flat_name: process.parent.group_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.parent.group_leader.elf.sections.entropy: - dashed_name: process-parent-group-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.parent.group_leader.elf.sections.flags: - dashed_name: process-parent-group-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.parent.group_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.parent.group_leader.elf.sections.name: - dashed_name: process-parent-group-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.parent.group_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.parent.group_leader.elf.sections.physical_offset: - dashed_name: process-parent-group-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.parent.group_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.parent.group_leader.elf.sections.physical_size: - dashed_name: process-parent-group-leader-elf-sections-physical-size - description: ELF Section List physical size. 
- flat_name: process.parent.group_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.parent.group_leader.elf.sections.type: - dashed_name: process-parent-group-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.parent.group_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.parent.group_leader.elf.sections.var_entropy: - dashed_name: process-parent-group-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.group_leader.elf.sections.virtual_address: - dashed_name: process-parent-group-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.parent.group_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.parent.group_leader.elf.sections.virtual_size: - dashed_name: process-parent-group-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.parent.group_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. 
- type: long - process.parent.group_leader.elf.segments: - dashed_name: process-parent-group-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.parent.group_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.parent.group_leader.elf.segments.sections: - dashed_name: process-parent-group-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.parent.group_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.parent.group_leader.elf.segments.type: - dashed_name: process-parent-group-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.parent.group_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.parent.group_leader.elf.shared_libraries: - dashed_name: process-parent-group-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.parent.group_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.parent.group_leader.elf.telfhash: - dashed_name: process-parent-group-leader-elf-telfhash - description: telfhash symbol hash for ELF file. 
- flat_name: process.parent.group_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.parent.group_leader.end: - dashed_name: process-parent-group-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.parent.group_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.parent.group_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.parent.group_leader.entity_id: - dashed_name: process-parent-group-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.parent.group_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. 
- type: keyword - process.parent.group_leader.entry_meta.source.address: - dashed_name: process-parent-group-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.parent.group_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.parent.group_leader.entry_meta.source.as.number: - dashed_name: process-parent-group-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.parent.group_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.parent.group_leader.entry_meta.source.as.organization.name: - dashed_name: process-parent-group-leader-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.parent.group_leader.entry_meta.source.bytes: - dashed_name: process-parent-group-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. 
- example: 184 - flat_name: process.parent.group_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.parent.group_leader.entry_meta.source.domain: - dashed_name: process-parent-group-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.parent.group_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.parent.group_leader.entry_meta.source.geo.city_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.parent.group_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.parent.group_leader.entry_meta.source.geo.continent_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.parent.group_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.parent.group_leader.entry_meta.source.geo.continent_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-continent-name - description: Name of the continent. 
- example: North America - flat_name: process.parent.group_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.parent.group_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.parent.group_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.parent.group_leader.entry_meta.source.geo.country_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.parent.group_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.parent.group_leader.entry_meta.source.geo.location: - dashed_name: process-parent-group-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.parent.group_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.parent.group_leader.entry_meta.source.geo.name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' 
- example: boston-dc - flat_name: process.parent.group_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.parent.group_leader.entry_meta.source.geo.postal_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.parent.group_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.parent.group_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-parent-group-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.parent.group_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.parent.group_leader.entry_meta.source.geo.region_name: - dashed_name: process-parent-group-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.parent.group_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.parent.group_leader.entry_meta.source.geo.timezone: - dashed_name: process-parent-group-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. 
- example: America/Argentina/Buenos_Aires - flat_name: process.parent.group_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.parent.group_leader.entry_meta.source.ip: - dashed_name: process-parent-group-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.parent.group_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.parent.group_leader.entry_meta.source.mac: - dashed_name: process-parent-group-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.parent.group_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.parent.group_leader.entry_meta.source.nat.ip: - dashed_name: process-parent-group-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.parent.group_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.parent.group_leader.entry_meta.source.nat.port: - dashed_name: process-parent-group-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. 
internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.parent.group_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.parent.group_leader.entry_meta.source.packets: - dashed_name: process-parent-group-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.parent.group_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.parent.group_leader.entry_meta.source.port: - dashed_name: process-parent-group-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.parent.group_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.parent.group_leader.entry_meta.source.registered_domain: - dashed_name: process-parent-group-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.parent.group_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. 
- type: keyword - process.parent.group_leader.entry_meta.source.subdomain: - dashed_name: process-parent-group-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.parent.group_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.parent.group_leader.entry_meta.source.top_level_domain: - dashed_name: process-parent-group-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.parent.group_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.parent.group_leader.entry_meta.type: - dashed_name: process-parent-group-leader-entry-meta-type - description: 'The entry type for the entry session leader. 
Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.parent.group_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.parent.group_leader.env_vars: - dashed_name: process-parent-group-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.parent.group_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.executable: - dashed_name: process-parent-group-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.parent.group_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.parent.group_leader.exit_code: - dashed_name: process-parent-group-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.parent.group_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. 
- type: long - process.parent.group_leader.group.domain: - dashed_name: process-parent-group-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.group.id: - dashed_name: process-parent-group-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.group.name: - dashed_name: process-parent-group-leader-group-name - description: Name of the group. - flat_name: process.parent.group_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.group_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.parent.group_leader.hash.md5: - dashed_name: process-parent-group-leader-hash-md5 - description: MD5 hash. - flat_name: process.parent.group_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. 
- type: keyword - process.parent.group_leader.hash.sha1: - dashed_name: process-parent-group-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.parent.group_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.parent.group_leader.hash.sha256: - dashed_name: process-parent-group-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.parent.group_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.parent.group_leader.hash.sha384: - dashed_name: process-parent-group-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.parent.group_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.parent.group_leader.hash.sha512: - dashed_name: process-parent-group-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.parent.group_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.parent.group_leader.hash.ssdeep: - dashed_name: process-parent-group-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.parent.group_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.parent.group_leader.hash.tlsh: - dashed_name: process-parent-group-leader-hash-tlsh - description: TLSH hash. - flat_name: process.parent.group_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. 
- type: keyword - process.parent.group_leader.interactive: - dashed_name: process-parent-group-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.parent.group_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.parent.group_leader.io: - dashed_name: process-parent-group-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.parent.group_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.parent.group_leader.io.bytes_skipped: - dashed_name: process-parent-group-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.parent.group_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. 
- type: object - process.parent.group_leader.io.bytes_skipped.length: - dashed_name: process-parent-group-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.parent.group_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.parent.group_leader.io.bytes_skipped.offset: - dashed_name: process-parent-group-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.parent.group_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.parent.group_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-parent-group-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.parent.group_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.parent.group_leader.io.text: - dashed_name: process-parent-group-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. 
TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.parent.group_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.parent.group_leader.io.total_bytes_captured: - dashed_name: process-parent-group-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.parent.group_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.parent.group_leader.io.total_bytes_skipped: - dashed_name: process-parent-group-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.parent.group_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.parent.group_leader.io.type: - dashed_name: process-parent-group-leader-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.parent.group_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. 
- type: keyword - process.parent.group_leader.macho.go_import_hash: - dashed_name: process-parent-group-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.parent.group_leader.macho.go_imports: - dashed_name: process-parent-group-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.parent.group_leader.macho.go_imports_names_entropy: - dashed_name: process-parent-group-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.group_leader.macho.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.parent.group_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.parent.group_leader.macho.go_stripped: - dashed_name: process-parent-group-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.group_leader.macho.import_hash: - dashed_name: process-parent-group-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.parent.group_leader.macho.imports: - dashed_name: process-parent-group-leader-macho-imports - description: List of imported element names and types. - flat_name: process.parent.group_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. 
- type: flattened - process.parent.group_leader.macho.imports_names_entropy: - dashed_name: process-parent-group-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.group_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.group_leader.macho.imports_names_var_entropy: - dashed_name: process-parent-group-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.group_leader.macho.sections: - dashed_name: process-parent-group-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.parent.group_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.parent.group_leader.macho.sections.entropy: - dashed_name: process-parent-group-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. 
- type: long - process.parent.group_leader.macho.sections.name: - dashed_name: process-parent-group-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.parent.group_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.parent.group_leader.macho.sections.physical_size: - dashed_name: process-parent-group-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.parent.group_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.parent.group_leader.macho.sections.var_entropy: - dashed_name: process-parent-group-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.group_leader.macho.sections.virtual_size: - dashed_name: process-parent-group-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.group_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.parent.group_leader.macho.symhash: - dashed_name: process-parent-group-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.group_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.parent.group_leader.name: - dashed_name: process-parent-group-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.parent.group_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.parent.group_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.parent.group_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.parent.group_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-origin-url - description: The URL where the process's executable file is hosted. 
- example: http://example.com/files/example.exe - flat_name: process.parent.group_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.parent.group_leader.pe.architecture: - dashed_name: process-parent-group-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.parent.group_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.parent.group_leader.pe.company: - dashed_name: process-parent-group-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.parent.group_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.parent.group_leader.pe.description: - dashed_name: process-parent-group-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.parent.group_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.parent.group_leader.pe.file_version: - dashed_name: process-parent-group-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.parent.group_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. 
- type: keyword - process.parent.group_leader.pe.go_import_hash: - dashed_name: process-parent-group-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.group_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.parent.group_leader.pe.go_imports: - dashed_name: process-parent-group-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.group_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.parent.group_leader.pe.go_imports_names_entropy: - dashed_name: process-parent-group-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.group_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.group_leader.pe.go_imports_names_var_entropy: - dashed_name: process-parent-group-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.parent.group_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.parent.group_leader.pe.go_stripped: - dashed_name: process-parent-group-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.group_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.group_leader.pe.imphash: - dashed_name: process-parent-group-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.group_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.parent.group_leader.pe.import_hash: - dashed_name: process-parent-group-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.group_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.parent.group_leader.pe.imports: - dashed_name: process-parent-group-leader-pe-imports - description: List of imported element names and types. - flat_name: process.parent.group_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.parent.group_leader.pe.imports_names_entropy: - dashed_name: process-parent-group-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.group_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.group_leader.pe.imports_names_var_entropy: - dashed_name: process-parent-group-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.group_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.group_leader.pe.original_file_name: - dashed_name: process-parent-group-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - flat_name: process.parent.group_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.parent.group_leader.pe.pehash: - dashed_name: process-parent-group-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.group_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.parent.group_leader.pe.product: - dashed_name: process-parent-group-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.parent.group_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.parent.group_leader.pe.sections: - dashed_name: process-parent-group-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.parent.group_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. 
- type: nested - process.parent.group_leader.pe.sections.entropy: - dashed_name: process-parent-group-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.parent.group_leader.pe.sections.name: - dashed_name: process-parent-group-leader-pe-sections-name - description: PE Section List name. - flat_name: process.parent.group_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.parent.group_leader.pe.sections.physical_size: - dashed_name: process-parent-group-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.parent.group_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.parent.group_leader.pe.sections.var_entropy: - dashed_name: process-parent-group-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.group_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.group_leader.pe.sections.virtual_size: - dashed_name: process-parent-group-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. 
- flat_name: process.parent.group_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.parent.group_leader.pid: - dashed_name: process-parent-group-leader-pid - description: Process id. - example: 4242 - flat_name: process.parent.group_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.parent.group_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.parent.group_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.parent.group_leader.real_group.domain: - dashed_name: process-parent-group-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.real_group.id: - dashed_name: process-parent-group-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.parent.group_leader.real_group.name: - dashed_name: process-parent-group-leader-real-group-name - description: Name of the group. - flat_name: process.parent.group_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.real_user.domain: - dashed_name: process-parent-group-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.group_leader.real_user.email: - dashed_name: process-parent-group-leader-real-user-email - description: User email address. - flat_name: process.parent.group_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.group_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.parent.group_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.parent.group_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.parent.group_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.group_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.parent.group_leader.real_user.entity.id: - dashed_name: process-parent-group-leader-real-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.parent.group_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.parent.group_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.parent.group_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.parent.group_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object - process.parent.group_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.parent.group_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.parent.group_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.parent.group_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.parent.group_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.parent.group_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object - process.parent.group_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.group_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.parent.group_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.parent.group_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.group_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.parent.group_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.parent.group_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.parent.group_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.parent.group_leader.real_user.full_name: - dashed_name: process-parent-group-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.group_leader.real_user.group.domain: - dashed_name: process-parent-group-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.real_user.group.id: - dashed_name: process-parent-group-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.real_user.group.name: - dashed_name: process-parent-group-leader-real-user-group-name - description: Name of the group. 
- flat_name: process.parent.group_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.real_user.hash: - dashed_name: process-parent-group-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.group_leader.real_user.id: - dashed_name: process-parent-group-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.group_leader.real_user.name: - dashed_name: process-parent-group-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.group_leader.real_user.risk.calculated_level: - dashed_name: process-parent-group-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.parent.group_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.group_leader.real_user.risk.calculated_score: - dashed_name: process-parent-group-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.group_leader.real_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.group_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.group_leader.real_user.risk.static_level: - dashed_name: process-parent-group-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.parent.group_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.group_leader.real_user.risk.static_score: - dashed_name: process-parent-group-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.group_leader.real_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.group_leader.real_user.roles: - dashed_name: process-parent-group-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.parent.group_leader.same_as_process: - dashed_name: process-parent-group-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.parent.group_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.parent.group_leader.saved_group.domain: - dashed_name: process-parent-group-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.parent.group_leader.saved_group.id: - dashed_name: process-parent-group-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.saved_group.name: - dashed_name: process-parent-group-leader-saved-group-name - description: Name of the group. - flat_name: process.parent.group_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.saved_user.domain: - dashed_name: process-parent-group-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.group_leader.saved_user.email: - dashed_name: process-parent-group-leader-saved-user-email - description: User email address. - flat_name: process.parent.group_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.group_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.parent.group_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.parent.group_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.parent.group_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.parent.group_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.parent.group_leader.saved_user.entity.id: - dashed_name: process-parent-group-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.parent.group_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.parent.group_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.parent.group_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date - process.parent.group_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.parent.group_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.parent.group_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.parent.group_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.parent.group_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. 
- type: keyword - process.parent.group_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.parent.group_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.parent.group_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.group_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.parent.group_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.parent.group_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.group_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-group-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.group_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.parent.group_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.parent.group_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.parent.group_leader.saved_user.full_name: - dashed_name: process-parent-group-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.group_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.group_leader.saved_user.group.domain: - dashed_name: process-parent-group-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.parent.group_leader.saved_user.group.id: - dashed_name: process-parent-group-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.saved_user.group.name: - dashed_name: process-parent-group-leader-saved-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.saved_user.hash: - dashed_name: process-parent-group-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.group_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.group_leader.saved_user.id: - dashed_name: process-parent-group-leader-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.group_leader.saved_user.name: - dashed_name: process-parent-group-leader-saved-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.parent.group_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.group_leader.saved_user.risk.calculated_level: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.group_leader.saved_user.risk.calculated_score: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.group_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.group_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - flat_name: process.parent.group_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.group_leader.saved_user.risk.static_level: - dashed_name: process-parent-group-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.group_leader.saved_user.risk.static_score: - dashed_name: process-parent-group-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.group_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.group_leader.saved_user.risk.static_score_norm: - dashed_name: process-parent-group-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.parent.group_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.group_leader.saved_user.roles: - dashed_name: process-parent-group-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.start: - dashed_name: process-parent-group-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.group_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.parent.group_leader.supplemental_groups.domain: - dashed_name: process-parent-group-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.supplemental_groups.id: - dashed_name: process-parent-group-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.parent.group_leader.supplemental_groups.name: - dashed_name: process-parent-group-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.parent.group_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.thread.capabilities.effective: - dashed_name: process-parent-group-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.group_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.thread.capabilities.permitted: - dashed_name: process-parent-group-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.group_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.thread.id: - dashed_name: process-parent-group-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.parent.group_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. 
- type: long - process.parent.group_leader.thread.name: - dashed_name: process-parent-group-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.parent.group_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.parent.group_leader.title: - dashed_name: process-parent-group-leader-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.parent.group_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.parent.group_leader.tty: - dashed_name: process-parent-group-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.parent.group_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.parent.group_leader.tty.char_device.major: - dashed_name: process-parent-group-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.parent.group_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. 
- type: long - process.parent.group_leader.tty.char_device.minor: - dashed_name: process-parent-group-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.parent.group_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.parent.group_leader.tty.columns: - dashed_name: process-parent-group-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.parent.group_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.parent.group_leader.tty.rows: - dashed_name: process-parent-group-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.parent.group_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.parent.group_leader.uptime: - dashed_name: process-parent-group-leader-uptime - description: Seconds the process has been up. 
- example: 1325 - flat_name: process.parent.group_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.parent.group_leader.user.domain: - dashed_name: process-parent-group-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.group_leader.user.email: - dashed_name: process-parent-group-leader-user-email - description: User email address. - flat_name: process.parent.group_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.group_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.parent.group_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.parent.group_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. 
Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.parent.group_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.group_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.parent.group_leader.user.entity.id: - dashed_name: process-parent-group-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. 
Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.parent.group_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.parent.group_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.parent.group_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.parent.group_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.group_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.parent.group_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. 
- flat_name: process.parent.group_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.parent.group_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.parent.group_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.parent.group_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.parent.group_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.parent.group_leader.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. 
Format may vary by entity type and source system. - flat_name: process.parent.group_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.parent.group_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.parent.group_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.group_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.group_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.parent.group_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. 
Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. 
Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-group-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.parent.group_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.parent.group_leader.user.full_name: - dashed_name: process-parent-group-leader-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.parent.group_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.group_leader.user.group.domain: - dashed_name: process-parent-group-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.group_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.group_leader.user.group.id: - dashed_name: process-parent-group-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.group_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.group_leader.user.group.name: - dashed_name: process-parent-group-leader-user-group-name - description: Name of the group. - flat_name: process.parent.group_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.group_leader.user.hash: - dashed_name: process-parent-group-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.parent.group_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.group_leader.user.id: - dashed_name: process-parent-group-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.group_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.group_leader.user.name: - dashed_name: process-parent-group-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.group_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.group_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.group_leader.user.risk.calculated_level: - dashed_name: process-parent-group-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.group_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.group_leader.user.risk.calculated_score: - dashed_name: process-parent-group-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.parent.group_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.group_leader.user.risk.calculated_score_norm: - dashed_name: process-parent-group-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.group_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.group_leader.user.risk.static_level: - dashed_name: process-parent-group-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.group_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.group_leader.user.risk.static_score: - dashed_name: process-parent-group-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.parent.group_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.group_leader.user.risk.static_score_norm: - dashed_name: process-parent-group-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.group_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.group_leader.user.roles: - dashed_name: process-parent-group-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.group_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.group_leader.vpid: - dashed_name: process-parent-group-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.parent.group_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.parent.group_leader.working_directory: - dashed_name: process-parent-group-leader-working-directory - description: The working directory of the process. 
- example: /home/alice - flat_name: process.parent.group_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.group_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.parent.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-parent-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.parent.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.parent.hash.md5: - dashed_name: process-parent-hash-md5 - description: MD5 hash. - flat_name: process.parent.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.parent.hash.sha1: - dashed_name: process-parent-hash-sha1 - description: SHA1 hash. - flat_name: process.parent.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.parent.hash.sha256: - dashed_name: process-parent-hash-sha256 - description: SHA256 hash. - flat_name: process.parent.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.parent.hash.sha384: - dashed_name: process-parent-hash-sha384 - description: SHA384 hash. - flat_name: process.parent.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. 
- type: keyword - process.parent.hash.sha512: - dashed_name: process-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.parent.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.parent.hash.ssdeep: - dashed_name: process-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.parent.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.parent.hash.tlsh: - dashed_name: process-parent-hash-tlsh - description: TLSH hash. - flat_name: process.parent.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.parent.interactive: - dashed_name: process-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.parent.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.parent.io: - dashed_name: process-parent-io - description: 'A chunk of input or output (IO) from a single process. 
- - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.parent.io.bytes_skipped: - dashed_name: process-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.parent.io.bytes_skipped.length: - dashed_name: process-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.parent.io.bytes_skipped.offset: - dashed_name: process-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- flat_name: process.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.parent.io.text: - dashed_name: process-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.parent.io.total_bytes_captured: - dashed_name: process-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.parent.io.total_bytes_skipped: - dashed_name: process-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. 
- type: long - process.parent.io.type: - dashed_name: process-parent-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.parent.macho.go_import_hash: - dashed_name: process-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.parent.macho.go_imports: - dashed_name: process-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.parent.macho.go_imports_names_entropy: - dashed_name: process-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.parent.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.macho.go_imports_names_var_entropy: - dashed_name: process-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.parent.macho.go_stripped: - dashed_name: process-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.parent.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.macho.import_hash: - dashed_name: process-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.parent.macho.imports: - dashed_name: process-parent-macho-imports - description: List of imported element names and types. 
- flat_name: process.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.parent.macho.imports_names_entropy: - dashed_name: process-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.parent.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.macho.imports_names_var_entropy: - dashed_name: process-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.macho.sections: - dashed_name: process-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.parent.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.parent.macho.sections.entropy: - dashed_name: process-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.parent.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.parent.macho.sections.name: - dashed_name: process-parent-macho-sections-name - description: Mach-O Section List name. - flat_name: process.parent.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.parent.macho.sections.physical_size: - dashed_name: process-parent-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.parent.macho.sections.var_entropy: - dashed_name: process-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.macho.sections.virtual_size: - dashed_name: process-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.parent.macho.symhash: - dashed_name: process-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.parent.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.parent.name: - dashed_name: process-parent-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.parent.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-parent-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword - process.parent.pe.architecture: - dashed_name: process-parent-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.parent.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.parent.pe.company: - dashed_name: process-parent-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.parent.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.parent.pe.description: - dashed_name: process-parent-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.parent.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.parent.pe.file_version: - dashed_name: process-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.parent.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.parent.pe.go_import_hash: - dashed_name: process-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.parent.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.parent.pe.go_imports: - dashed_name: process-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.parent.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.parent.pe.go_imports_names_entropy: - dashed_name: process-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.parent.pe.go_imports_names_var_entropy: - dashed_name: process-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.parent.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.parent.pe.go_stripped: - dashed_name: process-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.parent.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.parent.pe.imphash: - dashed_name: process-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.parent.pe.import_hash: - dashed_name: process-parent-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.parent.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.parent.pe.imports: - dashed_name: process-parent-pe-imports - description: List of imported element names and types. - flat_name: process.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.parent.pe.imports_names_entropy: - dashed_name: process-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.parent.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.parent.pe.imports_names_var_entropy: - dashed_name: process-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.parent.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.parent.pe.original_file_name: - dashed_name: process-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.parent.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.parent.pe.pehash: - dashed_name: process-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.parent.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.parent.pe.product: - dashed_name: process-parent-pe-product - description: Internal product name of the file, provided at compile-time. 
- example: Microsoft® Windows® Operating System - flat_name: process.parent.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.parent.pe.sections: - dashed_name: process-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.parent.pe.sections.entropy: - dashed_name: process-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.parent.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.parent.pe.sections.name: - dashed_name: process-parent-pe-sections-name - description: PE Section List name. - flat_name: process.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.parent.pe.sections.physical_size: - dashed_name: process-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.parent.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.parent.pe.sections.var_entropy: - dashed_name: process-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. 
- flat_name: process.parent.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.parent.pe.sections.virtual_size: - dashed_name: process-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.parent.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.parent.pid: - dashed_name: process-parent-pid - description: Process id. - example: 4242 - flat_name: process.parent.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.parent.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.parent.real_group.domain: - dashed_name: process-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.parent.real_group.id: - dashed_name: process-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.real_group.name: - dashed_name: process-parent-real-group-name - description: Name of the group. - flat_name: process.parent.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.real_user.domain: - dashed_name: process-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.real_user.email: - dashed_name: process-parent-real-user-email - description: User email address. - flat_name: process.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. 
- flat_name: process.parent.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.parent.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.parent.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.parent.real_user.entity.id: - dashed_name: process-parent-real-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.parent.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.parent.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.parent.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.parent.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. 
- type: object - process.parent.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.parent.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.parent.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.parent.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.parent.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.parent.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.parent.real_user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.parent.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.parent.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. 
- type: keyword - process.parent.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.parent.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. 
- type: keyword - process.parent.real_user.full_name: - dashed_name: process-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.real_user.group.domain: - dashed_name: process-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.real_user.group.id: - dashed_name: process-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.real_user.group.name: - dashed_name: process-parent-real-user-group-name - description: Name of the group. - flat_name: process.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.real_user.hash: - dashed_name: process-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.real_user.id: - dashed_name: process-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.real_user.name: - dashed_name: process-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.real_user.risk.calculated_level: - dashed_name: process-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.real_user.risk.calculated_score: - dashed_name: process-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.real_user.risk.calculated_score_norm: - dashed_name: process-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.real_user.risk.static_level: - dashed_name: process-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.real_user.risk.static_score: - dashed_name: process-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.parent.real_user.risk.static_score_norm: - dashed_name: process-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.real_user.roles: - dashed_name: process-parent-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.same_as_process: - dashed_name: process-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.parent.saved_group.domain: - dashed_name: process-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.saved_group.id: - dashed_name: process-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.saved_group.name: - dashed_name: process-parent-saved-group-name - description: Name of the group. - flat_name: process.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.saved_user.domain: - dashed_name: process-parent-saved-user-domain - description: 'Name of the directory the user is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.saved_user.email: - dashed_name: process-parent-saved-user-email - description: User email address. - flat_name: process.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.parent.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.parent.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.parent.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.parent.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.parent.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.parent.saved_user.entity.id: - dashed_name: process-parent-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.parent.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword - process.parent.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.parent.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.parent.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.parent.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.parent.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.parent.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-name - description: The name of the entity. 
The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.parent.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.parent.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.parent.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.parent.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.parent.saved_user.entity.source: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.parent.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.parent.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.parent.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. 
- name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. 
- name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.parent.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.parent.saved_user.full_name: - dashed_name: process-parent-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.saved_user.group.domain: - dashed_name: process-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.saved_user.group.id: - dashed_name: process-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.saved_user.group.name: - dashed_name: process-parent-saved-user-group-name - description: Name of the group. - flat_name: process.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.saved_user.hash: - dashed_name: process-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.saved_user.id: - dashed_name: process-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.saved_user.name: - dashed_name: process-parent-saved-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.saved_user.risk.calculated_level: - dashed_name: process-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.saved_user.risk.calculated_score: - dashed_name: process-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.parent.saved_user.risk.static_level: - dashed_name: process-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.saved_user.risk.static_score: - dashed_name: process-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.parent.saved_user.risk.static_score_norm: - dashed_name: process-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.saved_user.roles: - dashed_name: process-parent-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.start: - dashed_name: process-parent-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.parent.supplemental_groups.domain: - dashed_name: process-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.supplemental_groups.id: - dashed_name: process-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.supplemental_groups.name: - dashed_name: process-parent-supplemental-groups-name - description: Name of the group. - flat_name: process.parent.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.thread.capabilities.effective: - dashed_name: process-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.parent.thread.capabilities.permitted: - dashed_name: process-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.parent.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.parent.thread.id: - dashed_name: process-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.parent.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.parent.thread.name: - dashed_name: process-parent-thread-name - description: Thread name. - example: thread-0 - flat_name: process.parent.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.parent.title: - dashed_name: process-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' 
- flat_name: process.parent.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.parent.tty: - dashed_name: process-parent-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.parent.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.parent.tty.char_device.major: - dashed_name: process-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.parent.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.parent.tty.char_device.minor: - dashed_name: process-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.parent.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.parent.tty.columns: - dashed_name: process-parent-tty-columns - description: 'The number of character columns per line. 
e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.parent.tty.rows: - dashed_name: process-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.parent.uptime: - dashed_name: process-parent-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.parent.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.parent.user.domain: - dashed_name: process-parent-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.parent.user.email: - dashed_name: process-parent-user-email - description: User email address. - flat_name: process.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.parent.user.entity.attributes: - beta: This field is beta and subject to change. 
- dashed_name: process-parent-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.parent.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.parent.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.parent.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.parent.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.parent.user.entity.id: - dashed_name: process-parent-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.parent.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.parent.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.parent.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.parent.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.parent.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.parent.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.parent.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.parent.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.parent.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.parent.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: process.parent.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.parent.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.parent.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.parent.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.parent.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.parent.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.parent.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.parent.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-parent-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: process.parent.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.parent.user.full_name: - dashed_name: process-parent-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.parent.user.group.domain: - dashed_name: process-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.parent.user.group.id: - dashed_name: process-parent-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.parent.user.group.name: - dashed_name: process-parent-user-group-name - description: Name of the group. - flat_name: process.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.parent.user.hash: - dashed_name: process-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. 
- - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.parent.user.id: - dashed_name: process-parent-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.parent.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.parent.user.name: - dashed_name: process-parent-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.parent.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.parent.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.parent.user.risk.calculated_level: - dashed_name: process-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.parent.user.risk.calculated_score: - dashed_name: process-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.parent.user.risk.calculated_score_norm: - dashed_name: process-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.parent.user.risk.static_level: - dashed_name: process-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.parent.user.risk.static_score: - dashed_name: process-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.parent.user.risk.static_score_norm: - dashed_name: process-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.parent.user.roles: - dashed_name: process-parent-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.parent.vpid: - dashed_name: process-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.parent.working_directory: - dashed_name: process-parent-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.parent.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.parent.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. 
- type: keyword - process.pe.architecture: - dashed_name: process-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.pe.company: - dashed_name: process-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.pe.description: - dashed_name: process-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.pe.file_version: - dashed_name: process-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.pe.go_import_hash: - dashed_name: process-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.pe.go_imports: - dashed_name: process-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.pe.go_imports_names_entropy: - dashed_name: process-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.pe.go_imports_names_var_entropy: - dashed_name: process-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.pe.go_stripped: - dashed_name: process-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. 
- type: boolean - process.pe.imphash: - dashed_name: process-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.pe.import_hash: - dashed_name: process-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.pe.imports: - dashed_name: process-pe-imports - description: List of imported element names and types. - flat_name: process.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.pe.imports_names_entropy: - dashed_name: process-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. 
- type: long - process.pe.imports_names_var_entropy: - dashed_name: process-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.pe.original_file_name: - dashed_name: process-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.pe.pehash: - dashed_name: process-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.pe.product: - dashed_name: process-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. 
- type: keyword - process.pe.sections: - dashed_name: process-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.pe.sections.entropy: - dashed_name: process-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.pe.sections.name: - dashed_name: process-pe-sections-name - description: PE Section List name. - flat_name: process.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.pe.sections.physical_size: - dashed_name: process-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.pe.sections.var_entropy: - dashed_name: process-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.pe.sections.virtual_size: - dashed_name: process-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. 
- flat_name: process.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.pid: - dashed_name: process-pid - description: Process id. - example: 4242 - flat_name: process.pid - format: string - level: core - name: pid - normalize: [] - otel: - - relation: match - stability: development - short: Process id. - type: long - process.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.platform_binary - level: extended - name: platform_binary - normalize: [] - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.previous.args: - dashed_name: process-previous-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.previous.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.previous.args_count: - dashed_name: process-previous-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.previous.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. 
- type: long - process.previous.attested_groups.domain: - dashed_name: process-previous-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.attested_groups.id: - dashed_name: process-previous-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.attested_groups.name: - dashed_name: process-previous-attested-groups-name - description: Name of the group. - flat_name: process.previous.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.attested_user.domain: - dashed_name: process-previous-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.previous.attested_user.email: - dashed_name: process-previous-attested-user-email - description: User email address. - flat_name: process.previous.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword - process.previous.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.previous.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.previous.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.previous.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.previous.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.previous.attested_user.entity.id: - dashed_name: process-previous-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.previous.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.previous.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.previous.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.previous.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.previous.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.previous.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.previous.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.previous.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.previous.attested_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.previous.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.previous.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.previous.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.previous.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.previous.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.previous.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. 
This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.previous.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.previous.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. 
- name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. 
- dashed_name: process-previous-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.previous.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.previous.attested_user.full_name: - dashed_name: process-previous-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.previous.attested_user.group.domain: - dashed_name: process-previous-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.attested_user.group.id: - dashed_name: process-previous-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.previous.attested_user.group.name: - dashed_name: process-previous-attested-user-group-name - description: Name of the group. - flat_name: process.previous.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.attested_user.hash: - dashed_name: process-previous-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.previous.attested_user.id: - dashed_name: process-previous-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.previous.attested_user.name: - dashed_name: process-previous-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.previous.attested_user.risk.calculated_level: - dashed_name: process-previous-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.previous.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.previous.attested_user.risk.calculated_score: - dashed_name: process-previous-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.previous.attested_user.risk.calculated_score_norm: - dashed_name: process-previous-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.previous.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.previous.attested_user.risk.static_level: - dashed_name: process-previous-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.previous.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.previous.attested_user.risk.static_score: - dashed_name: process-previous-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.previous.attested_user.risk.static_score_norm: - dashed_name: process-previous-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.previous.attested_user.roles: - dashed_name: process-previous-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.previous.code_signature.digest_algorithm: - dashed_name: process-previous-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.previous.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.previous.code_signature.exists: - dashed_name: process-previous-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.previous.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.previous.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-previous-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.previous.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.previous.code_signature.signing_id: - dashed_name: process-previous-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.previous.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. 
- type: keyword - process.previous.code_signature.status: - dashed_name: process-previous-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.previous.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.previous.code_signature.subject_name: - dashed_name: process-previous-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.previous.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.previous.code_signature.team_id: - dashed_name: process-previous-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.previous.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.previous.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-previous-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.previous.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.previous.code_signature.timestamp: - dashed_name: process-previous-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.previous.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.previous.code_signature.trusted: - dashed_name: process-previous-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.previous.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.previous.code_signature.valid: - dashed_name: process-previous-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.previous.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. 
- type: boolean - process.previous.command_line: - dashed_name: process-previous-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.previous.command_line - level: extended - multi_fields: - - flat_name: process.previous.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.previous.elf.architecture: - dashed_name: process-previous-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.previous.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.previous.elf.byte_order: - dashed_name: process-previous-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.previous.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.previous.elf.cpu_type: - dashed_name: process-previous-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.previous.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.previous.elf.creation_date: - dashed_name: process-previous-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. 
- flat_name: process.previous.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.previous.elf.exports: - dashed_name: process-previous-elf-exports - description: List of exported element names and types. - flat_name: process.previous.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.previous.elf.go_import_hash: - dashed_name: process-previous-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.previous.elf.go_imports: - dashed_name: process-previous-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.previous.elf.go_imports_names_entropy: - dashed_name: process-previous-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.previous.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.previous.elf.go_imports_names_var_entropy: - dashed_name: process-previous-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.previous.elf.go_stripped: - dashed_name: process-previous-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.previous.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.previous.elf.header.abi_version: - dashed_name: process-previous-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.previous.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.previous.elf.header.class: - dashed_name: process-previous-elf-header-class - description: Header class of the ELF file. - flat_name: process.previous.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. 
- type: keyword - process.previous.elf.header.data: - dashed_name: process-previous-elf-header-data - description: Data table of the ELF header. - flat_name: process.previous.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.previous.elf.header.entrypoint: - dashed_name: process-previous-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.previous.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.previous.elf.header.object_version: - dashed_name: process-previous-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.previous.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.previous.elf.header.os_abi: - dashed_name: process-previous-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.previous.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.previous.elf.header.type: - dashed_name: process-previous-elf-header-type - description: Header type of the ELF file. - flat_name: process.previous.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.previous.elf.header.version: - dashed_name: process-previous-elf-header-version - description: Version of the ELF header. 
- flat_name: process.previous.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.previous.elf.import_hash: - dashed_name: process-previous-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.previous.elf.imports: - dashed_name: process-previous-elf-imports - description: List of imported element names and types. - flat_name: process.previous.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.previous.elf.imports_names_entropy: - dashed_name: process-previous-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.previous.elf.imports_names_var_entropy: - dashed_name: process-previous-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.previous.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.previous.elf.sections: - dashed_name: process-previous-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.previous.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.previous.elf.sections.chi2: - dashed_name: process-previous-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.previous.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.previous.elf.sections.entropy: - dashed_name: process-previous-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.previous.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.previous.elf.sections.flags: - dashed_name: process-previous-elf-sections-flags - description: ELF Section List flags. - flat_name: process.previous.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.previous.elf.sections.name: - dashed_name: process-previous-elf-sections-name - description: ELF Section List name. 
- flat_name: process.previous.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.previous.elf.sections.physical_offset: - dashed_name: process-previous-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.previous.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.previous.elf.sections.physical_size: - dashed_name: process-previous-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.previous.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.previous.elf.sections.type: - dashed_name: process-previous-elf-sections-type - description: ELF Section List type. - flat_name: process.previous.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.previous.elf.sections.var_entropy: - dashed_name: process-previous-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.previous.elf.sections.virtual_address: - dashed_name: process-previous-elf-sections-virtual-address - description: ELF Section List virtual address. 
- flat_name: process.previous.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.previous.elf.sections.virtual_size: - dashed_name: process-previous-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.previous.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.previous.elf.segments: - dashed_name: process-previous-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.previous.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.previous.elf.segments.sections: - dashed_name: process-previous-elf-segments-sections - description: ELF object segment sections. - flat_name: process.previous.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.previous.elf.segments.type: - dashed_name: process-previous-elf-segments-type - description: ELF object segment type. - flat_name: process.previous.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.previous.elf.shared_libraries: - dashed_name: process-previous-elf-shared-libraries - description: List of shared libraries used by this ELF object. 
- flat_name: process.previous.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.previous.elf.telfhash: - dashed_name: process-previous-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.previous.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.previous.end: - dashed_name: process-previous-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.previous.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.previous.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-previous-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.previous.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.previous.entity_id: - dashed_name: process-previous-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' 
- example: c2c455d9f99375d - flat_name: process.previous.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.previous.entry_meta.source.address: - dashed_name: process-previous-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.previous.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.previous.entry_meta.source.as.number: - dashed_name: process-previous-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.previous.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.previous.entry_meta.source.as.organization.name: - dashed_name: process-previous-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.previous.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. 
- type: keyword - process.previous.entry_meta.source.bytes: - dashed_name: process-previous-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.previous.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.previous.entry_meta.source.domain: - dashed_name: process-previous-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.previous.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.previous.entry_meta.source.geo.city_name: - dashed_name: process-previous-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.previous.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.previous.entry_meta.source.geo.continent_code: - dashed_name: process-previous-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.previous.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.previous.entry_meta.source.geo.continent_name: - dashed_name: process-previous-entry-meta-source-geo-continent-name - description: Name of the continent. 
- example: North America - flat_name: process.previous.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.previous.entry_meta.source.geo.country_iso_code: - dashed_name: process-previous-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.previous.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.previous.entry_meta.source.geo.country_name: - dashed_name: process-previous-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.previous.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.previous.entry_meta.source.geo.location: - dashed_name: process-previous-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.previous.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.previous.entry_meta.source.geo.name: - dashed_name: process-previous-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.previous.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. 
- type: keyword - process.previous.entry_meta.source.geo.postal_code: - dashed_name: process-previous-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.previous.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.previous.entry_meta.source.geo.region_iso_code: - dashed_name: process-previous-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.previous.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.previous.entry_meta.source.geo.region_name: - dashed_name: process-previous-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.previous.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.previous.entry_meta.source.geo.timezone: - dashed_name: process-previous-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.previous.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.previous.entry_meta.source.ip: - dashed_name: process-previous-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). 
- flat_name: process.previous.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.previous.entry_meta.source.mac: - dashed_name: process-previous-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.previous.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.previous.entry_meta.source.nat.ip: - dashed_name: process-previous-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.previous.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.previous.entry_meta.source.nat.port: - dashed_name: process-previous-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.previous.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.previous.entry_meta.source.packets: - dashed_name: process-previous-entry-meta-source-packets - description: Packets sent from the source to the destination. 
- example: 12 - flat_name: process.previous.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.previous.entry_meta.source.port: - dashed_name: process-previous-entry-meta-source-port - description: Port of the source. - flat_name: process.previous.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.previous.entry_meta.source.registered_domain: - dashed_name: process-previous-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.previous.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.previous.entry_meta.source.subdomain: - dashed_name: process-previous-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' 
- example: east - flat_name: process.previous.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.previous.entry_meta.source.top_level_domain: - dashed_name: process-previous-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.previous.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.previous.entry_meta.type: - dashed_name: process-previous-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.previous.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.previous.env_vars: - dashed_name: process-previous-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' 
- example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.previous.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.previous.executable: - dashed_name: process-previous-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.previous.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.previous.exit_code: - dashed_name: process-previous-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.previous.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.previous.group.domain: - dashed_name: process-previous-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.group.id: - dashed_name: process-previous-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.previous.group.name: - dashed_name: process-previous-group-name - description: Name of the group. - flat_name: process.previous.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-previous-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.previous.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.previous.hash.md5: - dashed_name: process-previous-hash-md5 - description: MD5 hash. - flat_name: process.previous.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.previous.hash.sha1: - dashed_name: process-previous-hash-sha1 - description: SHA1 hash. - flat_name: process.previous.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.previous.hash.sha256: - dashed_name: process-previous-hash-sha256 - description: SHA256 hash. - flat_name: process.previous.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.previous.hash.sha384: - dashed_name: process-previous-hash-sha384 - description: SHA384 hash. - flat_name: process.previous.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. 
- type: keyword - process.previous.hash.sha512: - dashed_name: process-previous-hash-sha512 - description: SHA512 hash. - flat_name: process.previous.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.previous.hash.ssdeep: - dashed_name: process-previous-hash-ssdeep - description: SSDEEP hash. - flat_name: process.previous.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.previous.hash.tlsh: - dashed_name: process-previous-hash-tlsh - description: TLSH hash. - flat_name: process.previous.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.previous.interactive: - dashed_name: process-previous-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.previous.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.previous.io: - dashed_name: process-previous-io - description: 'A chunk of input or output (IO) from a single process. 
- - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.previous.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.previous.io.bytes_skipped: - dashed_name: process-previous-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.previous.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.previous.io.bytes_skipped.length: - dashed_name: process-previous-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.previous.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.previous.io.bytes_skipped.offset: - dashed_name: process-previous-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.previous.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.previous.io.max_bytes_per_process_exceeded: - dashed_name: process-previous-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- flat_name: process.previous.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.previous.io.text: - dashed_name: process-previous-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.previous.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.previous.io.total_bytes_captured: - dashed_name: process-previous-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.previous.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.previous.io.total_bytes_skipped: - dashed_name: process-previous-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.previous.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. 
- type: long - process.previous.io.type: - dashed_name: process-previous-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.previous.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.previous.macho.go_import_hash: - dashed_name: process-previous-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.previous.macho.go_imports: - dashed_name: process-previous-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.previous.macho.go_imports_names_entropy: - dashed_name: process-previous-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.previous.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.previous.macho.go_imports_names_var_entropy: - dashed_name: process-previous-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.previous.macho.go_stripped: - dashed_name: process-previous-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.previous.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.previous.macho.import_hash: - dashed_name: process-previous-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.previous.macho.imports: - dashed_name: process-previous-macho-imports - description: List of imported element names and types. 
- flat_name: process.previous.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.previous.macho.imports_names_entropy: - dashed_name: process-previous-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.previous.macho.imports_names_var_entropy: - dashed_name: process-previous-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.previous.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.previous.macho.sections: - dashed_name: process-previous-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.previous.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.previous.macho.sections.entropy: - dashed_name: process-previous-macho-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.previous.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.previous.macho.sections.name: - dashed_name: process-previous-macho-sections-name - description: Mach-O Section List name. - flat_name: process.previous.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.previous.macho.sections.physical_size: - dashed_name: process-previous-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.previous.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.previous.macho.sections.var_entropy: - dashed_name: process-previous-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.previous.macho.sections.virtual_size: - dashed_name: process-previous-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.previous.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.previous.macho.symhash: - dashed_name: process-previous-macho-symhash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.previous.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.previous.name: - dashed_name: process-previous-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.previous.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.previous.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-previous-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.previous.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.previous.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-previous-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.previous.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword - process.previous.pe.architecture: - dashed_name: process-previous-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.previous.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.previous.pe.company: - dashed_name: process-previous-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.previous.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.previous.pe.description: - dashed_name: process-previous-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.previous.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.previous.pe.file_version: - dashed_name: process-previous-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.previous.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.previous.pe.go_import_hash: - dashed_name: process-previous-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.previous.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.previous.pe.go_imports: - dashed_name: process-previous-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.previous.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.previous.pe.go_imports_names_entropy: - dashed_name: process-previous-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.previous.pe.go_imports_names_var_entropy: - dashed_name: process-previous-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.previous.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.previous.pe.go_stripped: - dashed_name: process-previous-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.previous.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.previous.pe.imphash: - dashed_name: process-previous-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.previous.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.previous.pe.import_hash: - dashed_name: process-previous-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.previous.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.previous.pe.imports: - dashed_name: process-previous-pe-imports - description: List of imported element names and types. - flat_name: process.previous.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. 
- type: flattened - process.previous.pe.imports_names_entropy: - dashed_name: process-previous-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.previous.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.previous.pe.imports_names_var_entropy: - dashed_name: process-previous-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.previous.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.previous.pe.original_file_name: - dashed_name: process-previous-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.previous.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.previous.pe.pehash: - dashed_name: process-previous-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
- example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.previous.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.previous.pe.product: - dashed_name: process-previous-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.previous.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.previous.pe.sections: - dashed_name: process-previous-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.previous.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.previous.pe.sections.entropy: - dashed_name: process-previous-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.previous.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.previous.pe.sections.name: - dashed_name: process-previous-pe-sections-name - description: PE Section List name. - flat_name: process.previous.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.previous.pe.sections.physical_size: - dashed_name: process-previous-pe-sections-physical-size - description: PE Section List physical size. 
- flat_name: process.previous.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.previous.pe.sections.var_entropy: - dashed_name: process-previous-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.previous.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.previous.pe.sections.virtual_size: - dashed_name: process-previous-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.previous.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.previous.pid: - dashed_name: process-previous-pid - description: Process id. - example: 4242 - flat_name: process.previous.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.previous.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-previous-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.previous.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. 
- type: boolean - process.previous.real_group.domain: - dashed_name: process-previous-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.real_group.id: - dashed_name: process-previous-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.real_group.name: - dashed_name: process-previous-real-group-name - description: Name of the group. - flat_name: process.previous.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.real_user.domain: - dashed_name: process-previous-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.previous.real_user.email: - dashed_name: process-previous-real-user-email - description: User email address. - flat_name: process.previous.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.previous.real_user.entity.attributes: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.previous.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.previous.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.previous.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.previous.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.previous.real_user.entity.id: - dashed_name: process-previous-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.previous.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.previous.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.previous.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.previous.real_user.entity.lifecycle: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.previous.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.previous.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.previous.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.previous.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.previous.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-raw - description: Original, unmodified fields from the source system. 
Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.previous.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.previous.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.previous.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.previous.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.previous.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.previous.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.previous.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.previous.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-previous-real-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.previous.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.previous.real_user.full_name: - dashed_name: process-previous-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.previous.real_user.group.domain: - dashed_name: process-previous-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.real_user.group.id: - dashed_name: process-previous-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.real_user.group.name: - dashed_name: process-previous-real-user-group-name - description: Name of the group. 
- flat_name: process.previous.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.real_user.hash: - dashed_name: process-previous-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.previous.real_user.id: - dashed_name: process-previous-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.previous.real_user.name: - dashed_name: process-previous-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.previous.real_user.risk.calculated_level: - dashed_name: process-previous-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.previous.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.previous.real_user.risk.calculated_score: - dashed_name: process-previous-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.previous.real_user.risk.calculated_score_norm: - dashed_name: process-previous-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.previous.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.previous.real_user.risk.static_level: - dashed_name: process-previous-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: keyword - process.previous.real_user.risk.static_score: - dashed_name: process-previous-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.previous.real_user.risk.static_score_norm: - dashed_name: process-previous-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.previous.real_user.roles: - dashed_name: process-previous-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.previous.same_as_process: - dashed_name: process-previous-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. 
Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.previous.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.previous.saved_group.domain: - dashed_name: process-previous-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.saved_group.id: - dashed_name: process-previous-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.saved_group.name: - dashed_name: process-previous-saved-group-name - description: Name of the group. 
- flat_name: process.previous.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.saved_user.domain: - dashed_name: process-previous-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.previous.saved_user.email: - dashed_name: process-previous-saved-user-email - description: User email address. - flat_name: process.previous.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.previous.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.previous.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.previous.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.previous.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.previous.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.previous.saved_user.entity.id: - dashed_name: process-previous-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- flat_name: process.previous.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.previous.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.previous.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.previous.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.previous.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.previous.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object - process.previous.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.previous.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.previous.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.previous.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.previous.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.previous.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.previous.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.previous.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.previous.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.previous.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.previous.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-previous-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.previous.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.previous.saved_user.full_name: - dashed_name: process-previous-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. 
- type: keyword - process.previous.saved_user.group.domain: - dashed_name: process-previous-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.saved_user.group.id: - dashed_name: process-previous-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.saved_user.group.name: - dashed_name: process-previous-saved-user-group-name - description: Name of the group. - flat_name: process.previous.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.saved_user.hash: - dashed_name: process-previous-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.previous.saved_user.id: - dashed_name: process-previous-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.previous.saved_user.name: - dashed_name: process-previous-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.previous.saved_user.risk.calculated_level: - dashed_name: process-previous-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.previous.saved_user.risk.calculated_score: - dashed_name: process-previous-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.previous.saved_user.risk.calculated_score_norm: - dashed_name: process-previous-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.previous.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.previous.saved_user.risk.static_level: - dashed_name: process-previous-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.previous.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.previous.saved_user.risk.static_score: - dashed_name: process-previous-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.previous.saved_user.risk.static_score_norm: - dashed_name: process-previous-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.previous.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.previous.saved_user.roles: - dashed_name: process-previous-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.previous.start: - dashed_name: process-previous-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.previous.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.previous.supplemental_groups.domain: - dashed_name: process-previous-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.supplemental_groups.id: - dashed_name: process-previous-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.previous.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.supplemental_groups.name: - dashed_name: process-previous-supplemental-groups-name - description: Name of the group. 
- flat_name: process.previous.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.thread.capabilities.effective: - dashed_name: process-previous-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.previous.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.previous.thread.capabilities.permitted: - dashed_name: process-previous-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.previous.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.previous.thread.id: - dashed_name: process-previous-thread-id - description: Thread ID. - example: 4242 - flat_name: process.previous.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.previous.thread.name: - dashed_name: process-previous-thread-name - description: Thread name. - example: thread-0 - flat_name: process.previous.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. 
- type: keyword - process.previous.title: - dashed_name: process-previous-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.previous.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.previous.tty: - dashed_name: process-previous-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.previous.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.previous.tty.char_device.major: - dashed_name: process-previous-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.previous.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.previous.tty.char_device.minor: - dashed_name: process-previous-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. 
- example: 1 - flat_name: process.previous.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.previous.tty.columns: - dashed_name: process-previous-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.previous.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.previous.tty.rows: - dashed_name: process-previous-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.previous.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.previous.uptime: - dashed_name: process-previous-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.previous.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.previous.user.domain: - dashed_name: process-previous-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword - process.previous.user.email: - dashed_name: process-previous-user-email - description: User email address. - flat_name: process.previous.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.previous.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.previous.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.previous.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.previous.user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-previous-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.previous.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.previous.user.entity.id: - dashed_name: process-previous-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.previous.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.previous.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- flat_name: process.previous.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.previous.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.previous.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.previous.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.previous.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.previous.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- flat_name: process.previous.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.previous.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.previous.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.previous.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.previous.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.previous.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.previous.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. 
- type: keyword - process.previous.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.previous.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.previous.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-previous-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.previous.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.previous.user.full_name: - dashed_name: process-previous-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.previous.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.previous.user.group.domain: - dashed_name: process-previous-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.previous.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.previous.user.group.id: - dashed_name: process-previous-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.previous.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.previous.user.group.name: - dashed_name: process-previous-user-group-name - description: Name of the group. - flat_name: process.previous.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.previous.user.hash: - dashed_name: process-previous-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.previous.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.previous.user.id: - dashed_name: process-previous-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.previous.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.previous.user.name: - dashed_name: process-previous-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.previous.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.previous.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.previous.user.risk.calculated_level: - dashed_name: process-previous-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.previous.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.previous.user.risk.calculated_score: - dashed_name: process-previous-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.previous.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.previous.user.risk.calculated_score_norm: - dashed_name: process-previous-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.previous.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.previous.user.risk.static_level: - dashed_name: process-previous-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.previous.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.previous.user.risk.static_score: - dashed_name: process-previous-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.previous.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.previous.user.risk.static_score_norm: - dashed_name: process-previous-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.previous.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.previous.user.roles: - dashed_name: process-previous-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.previous.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.previous.vpid: - dashed_name: process-previous-vpid - description: 'Virtual process id. - - The process id within a pid namespace. 
This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.previous.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.previous.working_directory: - dashed_name: process-previous-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.previous.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.previous.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.real_group.domain: - dashed_name: process-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.real_group.id: - dashed_name: process-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.real_group.name: - dashed_name: process-real-group-name - description: Name of the group. - flat_name: process.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.real_user.domain: - dashed_name: process-real-user-domain - description: 'Name of the directory the user is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.real_user.email: - dashed_name: process-real-user-email - description: User email address. - flat_name: process.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. 
- type: object - process.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.real_user.entity.id: - dashed_name: process-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- flat_name: process.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- flat_name: process.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. 
- type: keyword - process.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.real_user.full_name: - dashed_name: process-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.real_user.group.domain: - dashed_name: process-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.real_user.group.id: - dashed_name: process-real-user-group-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.real_user.group.name: - dashed_name: process-real-user-group-name - description: Name of the group. - flat_name: process.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.real_user.hash: - dashed_name: process-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.real_user.id: - dashed_name: process-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Unique identifier of the user. - type: keyword - process.real_user.name: - dashed_name: process-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Short name or login of the user. 
- type: keyword - process.real_user.risk.calculated_level: - dashed_name: process-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.real_user.risk.calculated_score: - dashed_name: process-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.real_user.risk.calculated_score_norm: - dashed_name: process-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.real_user.risk.static_level: - dashed_name: process-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.real_user.risk.static_score: - dashed_name: process-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.real_user.risk.static_score_norm: - dashed_name: process-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.real_user.roles: - dashed_name: process-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.responsible.args: - dashed_name: process-responsible-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' 
- example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.responsible.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.responsible.args_count: - dashed_name: process-responsible-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.responsible.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.responsible.attested_groups.domain: - dashed_name: process-responsible-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.attested_groups.id: - dashed_name: process-responsible-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.attested_groups.name: - dashed_name: process-responsible-attested-groups-name - description: Name of the group. - flat_name: process.responsible.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.responsible.attested_user.domain: - dashed_name: process-responsible-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.responsible.attested_user.email: - dashed_name: process-responsible-attested-user-email - description: User email address. - flat_name: process.responsible.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.responsible.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.responsible.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.responsible.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.responsible.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.responsible.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.responsible.attested_user.entity.id: - dashed_name: process-responsible-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' 
- flat_name: process.responsible.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.responsible.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.responsible.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.responsible.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.responsible.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.responsible.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. 
- type: object - process.responsible.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.responsible.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.responsible.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.responsible.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.responsible.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. 
- flat_name: process.responsible.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.responsible.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.responsible.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.responsible.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.responsible.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.responsible.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. 
Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. 
Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-responsible-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.responsible.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.responsible.attested_user.full_name: - dashed_name: process-responsible-attested-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.responsible.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.responsible.attested_user.group.domain: - dashed_name: process-responsible-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.attested_user.group.id: - dashed_name: process-responsible-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.attested_user.group.name: - dashed_name: process-responsible-attested-user-group-name - description: Name of the group. - flat_name: process.responsible.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.attested_user.hash: - dashed_name: process-responsible-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' 
- flat_name: process.responsible.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.responsible.attested_user.id: - dashed_name: process-responsible-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.responsible.attested_user.name: - dashed_name: process-responsible-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.responsible.attested_user.risk.calculated_level: - dashed_name: process-responsible-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.responsible.attested_user.risk.calculated_score: - dashed_name: process-responsible-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.responsible.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.responsible.attested_user.risk.calculated_score_norm: - dashed_name: process-responsible-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.responsible.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.responsible.attested_user.risk.static_level: - dashed_name: process-responsible-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.responsible.attested_user.risk.static_score: - dashed_name: process-responsible-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.responsible.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.responsible.attested_user.risk.static_score_norm: - dashed_name: process-responsible-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.responsible.attested_user.roles: - dashed_name: process-responsible-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.responsible.code_signature.digest_algorithm: - dashed_name: process-responsible-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.responsible.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. 
- type: keyword - process.responsible.code_signature.exists: - dashed_name: process-responsible-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.responsible.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.responsible.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-responsible-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.responsible.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.responsible.code_signature.signing_id: - dashed_name: process-responsible-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.responsible.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.responsible.code_signature.status: - dashed_name: process-responsible-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' 
- example: ERROR_UNTRUSTED_ROOT - flat_name: process.responsible.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.responsible.code_signature.subject_name: - dashed_name: process-responsible-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.responsible.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.responsible.code_signature.team_id: - dashed_name: process-responsible-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.responsible.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.responsible.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-responsible-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.responsible.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. 
- type: keyword - process.responsible.code_signature.timestamp: - dashed_name: process-responsible-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.responsible.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.responsible.code_signature.trusted: - dashed_name: process-responsible-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.responsible.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.responsible.code_signature.valid: - dashed_name: process-responsible-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.responsible.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.responsible.command_line: - dashed_name: process-responsible-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.responsible.command_line - level: extended - multi_fields: - - flat_name: process.responsible.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.responsible.elf.architecture: - dashed_name: process-responsible-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.responsible.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.responsible.elf.byte_order: - dashed_name: process-responsible-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.responsible.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.responsible.elf.cpu_type: - dashed_name: process-responsible-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.responsible.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.responsible.elf.creation_date: - dashed_name: process-responsible-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.responsible.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.responsible.elf.exports: - dashed_name: process-responsible-elf-exports - description: List of exported element names and types. 
- flat_name: process.responsible.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.responsible.elf.go_import_hash: - dashed_name: process-responsible-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.responsible.elf.go_imports: - dashed_name: process-responsible-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.responsible.elf.go_imports_names_entropy: - dashed_name: process-responsible-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. 
- type: long - process.responsible.elf.go_imports_names_var_entropy: - dashed_name: process-responsible-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.responsible.elf.go_stripped: - dashed_name: process-responsible-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.responsible.elf.header.abi_version: - dashed_name: process-responsible-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.responsible.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.responsible.elf.header.class: - dashed_name: process-responsible-elf-header-class - description: Header class of the ELF file. - flat_name: process.responsible.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.responsible.elf.header.data: - dashed_name: process-responsible-elf-header-data - description: Data table of the ELF header. 
- flat_name: process.responsible.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.responsible.elf.header.entrypoint: - dashed_name: process-responsible-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.responsible.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.responsible.elf.header.object_version: - dashed_name: process-responsible-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.responsible.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.responsible.elf.header.os_abi: - dashed_name: process-responsible-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.responsible.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.responsible.elf.header.type: - dashed_name: process-responsible-elf-header-type - description: Header type of the ELF file. - flat_name: process.responsible.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.responsible.elf.header.version: - dashed_name: process-responsible-elf-header-version - description: Version of the ELF header. 
- flat_name: process.responsible.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.responsible.elf.import_hash: - dashed_name: process-responsible-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.responsible.elf.imports: - dashed_name: process-responsible-elf-imports - description: List of imported element names and types. - flat_name: process.responsible.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.responsible.elf.imports_names_entropy: - dashed_name: process-responsible-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.responsible.elf.imports_names_var_entropy: - dashed_name: process-responsible-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.responsible.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.responsible.elf.sections: - dashed_name: process-responsible-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.responsible.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.responsible.elf.sections.chi2: - dashed_name: process-responsible-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.responsible.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.responsible.elf.sections.entropy: - dashed_name: process-responsible-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.responsible.elf.sections.flags: - dashed_name: process-responsible-elf-sections-flags - description: ELF Section List flags. - flat_name: process.responsible.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.responsible.elf.sections.name: - dashed_name: process-responsible-elf-sections-name - description: ELF Section List name. 
- flat_name: process.responsible.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.responsible.elf.sections.physical_offset: - dashed_name: process-responsible-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.responsible.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.responsible.elf.sections.physical_size: - dashed_name: process-responsible-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.responsible.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.responsible.elf.sections.type: - dashed_name: process-responsible-elf-sections-type - description: ELF Section List type. - flat_name: process.responsible.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.responsible.elf.sections.var_entropy: - dashed_name: process-responsible-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.responsible.elf.sections.virtual_address: - dashed_name: process-responsible-elf-sections-virtual-address - description: ELF Section List virtual address. 
- flat_name: process.responsible.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.responsible.elf.sections.virtual_size: - dashed_name: process-responsible-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.responsible.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.responsible.elf.segments: - dashed_name: process-responsible-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.responsible.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.responsible.elf.segments.sections: - dashed_name: process-responsible-elf-segments-sections - description: ELF object segment sections. - flat_name: process.responsible.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.responsible.elf.segments.type: - dashed_name: process-responsible-elf-segments-type - description: ELF object segment type. - flat_name: process.responsible.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.responsible.elf.shared_libraries: - dashed_name: process-responsible-elf-shared-libraries - description: List of shared libraries used by this ELF object. 
- flat_name: process.responsible.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.responsible.elf.telfhash: - dashed_name: process-responsible-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.responsible.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.responsible.end: - dashed_name: process-responsible-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.responsible.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.responsible.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-responsible-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.responsible.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.responsible.entity_id: - dashed_name: process-responsible-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' 
- example: c2c455d9f99375d - flat_name: process.responsible.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.responsible.entry_meta.source.address: - dashed_name: process-responsible-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.responsible.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.responsible.entry_meta.source.as.number: - dashed_name: process-responsible-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.responsible.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.responsible.entry_meta.source.as.organization.name: - dashed_name: process-responsible-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.responsible.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. 
- type: keyword - process.responsible.entry_meta.source.bytes: - dashed_name: process-responsible-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.responsible.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.responsible.entry_meta.source.domain: - dashed_name: process-responsible-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.responsible.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.responsible.entry_meta.source.geo.city_name: - dashed_name: process-responsible-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.responsible.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.responsible.entry_meta.source.geo.continent_code: - dashed_name: process-responsible-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.responsible.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.responsible.entry_meta.source.geo.continent_name: - dashed_name: process-responsible-entry-meta-source-geo-continent-name - description: Name of the continent. 
- example: North America - flat_name: process.responsible.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.responsible.entry_meta.source.geo.country_iso_code: - dashed_name: process-responsible-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.responsible.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.responsible.entry_meta.source.geo.country_name: - dashed_name: process-responsible-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.responsible.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.responsible.entry_meta.source.geo.location: - dashed_name: process-responsible-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.responsible.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.responsible.entry_meta.source.geo.name: - dashed_name: process-responsible-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' 
- example: boston-dc - flat_name: process.responsible.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.responsible.entry_meta.source.geo.postal_code: - dashed_name: process-responsible-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.responsible.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.responsible.entry_meta.source.geo.region_iso_code: - dashed_name: process-responsible-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.responsible.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.responsible.entry_meta.source.geo.region_name: - dashed_name: process-responsible-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.responsible.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.responsible.entry_meta.source.geo.timezone: - dashed_name: process-responsible-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.responsible.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. 
- type: keyword - process.responsible.entry_meta.source.ip: - dashed_name: process-responsible-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.responsible.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.responsible.entry_meta.source.mac: - dashed_name: process-responsible-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.responsible.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.responsible.entry_meta.source.nat.ip: - dashed_name: process-responsible-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.responsible.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.responsible.entry_meta.source.nat.port: - dashed_name: process-responsible-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- flat_name: process.responsible.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.responsible.entry_meta.source.packets: - dashed_name: process-responsible-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.responsible.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.responsible.entry_meta.source.port: - dashed_name: process-responsible-entry-meta-source-port - description: Port of the source. - flat_name: process.responsible.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.responsible.entry_meta.source.registered_domain: - dashed_name: process-responsible-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.responsible.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.responsible.entry_meta.source.subdomain: - dashed_name: process-responsible-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.responsible.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.responsible.entry_meta.source.top_level_domain: - dashed_name: process-responsible-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.responsible.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.responsible.entry_meta.type: - dashed_name: process-responsible-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.responsible.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. 
- type: keyword - process.responsible.env_vars: - dashed_name: process-responsible-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.responsible.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.responsible.executable: - dashed_name: process-responsible-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.responsible.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.responsible.exit_code: - dashed_name: process-responsible-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.responsible.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.responsible.group.domain: - dashed_name: process-responsible-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.responsible.group.id: - dashed_name: process-responsible-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.group.name: - dashed_name: process-responsible-group-name - description: Name of the group. - flat_name: process.responsible.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-responsible-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.responsible.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.responsible.hash.md5: - dashed_name: process-responsible-hash-md5 - description: MD5 hash. - flat_name: process.responsible.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.responsible.hash.sha1: - dashed_name: process-responsible-hash-sha1 - description: SHA1 hash. - flat_name: process.responsible.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.responsible.hash.sha256: - dashed_name: process-responsible-hash-sha256 - description: SHA256 hash. 
- flat_name: process.responsible.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.responsible.hash.sha384: - dashed_name: process-responsible-hash-sha384 - description: SHA384 hash. - flat_name: process.responsible.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.responsible.hash.sha512: - dashed_name: process-responsible-hash-sha512 - description: SHA512 hash. - flat_name: process.responsible.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.responsible.hash.ssdeep: - dashed_name: process-responsible-hash-ssdeep - description: SSDEEP hash. - flat_name: process.responsible.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.responsible.hash.tlsh: - dashed_name: process-responsible-hash-tlsh - description: TLSH hash. - flat_name: process.responsible.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.responsible.interactive: - dashed_name: process-responsible-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). 
A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.responsible.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.responsible.io: - dashed_name: process-responsible-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.responsible.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.responsible.io.bytes_skipped: - dashed_name: process-responsible-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.responsible.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.responsible.io.bytes_skipped.length: - dashed_name: process-responsible-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.responsible.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.responsible.io.bytes_skipped.offset: - dashed_name: process-responsible-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.responsible.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.responsible.io.max_bytes_per_process_exceeded: - dashed_name: process-responsible-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.responsible.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.responsible.io.text: - dashed_name: process-responsible-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.responsible.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.responsible.io.total_bytes_captured: - dashed_name: process-responsible-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.responsible.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. 
- type: long - process.responsible.io.total_bytes_skipped: - dashed_name: process-responsible-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.responsible.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.responsible.io.type: - dashed_name: process-responsible-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.responsible.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.responsible.macho.go_import_hash: - dashed_name: process-responsible-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. 
- type: keyword - process.responsible.macho.go_imports: - dashed_name: process-responsible-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.responsible.macho.go_imports_names_entropy: - dashed_name: process-responsible-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.responsible.macho.go_imports_names_var_entropy: - dashed_name: process-responsible-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.responsible.macho.go_stripped: - dashed_name: process-responsible-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.responsible.macho.import_hash: - dashed_name: process-responsible-macho-import-hash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.responsible.macho.imports: - dashed_name: process-responsible-macho-imports - description: List of imported element names and types. - flat_name: process.responsible.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.responsible.macho.imports_names_entropy: - dashed_name: process-responsible-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.responsible.macho.imports_names_var_entropy: - dashed_name: process-responsible-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.responsible.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.responsible.macho.sections: - dashed_name: process-responsible-macho-sections - description: 'An array containing an object for each section of the Mach-O file. 
- - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.responsible.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.responsible.macho.sections.entropy: - dashed_name: process-responsible-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.responsible.macho.sections.name: - dashed_name: process-responsible-macho-sections-name - description: Mach-O Section List name. - flat_name: process.responsible.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.responsible.macho.sections.physical_size: - dashed_name: process-responsible-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.responsible.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.responsible.macho.sections.var_entropy: - dashed_name: process-responsible-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. 
- type: long - process.responsible.macho.sections.virtual_size: - dashed_name: process-responsible-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.responsible.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.responsible.macho.symhash: - dashed_name: process-responsible-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.responsible.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.responsible.name: - dashed_name: process-responsible-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.responsible.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.responsible.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-responsible-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. 
- example: http://example.com/article1.html - flat_name: process.responsible.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.responsible.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-responsible-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.responsible.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.responsible.pe.architecture: - dashed_name: process-responsible-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.responsible.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.responsible.pe.company: - dashed_name: process-responsible-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.responsible.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.responsible.pe.description: - dashed_name: process-responsible-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.responsible.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. 
- type: keyword - process.responsible.pe.file_version: - dashed_name: process-responsible-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.responsible.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.responsible.pe.go_import_hash: - dashed_name: process-responsible-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.responsible.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.responsible.pe.go_imports: - dashed_name: process-responsible-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.responsible.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.responsible.pe.go_imports_names_entropy: - dashed_name: process-responsible-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. 
- type: long - process.responsible.pe.go_imports_names_var_entropy: - dashed_name: process-responsible-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.responsible.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.responsible.pe.go_stripped: - dashed_name: process-responsible-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.responsible.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.responsible.pe.imphash: - dashed_name: process-responsible-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.responsible.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.responsible.pe.import_hash: - dashed_name: process-responsible-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.responsible.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.responsible.pe.imports: - dashed_name: process-responsible-pe-imports - description: List of imported element names and types. - flat_name: process.responsible.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.responsible.pe.imports_names_entropy: - dashed_name: process-responsible-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.responsible.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.responsible.pe.imports_names_var_entropy: - dashed_name: process-responsible-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.responsible.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.responsible.pe.original_file_name: - dashed_name: process-responsible-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.responsible.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. 
- type: keyword - process.responsible.pe.pehash: - dashed_name: process-responsible-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.responsible.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.responsible.pe.product: - dashed_name: process-responsible-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.responsible.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.responsible.pe.sections: - dashed_name: process-responsible-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.responsible.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.responsible.pe.sections.entropy: - dashed_name: process-responsible-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.responsible.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. 
- type: long - process.responsible.pe.sections.name: - dashed_name: process-responsible-pe-sections-name - description: PE Section List name. - flat_name: process.responsible.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.responsible.pe.sections.physical_size: - dashed_name: process-responsible-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.responsible.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.responsible.pe.sections.var_entropy: - dashed_name: process-responsible-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.responsible.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.responsible.pe.sections.virtual_size: - dashed_name: process-responsible-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.responsible.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.responsible.pid: - dashed_name: process-responsible-pid - description: Process id. - example: 4242 - flat_name: process.responsible.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.responsible.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.responsible.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.responsible.real_group.domain: - dashed_name: process-responsible-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.real_group.id: - dashed_name: process-responsible-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.real_group.name: - dashed_name: process-responsible-real-group-name - description: Name of the group. - flat_name: process.responsible.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.real_user.domain: - dashed_name: process-responsible-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. 
- type: keyword - process.responsible.real_user.email: - dashed_name: process-responsible-real-user-email - description: User email address. - flat_name: process.responsible.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.responsible.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.responsible.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.responsible.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.responsible.real_user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.responsible.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.responsible.real_user.entity.id: - dashed_name: process-responsible-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.responsible.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.responsible.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- flat_name: process.responsible.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.responsible.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.responsible.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.responsible.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.responsible.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- flat_name: process.responsible.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.responsible.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.responsible.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.responsible.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.responsible.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.responsible.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). 
- flat_name: process.responsible.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.responsible.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.responsible.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.responsible.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-responsible-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.responsible.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.responsible.real_user.full_name: - dashed_name: process-responsible-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.responsible.real_user.group.domain: - dashed_name: process-responsible-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.responsible.real_user.group.id: - dashed_name: process-responsible-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.real_user.group.name: - dashed_name: process-responsible-real-user-group-name - description: Name of the group. - flat_name: process.responsible.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.real_user.hash: - dashed_name: process-responsible-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.responsible.real_user.id: - dashed_name: process-responsible-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.responsible.real_user.name: - dashed_name: process-responsible-real-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.responsible.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.responsible.real_user.risk.calculated_level: - dashed_name: process-responsible-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.responsible.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.responsible.real_user.risk.calculated_score: - dashed_name: process-responsible-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.responsible.real_user.risk.calculated_score_norm: - dashed_name: process-responsible-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - flat_name: process.responsible.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.responsible.real_user.risk.static_level: - dashed_name: process-responsible-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.responsible.real_user.risk.static_score: - dashed_name: process-responsible-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.responsible.real_user.risk.static_score_norm: - dashed_name: process-responsible-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float - process.responsible.real_user.roles: - dashed_name: process-responsible-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.responsible.same_as_process: - dashed_name: process-responsible-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.responsible.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. 
- type: boolean - process.responsible.saved_group.domain: - dashed_name: process-responsible-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.saved_group.id: - dashed_name: process-responsible-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.saved_group.name: - dashed_name: process-responsible-saved-group-name - description: Name of the group. - flat_name: process.responsible.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.saved_user.domain: - dashed_name: process-responsible-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.responsible.saved_user.email: - dashed_name: process-responsible-saved-user-email - description: User email address. - flat_name: process.responsible.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. 
- type: keyword - process.responsible.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.responsible.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.responsible.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.responsible.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.responsible.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.responsible.saved_user.entity.id: - dashed_name: process-responsible-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.responsible.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.responsible.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.responsible.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.responsible.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.responsible.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.responsible.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.responsible.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.responsible.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.responsible.saved_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.responsible.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.responsible.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.responsible.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.responsible.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.responsible.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.responsible.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. 
This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.responsible.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.responsible.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. 
- name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.responsible.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.responsible.saved_user.full_name: - dashed_name: process-responsible-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.responsible.saved_user.group.domain: - dashed_name: process-responsible-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.saved_user.group.id: - dashed_name: process-responsible-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.responsible.saved_user.group.name: - dashed_name: process-responsible-saved-user-group-name - description: Name of the group. - flat_name: process.responsible.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.saved_user.hash: - dashed_name: process-responsible-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.responsible.saved_user.id: - dashed_name: process-responsible-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.responsible.saved_user.name: - dashed_name: process-responsible-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.responsible.saved_user.risk.calculated_level: - dashed_name: process-responsible-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.responsible.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.responsible.saved_user.risk.calculated_score: - dashed_name: process-responsible-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.responsible.saved_user.risk.calculated_score_norm: - dashed_name: process-responsible-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.responsible.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.responsible.saved_user.risk.static_level: - dashed_name: process-responsible-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.responsible.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.responsible.saved_user.risk.static_score: - dashed_name: process-responsible-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.responsible.saved_user.risk.static_score_norm: - dashed_name: process-responsible-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.responsible.saved_user.roles: - dashed_name: process-responsible-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. 
- synthetic_source_keep: none - type: keyword - process.responsible.start: - dashed_name: process-responsible-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.responsible.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.responsible.supplemental_groups.domain: - dashed_name: process-responsible-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.supplemental_groups.id: - dashed_name: process-responsible-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.supplemental_groups.name: - dashed_name: process-responsible-supplemental-groups-name - description: Name of the group. - flat_name: process.responsible.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.thread.capabilities.effective: - dashed_name: process-responsible-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.responsible.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.responsible.thread.capabilities.permitted: - dashed_name: process-responsible-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.responsible.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.responsible.thread.id: - dashed_name: process-responsible-thread-id - description: Thread ID. - example: 4242 - flat_name: process.responsible.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.responsible.thread.name: - dashed_name: process-responsible-thread-name - description: Thread name. - example: thread-0 - flat_name: process.responsible.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.responsible.title: - dashed_name: process-responsible-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' 
- flat_name: process.responsible.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.responsible.tty: - dashed_name: process-responsible-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.responsible.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.responsible.tty.char_device.major: - dashed_name: process-responsible-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.responsible.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.responsible.tty.char_device.minor: - dashed_name: process-responsible-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.responsible.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. 
- type: long - process.responsible.tty.columns: - dashed_name: process-responsible-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.responsible.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.responsible.tty.rows: - dashed_name: process-responsible-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.responsible.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.responsible.uptime: - dashed_name: process-responsible-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.responsible.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.responsible.user.domain: - dashed_name: process-responsible-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.responsible.user.email: - dashed_name: process-responsible-user-email - description: User email address. 
- flat_name: process.responsible.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.responsible.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.responsible.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.responsible.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.responsible.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. 
This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.responsible.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.responsible.user.entity.id: - dashed_name: process-responsible-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.responsible.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.responsible.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.responsible.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date - process.responsible.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.responsible.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.responsible.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.responsible.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.responsible.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.responsible.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.responsible.user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-responsible-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.responsible.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.responsible.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.responsible.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.responsible.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.responsible.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.responsible.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.responsible.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.responsible.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-responsible-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.responsible.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.responsible.user.full_name: - dashed_name: process-responsible-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.responsible.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.responsible.user.group.domain: - dashed_name: process-responsible-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.responsible.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.responsible.user.group.id: - dashed_name: process-responsible-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.responsible.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.responsible.user.group.name: - dashed_name: process-responsible-user-group-name - description: Name of the group. 
- flat_name: process.responsible.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.responsible.user.hash: - dashed_name: process-responsible-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.responsible.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.responsible.user.id: - dashed_name: process-responsible-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.responsible.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.responsible.user.name: - dashed_name: process-responsible-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.responsible.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.responsible.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.responsible.user.risk.calculated_level: - dashed_name: process-responsible-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: High - flat_name: process.responsible.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.responsible.user.risk.calculated_score: - dashed_name: process-responsible-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.responsible.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.responsible.user.risk.calculated_score_norm: - dashed_name: process-responsible-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.responsible.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.responsible.user.risk.static_level: - dashed_name: process-responsible-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.responsible.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: keyword - process.responsible.user.risk.static_score: - dashed_name: process-responsible-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.responsible.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.responsible.user.risk.static_score_norm: - dashed_name: process-responsible-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.responsible.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.responsible.user.roles: - dashed_name: process-responsible-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.responsible.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.responsible.vpid: - dashed_name: process-responsible-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.responsible.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. 
- type: long - process.responsible.working_directory: - dashed_name: process-responsible-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.responsible.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.responsible.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.same_as_process: - dashed_name: process-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.same_as_process - level: extended - name: same_as_process - normalize: [] - short: This boolean is used to identify if a leader process is the same as the - top level process. 
- type: boolean - process.saved_group.domain: - dashed_name: process-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.saved_group.id: - dashed_name: process-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.saved_group.name: - dashed_name: process-saved-group-name - description: Name of the group. - flat_name: process.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.saved_user.domain: - dashed_name: process-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.saved_user.email: - dashed_name: process-saved-user-email - description: User email address. - flat_name: process.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. 
Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. 
- type: keyword - process.saved_user.entity.id: - dashed_name: process-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object - process.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. 
- type: keyword - process.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.saved_user.full_name: - dashed_name: process-saved-user-full-name - description: User's full name, if available. 
- example: Albert Einstein - flat_name: process.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.saved_user.group.domain: - dashed_name: process-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.saved_user.group.id: - dashed_name: process-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.saved_user.group.name: - dashed_name: process-saved-user-group-name - description: Name of the group. - flat_name: process.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.saved_user.hash: - dashed_name: process-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.saved_user.id: - dashed_name: process-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Unique identifier of the user. - type: keyword - process.saved_user.name: - dashed_name: process-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - otel: - - relation: match - stability: development - short: Short name or login of the user. - type: keyword - process.saved_user.risk.calculated_level: - dashed_name: process-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.saved_user.risk.calculated_score: - dashed_name: process-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.saved_user.risk.calculated_score_norm: - dashed_name: process-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.saved_user.risk.static_level: - dashed_name: process-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.saved_user.risk.static_score: - dashed_name: process-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.saved_user.risk.static_score_norm: - dashed_name: process-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. 
- example: 83.0 - flat_name: process.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.saved_user.roles: - dashed_name: process-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.args: - dashed_name: process-session-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.session_leader.args_count: - dashed_name: process-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.session_leader.attested_groups.domain: - dashed_name: process-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.attested_groups.id: - dashed_name: process-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.attested_groups.name: - dashed_name: process-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.attested_user.domain: - dashed_name: process-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.attested_user.email: - dashed_name: process-session-leader-attested-user-email - description: User email address. - flat_name: process.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.session_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.attested_user.entity.id: - dashed_name: process-session-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date - process.session_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. 
- type: keyword - process.session_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.attested_user.full_name: - dashed_name: process-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.attested_user.group.domain: - dashed_name: process-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.session_leader.attested_user.group.id: - dashed_name: process-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.attested_user.group.name: - dashed_name: process-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.attested_user.hash: - dashed_name: process-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.attested_user.id: - dashed_name: process-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.attested_user.name: - dashed_name: process-session-leader-attested-user-name - description: Short name or login of the user. 
- example: a.einstein - flat_name: process.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.attested_user.risk.calculated_level: - dashed_name: process-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.attested_user.risk.calculated_score: - dashed_name: process-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - flat_name: process.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.attested_user.risk.static_level: - dashed_name: process-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.attested_user.risk.static_score: - dashed_name: process-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float - process.session_leader.attested_user.roles: - dashed_name: process-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.code_signature.digest_algorithm: - dashed_name: process-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.session_leader.code_signature.exists: - dashed_name: process-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-code-signature-flags - description: The flags used to sign the process. 
- example: 570522385 - flat_name: process.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.session_leader.code_signature.signing_id: - dashed_name: process-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.session_leader.code_signature.status: - dashed_name: process-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword - process.session_leader.code_signature.subject_name: - dashed_name: process-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.session_leader.code_signature.team_id: - dashed_name: process-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.session_leader.code_signature.timestamp: - dashed_name: process-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.session_leader.code_signature.trusted: - dashed_name: process-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.session_leader.code_signature.valid: - dashed_name: process-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.session_leader.command_line: - dashed_name: process-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. 
- type: wildcard - process.session_leader.elf.architecture: - dashed_name: process-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.session_leader.elf.byte_order: - dashed_name: process-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.session_leader.elf.cpu_type: - dashed_name: process-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.session_leader.elf.creation_date: - dashed_name: process-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.session_leader.elf.exports: - dashed_name: process-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. 
- type: flattened - process.session_leader.elf.go_import_hash: - dashed_name: process-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.session_leader.elf.go_imports: - dashed_name: process-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.session_leader.elf.go_imports_names_entropy: - dashed_name: process-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.elf.go_stripped: - dashed_name: process-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.elf.header.abi_version: - dashed_name: process-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.session_leader.elf.header.class: - dashed_name: process-session-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.session_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.session_leader.elf.header.data: - dashed_name: process-session-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.session_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. 
- type: keyword - process.session_leader.elf.header.entrypoint: - dashed_name: process-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.session_leader.elf.header.object_version: - dashed_name: process-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.session_leader.elf.header.os_abi: - dashed_name: process-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.session_leader.elf.header.type: - dashed_name: process-session-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.session_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.session_leader.elf.header.version: - dashed_name: process-session-leader-elf-header-version - description: Version of the ELF header. - flat_name: process.session_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. 
- type: keyword - process.session_leader.elf.import_hash: - dashed_name: process-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.session_leader.elf.imports: - dashed_name: process-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.session_leader.elf.imports_names_entropy: - dashed_name: process-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.elf.imports_names_var_entropy: - dashed_name: process-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. 
- flat_name: process.session_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.elf.sections: - dashed_name: process-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.session_leader.elf.sections.chi2: - dashed_name: process-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.session_leader.elf.sections.entropy: - dashed_name: process-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.session_leader.elf.sections.flags: - dashed_name: process-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. 
- type: keyword - process.session_leader.elf.sections.name: - dashed_name: process-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.session_leader.elf.sections.physical_offset: - dashed_name: process-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.session_leader.elf.sections.physical_size: - dashed_name: process-session-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.session_leader.elf.sections.type: - dashed_name: process-session-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.session_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.session_leader.elf.sections.var_entropy: - dashed_name: process-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. 
- type: long - process.session_leader.elf.sections.virtual_address: - dashed_name: process-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.session_leader.elf.sections.virtual_size: - dashed_name: process-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.session_leader.elf.segments: - dashed_name: process-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.session_leader.elf.segments.sections: - dashed_name: process-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.session_leader.elf.segments.type: - dashed_name: process-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. 
- type: keyword - process.session_leader.elf.shared_libraries: - dashed_name: process-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.session_leader.elf.telfhash: - dashed_name: process-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.session_leader.end: - dashed_name: process-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.session_leader.entity_id: - dashed_name: process-session-leader-entity-id - description: 'Unique identifier for the process. 
- - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.session_leader.entry_meta.source.address: - dashed_name: process-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.session_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.session_leader.entry_meta.source.as.number: - dashed_name: process-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.session_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.session_leader.entry_meta.source.bytes: - dashed_name: process-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.session_leader.entry_meta.source.domain: - dashed_name: process-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. 
- example: NA - flat_name: process.session_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.session_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.session_leader.entry_meta.source.geo.location: - dashed_name: process-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. 
- type: geo_point - process.session_leader.entry_meta.source.geo.name: - dashed_name: process-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. 
- type: keyword - process.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.session_leader.entry_meta.source.ip: - dashed_name: process-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. - type: ip - process.session_leader.entry_meta.source.mac: - dashed_name: process-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.session_leader.entry_meta.source.nat.ip: - dashed_name: process-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' 
- flat_name: process.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.session_leader.entry_meta.source.nat.port: - dashed_name: process-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.session_leader.entry_meta.source.packets: - dashed_name: process-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.session_leader.entry_meta.source.port: - dashed_name: process-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.session_leader.entry_meta.source.registered_domain: - dashed_name: process-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: process.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.session_leader.entry_meta.source.subdomain: - dashed_name: process-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: process.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.session_leader.entry_meta.type: - dashed_name: process-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.session_leader.env_vars: - dashed_name: process-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.session_leader.executable: - dashed_name: process-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword - process.session_leader.exit_code: - dashed_name: process-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.session_leader.group.domain: - dashed_name: process-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.group.id: - dashed_name: process-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.group.name: - dashed_name: process-session-leader-group-name - description: Name of the group. - flat_name: process.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. 
- example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.session_leader.hash.md5: - dashed_name: process-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.session_leader.hash.sha1: - dashed_name: process-session-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.session_leader.hash.sha256: - dashed_name: process-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.session_leader.hash.sha384: - dashed_name: process-session-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.session_leader.hash.sha512: - dashed_name: process-session-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.session_leader.hash.ssdeep: - dashed_name: process-session-leader-hash-ssdeep - description: SSDEEP hash. 
- flat_name: process.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.session_leader.hash.tlsh: - dashed_name: process-session-leader-hash-tlsh - description: TLSH hash. - flat_name: process.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.session_leader.interactive: - dashed_name: process-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.session_leader.io: - dashed_name: process-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. 
- type: object - process.session_leader.io.bytes_skipped: - dashed_name: process-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.session_leader.io.bytes_skipped.length: - dashed_name: process-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.session_leader.io.bytes_skipped.offset: - dashed_name: process-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. 
- type: boolean - process.session_leader.io.text: - dashed_name: process-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.session_leader.io.total_bytes_captured: - dashed_name: process-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.session_leader.io.total_bytes_skipped: - dashed_name: process-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.session_leader.io.type: - dashed_name: process-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' 
- flat_name: process.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.session_leader.macho.go_import_hash: - dashed_name: process-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.session_leader.macho.go_imports: - dashed_name: process-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.session_leader.macho.go_imports_names_entropy: - dashed_name: process-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. 
- type: long - process.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.macho.go_stripped: - dashed_name: process-session-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.macho.import_hash: - dashed_name: process-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.macho.imports: - dashed_name: process-session-leader-macho-imports - description: List of imported element names and types. - flat_name: process.session_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. 
- type: flattened - process.session_leader.macho.imports_names_entropy: - dashed_name: process-session-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.macho.imports_names_var_entropy: - dashed_name: process-session-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.macho.sections: - dashed_name: process-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.session_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.session_leader.macho.sections.entropy: - dashed_name: process-session-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. 
- type: long - process.session_leader.macho.sections.name: - dashed_name: process-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.session_leader.macho.sections.physical_size: - dashed_name: process-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.session_leader.macho.sections.var_entropy: - dashed_name: process-session-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.macho.sections.virtual_size: - dashed_name: process-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. - type: long - process.session_leader.macho.symhash: - dashed_name: process-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. 
An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.name: - dashed_name: process-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.session_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.session_leader.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.session_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. 
- type: keyword - process.session_leader.parent.args: - dashed_name: process-session-leader-parent-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.parent.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.session_leader.parent.args_count: - dashed_name: process-session-leader-parent-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.session_leader.parent.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.session_leader.parent.attested_groups.domain: - dashed_name: process-session-leader-parent-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.attested_groups.id: - dashed_name: process-session-leader-parent-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.session_leader.parent.attested_groups.name: - dashed_name: process-session-leader-parent-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.attested_user.domain: - dashed_name: process-session-leader-parent-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.attested_user.email: - dashed_name: process-session-leader-parent-attested-user-email - description: User email address. - flat_name: process.session_leader.parent.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. 
- type: object - process.session_leader.parent.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.parent.attested_user.entity.id: - dashed_name: process-session-leader-parent-attested-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.parent.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.parent.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.parent.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.session_leader.parent.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.attested_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.parent.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.parent.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.parent.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.parent.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.parent.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.parent.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.parent.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-attested-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.parent.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.attested_user.full_name: - dashed_name: process-session-leader-parent-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.attested_user.group.domain: - dashed_name: process-session-leader-parent-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.attested_user.group.id: - dashed_name: process-session-leader-parent-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.session_leader.parent.attested_user.group.name: - dashed_name: process-session-leader-parent-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.attested_user.hash: - dashed_name: process-session-leader-parent-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.attested_user.id: - dashed_name: process-session-leader-parent-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.parent.attested_user.name: - dashed_name: process-session-leader-parent-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.session_leader.parent.attested_user.risk.calculated_level: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.attested_user.risk.calculated_score: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.parent.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.session_leader.parent.attested_user.risk.static_level: - dashed_name: process-session-leader-parent-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.attested_user.risk.static_score: - dashed_name: process-session-leader-parent-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.parent.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.attested_user.roles: - dashed_name: process-session-leader-parent-attested-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.code_signature.digest_algorithm: - dashed_name: process-session-leader-parent-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.parent.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. - type: keyword - process.session_leader.parent.code_signature.exists: - dashed_name: process-session-leader-parent-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.session_leader.parent.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.session_leader.parent.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-code-signature-flags - description: The flags used to sign the process. 
- example: 570522385 - flat_name: process.session_leader.parent.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.session_leader.parent.code_signature.signing_id: - dashed_name: process-session-leader-parent-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.parent.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.session_leader.parent.code_signature.status: - dashed_name: process-session-leader-parent-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.parent.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword - process.session_leader.parent.code_signature.subject_name: - dashed_name: process-session-leader-parent-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.parent.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.session_leader.parent.code_signature.team_id: - dashed_name: process-session-leader-parent-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.parent.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.session_leader.parent.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. - example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.parent.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.session_leader.parent.code_signature.timestamp: - dashed_name: process-session-leader-parent-code-signature-timestamp - description: Date and time when the code signature was generated and signed. 
- example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.parent.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.session_leader.parent.code_signature.trusted: - dashed_name: process-session-leader-parent-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.parent.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.session_leader.parent.code_signature.valid: - dashed_name: process-session-leader-parent-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: process.session_leader.parent.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.session_leader.parent.command_line: - dashed_name: process-session-leader-parent-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' 
- example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.parent.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.parent.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.session_leader.parent.elf.architecture: - dashed_name: process-session-leader-parent-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.parent.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.session_leader.parent.elf.byte_order: - dashed_name: process-session-leader-parent-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.parent.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. - type: keyword - process.session_leader.parent.elf.cpu_type: - dashed_name: process-session-leader-parent-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.parent.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.session_leader.parent.elf.creation_date: - dashed_name: process-session-leader-parent-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.parent.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. 
- type: date - process.session_leader.parent.elf.exports: - dashed_name: process-session-leader-parent-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.parent.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.session_leader.parent.elf.go_import_hash: - dashed_name: process-session-leader-parent-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.session_leader.parent.elf.go_imports: - dashed_name: process-session-leader-parent-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.session_leader.parent.elf.go_imports_names_entropy: - dashed_name: process-session-leader-parent-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.parent.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.elf.go_stripped: - dashed_name: process-session-leader-parent-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.parent.elf.header.abi_version: - dashed_name: process-session-leader-parent-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.parent.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.session_leader.parent.elf.header.class: - dashed_name: process-session-leader-parent-elf-header-class - description: Header class of the ELF file. 
- flat_name: process.session_leader.parent.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.session_leader.parent.elf.header.data: - dashed_name: process-session-leader-parent-elf-header-data - description: Data table of the ELF header. - flat_name: process.session_leader.parent.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. - type: keyword - process.session_leader.parent.elf.header.entrypoint: - dashed_name: process-session-leader-parent-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.parent.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.session_leader.parent.elf.header.object_version: - dashed_name: process-session-leader-parent-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.parent.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.session_leader.parent.elf.header.os_abi: - dashed_name: process-session-leader-parent-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.parent.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.session_leader.parent.elf.header.type: - dashed_name: process-session-leader-parent-elf-header-type - description: Header type of the ELF file. 
- flat_name: process.session_leader.parent.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.session_leader.parent.elf.header.version: - dashed_name: process-session-leader-parent-elf-header-version - description: Version of the ELF header. - flat_name: process.session_leader.parent.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.session_leader.parent.elf.import_hash: - dashed_name: process-session-leader-parent-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.session_leader.parent.elf.imports: - dashed_name: process-session-leader-parent-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.session_leader.parent.elf.imports_names_entropy: - dashed_name: process-session-leader-parent-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.session_leader.parent.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.parent.elf.imports_names_var_entropy: - dashed_name: process-session-leader-parent-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.elf.sections: - dashed_name: process-session-leader-parent-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.session_leader.parent.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.session_leader.parent.elf.sections.chi2: - dashed_name: process-session-leader-parent-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.parent.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.session_leader.parent.elf.sections.entropy: - dashed_name: process-session-leader-parent-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.session_leader.parent.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.session_leader.parent.elf.sections.flags: - dashed_name: process-session-leader-parent-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.parent.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.session_leader.parent.elf.sections.name: - dashed_name: process-session-leader-parent-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.parent.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.session_leader.parent.elf.sections.physical_offset: - dashed_name: process-session-leader-parent-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.parent.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.session_leader.parent.elf.sections.physical_size: - dashed_name: process-session-leader-parent-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.session_leader.parent.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - process.session_leader.parent.elf.sections.type: - dashed_name: process-session-leader-parent-elf-sections-type - description: ELF Section List type. 
- flat_name: process.session_leader.parent.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.session_leader.parent.elf.sections.var_entropy: - dashed_name: process-session-leader-parent-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.elf.sections.virtual_address: - dashed_name: process-session-leader-parent-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.parent.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.session_leader.parent.elf.sections.virtual_size: - dashed_name: process-session-leader-parent-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.parent.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - process.session_leader.parent.elf.segments: - dashed_name: process-session-leader-parent-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.session_leader.parent.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. 
- type: nested - process.session_leader.parent.elf.segments.sections: - dashed_name: process-session-leader-parent-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.parent.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.session_leader.parent.elf.segments.type: - dashed_name: process-session-leader-parent-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.parent.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.session_leader.parent.elf.shared_libraries: - dashed_name: process-session-leader-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.parent.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - process.session_leader.parent.elf.telfhash: - dashed_name: process-session-leader-parent-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.parent.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.session_leader.parent.end: - dashed_name: process-session-leader-parent-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. 
- type: date - process.session_leader.parent.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.parent.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.session_leader.parent.entity_id: - dashed_name: process-session-leader-parent-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. - - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.session_leader.parent.entry_meta.source.address: - dashed_name: process-session-leader-parent-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' 
- flat_name: process.session_leader.parent.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.session_leader.parent.entry_meta.source.as.number: - dashed_name: process-session-leader-parent-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.parent.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.session_leader.parent.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-parent-entry-meta-source-as-organization-name - description: Organization name. - example: Google LLC - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.session_leader.parent.entry_meta.source.bytes: - dashed_name: process-session-leader-parent-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.parent.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.session_leader.parent.entry_meta.source.domain: - dashed_name: process-session-leader-parent-entry-meta-source-domain - description: 'The domain name of the source system. 
- - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.session_leader.parent.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.session_leader.parent.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.parent.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - process.session_leader.parent.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.session_leader.parent.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.session_leader.parent.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.parent.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.session_leader.parent.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-country-iso-code - description: Country ISO code. 
- example: CA - flat_name: process.session_leader.parent.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.session_leader.parent.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.parent.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - process.session_leader.parent.entry_meta.source.geo.location: - dashed_name: process-session-leader-parent-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.parent.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.session_leader.parent.entry_meta.source.geo.name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.session_leader.parent.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.session_leader.parent.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. 
- - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.parent.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - process.session_leader.parent.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-parent-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.parent.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.session_leader.parent.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-parent-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.parent.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.session_leader.parent.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-parent-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.parent.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.session_leader.parent.entry_meta.source.ip: - dashed_name: process-session-leader-parent-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.parent.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip - process.session_leader.parent.entry_meta.source.mac: - dashed_name: process-session-leader-parent-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.parent.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.session_leader.parent.entry_meta.source.nat.ip: - dashed_name: process-session-leader-parent-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.session_leader.parent.entry_meta.source.nat.port: - dashed_name: process-session-leader-parent-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.session_leader.parent.entry_meta.source.packets: - dashed_name: process-session-leader-parent-entry-meta-source-packets - description: Packets sent from the source to the destination. 
- example: 12 - flat_name: process.session_leader.parent.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.session_leader.parent.entry_meta.source.port: - dashed_name: process-session-leader-parent-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.parent.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.session_leader.parent.entry_meta.source.registered_domain: - dashed_name: process-session-leader-parent-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.session_leader.parent.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. - type: keyword - process.session_leader.parent.entry_meta.source.subdomain: - dashed_name: process-session-leader-parent-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.parent.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.session_leader.parent.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-parent-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.session_leader.parent.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). - type: keyword - process.session_leader.parent.entry_meta.type: - dashed_name: process-session-leader-parent-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.parent.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.session_leader.parent.env_vars: - dashed_name: process-session-leader-parent-env-vars - description: 'Array of environment variable bindings. 
Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.parent.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.executable: - dashed_name: process-session-leader-parent-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.parent.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. - type: keyword - process.session_leader.parent.exit_code: - dashed_name: process-session-leader-parent-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.parent.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.session_leader.parent.group.domain: - dashed_name: process-session-leader-parent-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.session_leader.parent.group.id: - dashed_name: process-session-leader-parent-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.group.name: - dashed_name: process-session-leader-parent-group-name - description: Name of the group. - flat_name: process.session_leader.parent.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.hash.cdhash: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.parent.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.session_leader.parent.hash.md5: - dashed_name: process-session-leader-parent-hash-md5 - description: MD5 hash. - flat_name: process.session_leader.parent.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.session_leader.parent.hash.sha1: - dashed_name: process-session-leader-parent-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.parent.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. 
- type: keyword - process.session_leader.parent.hash.sha256: - dashed_name: process-session-leader-parent-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.parent.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.session_leader.parent.hash.sha384: - dashed_name: process-session-leader-parent-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.parent.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. - type: keyword - process.session_leader.parent.hash.sha512: - dashed_name: process-session-leader-parent-hash-sha512 - description: SHA512 hash. - flat_name: process.session_leader.parent.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.session_leader.parent.hash.ssdeep: - dashed_name: process-session-leader-parent-hash-ssdeep - description: SSDEEP hash. - flat_name: process.session_leader.parent.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.session_leader.parent.hash.tlsh: - dashed_name: process-session-leader-parent-hash-tlsh - description: TLSH hash. - flat_name: process.session_leader.parent.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.session_leader.parent.interactive: - dashed_name: process-session-leader-parent-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. 
- - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' - example: true - flat_name: process.session_leader.parent.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.session_leader.parent.io: - dashed_name: process-session-leader-parent-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.session_leader.parent.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.session_leader.parent.io.bytes_skipped: - dashed_name: process-session-leader-parent-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.session_leader.parent.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.session_leader.parent.io.bytes_skipped.length: - dashed_name: process-session-leader-parent-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.parent.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. 
- type: long - process.session_leader.parent.io.bytes_skipped.offset: - dashed_name: process-session-leader-parent-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - flat_name: process.session_leader.parent.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.session_leader.parent.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-parent-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.session_leader.parent.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.session_leader.parent.io.text: - dashed_name: process-session-leader-parent-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.session_leader.parent.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. 
- type: wildcard - process.session_leader.parent.io.total_bytes_captured: - dashed_name: process-session-leader-parent-io-total-bytes-captured - description: The total number of bytes captured in this event. - flat_name: process.session_leader.parent.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.session_leader.parent.io.total_bytes_skipped: - dashed_name: process-session-leader-parent-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.parent.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.session_leader.parent.io.type: - dashed_name: process-session-leader-parent-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.session_leader.parent.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.session_leader.parent.macho.go_import_hash: - dashed_name: process-session-leader-parent-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. 
An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.session_leader.parent.macho.go_imports: - dashed_name: process-session-leader-parent-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.session_leader.parent.macho.go_imports_names_entropy: - dashed_name: process-session-leader-parent-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.parent.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.macho.go_stripped: - dashed_name: process-session-leader-parent-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.parent.macho.import_hash: - dashed_name: process-session-leader-parent-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.parent.macho.imports: - dashed_name: process-session-leader-parent-macho-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. 
- type: flattened - process.session_leader.parent.macho.imports_names_entropy: - dashed_name: process-session-leader-parent-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.parent.macho.imports_names_var_entropy: - dashed_name: process-session-leader-parent-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.macho.sections: - dashed_name: process-session-leader-parent-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.session_leader.parent.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.session_leader.parent.macho.sections.entropy: - dashed_name: process-session-leader-parent-macho-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.session_leader.parent.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. - type: long - process.session_leader.parent.macho.sections.name: - dashed_name: process-session-leader-parent-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.parent.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.session_leader.parent.macho.sections.physical_size: - dashed_name: process-session-leader-parent-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.parent.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.session_leader.parent.macho.sections.var_entropy: - dashed_name: process-session-leader-parent-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.macho.sections.virtual_size: - dashed_name: process-session-leader-parent-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
- type: long - process.session_leader.parent.macho.symhash: - dashed_name: process-session-leader-parent-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.parent.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.parent.name: - dashed_name: process-session-leader-parent-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.parent.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.session_leader.parent.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.session_leader.parent.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.session_leader.parent.origin_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-origin-url - description: The URL where the process's executable file is hosted. 
- example: http://example.com/files/example.exe - flat_name: process.session_leader.parent.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.session_leader.parent.pe.architecture: - dashed_name: process-session-leader-parent-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.session_leader.parent.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.session_leader.parent.pe.company: - dashed_name: process-session-leader-parent-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.session_leader.parent.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.pe.description: - dashed_name: process-session-leader-parent-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.session_leader.parent.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.session_leader.parent.pe.file_version: - dashed_name: process-session-leader-parent-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.session_leader.parent.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. 
- type: keyword - process.session_leader.parent.pe.go_import_hash: - dashed_name: process-session-leader-parent-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.session_leader.parent.pe.go_imports: - dashed_name: process-session-leader-parent-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.session_leader.parent.pe.go_imports_names_entropy: - dashed_name: process-session-leader-parent-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. 
- flat_name: process.session_leader.parent.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.pe.go_stripped: - dashed_name: process-session-leader-parent-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.parent.pe.imphash: - dashed_name: process-session-leader-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.session_leader.parent.pe.import_hash: - dashed_name: process-session-leader-parent-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' 
- example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.session_leader.parent.pe.imports: - dashed_name: process-session-leader-parent-pe-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.session_leader.parent.pe.imports_names_entropy: - dashed_name: process-session-leader-parent-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.parent.pe.imports_names_var_entropy: - dashed_name: process-session-leader-parent-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.pe.original_file_name: - dashed_name: process-session-leader-parent-pe-original-file-name - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - flat_name: process.session_leader.parent.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.pe.pehash: - dashed_name: process-session-leader-parent-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.parent.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.session_leader.parent.pe.product: - dashed_name: process-session-leader-parent-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.session_leader.parent.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.pe.sections: - dashed_name: process-session-leader-parent-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.session_leader.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. 
- type: nested - process.session_leader.parent.pe.sections.entropy: - dashed_name: process-session-leader-parent-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.session_leader.parent.pe.sections.name: - dashed_name: process-session-leader-parent-pe-sections-name - description: PE Section List name. - flat_name: process.session_leader.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. - type: keyword - process.session_leader.parent.pe.sections.physical_size: - dashed_name: process-session-leader-parent-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.session_leader.parent.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.session_leader.parent.pe.sections.var_entropy: - dashed_name: process-session-leader-parent-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.pe.sections.virtual_size: - dashed_name: process-session-leader-parent-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. 
- flat_name: process.session_leader.parent.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.session_leader.parent.pid: - dashed_name: process-session-leader-parent-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.session_leader.parent.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.session_leader.parent.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.session_leader.parent.real_group.domain: - dashed_name: process-session-leader-parent-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.real_group.id: - dashed_name: process-session-leader-parent-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.session_leader.parent.real_group.name: - dashed_name: process-session-leader-parent-real-group-name - description: Name of the group. - flat_name: process.session_leader.parent.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.real_user.domain: - dashed_name: process-session-leader-parent-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.real_user.email: - dashed_name: process-session-leader-parent-real-user-email - description: User email address. - flat_name: process.session_leader.parent.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. 
- type: object - process.session_leader.parent.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.parent.real_user.entity.id: - dashed_name: process-session-leader-parent-real-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.parent.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.parent.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.parent.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.session_leader.parent.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.parent.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.parent.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: process.session_leader.parent.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.parent.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.parent.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.parent.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.parent.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. 
This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-real-user-entity-type - description: 'A standardized high-level classification of the entity. 
This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.parent.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.real_user.full_name: - dashed_name: process-session-leader-parent-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.real_user.group.domain: - dashed_name: process-session-leader-parent-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.real_user.group.id: - dashed_name: process-session-leader-parent-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.session_leader.parent.real_user.group.name: - dashed_name: process-session-leader-parent-real-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.real_user.hash: - dashed_name: process-session-leader-parent-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.real_user.id: - dashed_name: process-session-leader-parent-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.parent.real_user.name: - dashed_name: process-session-leader-parent-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.session_leader.parent.real_user.risk.calculated_level: - dashed_name: process-session-leader-parent-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.real_user.risk.calculated_score: - dashed_name: process-session-leader-parent-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.parent.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.session_leader.parent.real_user.risk.static_level: - dashed_name: process-session-leader-parent-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.real_user.risk.static_score: - dashed_name: process-session-leader-parent-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.parent.real_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.real_user.roles: - dashed_name: process-session-leader-parent-real-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.same_as_process: - dashed_name: process-session-leader-parent-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. - e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.parent.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.session_leader.parent.saved_group.domain: - dashed_name: process-session-leader-parent-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.saved_group.id: - dashed_name: process-session-leader-parent-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.saved_group.name: - dashed_name: process-session-leader-parent-saved-group-name - description: Name of the group. - flat_name: process.session_leader.parent.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.saved_user.domain: - dashed_name: process-session-leader-parent-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.saved_user.email: - dashed_name: process-session-leader-parent-saved-user-email - description: User email address. - flat_name: process.session_leader.parent.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.saved_user.entity.attributes: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.parent.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: process.session_leader.parent.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.parent.saved_user.entity.id: - dashed_name: process-session-leader-parent-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.parent.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.parent.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." 
- type: date - process.session_leader.parent.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.parent.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- flat_name: process.session_leader.parent.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.parent.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.parent.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.parent.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). 
- flat_name: process.session_leader.parent.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.parent.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. 
This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. 
This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.parent.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.saved_user.full_name: - dashed_name: process-session-leader-parent-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.saved_user.group.domain: - dashed_name: process-session-leader-parent-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.saved_user.group.id: - dashed_name: process-session-leader-parent-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.saved_user.group.name: - dashed_name: process-session-leader-parent-saved-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.saved_user.hash: - dashed_name: process-session-leader-parent-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.saved_user.id: - dashed_name: process-session-leader-parent-saved-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.session_leader.parent.saved_user.name: - dashed_name: process-session-leader-parent-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.parent.saved_user.risk.calculated_level: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.saved_user.risk.calculated_score: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.session_leader.parent.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.saved_user.risk.static_level: - dashed_name: process-session-leader-parent-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.saved_user.risk.static_score: - dashed_name: process-session-leader-parent-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.session_leader.parent.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.saved_user.roles: - dashed_name: process-session-leader-parent-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.args: - dashed_name: process-session-leader-parent-session-leader-args - description: 'Array of process arguments, starting with the absolute path to - the executable. - - May be filtered to protect sensitive information.' - example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' - flat_name: process.session_leader.parent.session_leader.args - ignore_above: 1024 - level: extended - name: args - normalize: - - array - original_fieldset: process - short: Array of process arguments. - type: keyword - process.session_leader.parent.session_leader.args_count: - dashed_name: process-session-leader-parent-session-leader-args-count - description: 'Length of the process.args array. - - This field can be useful for querying or performing bucket analysis on how - many arguments were provided to start a process. 
More arguments may be an - indication of suspicious activity.' - example: 4 - flat_name: process.session_leader.parent.session_leader.args_count - level: extended - name: args_count - normalize: [] - original_fieldset: process - short: Length of the process.args array. - type: long - process.session_leader.parent.session_leader.attested_groups.domain: - dashed_name: process-session-leader-parent-session-leader-attested-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.attested_groups.id: - dashed_name: process-session-leader-parent-session-leader-attested-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.attested_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.attested_groups.name: - dashed_name: process-session-leader-parent-session-leader-attested-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.attested_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.attested_user.domain: - dashed_name: process-session-leader-parent-session-leader-attested-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.session_leader.attested_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.session_leader.attested_user.email: - dashed_name: process-session-leader-parent-session-leader-attested-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.attested_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.session_leader.attested_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.parent.session_leader.attested_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.session_leader.attested_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.parent.session_leader.attested_user.entity.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). 
For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.parent.session_leader.attested_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.parent.session_leader.attested_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.session_leader.attested_user.entity.metrics: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-attested-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.session_leader.attested_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.session_leader.attested_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: process.session_leader.parent.session_leader.attested_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.parent.session_leader.attested_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.attested_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.parent.session_leader.attested_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.parent.session_leader.attested_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.parent.session_leader.attested_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-attested-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. 
Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.attested_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.session_leader.attested_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. 
- name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-attested-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.parent.session_leader.attested_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.session_leader.attested_user.full_name: - dashed_name: process-session-leader-parent-session-leader-attested-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.attested_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.session_leader.attested_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.attested_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.session_leader.parent.session_leader.attested_user.group.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.attested_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.attested_user.group.name: - dashed_name: process-session-leader-parent-session-leader-attested-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.attested_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.attested_user.hash: - dashed_name: process-session-leader-parent-session-leader-attested-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.attested_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.session_leader.attested_user.id: - dashed_name: process-session-leader-parent-session-leader-attested-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.attested_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.session_leader.parent.session_leader.attested_user.name: - dashed_name: process-session-leader-parent-session-leader-attested-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.attested_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.attested_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.parent.session_leader.attested_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.session_leader.attested_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.session_leader.attested_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.session_leader.attested_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.session_leader.parent.session_leader.attested_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-attested-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.attested_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.session_leader.attested_user.roles: - dashed_name: process-session-leader-parent-session-leader-attested-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.attested_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.code_signature.digest_algorithm: - dashed_name: process-session-leader-parent-session-leader-code-signature-digest-algorithm - description: 'The hashing algorithm used to sign the process. - - This value can distinguish signatures when a file is signed multiple times - by the same signer but with a different digest algorithm.' - example: sha256 - flat_name: process.session_leader.parent.session_leader.code_signature.digest_algorithm - ignore_above: 1024 - level: extended - name: digest_algorithm - normalize: [] - original_fieldset: code_signature - short: Hashing algorithm used to sign the process. 
- type: keyword - process.session_leader.parent.session_leader.code_signature.exists: - dashed_name: process-session-leader-parent-session-leader-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - process.session_leader.parent.session_leader.code_signature.flags: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-code-signature-flags - description: The flags used to sign the process. - example: 570522385 - flat_name: process.session_leader.parent.session_leader.code_signature.flags - ignore_above: 1024 - level: extended - name: flags - normalize: [] - original_fieldset: code_signature - short: Code signing flags of the process - type: keyword - process.session_leader.parent.session_leader.code_signature.signing_id: - dashed_name: process-session-leader-parent-session-leader-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: process.session_leader.parent.session_leader.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - process.session_leader.parent.session_leader.code_signature.status: - dashed_name: process-session-leader-parent-session-leader-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: process.session_leader.parent.session_leader.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - process.session_leader.parent.session_leader.code_signature.subject_name: - dashed_name: process-session-leader-parent-session-leader-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: process.session_leader.parent.session_leader.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - process.session_leader.parent.session_leader.code_signature.team_id: - dashed_name: process-session-leader-parent-session-leader-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: process.session_leader.parent.session_leader.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword - process.session_leader.parent.session_leader.code_signature.thumbprint_sha256: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-code-signature-thumbprint-sha256 - description: Certificate SHA256 hash that uniquely identifies the code signer. 
- example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b - flat_name: process.session_leader.parent.session_leader.code_signature.thumbprint_sha256 - ignore_above: 64 - level: extended - name: thumbprint_sha256 - normalize: [] - original_fieldset: code_signature - pattern: ^[0-9a-f]{64}$ - short: SHA256 hash of the certificate. - type: keyword - process.session_leader.parent.session_leader.code_signature.timestamp: - dashed_name: process-session-leader-parent-session-leader-code-signature-timestamp - description: Date and time when the code signature was generated and signed. - example: '2021-01-01T12:10:30Z' - flat_name: process.session_leader.parent.session_leader.code_signature.timestamp - level: extended - name: timestamp - normalize: [] - original_fieldset: code_signature - short: When the signature was generated and signed. - type: date - process.session_leader.parent.session_leader.code_signature.trusted: - dashed_name: process-session-leader-parent-session-leader-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - process.session_leader.parent.session_leader.code_signature.valid: - dashed_name: process-session-leader-parent-session-leader-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' - flat_name: process.session_leader.parent.session_leader.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - process.session_leader.parent.session_leader.command_line: - dashed_name: process-session-leader-parent-session-leader-command-line - description: 'Full command line that started the process, including the absolute - path to the executable, and all arguments. - - Some arguments may be filtered to protect sensitive information.' - example: /usr/bin/ssh -l user 10.0.0.16 - flat_name: process.session_leader.parent.session_leader.command_line - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.command_line.text - name: text - type: match_only_text - name: command_line - normalize: [] - original_fieldset: process - short: Full command line that started the process. - type: wildcard - process.session_leader.parent.session_leader.elf.architecture: - dashed_name: process-session-leader-parent-session-leader-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: process.session_leader.parent.session_leader.elf.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. - type: keyword - process.session_leader.parent.session_leader.elf.byte_order: - dashed_name: process-session-leader-parent-session-leader-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: process.session_leader.parent.session_leader.elf.byte_order - ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. 
- type: keyword - process.session_leader.parent.session_leader.elf.cpu_type: - dashed_name: process-session-leader-parent-session-leader-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: process.session_leader.parent.session_leader.elf.cpu_type - ignore_above: 1024 - level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - process.session_leader.parent.session_leader.elf.creation_date: - dashed_name: process-session-leader-parent-session-leader-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: process.session_leader.parent.session_leader.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - process.session_leader.parent.session_leader.elf.exports: - dashed_name: process-session-leader-parent-session-leader-elf-exports - description: List of exported element names and types. - flat_name: process.session_leader.parent.session_leader.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - process.session_leader.parent.session_leader.elf.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-elf-go-import-hash - description: 'A hash of the Go language imports in an ELF file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.elf.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: elf - short: A hash of the Go language imports in an ELF file. - type: keyword - process.session_leader.parent.session_leader.elf.go_imports: - dashed_name: process-session-leader-parent-session-leader-elf-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.elf.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: elf - short: List of imported Go language element names and types. - type: flattened - process.session_leader.parent.session_leader.elf.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.elf.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.session_leader.parent.session_leader.elf.go_stripped: - dashed_name: process-session-leader-parent-session-leader-elf-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.elf.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: elf - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.parent.session_leader.elf.header.abi_version: - dashed_name: process-session-leader-parent-session-leader-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: process.session_leader.parent.session_leader.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword - process.session_leader.parent.session_leader.elf.header.class: - dashed_name: process-session-leader-parent-session-leader-elf-header-class - description: Header class of the ELF file. - flat_name: process.session_leader.parent.session_leader.elf.header.class - ignore_above: 1024 - level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword - process.session_leader.parent.session_leader.elf.header.data: - dashed_name: process-session-leader-parent-session-leader-elf-header-data - description: Data table of the ELF header. - flat_name: process.session_leader.parent.session_leader.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. 
- type: keyword - process.session_leader.parent.session_leader.elf.header.entrypoint: - dashed_name: process-session-leader-parent-session-leader-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: process.session_leader.parent.session_leader.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - process.session_leader.parent.session_leader.elf.header.object_version: - dashed_name: process-session-leader-parent-session-leader-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: process.session_leader.parent.session_leader.elf.header.object_version - ignore_above: 1024 - level: extended - name: header.object_version - normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - process.session_leader.parent.session_leader.elf.header.os_abi: - dashed_name: process-session-leader-parent-session-leader-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: process.session_leader.parent.session_leader.elf.header.os_abi - ignore_above: 1024 - level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - process.session_leader.parent.session_leader.elf.header.type: - dashed_name: process-session-leader-parent-session-leader-elf-header-type - description: Header type of the ELF file. - flat_name: process.session_leader.parent.session_leader.elf.header.type - ignore_above: 1024 - level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. - type: keyword - process.session_leader.parent.session_leader.elf.header.version: - dashed_name: process-session-leader-parent-session-leader-elf-header-version - description: Version of the ELF header. 
- flat_name: process.session_leader.parent.session_leader.elf.header.version - ignore_above: 1024 - level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - process.session_leader.parent.session_leader.elf.import_hash: - dashed_name: process-session-leader-parent-session-leader-elf-import-hash - description: 'A hash of the imports in an ELF file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is an ELF implementation of the Windows PE imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.elf.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: elf - short: A hash of the imports in an ELF file. - type: keyword - process.session_leader.parent.session_leader.elf.imports: - dashed_name: process-session-leader-parent-session-leader-elf-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - process.session_leader.parent.session_leader.elf.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.session_leader.elf.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the list of imported element names and - types. 
- type: long - process.session_leader.parent.session_leader.elf.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.session_leader.elf.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.session_leader.elf.sections: - dashed_name: process-session-leader-parent-session-leader-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: process.session_leader.parent.session_leader.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - process.session_leader.parent.session_leader.elf.sections.chi2: - dashed_name: process-session-leader-parent-session-leader-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: process.session_leader.parent.session_leader.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - process.session_leader.parent.session_leader.elf.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: process.session_leader.parent.session_leader.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - process.session_leader.parent.session_leader.elf.sections.flags: - dashed_name: process-session-leader-parent-session-leader-elf-sections-flags - description: ELF Section List flags. - flat_name: process.session_leader.parent.session_leader.elf.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. - type: keyword - process.session_leader.parent.session_leader.elf.sections.name: - dashed_name: process-session-leader-parent-session-leader-elf-sections-name - description: ELF Section List name. - flat_name: process.session_leader.parent.session_leader.elf.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - process.session_leader.parent.session_leader.elf.sections.physical_offset: - dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: process.session_leader.parent.session_leader.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - process.session_leader.parent.session_leader.elf.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: process.session_leader.parent.session_leader.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. 
- type: long - process.session_leader.parent.session_leader.elf.sections.type: - dashed_name: process-session-leader-parent-session-leader-elf-sections-type - description: ELF Section List type. - flat_name: process.session_leader.parent.session_leader.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - process.session_leader.parent.session_leader.elf.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-elf-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.elf.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: elf - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.session_leader.elf.sections.virtual_address: - dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - process.session_leader.parent.session_leader.elf.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: process.session_leader.parent.session_leader.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. 
- type: long - process.session_leader.parent.session_leader.elf.segments: - dashed_name: process-session-leader-parent-session-leader-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: process.session_leader.parent.session_leader.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - process.session_leader.parent.session_leader.elf.segments.sections: - dashed_name: process-session-leader-parent-session-leader-elf-segments-sections - description: ELF object segment sections. - flat_name: process.session_leader.parent.session_leader.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - process.session_leader.parent.session_leader.elf.segments.type: - dashed_name: process-session-leader-parent-session-leader-elf-segments-type - description: ELF object segment type. - flat_name: process.session_leader.parent.session_leader.elf.segments.type - ignore_above: 1024 - level: extended - name: segments.type - normalize: [] - original_fieldset: elf - short: ELF object segment type. - type: keyword - process.session_leader.parent.session_leader.elf.shared_libraries: - dashed_name: process-session-leader-parent-session-leader-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: process.session_leader.parent.session_leader.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. 
- type: keyword - process.session_leader.parent.session_leader.elf.telfhash: - dashed_name: process-session-leader-parent-session-leader-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: process.session_leader.parent.session_leader.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - process.session_leader.parent.session_leader.end: - dashed_name: process-session-leader-parent-session-leader-end - description: The time the process ended. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.end - level: extended - name: end - normalize: [] - original_fieldset: process - short: The time the process ended. - type: date - process.session_leader.parent.session_leader.endpoint_security_client: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-endpoint-security-client - description: Processes that have an endpoint security client must have the com.apple.endpointsecurity - entitlement and the value is set to true in the message. - flat_name: process.session_leader.parent.session_leader.endpoint_security_client - level: extended - name: endpoint_security_client - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is an Endpoint Security client. - type: boolean - process.session_leader.parent.session_leader.entity_id: - dashed_name: process-session-leader-parent-session-leader-entity-id - description: 'Unique identifier for the process. - - The implementation of this is specified by the data source, but some examples - of what could be used here are a process-generated UUID, Sysmon Process GUIDs, - or a hash of some uniquely identifying components of a process. 
- - Constructing a globally unique identifier is a common practice to mitigate - PID reuse as well as to identify a specific process over time, across multiple - monitored hosts.' - example: c2c455d9f99375d - flat_name: process.session_leader.parent.session_leader.entity_id - ignore_above: 1024 - level: extended - name: entity_id - normalize: [] - original_fieldset: process - short: Unique identifier for the process. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.address: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-address - description: 'Some event source addresses are defined ambiguously. The event - will sometimes list an IP, a domain or a unix socket. You should always store - the raw address in the `.address` field. - - Then it should be duplicated to `.ip` or `.domain`, depending on which one - it is.' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.address - ignore_above: 1024 - level: extended - name: address - normalize: [] - original_fieldset: source - short: Source network address. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.as.number: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - process.session_leader.parent.session_leader.entry_meta.source.as.organization.name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.entry_meta.source.as.organization.name.text - name: text - type: match_only_text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.bytes: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-bytes - description: Bytes sent from the source to the destination. - example: 184 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.bytes - format: bytes - level: core - name: bytes - normalize: [] - original_fieldset: source - short: Bytes sent from the source to the destination. - type: long - process.session_leader.parent.session_leader.entry_meta.source.domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-domain - description: 'The domain name of the source system. - - This value may be a host name, a fully qualified domain name, or another host - naming format. The value may derive from the original event or be added from - enrichment.' - example: foo.example.com - flat_name: process.session_leader.parent.session_leader.entry_meta.source.domain - ignore_above: 1024 - level: core - name: domain - normalize: [] - original_fieldset: source - short: The domain name of the source. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.city_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-city-name - description: City name. - example: Montreal - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. 
- type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-continent-name - description: Name of the continent. - example: North America - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.country_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-country-name - description: Country name. - example: Canada - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. 
- type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.location: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - process.session_leader.parent.session_leader.entry_meta.source.geo.name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. 
- type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.region_name: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-region-name - description: Region name. - example: Quebec - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.geo.timezone: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: process.session_leader.parent.session_leader.entry_meta.source.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.ip: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-ip - description: IP address of the source (IPv4 or IPv6). - flat_name: process.session_leader.parent.session_leader.entry_meta.source.ip - level: core - name: ip - normalize: [] - original_fieldset: source - short: IP address of the source. 
- type: ip - process.session_leader.parent.session_leader.entry_meta.source.mac: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-mac - description: 'MAC address of the source. - - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit - byte) is represented by two [uppercase] hexadecimal digits giving the value - of the octet as an unsigned integer. Successive octets are separated by a - hyphen.' - example: 00-00-5E-00-53-23 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.mac - ignore_above: 1024 - level: core - name: mac - normalize: [] - original_fieldset: source - pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ - short: MAC address of the source. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.nat.ip: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-ip - description: 'Translated ip of source based NAT sessions (e.g. internal client - to internet) - - Typically connections traversing load balancers, firewalls, or routers.' - flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.ip - level: extended - name: nat.ip - normalize: [] - original_fieldset: source - short: Source NAT ip - type: ip - process.session_leader.parent.session_leader.entry_meta.source.nat.port: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-nat-port - description: 'Translated port of source based NAT sessions. (e.g. internal client - to internet) - - Typically used with load balancers, firewalls, or routers.' 
- flat_name: process.session_leader.parent.session_leader.entry_meta.source.nat.port - format: string - level: extended - name: nat.port - normalize: [] - original_fieldset: source - short: Source NAT port - type: long - process.session_leader.parent.session_leader.entry_meta.source.packets: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-packets - description: Packets sent from the source to the destination. - example: 12 - flat_name: process.session_leader.parent.session_leader.entry_meta.source.packets - level: core - name: packets - normalize: [] - original_fieldset: source - short: Packets sent from the source to the destination. - type: long - process.session_leader.parent.session_leader.entry_meta.source.port: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-port - description: Port of the source. - flat_name: process.session_leader.parent.session_leader.entry_meta.source.port - format: string - level: core - name: port - normalize: [] - original_fieldset: source - short: Port of the source. - type: long - process.session_leader.parent.session_leader.entry_meta.source.registered_domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-registered-domain - description: 'The highest registered source domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: process.session_leader.parent.session_leader.entry_meta.source.registered_domain - ignore_above: 1024 - level: extended - name: registered_domain - normalize: [] - original_fieldset: source - short: The highest registered source domain, stripped of the subdomain. 
- type: keyword - process.session_leader.parent.session_leader.entry_meta.source.subdomain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: process.session_leader.parent.session_leader.entry_meta.source.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - original_fieldset: source - short: The subdomain of the domain. - type: keyword - process.session_leader.parent.session_leader.entry_meta.source.top_level_domain: - dashed_name: process-session-leader-parent-session-leader-entry-meta-source-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: process.session_leader.parent.session_leader.entry_meta.source.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - original_fieldset: source - short: The effective top level domain (com, org, net, co.uk). 
- type: keyword - process.session_leader.parent.session_leader.entry_meta.type: - dashed_name: process-session-leader-parent-session-leader-entry-meta-type - description: 'The entry type for the entry session leader. Values include: init(e.g - systemd), sshd, ssm, kubelet, teleport, terminal, console - - Note: This field is only set on process.session_leader.' - flat_name: process.session_leader.parent.session_leader.entry_meta.type - ignore_above: 1024 - level: extended - name: entry_meta.type - normalize: [] - original_fieldset: process - short: The entry type for the entry session leader. - type: keyword - process.session_leader.parent.session_leader.env_vars: - dashed_name: process-session-leader-parent-session-leader-env-vars - description: 'Array of environment variable bindings. Captured from a snapshot - of the environment at the time of execution. - - May be filtered to protect sensitive information.' - example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' - flat_name: process.session_leader.parent.session_leader.env_vars - ignore_above: 1024 - level: extended - name: env_vars - normalize: - - array - original_fieldset: process - short: Array of environment variable bindings. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.executable: - dashed_name: process-session-leader-parent-session-leader-executable - description: Absolute path to the process executable. - example: /usr/bin/ssh - flat_name: process.session_leader.parent.session_leader.executable - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.executable.text - name: text - type: match_only_text - name: executable - normalize: [] - original_fieldset: process - short: Absolute path to the process executable. 
- type: keyword - process.session_leader.parent.session_leader.exit_code: - dashed_name: process-session-leader-parent-session-leader-exit-code - description: 'The exit code of the process, if this is a termination event. - - The field should be absent if there is no exit code for the event (e.g. process - start).' - example: 137 - flat_name: process.session_leader.parent.session_leader.exit_code - level: extended - name: exit_code - normalize: [] - original_fieldset: process - short: The exit code of the process. - type: long - process.session_leader.parent.session_leader.group.domain: - dashed_name: process-session-leader-parent-session-leader-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.group.id: - dashed_name: process-session-leader-parent-session-leader-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.group.name: - dashed_name: process-session-leader-parent-session-leader-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.hash.cdhash: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-hash-cdhash - description: Code directory hash, utilized to uniquely identify and authenticate - the integrity of the executable code. - example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 - flat_name: process.session_leader.parent.session_leader.hash.cdhash - ignore_above: 1024 - level: extended - name: cdhash - normalize: [] - original_fieldset: hash - short: The Code Directory (CD) hash of an executable. - type: keyword - process.session_leader.parent.session_leader.hash.md5: - dashed_name: process-session-leader-parent-session-leader-hash-md5 - description: MD5 hash. - flat_name: process.session_leader.parent.session_leader.hash.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - process.session_leader.parent.session_leader.hash.sha1: - dashed_name: process-session-leader-parent-session-leader-hash-sha1 - description: SHA1 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - process.session_leader.parent.session_leader.hash.sha256: - dashed_name: process-session-leader-parent-session-leader-hash-sha256 - description: SHA256 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - process.session_leader.parent.session_leader.hash.sha384: - dashed_name: process-session-leader-parent-session-leader-hash-sha384 - description: SHA384 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha384 - ignore_above: 1024 - level: extended - name: sha384 - normalize: [] - original_fieldset: hash - short: SHA384 hash. 
- type: keyword - process.session_leader.parent.session_leader.hash.sha512: - dashed_name: process-session-leader-parent-session-leader-hash-sha512 - description: SHA512 hash. - flat_name: process.session_leader.parent.session_leader.hash.sha512 - ignore_above: 1024 - level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - process.session_leader.parent.session_leader.hash.ssdeep: - dashed_name: process-session-leader-parent-session-leader-hash-ssdeep - description: SSDEEP hash. - flat_name: process.session_leader.parent.session_leader.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - process.session_leader.parent.session_leader.hash.tlsh: - dashed_name: process-session-leader-parent-session-leader-hash-tlsh - description: TLSH hash. - flat_name: process.session_leader.parent.session_leader.hash.tlsh - ignore_above: 1024 - level: extended - name: tlsh - normalize: [] - original_fieldset: hash - short: TLSH hash. - type: keyword - process.session_leader.parent.session_leader.interactive: - dashed_name: process-session-leader-parent-session-leader-interactive - description: 'Whether the process is connected to an interactive shell. - - Process interactivity is inferred from the processes file descriptors. If - the character device for the controlling tty is the same as stdin and stderr - for the process, the process is considered interactive. - - Note: A non-interactive process can belong to an interactive session and is - simply one that does not have open file descriptors reading the controlling - TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A - backgrounded process is still considered interactive if stdin and stderr are - connected to the controlling TTY.' 
- example: true - flat_name: process.session_leader.parent.session_leader.interactive - level: extended - name: interactive - normalize: [] - original_fieldset: process - short: Whether the process is connected to an interactive shell. - type: boolean - process.session_leader.parent.session_leader.io: - dashed_name: process-session-leader-parent-session-leader-io - description: 'A chunk of input or output (IO) from a single process. - - This field only appears on the top level process object, which is the process - that wrote the output or read the input.' - flat_name: process.session_leader.parent.session_leader.io - level: extended - name: io - normalize: [] - original_fieldset: process - short: A chunk of input or output (IO) from a single process. - type: object - process.session_leader.parent.session_leader.io.bytes_skipped: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped - description: An array of byte offsets and lengths denoting where IO data has - been skipped. - flat_name: process.session_leader.parent.session_leader.io.bytes_skipped - level: extended - name: io.bytes_skipped - normalize: - - array - original_fieldset: process - short: An array of byte offsets and lengths denoting where IO data has been - skipped. - type: object - process.session_leader.parent.session_leader.io.bytes_skipped.length: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-length - description: The length of bytes skipped. - flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.length - level: extended - name: io.bytes_skipped.length - normalize: [] - original_fieldset: process - short: The length of bytes skipped. - type: long - process.session_leader.parent.session_leader.io.bytes_skipped.offset: - dashed_name: process-session-leader-parent-session-leader-io-bytes-skipped-offset - description: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. 
- flat_name: process.session_leader.parent.session_leader.io.bytes_skipped.offset - level: extended - name: io.bytes_skipped.offset - normalize: [] - original_fieldset: process - short: The byte offset into this event's io.text (or io.bytes in the future) - where length bytes were skipped. - type: long - process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded: - dashed_name: process-session-leader-parent-session-leader-io-max-bytes-per-process-exceeded - description: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - flat_name: process.session_leader.parent.session_leader.io.max_bytes_per_process_exceeded - level: extended - name: io.max_bytes_per_process_exceeded - normalize: [] - original_fieldset: process - short: If true, the process producing the output has exceeded the max_kilobytes_per_process - configuration setting. - type: boolean - process.session_leader.parent.session_leader.io.text: - dashed_name: process-session-leader-parent-session-leader-io-text - description: 'A chunk of output or input sanitized to UTF-8. - - Best efforts are made to ensure complete lines are captured in these events. - Assumptions should NOT be made that multiple lines will appear in the same - event. TTY output may contain terminal control codes such as for cursor movement, - so some string queries may not match due to terminal codes inserted between - characters of a word.' - flat_name: process.session_leader.parent.session_leader.io.text - level: extended - name: io.text - normalize: [] - original_fieldset: process - short: A chunk of output or input sanitized to UTF-8. - type: wildcard - process.session_leader.parent.session_leader.io.total_bytes_captured: - dashed_name: process-session-leader-parent-session-leader-io-total-bytes-captured - description: The total number of bytes captured in this event. 
- flat_name: process.session_leader.parent.session_leader.io.total_bytes_captured - level: extended - name: io.total_bytes_captured - normalize: [] - original_fieldset: process - short: The total number of bytes captured in this event. - type: long - process.session_leader.parent.session_leader.io.total_bytes_skipped: - dashed_name: process-session-leader-parent-session-leader-io-total-bytes-skipped - description: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. Implementors should strive to ensure - this value is always zero - flat_name: process.session_leader.parent.session_leader.io.total_bytes_skipped - level: extended - name: io.total_bytes_skipped - normalize: [] - original_fieldset: process - short: The total number of bytes that were not captured due to implementation - restrictions such as buffer size limits. - type: long - process.session_leader.parent.session_leader.io.type: - dashed_name: process-session-leader-parent-session-leader-io-type - description: 'The type of object on which the IO action (read or write) was - taken. - - Currently only ''tty'' is supported. Other types may be added in the future - for ''file'' and ''socket'' support.' - flat_name: process.session_leader.parent.session_leader.io.type - ignore_above: 1024 - level: extended - name: io.type - normalize: [] - original_fieldset: process - short: The type of object on which the IO action (read or write) was taken. - type: keyword - process.session_leader.parent.session_leader.macho.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-macho-go-import-hash - description: 'A hash of the Go language imports in a Mach-O file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.macho.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: macho - short: A hash of the Go language imports in a Mach-O file. - type: keyword - process.session_leader.parent.session_leader.macho.go_imports: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.macho.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: macho - short: List of imported Go language element names and types. - type: flattened - process.session_leader.parent.session_leader.macho.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.macho.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of Go imports. 
- type: long - process.session_leader.parent.session_leader.macho.go_stripped: - dashed_name: process-session-leader-parent-session-leader-macho-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.macho.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: macho - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.parent.session_leader.macho.import_hash: - dashed_name: process-session-leader-parent-session-leader-macho-import-hash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a synonym for symhash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.macho.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.parent.session_leader.macho.imports: - dashed_name: process-session-leader-parent-session-leader-macho-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.macho.imports - level: extended - name: imports - normalize: - - array - original_fieldset: macho - short: List of imported element names and types. - type: flattened - process.session_leader.parent.session_leader.macho.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. 
- flat_name: process.session_leader.parent.session_leader.macho.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.parent.session_leader.macho.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.session_leader.macho.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.session_leader.macho.sections: - dashed_name: process-session-leader-parent-session-leader-macho-sections - description: 'An array containing an object for each section of the Mach-O file. - - The keys that should be present in these objects are defined by sub-fields - underneath `macho.sections.*`.' - flat_name: process.session_leader.parent.session_leader.macho.sections - level: extended - name: sections - normalize: - - array - original_fieldset: macho - short: Section information of the Mach-O file. - type: nested - process.session_leader.parent.session_leader.macho.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-macho-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.macho.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: macho - short: Shannon entropy calculation from the section. 
- type: long - process.session_leader.parent.session_leader.macho.sections.name: - dashed_name: process-session-leader-parent-session-leader-macho-sections-name - description: Mach-O Section List name. - flat_name: process.session_leader.parent.session_leader.macho.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: macho - short: Mach-O Section List name. - type: keyword - process.session_leader.parent.session_leader.macho.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-macho-sections-physical-size - description: Mach-O Section List physical size. - flat_name: process.session_leader.parent.session_leader.macho.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List physical size. - type: long - process.session_leader.parent.session_leader.macho.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-macho-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.macho.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: macho - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.session_leader.macho.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-macho-sections-virtual-size - description: Mach-O Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.session_leader.macho.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: macho - short: Mach-O Section List virtual size. This is always the same as `physical_size`. 
- type: long - process.session_leader.parent.session_leader.macho.symhash: - dashed_name: process-session-leader-parent-session-leader-macho-symhash - description: 'A hash of the imports in a Mach-O file. An import hash can be - used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - This is a Mach-O implementation of the Windows PE imphash' - example: d3ccf195b62a9279c3c19af1080497ec - flat_name: process.session_leader.parent.session_leader.macho.symhash - ignore_above: 1024 - level: extended - name: symhash - normalize: [] - original_fieldset: macho - short: A hash of the imports in a Mach-O file. - type: keyword - process.session_leader.parent.session_leader.name: - dashed_name: process-session-leader-parent-session-leader-name - description: 'Process name. - - Sometimes called program name or similar.' - example: ssh - flat_name: process.session_leader.parent.session_leader.name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: process - short: Process name. - type: keyword - process.session_leader.parent.session_leader.origin_referrer_url: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-origin-referrer-url - description: The URL of the webpage that linked to the process's executable - file. - example: http://example.com/article1.html - flat_name: process.session_leader.parent.session_leader.origin_referrer_url - ignore_above: 8192 - level: extended - name: origin_referrer_url - normalize: [] - original_fieldset: process - short: The URL of the webpage that linked to the process's executable file. - type: keyword - process.session_leader.parent.session_leader.origin_url: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-origin-url - description: The URL where the process's executable file is hosted. - example: http://example.com/files/example.exe - flat_name: process.session_leader.parent.session_leader.origin_url - ignore_above: 8192 - level: extended - name: origin_url - normalize: [] - original_fieldset: process - short: The URL where the process's executable file is hosted. - type: keyword - process.session_leader.parent.session_leader.pe.architecture: - dashed_name: process-session-leader-parent-session-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.session_leader.parent.session_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - process.session_leader.parent.session_leader.pe.company: - dashed_name: process-session-leader-parent-session-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.session_leader.parent.session_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.session_leader.pe.description: - dashed_name: process-session-leader-parent-session-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.session_leader.parent.session_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. 
- type: keyword - process.session_leader.parent.session_leader.pe.file_version: - dashed_name: process-session-leader-parent-session-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.session_leader.parent.session_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.session_leader.parent.session_leader.pe.go_import_hash: - dashed_name: process-session-leader-parent-session-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. - - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.parent.session_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.session_leader.parent.session_leader.pe.go_imports: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.parent.session_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. 
- type: flattened - process.session_leader.parent.session_leader.pe.go_imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.parent.session_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.parent.session_leader.pe.go_stripped: - dashed_name: process-session-leader-parent-session-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. - flat_name: process.session_leader.parent.session_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.parent.session_leader.pe.imphash: - dashed_name: process-session-leader-parent-session-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. 
- - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.parent.session_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.session_leader.parent.session_leader.pe.import_hash: - dashed_name: process-session-leader-parent-session-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.parent.session_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.session_leader.parent.session_leader.pe.imports: - dashed_name: process-session-leader-parent-session-leader-pe-imports - description: List of imported element names and types. - flat_name: process.session_leader.parent.session_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. - type: flattened - process.session_leader.parent.session_leader.pe.imports_names_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.parent.session_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. 
- type: long - process.session_leader.parent.session_leader.pe.imports_names_var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.parent.session_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.parent.session_leader.pe.original_file_name: - dashed_name: process-session-leader-parent-session-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.session_leader.parent.session_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.session_leader.pe.pehash: - dashed_name: process-session-leader-parent-session-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' - example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.parent.session_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. 
- type: keyword - process.session_leader.parent.session_leader.pe.product: - dashed_name: process-session-leader-parent-session-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.session_leader.parent.session_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.session_leader.parent.session_leader.pe.sections: - dashed_name: process-session-leader-parent-session-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.session_leader.parent.session_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.session_leader.parent.session_leader.pe.sections.entropy: - dashed_name: process-session-leader-parent-session-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.session_leader.parent.session_leader.pe.sections.name: - dashed_name: process-session-leader-parent-session-leader-pe-sections-name - description: PE Section List name. - flat_name: process.session_leader.parent.session_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword - process.session_leader.parent.session_leader.pe.sections.physical_size: - dashed_name: process-session-leader-parent-session-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.session_leader.parent.session_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.session_leader.parent.session_leader.pe.sections.var_entropy: - dashed_name: process-session-leader-parent-session-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.parent.session_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.parent.session_leader.pe.sections.virtual_size: - dashed_name: process-session-leader-parent-session-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.parent.session_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.session_leader.parent.session_leader.pid: - dashed_name: process-session-leader-parent-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.parent.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - short: Process id. - type: long - process.session_leader.parent.session_leader.platform_binary: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. - flat_name: process.session_leader.parent.session_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.session_leader.parent.session_leader.real_group.domain: - dashed_name: process-session-leader-parent-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.real_group.id: - dashed_name: process-session-leader-parent-session-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.real_group.name: - dashed_name: process-session-leader-parent-session-leader-real-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.session_leader.parent.session_leader.real_user.domain: - dashed_name: process-session-leader-parent-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.session_leader.real_user.email: - dashed_name: process-session-leader-parent-session-leader-real-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.session_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.session_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.parent.session_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.session_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.parent.session_leader.real_user.entity.id: - dashed_name: process-session-leader-parent-session-leader-real-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.parent.session_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.session_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.parent.session_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.session_leader.parent.session_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.session_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.parent.session_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.session_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.session_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. 
While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.parent.session_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.parent.session_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.parent.session_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.parent.session_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.parent.session_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.session_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. 
This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. 
This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.parent.session_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.session_leader.real_user.full_name: - dashed_name: process-session-leader-parent-session-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.session_leader.real_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.session_leader.parent.session_leader.real_user.group.id: - dashed_name: process-session-leader-parent-session-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.real_user.group.name: - dashed_name: process-session-leader-parent-session-leader-real-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.real_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.real_user.hash: - dashed_name: process-session-leader-parent-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.session_leader.real_user.id: - dashed_name: process-session-leader-parent-session-leader-real-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.session_leader.parent.session_leader.real_user.name: - dashed_name: process-session-leader-parent-session-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.parent.session_leader.real_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.session_leader.real_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.session_leader.real_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.session_leader.real_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.session_leader.parent.session_leader.real_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.session_leader.real_user.roles: - dashed_name: process-session-leader-parent-session-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.real_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.same_as_process: - dashed_name: process-session-leader-parent-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.parent.session_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.session_leader.parent.session_leader.saved_group.domain: - dashed_name: process-session-leader-parent-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.saved_group.id: - dashed_name: process-session-leader-parent-session-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.saved_group.name: - dashed_name: process-session-leader-parent-session-leader-saved-group-name - description: Name of the group. 
- flat_name: process.session_leader.parent.session_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.saved_user.domain: - dashed_name: process-session-leader-parent-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.session_leader.saved_user.email: - dashed_name: process-session-leader-parent-session-leader-saved-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.session_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. 
- type: object - process.session_leader.parent.session_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.session_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. 
- type: keyword - process.session_leader.parent.session_leader.saved_user.entity.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.parent.session_leader.saved_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.parent.session_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.session_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.session_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.session_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.parent.session_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.saved_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.parent.session_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.parent.session_leader.saved_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. 
- type: keyword - process.session_leader.parent.session_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.saved_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.session_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. 
- name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. 
- name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.parent.session_leader.saved_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.session_leader.saved_user.full_name: - dashed_name: process-session-leader-parent-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.saved_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.session_leader.saved_user.group.domain: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.session_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.saved_user.group.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.saved_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.saved_user.group.name: - dashed_name: process-session-leader-parent-session-leader-saved-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.saved_user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.saved_user.hash: - dashed_name: process-session-leader-parent-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.session_leader.saved_user.id: - dashed_name: process-session-leader-parent-session-leader-saved-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.saved_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.parent.session_leader.saved_user.name: - dashed_name: process-session-leader-parent-session-leader-saved-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.saved_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.saved_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.parent.session_leader.saved_user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.session_leader.saved_user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. 
- example: 880.73 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.session_leader.saved_user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.session_leader.saved_user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: 830.0 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.parent.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.parent.session_leader.saved_user.roles: - dashed_name: process-session-leader-parent-session-leader-saved-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.saved_user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.start: - dashed_name: process-session-leader-parent-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.session_leader.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. 
- type: date - process.session_leader.parent.session_leader.supplemental_groups.domain: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.supplemental_groups.id: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.session_leader.supplemental_groups.name: - dashed_name: process-session-leader-parent-session-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.thread.capabilities.effective: - dashed_name: process-session-leader-parent-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.session_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.thread.capabilities.permitted: - dashed_name: process-session-leader-parent-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.session_leader.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.thread.id: - dashed_name: process-session-leader-parent-session-leader-thread-id - description: Thread ID. - example: 4242 - flat_name: process.session_leader.parent.session_leader.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.session_leader.parent.session_leader.thread.name: - dashed_name: process-session-leader-parent-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.session_leader.parent.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.session_leader.parent.session_leader.title: - dashed_name: process-session-leader-parent-session-leader-title - description: 'Process title. 
- - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.parent.session_leader.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.session_leader.parent.session_leader.tty: - dashed_name: process-session-leader-parent-session-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.session_leader.parent.session_leader.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.session_leader.parent.session_leader.tty.char_device.major: - dashed_name: process-session-leader-parent-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.session_leader.parent.session_leader.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.session_leader.parent.session_leader.tty.char_device.minor: - dashed_name: process-session-leader-parent-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. 
It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.session_leader.parent.session_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.session_leader.parent.session_leader.tty.columns: - dashed_name: process-session-leader-parent-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.parent.session_leader.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.session_leader.parent.session_leader.tty.rows: - dashed_name: process-session-leader-parent-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.parent.session_leader.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.session_leader.parent.session_leader.uptime: - dashed_name: process-session-leader-parent-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.session_leader.parent.session_leader.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. 
- type: long - process.session_leader.parent.session_leader.user.domain: - dashed_name: process-session-leader-parent-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.session_leader.user.email: - dashed_name: process-session-leader-parent-session-leader-user-email - description: User email address. - flat_name: process.session_leader.parent.session_leader.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.session_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.session_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.parent.session_leader.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. 
Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.session_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.session_leader.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.parent.session_leader.user.entity.id: - dashed_name: process-session-leader-parent-session-leader-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). 
For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.parent.session_leader.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.parent.session_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.session_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.parent.session_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.session_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.session_leader.user.entity.metrics: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-session-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.parent.session_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.session_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.parent.session_leader.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.session_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.parent.session_leader.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object - process.session_leader.parent.session_leader.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.session_leader.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.parent.session_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.parent.session_leader.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.parent.session_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: process.session_leader.parent.session_leader.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.session_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. 
Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-session-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. 
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.parent.session_leader.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.session_leader.user.full_name: - dashed_name: process-session-leader-parent-session-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.session_leader.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.session_leader.user.group.domain: - dashed_name: process-session-leader-parent-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.session_leader.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.session_leader.user.group.id: - dashed_name: process-session-leader-parent-session-leader-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.session_leader.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. 
- type: keyword - process.session_leader.parent.session_leader.user.group.name: - dashed_name: process-session-leader-parent-session-leader-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.session_leader.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.session_leader.user.hash: - dashed_name: process-session-leader-parent-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.session_leader.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.session_leader.user.id: - dashed_name: process-session-leader-parent-session-leader-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.session_leader.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.parent.session_leader.user.name: - dashed_name: process-session-leader-parent-session-leader-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.session_leader.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.session_leader.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. 
- type: keyword - process.session_leader.parent.session_leader.user.risk.calculated_level: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.session_leader.user.risk.calculated_score: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.parent.session_leader.user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.parent.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.session_leader.parent.session_leader.user.risk.static_level: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.session_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.session_leader.user.risk.static_score: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.parent.session_leader.user.risk.static_score_norm: - dashed_name: process-session-leader-parent-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float - process.session_leader.parent.session_leader.user.roles: - dashed_name: process-session-leader-parent-session-leader-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.session_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.session_leader.vpid: - dashed_name: process-session-leader-parent-session-leader-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.session_leader.parent.session_leader.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.session_leader.parent.session_leader.working_directory: - dashed_name: process-session-leader-parent-session-leader-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.session_leader.parent.session_leader.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.session_leader.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.session_leader.parent.start: - dashed_name: process-session-leader-parent-start - description: The time the process started. 
- example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.parent.start - level: extended - name: start - normalize: [] - original_fieldset: process - short: The time the process started. - type: date - process.session_leader.parent.supplemental_groups.domain: - dashed_name: process-session-leader-parent-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.parent.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.supplemental_groups.id: - dashed_name: process-session-leader-parent-supplemental-groups-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.supplemental_groups.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.supplemental_groups.name: - dashed_name: process-session-leader-parent-supplemental-groups-name - description: Name of the group. - flat_name: process.session_leader.parent.supplemental_groups.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.thread.capabilities.effective: - dashed_name: process-session-leader-parent-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. 
- example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.thread.capabilities.permitted: - dashed_name: process-session-leader-parent-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.parent.thread.capabilities.permitted - ignore_above: 1024 - level: extended - name: thread.capabilities.permitted - normalize: - - array - original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.thread.id: - dashed_name: process-session-leader-parent-thread-id - description: Thread ID. - example: 4242 - flat_name: process.session_leader.parent.thread.id - format: string - level: extended - name: thread.id - normalize: [] - original_fieldset: process - short: Thread ID. - type: long - process.session_leader.parent.thread.name: - dashed_name: process-session-leader-parent-thread-name - description: Thread name. - example: thread-0 - flat_name: process.session_leader.parent.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.session_leader.parent.title: - dashed_name: process-session-leader-parent-title - description: 'Process title. - - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' 
- flat_name: process.session_leader.parent.title - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.title.text - name: text - type: match_only_text - name: title - normalize: [] - original_fieldset: process - short: Process title. - type: keyword - process.session_leader.parent.tty: - dashed_name: process-session-leader-parent-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.session_leader.parent.tty - level: extended - name: tty - normalize: [] - original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.session_leader.parent.tty.char_device.major: - dashed_name: process-session-leader-parent-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.session_leader.parent.tty.char_device.major - level: extended - name: tty.char_device.major - normalize: [] - original_fieldset: process - short: The TTY character device's major number. - type: long - process.session_leader.parent.tty.char_device.minor: - dashed_name: process-session-leader-parent-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. 
- example: 1 - flat_name: process.session_leader.parent.tty.char_device.minor - level: extended - name: tty.char_device.minor - normalize: [] - original_fieldset: process - short: The TTY character device's minor number. - type: long - process.session_leader.parent.tty.columns: - dashed_name: process-session-leader-parent-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.parent.tty.columns - level: extended - name: tty.columns - normalize: [] - original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.session_leader.parent.tty.rows: - dashed_name: process-session-leader-parent-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.parent.tty.rows - level: extended - name: tty.rows - normalize: [] - original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height - type: long - process.session_leader.parent.uptime: - dashed_name: process-session-leader-parent-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.session_leader.parent.uptime - level: extended - name: uptime - normalize: [] - original_fieldset: process - short: Seconds the process has been up. - type: long - process.session_leader.parent.user.domain: - dashed_name: process-session-leader-parent-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.parent.user.email: - dashed_name: process-session-leader-parent-user-email - description: User email address. - flat_name: process.session_leader.parent.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.parent.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.parent.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.parent.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.session_leader.parent.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.parent.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.parent.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.parent.user.entity.id: - dashed_name: process-session-leader-parent-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.parent.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. 
- type: keyword - process.session_leader.parent.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.parent.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.parent.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.parent.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.parent.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.parent.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.parent.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-name - description: The name of the entity. 
The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.parent.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.parent.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.parent.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.parent.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.parent.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.parent.user.entity.source: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-parent-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.parent.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.parent.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.parent.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.parent.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. 
- name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. 
- name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-parent-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.parent.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.parent.user.full_name: - dashed_name: process-session-leader-parent-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.parent.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.parent.user.group.domain: - dashed_name: process-session-leader-parent-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' 
- flat_name: process.session_leader.parent.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.parent.user.group.id: - dashed_name: process-session-leader-parent-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.parent.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.parent.user.group.name: - dashed_name: process-session-leader-parent-user-group-name - description: Name of the group. - flat_name: process.session_leader.parent.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.parent.user.hash: - dashed_name: process-session-leader-parent-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.parent.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.parent.user.id: - dashed_name: process-session-leader-parent-user-id - description: Unique identifier of the user. - example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.parent.user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. 
- type: keyword - process.session_leader.parent.user.name: - dashed_name: process-session-leader-parent-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.parent.user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.parent.user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.parent.user.risk.calculated_level: - dashed_name: process-session-leader-parent-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.parent.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.parent.user.risk.calculated_score: - dashed_name: process-session-leader-parent-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.parent.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.parent.user.risk.calculated_score_norm: - dashed_name: process-session-leader-parent-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. 
- example: 88.73 - flat_name: process.session_leader.parent.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.parent.user.risk.static_level: - dashed_name: process-session-leader-parent-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.parent.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.parent.user.risk.static_score: - dashed_name: process-session-leader-parent-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.parent.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.parent.user.risk.static_score_norm: - dashed_name: process-session-leader-parent-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.parent.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. 
- type: float - process.session_leader.parent.user.roles: - dashed_name: process-session-leader-parent-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.parent.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.parent.vpid: - dashed_name: process-session-leader-parent-vpid - description: 'Virtual process id. - - The process id within a pid namespace. This is not necessarily unique across - all processes on the host but it is unique within the process namespace that - the process exists within.' - example: 4242 - flat_name: process.session_leader.parent.vpid - format: string - level: core - name: vpid - normalize: [] - original_fieldset: process - short: Virtual process id. - type: long - process.session_leader.parent.working_directory: - dashed_name: process-session-leader-parent-working-directory - description: The working directory of the process. - example: /home/alice - flat_name: process.session_leader.parent.working_directory - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.parent.working_directory.text - name: text - type: match_only_text - name: working_directory - normalize: [] - original_fieldset: process - short: The working directory of the process. - type: keyword - process.session_leader.pe.architecture: - dashed_name: process-session-leader-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: process.session_leader.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. 
- type: keyword - process.session_leader.pe.company: - dashed_name: process-session-leader-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: process.session_leader.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.session_leader.pe.description: - dashed_name: process-session-leader-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.session_leader.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.session_leader.pe.file_version: - dashed_name: process-session-leader-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.session_leader.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.session_leader.pe.go_import_hash: - dashed_name: process-session-leader-pe-go-import-hash - description: 'A hash of the Go language imports in a PE file excluding standard - library imports. An import hash can be used to fingerprint binaries even after - recompilation or other code-level transformations have occurred, which would - change more traditional hash values. 
- - The algorithm used to calculate the Go symbol hash and a reference implementation - are available here: https://github.com/elastic/toutoumomoma' - example: 10bddcb4cee42080f76c88d9ff964491 - flat_name: process.session_leader.pe.go_import_hash - ignore_above: 1024 - level: extended - name: go_import_hash - normalize: [] - original_fieldset: pe - short: A hash of the Go language imports in a PE file. - type: keyword - process.session_leader.pe.go_imports: - dashed_name: process-session-leader-pe-go-imports - description: List of imported Go language element names and types. - flat_name: process.session_leader.pe.go_imports - level: extended - name: go_imports - normalize: [] - original_fieldset: pe - short: List of imported Go language element names and types. - type: flattened - process.session_leader.pe.go_imports_names_entropy: - dashed_name: process-session-leader-pe-go-imports-names-entropy - description: Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.pe.go_imports_names_entropy - format: number - level: extended - name: go_imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.pe.go_imports_names_var_entropy: - dashed_name: process-session-leader-pe-go-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of Go imports. - flat_name: process.session_leader.pe.go_imports_names_var_entropy - format: number - level: extended - name: go_imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of Go imports. - type: long - process.session_leader.pe.go_stripped: - dashed_name: process-session-leader-pe-go-stripped - description: Set to true if the file is a Go executable that has had its symbols - stripped or obfuscated and false if an unobfuscated Go executable. 
- flat_name: process.session_leader.pe.go_stripped - level: extended - name: go_stripped - normalize: [] - original_fieldset: pe - short: Whether the file is a stripped or obfuscated Go executable. - type: boolean - process.session_leader.pe.imphash: - dashed_name: process-session-leader-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.session_leader.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.session_leader.pe.import_hash: - dashed_name: process-session-leader-pe-import-hash - description: 'A hash of the imports in a PE file. An import hash can be used - to fingerprint binaries even after recompilation or other code-level transformations - have occurred, which would change more traditional hash values. - - This is a synonym for imphash.' - example: d41d8cd98f00b204e9800998ecf8427e - flat_name: process.session_leader.pe.import_hash - ignore_above: 1024 - level: extended - name: import_hash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.session_leader.pe.imports: - dashed_name: process-session-leader-pe-imports - description: List of imported element names and types. - flat_name: process.session_leader.pe.imports - level: extended - name: imports - normalize: - - array - original_fieldset: pe - short: List of imported element names and types. 
- type: flattened - process.session_leader.pe.imports_names_entropy: - dashed_name: process-session-leader-pe-imports-names-entropy - description: Shannon entropy calculation from the list of imported element names - and types. - flat_name: process.session_leader.pe.imports_names_entropy - format: number - level: extended - name: imports_names_entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the list of imported element names and - types. - type: long - process.session_leader.pe.imports_names_var_entropy: - dashed_name: process-session-leader-pe-imports-names-var-entropy - description: Variance for Shannon entropy calculation from the list of imported - element names and types. - flat_name: process.session_leader.pe.imports_names_var_entropy - format: number - level: extended - name: imports_names_var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the list of imported element - names and types. - type: long - process.session_leader.pe.original_file_name: - dashed_name: process-session-leader-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.session_leader.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.session_leader.pe.pehash: - dashed_name: process-session-leader-pe-pehash - description: 'A hash of the PE header and data from one or more PE sections. - An pehash can be used to cluster files by transforming structural information - about a file into a hash value. - - Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.' 
- example: 73ff189b63cd6be375a7ff25179a38d347651975 - flat_name: process.session_leader.pe.pehash - ignore_above: 1024 - level: extended - name: pehash - normalize: [] - original_fieldset: pe - short: A hash of the PE header and data from one or more PE sections. - type: keyword - process.session_leader.pe.product: - dashed_name: process-session-leader-pe-product - description: Internal product name of the file, provided at compile-time. - example: Microsoft® Windows® Operating System - flat_name: process.session_leader.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.session_leader.pe.sections: - dashed_name: process-session-leader-pe-sections - description: 'An array containing an object for each section of the PE file. - - The keys that should be present in these objects are defined by sub-fields - underneath `pe.sections.*`.' - flat_name: process.session_leader.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Section information of the PE file. - type: nested - process.session_leader.pe.sections.entropy: - dashed_name: process-session-leader-pe-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: process.session_leader.pe.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Shannon entropy calculation from the section. - type: long - process.session_leader.pe.sections.name: - dashed_name: process-session-leader-pe-sections-name - description: PE Section List name. - flat_name: process.session_leader.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: PE Section List name. 
- type: keyword - process.session_leader.pe.sections.physical_size: - dashed_name: process-session-leader-pe-sections-physical-size - description: PE Section List physical size. - flat_name: process.session_leader.pe.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: pe - short: PE Section List physical size. - type: long - process.session_leader.pe.sections.var_entropy: - dashed_name: process-session-leader-pe-sections-var-entropy - description: Variance for Shannon entropy calculation from the section. - flat_name: process.session_leader.pe.sections.var_entropy - format: number - level: extended - name: sections.var_entropy - normalize: [] - original_fieldset: pe - short: Variance for Shannon entropy calculation from the section. - type: long - process.session_leader.pe.sections.virtual_size: - dashed_name: process-session-leader-pe-sections-virtual-size - description: PE Section List virtual size. This is always the same as `physical_size`. - flat_name: process.session_leader.pe.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: pe - short: PE Section List virtual size. This is always the same as `physical_size`. - type: long - process.session_leader.pid: - dashed_name: process-session-leader-pid - description: Process id. - example: 4242 - flat_name: process.session_leader.pid - format: string - level: core - name: pid - normalize: [] - original_fieldset: process - otel: - - relation: match - stability: development - short: Process id. - type: long - process.session_leader.platform_binary: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-platform-binary - description: Binaries that are shipped by the operating system are defined as - platform binaries, this value is then set to true. 
- flat_name: process.session_leader.platform_binary - level: extended - name: platform_binary - normalize: [] - original_fieldset: process - short: Indicates whether this process executable is a default platform binary - shipped with the operating system. - type: boolean - process.session_leader.real_group.domain: - dashed_name: process-session-leader-real-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.real_group.id: - dashed_name: process-session-leader-real-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.real_group.name: - dashed_name: process-session-leader-real-group-name - description: Name of the group. - flat_name: process.session_leader.real_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.real_user.domain: - dashed_name: process-session-leader-real-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.real_user.email: - dashed_name: process-session-leader-real-user-email - description: User email address. 
- flat_name: process.session_leader.real_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.real_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.real_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.real_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.real_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.real_user.entity.display_name: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-real-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.real_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.real_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.real_user.entity.id: - dashed_name: process-session-leader-real-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.real_user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.session_leader.real_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. 
- flat_name: process.session_leader.real_user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.real_user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.real_user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.real_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.real_user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.real_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- flat_name: process.session_leader.real_user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.real_user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.session_leader.real_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.real_user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.real_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.real_user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.real_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). 
- flat_name: process.session_leader.real_user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.session_leader.real_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.real_user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.session_leader.real_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. 
- Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. 
Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-real-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.real_user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.session_leader.real_user.full_name: - dashed_name: process-session-leader-real-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.real_user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.real_user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.real_user.group.domain: - dashed_name: process-session-leader-real-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.real_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. 
- type: keyword - process.session_leader.real_user.group.id: - dashed_name: process-session-leader-real-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.real_user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. + original_fieldset: pe + short: A hash of the PE header and data from one or more PE sections. type: keyword - process.session_leader.real_user.group.name: - dashed_name: process-session-leader-real-user-group-name - description: Name of the group. - flat_name: process.session_leader.real_user.group.name + process.pe.product: + dashed_name: process-pe-product + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + flat_name: process.pe.product ignore_above: 1024 level: extended - name: name + name: product normalize: [] - original_fieldset: group - short: Name of the group. + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. type: keyword - process.session_leader.real_user.hash: - dashed_name: process-session-leader-real-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. + process.pe.sections: + dashed_name: process-pe-sections + description: 'An array containing an object for each section of the PE file. - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.real_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.real_user.id: - dashed_name: process-session-leader-real-user-id - description: Unique identifier of the user. 
- example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.real_user.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: user - short: Unique identifier of the user. - type: keyword - process.session_leader.real_user.name: - dashed_name: process-session-leader-real-user-name - description: Short name or login of the user. - example: a.einstein - flat_name: process.session_leader.real_user.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.session_leader.real_user.name.text - name: text - type: match_only_text - name: name - normalize: [] - original_fieldset: user - short: Short name or login of the user. - type: keyword - process.session_leader.real_user.risk.calculated_level: - dashed_name: process-session-leader-real-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.real_user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.real_user.risk.calculated_score: - dashed_name: process-session-leader-real-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.real_user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.session_leader.real_user.risk.calculated_score_norm: - dashed_name: process-session-leader-real-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.real_user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.real_user.risk.static_level: - dashed_name: process-session-leader-real-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.real_user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.real_user.risk.static_score: - dashed_name: process-session-leader-real-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.real_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. 
- type: float - process.session_leader.real_user.risk.static_score_norm: - dashed_name: process-session-leader-real-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.real_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.real_user.roles: - dashed_name: process-session-leader-real-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.real_user.roles - ignore_above: 1024 + The keys that should be present in these objects are defined by sub-fields + underneath `pe.sections.*`.' + flat_name: process.pe.sections level: extended - name: roles + name: sections normalize: - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.same_as_process: - dashed_name: process-session-leader-same-as-process - description: 'This boolean is used to identify if a leader process is the same - as the top level process. - - For example, if `process.group_leader.same_as_process = true`, it means the - process event in question is the leader of its process group. Details under - `process.*` like `pid` would be the same under `process.group_leader.*` The - same applies for both `process.session_leader` and `process.entry_leader`. - - This field exists to the benefit of EQL and other rule engines since it''s - not possible to compare equality between two fields in a single document. 
- e.g `process.entity_id` = `process.group_leader.entity_id` (top level process - is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` - (top level process is the entry session leader) - - Instead these rules could be written like: `process.group_leader.same_as_process: - true` OR `process.entry_leader.same_as_process: true` - - Note: This field is only set on `process.entry_leader`, `process.session_leader` - and `process.group_leader`.' - example: true - flat_name: process.session_leader.same_as_process - level: extended - name: same_as_process - normalize: [] - original_fieldset: process - short: This boolean is used to identify if a leader process is the same as the - top level process. - type: boolean - process.session_leader.saved_group.domain: - dashed_name: process-session-leader-saved-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.saved_group.id: - dashed_name: process-session-leader-saved-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.saved_group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.saved_group.name: - dashed_name: process-session-leader-saved-group-name - description: Name of the group. - flat_name: process.session_leader.saved_group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. 
- type: keyword - process.session_leader.saved_user.domain: - dashed_name: process-session-leader-saved-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.saved_user.email: - dashed_name: process-session-leader-saved-user-email - description: User email address. - flat_name: process.session_leader.saved_user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.session_leader.saved_user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.saved_user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.saved_user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. 
Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.saved_user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.saved_user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.saved_user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.session_leader.saved_user.entity.display_name.text - name: text - norms: false - type: text - name: display_name + original_fieldset: pe + short: Section information of the PE file. + type: nested + process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.pe.sections.entropy + format: number + level: extended + name: sections.entropy normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.session_leader.saved_user.entity.id: - dashed_name: process-session-leader-saved-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.saved_user.entity.id + original_fieldset: pe + short: Shannon entropy calculation from the section. + type: long + process.pe.sections.name: + dashed_name: process-pe-sections-name + description: PE Section List name. + flat_name: process.pe.sections.name ignore_above: 1024 - level: core - name: id + level: extended + name: sections.name normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. + original_fieldset: pe + short: PE Section List name. type: keyword - process.session_leader.saved_user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.saved_user.entity.last_seen_timestamp + process.pe.sections.physical_size: + dashed_name: process-pe-sections-physical-size + description: PE Section List physical size. + flat_name: process.pe.sections.physical_size + format: bytes level: extended - name: last_seen_timestamp + name: sections.physical_size normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.saved_user.entity.lifecycle: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-saved-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.saved_user.entity.lifecycle + original_fieldset: pe + short: PE Section List physical size. + type: long + process.pe.sections.var_entropy: + dashed_name: process-pe-sections-var-entropy + description: Variance for Shannon entropy calculation from the section. + flat_name: process.pe.sections.var_entropy + format: number level: extended - name: lifecycle + name: sections.var_entropy normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.saved_user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.saved_user.entity.metrics + original_fieldset: pe + short: Variance for Shannon entropy calculation from the section. + type: long + process.pe.sections.virtual_size: + dashed_name: process-pe-sections-virtual-size + description: PE Section List virtual size. This is always the same as `physical_size`. + flat_name: process.pe.sections.virtual_size + format: string level: extended - name: metrics + name: sections.virtual_size normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.saved_user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-name - description: The name of the entity. 
The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.saved_user.entity.name - ignore_above: 1024 + original_fieldset: pe + short: PE Section List virtual size. This is always the same as `physical_size`. + type: long + process.pid: + dashed_name: process-pid + description: Process id. + example: 4242 + flat_name: process.pid + format: string level: core - multi_fields: - - flat_name: process.session_leader.saved_user.entity.name.text - name: text - norms: false - type: text - name: name + name: pid normalize: [] - original_fieldset: entity - short: The name of the entity. + otel: + - relation: match + stability: development + short: Process id. + type: long + process.previous.args: + dashed_name: process-previous-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.previous.args + ignore_above: 1024 + level: extended + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. type: keyword - process.session_leader.saved_user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.saved_user.entity.raw + process.previous.args_count: + dashed_name: process-previous-args-count + description: 'Length of the process.args array. 
+ + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.previous.args_count level: extended - name: raw + name: args_count normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.saved_user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.saved_user.entity.reference + original_fieldset: process + short: Length of the process.args array. + type: long + process.previous.executable: + dashed_name: process-previous-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.previous.executable ignore_above: 1024 level: extended - name: reference + multi_fields: + - flat_name: process.previous.executable.text + name: text + type: match_only_text + name: executable normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. + original_fieldset: process + short: Absolute path to the process executable. type: keyword - process.session_leader.saved_user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). 
- flat_name: process.session_leader.saved_user.entity.source + process.real_group.id: + dashed_name: process-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.real_group.id ignore_above: 1024 - level: core - name: source + level: extended + name: id normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.saved_user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.saved_user.entity.sub_type + process.real_group.name: + dashed_name: process-real-group-name + description: Name of the group. + flat_name: process.real_group.name ignore_above: 1024 level: extended - name: sub_type + name: name normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. + original_fieldset: group + short: Name of the group. type: keyword - process.session_leader.saved_user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-saved-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.saved_user.entity.type + process.real_user.id: + dashed_name: process-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.real_user.id ignore_above: 1024 level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. + name: id + normalize: [] + original_fieldset: user + otel: + - relation: match + stability: development + short: Unique identifier of the user. 
type: keyword - process.session_leader.saved_user.full_name: - dashed_name: process-session-leader-saved-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.saved_user.full_name + process.real_user.name: + dashed_name: process-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.real_user.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.session_leader.saved_user.full_name.text + - flat_name: process.real_user.name.text name: text type: match_only_text - name: full_name + name: name normalize: [] original_fieldset: user - short: User's full name, if available. - type: keyword - process.session_leader.saved_user.group.domain: - dashed_name: process-session-leader-saved-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.saved_user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. + otel: + - relation: match + stability: development + short: Short name or login of the user. type: keyword - process.session_leader.saved_user.group.id: - dashed_name: process-session-leader-saved-user-group-id + process.saved_group.id: + dashed_name: process-saved-group-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.saved_user.group.id + flat_name: process.saved_group.id ignore_above: 1024 level: extended name: id 
@@ -60971,10 +15709,10 @@ process:
 original_fieldset: group
 short: Unique identifier for the group on the system/platform.
 type: keyword
- process.session_leader.saved_user.group.name:
- dashed_name: process-session-leader-saved-user-group-name
+ process.saved_group.name:
+ dashed_name: process-saved-group-name
 description: Name of the group.
- flat_name: process.session_leader.saved_user.group.name
+ flat_name: process.saved_group.name
 ignore_above: 1024
 level: extended
 name: name
@@ -60982,653 +15720,464 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.session_leader.saved_user.hash: - dashed_name: process-session-leader-saved-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.saved_user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword - process.session_leader.saved_user.id: - dashed_name: process-session-leader-saved-user-id + process.saved_user.id: + dashed_name: process-saved-user-id description: Unique identifier of the user. example: S-1-5-21-202424912787-2692429404-2351956786-1000 - flat_name: process.session_leader.saved_user.id + flat_name: process.saved_user.id ignore_above: 1024 level: core name: id normalize: [] original_fieldset: user + otel: + - relation: match + stability: development short: Unique identifier of the user. type: keyword - process.session_leader.saved_user.name: - dashed_name: process-session-leader-saved-user-name + process.saved_user.name: + dashed_name: process-saved-user-name description: Short name or login of the user. example: a.einstein - flat_name: process.session_leader.saved_user.name + flat_name: process.saved_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.saved_user.name.text + - flat_name: process.saved_user.name.text name: text type: match_only_text name: name normalize: [] original_fieldset: user + otel: + - relation: match + stability: development short: Short name or login of the user. 
type: keyword - process.session_leader.saved_user.risk.calculated_level: - dashed_name: process-session-leader-saved-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.saved_user.risk.calculated_level + process.session_leader.args: + dashed_name: process-session-leader-args + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]' + flat_name: process.session_leader.args ignore_above: 1024 level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. + name: args + normalize: + - array + original_fieldset: process + short: Array of process arguments. type: keyword - process.session_leader.saved_user.risk.calculated_score: - dashed_name: process-session-leader-saved-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.saved_user.risk.calculated_score + process.session_leader.args_count: + dashed_name: process-session-leader-args-count + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + flat_name: process.session_leader.args_count level: extended - name: calculated_score + name: args_count normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. 
- type: float - process.session_leader.saved_user.risk.calculated_score_norm: - dashed_name: process-session-leader-saved-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.saved_user.risk.calculated_score_norm + original_fieldset: process + short: Length of the process.args array. + type: long + process.session_leader.command_line: + dashed_name: process-session-leader-command-line + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.session_leader.command_line level: extended - name: calculated_score_norm + multi_fields: + - flat_name: process.session_leader.command_line.text + name: text + type: match_only_text + name: command_line normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.session_leader.saved_user.risk.static_level: - dashed_name: process-session-leader-saved-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.saved_user.risk.static_level + original_fieldset: process + short: Full command line that started the process. + type: wildcard + process.session_leader.entity_id: + dashed_name: process-session-leader-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.entity_id ignore_above: 1024 level: extended - name: static_level + name: entity_id normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. + original_fieldset: process + short: Unique identifier for the process. type: keyword - process.session_leader.saved_user.risk.static_score: - dashed_name: process-session-leader-saved-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.saved_user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.saved_user.risk.static_score_norm: - dashed_name: process-session-leader-saved-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.saved_user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.saved_user.roles: - dashed_name: process-session-leader-saved-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.saved_user.roles + process.session_leader.executable: + dashed_name: process-session-leader-executable + description: Absolute path to the process executable. + example: /usr/bin/ssh + flat_name: process.session_leader.executable ignore_above: 1024 level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword - process.session_leader.start: - dashed_name: process-session-leader-start - description: The time the process started. - example: '2016-05-23T08:05:34.853Z' - flat_name: process.session_leader.start - level: extended - name: start + multi_fields: + - flat_name: process.session_leader.executable.text + name: text + type: match_only_text + name: executable normalize: [] original_fieldset: process - short: The time the process started. - type: date - process.session_leader.supplemental_groups.domain: - dashed_name: process-session-leader-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.supplemental_groups.domain + short: Absolute path to the process executable. + type: keyword + process.session_leader.group.id: + dashed_name: process-session-leader-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.group.id ignore_above: 1024 level: extended - name: domain + name: id normalize: [] original_fieldset: group - short: Name of the directory the group is a member of. + short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.supplemental_groups.id: - dashed_name: process-session-leader-supplemental-groups-id - description: Unique identifier for the group on the system/platform. 
- flat_name: process.session_leader.supplemental_groups.id + process.session_leader.group.name: + dashed_name: process-session-leader-group-name + description: Name of the group. + flat_name: process.session_leader.group.name ignore_above: 1024 level: extended - name: id + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + process.session_leader.interactive: + dashed_name: process-session-leader-interactive + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + flat_name: process.session_leader.interactive + level: extended + name: interactive normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.session_leader.supplemental_groups.name: - dashed_name: process-session-leader-supplemental-groups-name - description: Name of the group. - flat_name: process.session_leader.supplemental_groups.name + original_fieldset: process + short: Whether the process is connected to an interactive shell. + type: boolean + process.session_leader.name: + dashed_name: process-session-leader-name + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh + flat_name: process.session_leader.name ignore_above: 1024 level: extended + multi_fields: + - flat_name: process.session_leader.name.text + name: text + type: match_only_text name: name normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.session_leader.thread.capabilities.effective: - dashed_name: process-session-leader-thread-capabilities-effective - description: This is the set of capabilities used by the kernel to perform permission - checks for the thread. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.thread.capabilities.effective - ignore_above: 1024 - level: extended - name: thread.capabilities.effective - normalize: - - array original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities used for permission checks. - synthetic_source_keep: none + short: Process name. type: keyword - process.session_leader.thread.capabilities.permitted: - dashed_name: process-session-leader-thread-capabilities-permitted - description: This is a limiting superset for the effective capabilities that - the thread may assume. - example: '["CAP_BPF", "CAP_SYS_ADMIN"]' - flat_name: process.session_leader.thread.capabilities.permitted + process.session_leader.parent.entity_id: + dashed_name: process-session-leader-parent-entity-id + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + flat_name: process.session_leader.parent.entity_id ignore_above: 1024 level: extended - name: thread.capabilities.permitted - normalize: - - array + name: entity_id + normalize: [] original_fieldset: process - pattern: ^(CAP_[A-Z_]+|\d+)$ - short: Array of capabilities a thread could assume. - synthetic_source_keep: none + short: Unique identifier for the process. type: keyword - process.session_leader.thread.id: - dashed_name: process-session-leader-thread-id - description: Thread ID. + process.session_leader.parent.pid: + dashed_name: process-session-leader-parent-pid + description: Process id. example: 4242 - flat_name: process.session_leader.thread.id + flat_name: process.session_leader.parent.pid format: string - level: extended - name: thread.id + level: core + name: pid normalize: [] original_fieldset: process - short: Thread ID. + short: Process id. type: long - process.session_leader.thread.name: - dashed_name: process-session-leader-thread-name - description: Thread name. - example: thread-0 - flat_name: process.session_leader.thread.name - ignore_above: 1024 - level: extended - name: thread.name - normalize: [] - original_fieldset: process - short: Thread name. - type: keyword - process.session_leader.title: - dashed_name: process-session-leader-title - description: 'Process title. + process.session_leader.parent.session_leader.entity_id: + dashed_name: process-session-leader-parent-session-leader-entity-id + description: 'Unique identifier for the process. - The proctitle, some times the same as process name. Can also be different: - for example a browser setting its title to the web page currently opened.' - flat_name: process.session_leader.title + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. 
+ + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + flat_name: process.session_leader.parent.session_leader.entity_id ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.title.text - name: text - type: match_only_text - name: title + name: entity_id normalize: [] original_fieldset: process - short: Process title. + short: Unique identifier for the process. type: keyword - process.session_leader.tty: - dashed_name: process-session-leader-tty - description: Information about the controlling TTY device. If set, the process - belongs to an interactive session. - flat_name: process.session_leader.tty - level: extended - name: tty + process.session_leader.parent.session_leader.pid: + dashed_name: process-session-leader-parent-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.parent.session_leader.pid + format: string + level: core + name: pid normalize: [] original_fieldset: process - short: Information about the controlling TTY device. - type: object - process.session_leader.tty.char_device.major: - dashed_name: process-session-leader-tty-char-device-major - description: The major number identifies the driver associated with the device. - The character device's major and minor numbers can be algorithmically combined - to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". - For more details, please refer to the Linux kernel documentation. - example: 4 - flat_name: process.session_leader.tty.char_device.major + short: Process id. + type: long + process.session_leader.parent.session_leader.start: + dashed_name: process-session-leader-parent-session-leader-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.session_leader.start level: extended - name: tty.char_device.major + name: start normalize: [] original_fieldset: process - short: The TTY character device's major number. - type: long - process.session_leader.tty.char_device.minor: - dashed_name: process-session-leader-tty-char-device-minor - description: The minor number is used only by the driver specified by the major - number; other parts of the kernel don’t use it, and merely pass it along to - the driver. It is common for a driver to control several devices; the minor - number provides a way for the driver to differentiate among them. - example: 1 - flat_name: process.session_leader.tty.char_device.minor - level: extended - name: tty.char_device.minor + short: The time the process started. + type: date + process.session_leader.parent.session_leader.vpid: + dashed_name: process-session-leader-parent-session-leader-vpid + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.parent.session_leader.vpid + format: string + level: core + name: vpid normalize: [] original_fieldset: process - short: The TTY character device's minor number. + short: Virtual process id. type: long - process.session_leader.tty.columns: - dashed_name: process-session-leader-tty-columns - description: 'The number of character columns per line. e.g terminal width - - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 80 - flat_name: process.session_leader.tty.columns + process.session_leader.parent.start: + dashed_name: process-session-leader-parent-start + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.parent.start level: extended - name: tty.columns + name: start normalize: [] original_fieldset: process - short: The number of character columns per line. e.g terminal width - type: long - process.session_leader.tty.rows: - dashed_name: process-session-leader-tty-rows - description: 'The number of character rows in the terminal. e.g terminal height + short: The time the process started. + type: date + process.session_leader.parent.vpid: + dashed_name: process-session-leader-parent-vpid + description: 'Virtual process id. - Terminal sizes can change, so this value reflects the maximum value for a - given IO event. i.e. where event.action = ''text_output''' - example: 24 - flat_name: process.session_leader.tty.rows - level: extended - name: tty.rows + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + flat_name: process.session_leader.parent.vpid + format: string + level: core + name: vpid normalize: [] original_fieldset: process - short: The number of character rows in the terminal. e.g terminal height + short: Virtual process id. type: long - process.session_leader.uptime: - dashed_name: process-session-leader-uptime - description: Seconds the process has been up. - example: 1325 - flat_name: process.session_leader.uptime - level: extended - name: uptime + process.session_leader.pid: + dashed_name: process-session-leader-pid + description: Process id. + example: 4242 + flat_name: process.session_leader.pid + format: string + level: core + name: pid normalize: [] original_fieldset: process - short: Seconds the process has been up. + otel: + - relation: match + stability: development + short: Process id. 
type: long - process.session_leader.user.domain: - dashed_name: process-session-leader-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.session_leader.user.email: - dashed_name: process-session-leader-user-email - description: User email address. - flat_name: process.session_leader.user.email + process.session_leader.real_group.id: + dashed_name: process-session-leader-real-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.real_group.id ignore_above: 1024 level: extended - name: email + name: id normalize: [] - original_fieldset: user - short: User email address. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.session_leader.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.session_leader.user.entity.behavior: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.session_leader.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.session_leader.user.entity.display_name + process.session_leader.real_group.name: + dashed_name: process-session-leader-real-group-name + description: Name of the group. + flat_name: process.session_leader.real_group.name ignore_above: 1024 level: extended - multi_fields: - - flat_name: process.session_leader.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name + name: name normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. + original_fieldset: group + short: Name of the group. type: keyword - process.session_leader.user.entity.id: - dashed_name: process-session-leader-user-entity-id - description: 'A unique identifier for the entity. 
When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.session_leader.user.entity.id + process.session_leader.real_user.id: + dashed_name: process-session-leader-real-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.real_user.id ignore_above: 1024 level: core name: id normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.session_leader.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.session_leader.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.session_leader.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.session_leader.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.session_leader.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.session_leader.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.session_leader.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: process.session_leader.user.entity.name + process.session_leader.real_user.name: + dashed_name: process-session-leader-real-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.real_user.name ignore_above: 1024 level: core multi_fields: - - flat_name: process.session_leader.user.entity.name.text + - flat_name: process.session_leader.real_user.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] - original_fieldset: entity - short: The name of the entity. + original_fieldset: user + short: Short name or login of the user. 
type: keyword - process.session_leader.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.session_leader.user.entity.raw + process.session_leader.same_as_process: + dashed_name: process-session-leader-same-as-process + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + flat_name: process.session_leader.same_as_process level: extended - name: raw + name: same_as_process normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.session_leader.user.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: process-session-leader-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.session_leader.user.entity.reference + original_fieldset: process + short: This boolean is used to identify if a leader process is the same as the + top level process. + type: boolean + process.session_leader.saved_group.id: + dashed_name: process-session-leader-saved-group-id + description: Unique identifier for the group on the system/platform. + flat_name: process.session_leader.saved_group.id ignore_above: 1024 level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.session_leader.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.session_leader.user.entity.source - ignore_above: 1024 - level: core - name: source + name: id normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. + original_fieldset: group + short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. 
`hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.session_leader.user.entity.sub_type + process.session_leader.saved_group.name: + dashed_name: process-session-leader-saved-group-name + description: Name of the group. + flat_name: process.session_leader.saved_group.name ignore_above: 1024 level: extended - name: sub_type + name: name normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. + original_fieldset: group + short: Name of the group. type: keyword - process.session_leader.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. 
Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. 
- name: session - beta: This field is beta and subject to change. - dashed_name: process-session-leader-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.session_leader.user.entity.type + process.session_leader.saved_user.id: + dashed_name: process-session-leader-saved-user-id + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + flat_name: process.session_leader.saved_user.id ignore_above: 1024 level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. type: keyword - process.session_leader.user.full_name: - dashed_name: process-session-leader-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.session_leader.user.full_name + process.session_leader.saved_user.name: + dashed_name: process-session-leader-saved-user-name + description: Short name or login of the user. + example: a.einstein + flat_name: process.session_leader.saved_user.name ignore_above: 1024 - level: extended + level: core multi_fields: - - flat_name: process.session_leader.user.full_name.text + - flat_name: process.session_leader.saved_user.name.text name: text type: match_only_text - name: full_name + name: name normalize: [] original_fieldset: user - short: User's full name, if available. + short: Short name or login of the user. type: keyword - process.session_leader.user.group.domain: - dashed_name: process-session-leader-user-group-domain - description: 'Name of the directory the group is a member of. 
- - For example, an LDAP or Active Directory domain name.' - flat_name: process.session_leader.user.group.domain - ignore_above: 1024 + process.session_leader.start: + dashed_name: process-session-leader-start + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + flat_name: process.session_leader.start level: extended - name: domain + name: start normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.session_leader.user.group.id: - dashed_name: process-session-leader-user-group-id + original_fieldset: process + short: The time the process started. + type: date + process.session_leader.supplemental_groups.id: + dashed_name: process-session-leader-supplemental-groups-id description: Unique identifier for the group on the system/platform. - flat_name: process.session_leader.user.group.id + flat_name: process.session_leader.supplemental_groups.id ignore_above: 1024 level: extended name: id @@ -61636,10 +16185,10 @@ process: original_fieldset: group short: Unique identifier for the group on the system/platform. type: keyword - process.session_leader.user.group.name: - dashed_name: process-session-leader-user-group-name + process.session_leader.supplemental_groups.name: + dashed_name: process-session-leader-supplemental-groups-name description: Name of the group. - flat_name: process.session_leader.user.group.name + flat_name: process.session_leader.supplemental_groups.name ignore_above: 1024 level: extended name: name 
@@ -61647,21 +16196,45 @@ process: original_fieldset: group short: Name of the group. type: keyword - process.session_leader.user.hash: - dashed_name: process-session-leader-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.session_leader.user.hash - ignore_above: 1024 + process.session_leader.tty: + dashed_name: process-session-leader-tty + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + flat_name: process.session_leader.tty level: extended - name: hash + name: tty normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword + original_fieldset: process + short: Information about the controlling TTY device. + type: object + process.session_leader.tty.char_device.major: + dashed_name: process-session-leader-tty-char-device-major + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + flat_name: process.session_leader.tty.char_device.major + level: extended + name: tty.char_device.major + normalize: [] + original_fieldset: process + short: The TTY character device's major number. + type: long + process.session_leader.tty.char_device.minor: + dashed_name: process-session-leader-tty-char-device-minor + description: The minor number is used only by the driver specified by the major + number; other parts of the kernel don’t use it, and merely pass it along to + the driver. 
It is common for a driver to control several devices; the minor + number provides a way for the driver to differentiate among them. + example: 1 + flat_name: process.session_leader.tty.char_device.minor + level: extended + name: tty.char_device.minor + normalize: [] + original_fieldset: process + short: The TTY character device's minor number. + type: long process.session_leader.user.id: dashed_name: process-session-leader-user-id description: Unique identifier of the user. 
@@ -61690,100 +16263,6 @@ process: original_fieldset: user short: Short name or login of the user. type: keyword - process.session_leader.user.risk.calculated_level: - dashed_name: process-session-leader-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.session_leader.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.session_leader.user.risk.calculated_score: - dashed_name: process-session-leader-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.session_leader.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.session_leader.user.risk.calculated_score_norm: - dashed_name: process-session-leader-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.session_leader.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. 
- type: float - process.session_leader.user.risk.static_level: - dashed_name: process-session-leader-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: High - flat_name: process.session_leader.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.session_leader.user.risk.static_score: - dashed_name: process-session-leader-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.session_leader.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.session_leader.user.risk.static_score_norm: - dashed_name: process-session-leader-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.session_leader.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.session_leader.user.roles: - dashed_name: process-session-leader-user-roles - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - flat_name: process.session_leader.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.session_leader.vpid: dashed_name: process-session-leader-vpid description: 'Virtual process id. @@ -61826,19 +16305,6 @@ process: normalize: [] short: The time the process started. type: date - process.supplemental_groups.domain: - dashed_name: process-supplemental-groups-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.supplemental_groups.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword process.supplemental_groups.id: dashed_name: process-supplemental-groups-id description: Unique identifier for the group on the system/platform. 
@@ -62009,351 +16475,6 @@ process: stability: development short: Seconds the process has been up. type: long - process.user.domain: - dashed_name: process-user-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.user.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - process.user.email: - dashed_name: process-user-email - description: User email address. - flat_name: process.user.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - process.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: process.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - process.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. 
- flat_name: process.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - process.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: process.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - process.user.entity.id: - dashed_name: process-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: process.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - process.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. 
- dashed_name: process-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: process.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - process.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: process.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - process.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: process.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - process.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. 
- flat_name: process.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: process.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - process.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: process.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - process.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: process.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - process.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: process-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: process.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - process.user.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: process-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: process.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - process.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. 
Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. 
- name: session - beta: This field is beta and subject to change. - dashed_name: process-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: process.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword - process.user.full_name: - dashed_name: process-user-full-name - description: User's full name, if available. - example: Albert Einstein - flat_name: process.user.full_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: process.user.full_name.text - name: text - type: match_only_text - name: full_name - normalize: [] - original_fieldset: user - short: User's full name, if available. - type: keyword - process.user.group.domain: - dashed_name: process-user-group-domain - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: process.user.group.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: group - short: Name of the directory the group is a member of. - type: keyword - process.user.group.id: - dashed_name: process-user-group-id - description: Unique identifier for the group on the system/platform. - flat_name: process.user.group.id - ignore_above: 1024 - level: extended - name: id - normalize: [] - original_fieldset: group - short: Unique identifier for the group on the system/platform. - type: keyword - process.user.group.name: - dashed_name: process-user-group-name - description: Name of the group. 
- flat_name: process.user.group.name - ignore_above: 1024 - level: extended - name: name - normalize: [] - original_fieldset: group - short: Name of the group. - type: keyword - process.user.hash: - dashed_name: process-user-hash - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - flat_name: process.user.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: user - short: Unique user hash to correlate information for a user in anonymized form. - type: keyword process.user.id: dashed_name: process-user-id description: Unique identifier of the user. 
@@ -62388,100 +16509,6 @@ process: stability: development short: Short name or login of the user. type: keyword - process.user.risk.calculated_level: - dashed_name: process-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: process.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - process.user.risk.calculated_score: - dashed_name: process-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: process.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - process.user.risk.calculated_score_norm: - dashed_name: process-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: process.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - process.user.risk.static_level: - dashed_name: process-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: process.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - process.user.risk.static_score: - dashed_name: process-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: process.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - process.user.risk.static_score_norm: - dashed_name: process-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: process.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float - process.user.roles: - dashed_name: process-user-roles - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - flat_name: process.user.roles - ignore_above: 1024 - level: extended - name: roles - normalize: - - array - original_fieldset: user - short: Array of user roles at the time of the event. - synthetic_source_keep: none - type: keyword process.vpid: dashed_name: process-vpid description: 'Virtual process id. 
@@ -63506,261 +17533,6 @@ server: original_fieldset: user short: User email address. type: keyword - server.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: server.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - server.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: server.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - server.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: server.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: server.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - server.user.entity.id: - dashed_name: server-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: server.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - server.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: server.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - server.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: server.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - server.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: server.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - server.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: server.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: server.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - server.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: server.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - server.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: server.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - server.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: server.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - server.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: server-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: server.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - server.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: server-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: server.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword server.user.full_name: dashed_name: server-user-full-name description: User's full name, if available. 
@@ -63855,86 +17627,6 @@ server: original_fieldset: user short: Short name or login of the user. type: keyword - server.user.risk.calculated_level: - dashed_name: server-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: server.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - server.user.risk.calculated_score: - dashed_name: server-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: server.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - server.user.risk.calculated_score_norm: - dashed_name: server-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: server.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - server.user.risk.static_level: - dashed_name: server-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: server.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - server.user.risk.static_score: - dashed_name: server-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: server.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - server.user.risk.static_score_norm: - dashed_name: server-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: server.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float server.user.roles: dashed_name: server-user-roles description: Array of user roles at the time of the event. 
@@ -63989,261 +17681,6 @@ service: normalize: [] short: Address of this service. type: keyword - service.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: service-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: service.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - service.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: service-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: service.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - service.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: service-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: service.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: service.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - service.entity.id: - dashed_name: service-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: service.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - service.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: service-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: service.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - service.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: service-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: service.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - service.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: service-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: service.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - service.entity.name: - beta: This field is beta and subject to change. - dashed_name: service-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: service.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: service.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - service.entity.raw: - beta: This field is beta and subject to change. - dashed_name: service-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: service.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - service.entity.reference: - beta: This field is beta and subject to change. - dashed_name: service-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: service.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - service.entity.source: - beta: This field is beta and subject to change. - dashed_name: service-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: service.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - service.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: service-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: service.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. 
- type: keyword - service.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. 
- name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: service-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: service.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword service.environment: beta: This field is beta and subject to change. dashed_name: service-environment 
@@ -64407,261 +17844,6 @@ service: original_fieldset: service short: Address of this service. type: keyword - service.origin.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: service.origin.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - service.origin.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: service.origin.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - service.origin.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: service.origin.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: service.origin.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - service.origin.entity.id: - dashed_name: service-origin-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: service.origin.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - service.origin.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: service.origin.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - service.origin.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: service.origin.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - service.origin.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: service.origin.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - service.origin.entity.name: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: service.origin.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: service.origin.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - service.origin.entity.raw: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: service.origin.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - service.origin.entity.reference: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: service.origin.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - service.origin.entity.source: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: service.origin.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - service.origin.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: service.origin.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - service.origin.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: service-origin-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: service.origin.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword service.origin.environment: beta: This field is beta and subject to change. dashed_name: service-origin-environment 
@@ -65769,261 +18951,6 @@ source: original_fieldset: user short: User email address. type: keyword - source.user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: source.user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - source.user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: source.user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - source.user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: source.user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: source.user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - source.user.entity.id: - dashed_name: source-user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: source.user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - source.user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: source.user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - source.user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: source.user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - source.user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: source.user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - source.user.entity.name: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: source.user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: source.user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - source.user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: source.user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - source.user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: source.user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - source.user.entity.source: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: source.user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - source.user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: source-user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: source.user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - source.user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: source-user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: source.user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword source.user.full_name: dashed_name: source-user-full-name description: User's full name, if available. 
@@ -66118,86 +19045,6 @@ source: original_fieldset: user short: Short name or login of the user. type: keyword - source.user.risk.calculated_level: - dashed_name: source-user-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: source.user.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - source.user.risk.calculated_score: - dashed_name: source-user-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: source.user.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - source.user.risk.calculated_score_norm: - dashed_name: source-user-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: source.user.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - source.user.risk.static_level: - dashed_name: source-user-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: source.user.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - source.user.risk.static_score: - dashed_name: source-user-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: source.user.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - source.user.risk.static_score_norm: - dashed_name: source-user-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: source.user.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float source.user.roles: dashed_name: source-user-roles description: Array of user roles at the time of the event. 
@@ -73305,356 +26152,101 @@ url: short: Scheme of the url. type: keyword url.subdomain: - dashed_name: url-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: url.subdomain - ignore_above: 1024 - level: extended - name: subdomain - normalize: [] - otel: - - relation: match - stability: development - short: The subdomain of the domain. - type: keyword - url.top_level_domain: - dashed_name: url-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (https://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: url.top_level_domain - ignore_above: 1024 - level: extended - name: top_level_domain - normalize: [] - otel: - - relation: match - stability: development - short: The effective top level domain (com, org, net, co.uk). - type: keyword - url.username: - dashed_name: url-username - description: Username of the request. - flat_name: url.username - ignore_above: 1024 - level: extended - name: username - normalize: [] - short: Username of the request. - type: keyword - group: 2 - name: url - prefix: url. 
- reusable: - expected: - - as: url - at: threat.indicator - full: threat.indicator.url - - as: url - at: threat.enrichments.indicator - full: threat.enrichments.indicator.url - top_level: true - short: Fields that let you store URLs in various forms. - title: URL - type: group -user: - description: 'The user fields describe information about the user that is relevant - to the event. - - Fields can have one entry or multiple entries. If a user has more than one id, - provide an array that includes all of them.' - fields: - user.changes.domain: - dashed_name: user-changes-domain - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - flat_name: user.changes.domain - ignore_above: 1024 - level: extended - name: domain - normalize: [] - original_fieldset: user - short: Name of the directory the user is a member of. - type: keyword - user.changes.email: - dashed_name: user-changes-email - description: User email address. - flat_name: user.changes.email - ignore_above: 1024 - level: extended - name: email - normalize: [] - original_fieldset: user - short: User email address. - type: keyword - user.changes.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: user.changes.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - user.changes.entity.behavior: - beta: This field is beta and subject to change. 
- dashed_name: user-changes-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: user.changes.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - user.changes.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). - flat_name: user.changes.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: user.changes.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - user.changes.entity.id: - dashed_name: user-changes-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. 
Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: user.changes.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - user.changes.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: user.changes.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - user.changes.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: user.changes.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - user.changes.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: user.changes.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - user.changes.entity.name: - beta: This field is beta and subject to change. 
- dashed_name: user-changes-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: user.changes.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: user.changes.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - user.changes.entity.raw: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: user.changes.entity.raw + dashed_name: url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: url.subdomain + ignore_above: 1024 level: extended - name: raw + name: subdomain normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - user.changes.entity.reference: - beta: This field is beta and subject to change. 
- dashed_name: user-changes-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: user.changes.entity.reference + otel: + - relation: match + stability: development + short: The subdomain of the domain. + type: keyword + url.top_level_domain: + dashed_name: url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (https://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: url.top_level_domain ignore_above: 1024 level: extended - name: reference + name: top_level_domain normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. + otel: + - relation: match + stability: development + short: The effective top level domain (com, org, net, co.uk). type: keyword - user.changes.entity.source: - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: user.changes.entity.source + url.username: + dashed_name: url-username + description: Username of the request. + flat_name: url.username ignore_above: 1024 - level: core - name: source + level: extended + name: username normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. + short: Username of the request. type: keyword - user.changes.entity.sub_type: - beta: This field is beta and subject to change. 
- dashed_name: user-changes-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: user.changes.entity.sub_type + group: 2 + name: url + prefix: url. + reusable: + expected: + - as: url + at: threat.indicator + full: threat.indicator.url + - as: url + at: threat.enrichments.indicator + full: threat.enrichments.indicator.url + top_level: true + short: Fields that let you store URLs in various forms. + title: URL + type: group +user: + description: 'The user fields describe information about the user that is relevant + to the event. + + Fields can have one entry or multiple entries. If a user has more than one id, + provide an array that includes all of them.' + fields: + user.changes.domain: + dashed_name: user-changes-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.changes.domain ignore_above: 1024 level: extended - name: sub_type + name: domain normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. + original_fieldset: user + short: Name of the directory the user is a member of. type: keyword - user.changes.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. 
- name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. 
This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: user-changes-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: user.changes.entity.type + user.changes.email: + dashed_name: user-changes-email + description: User email address. + flat_name: user.changes.email ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. type: keyword user.changes.full_name: dashed_name: user-changes-full-name 
@@ -73750,86 +26342,6 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword - user.changes.risk.calculated_level: - dashed_name: user-changes-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: user.changes.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - user.changes.risk.calculated_score: - dashed_name: user-changes-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.changes.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - user.changes.risk.calculated_score_norm: - dashed_name: user-changes-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: user.changes.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - user.changes.risk.static_level: - dashed_name: user-changes-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.changes.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - user.changes.risk.static_score: - dashed_name: user-changes-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.changes.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - user.changes.risk.static_score_norm: - dashed_name: user-changes-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.changes.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.changes.roles: dashed_name: user-changes-roles description: Array of user roles at the time of the event. 
@@ -73880,261 +26392,6 @@ user: original_fieldset: user short: User email address. type: keyword - user.effective.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: user.effective.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - user.effective.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: user.effective.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - user.effective.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: user.effective.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: user.effective.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - user.effective.entity.id: - dashed_name: user-effective-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: user.effective.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - user.effective.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: user.effective.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - user.effective.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: user.effective.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - user.effective.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: user.effective.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - user.effective.entity.name: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: user.effective.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: user.effective.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - user.effective.entity.raw: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. 
- flat_name: user.effective.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. - type: object - user.effective.entity.reference: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: user.effective.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - user.effective.entity.source: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: user.effective.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - user.effective.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' 
- example: aws_s3_bucket - flat_name: user.effective.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - user.effective.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. 
- name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: user-effective-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' 
- example: host - flat_name: user.effective.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword user.effective.full_name: dashed_name: user-effective-full-name description: User's full name, if available. 
@@ -74229,86 +26486,6 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword - user.effective.risk.calculated_level: - dashed_name: user-effective-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: user.effective.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - user.effective.risk.calculated_score: - dashed_name: user-effective-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.effective.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - user.effective.risk.calculated_score_norm: - dashed_name: user-effective-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: user.effective.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - user.effective.risk.static_level: - dashed_name: user-effective-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.effective.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - user.effective.risk.static_score: - dashed_name: user-effective-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.effective.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - user.effective.risk.static_score_norm: - dashed_name: user-effective-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.effective.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.effective.roles: dashed_name: user-effective-roles description: Array of user roles at the time of the event. 
@@ -74336,261 +26513,6 @@ user: stability: development short: User email address. type: keyword - user.entity.attributes: - beta: This field is beta and subject to change. - dashed_name: user-entity-attributes - description: A set of static or semi-static attributes of the entity. Usually - boolean or keyword field data types. Use this field set when you need to track - static or semi-static characteristics of an entity for advanced searching - and correlation of normalized values across different providers/sources and - entity types. - flat_name: user.entity.attributes - level: extended - name: attributes - normalize: [] - original_fieldset: entity - short: A set of static or semi-static attributes of the entity. - type: object - user.entity.behavior: - beta: This field is beta and subject to change. - dashed_name: user-entity-behavior - description: A set of ephemeral characteristics of the entity, derived from - observed behaviors during a specific time period. Usually boolean field data - type. Use this field set when you need to capture and track ephemeral characteristics - of an entity for advanced searching, correlation of normalized values across - different providers/sources and entity types. - flat_name: user.entity.behavior - level: extended - name: behavior - normalize: [] - original_fieldset: entity - short: A set of ephemeral characteristics of the entity, derived from observed - behaviors during a specific time period. - type: object - user.entity.display_name: - beta: This field is beta and subject to change. - dashed_name: user-entity-display-name - description: An optional field used when a pretty name is desired for entity-centric - operations. This field should not be used for correlation with `*.name` fields - for entities with dedicated field sets (e.g., `host`). 
- flat_name: user.entity.display_name - ignore_above: 1024 - level: extended - multi_fields: - - flat_name: user.entity.display_name.text - name: text - norms: false - type: text - name: display_name - normalize: [] - original_fieldset: entity - short: An optional field used when a pretty name is desired for entity-centric - operations. - type: keyword - user.entity.id: - dashed_name: user-entity-id - description: 'A unique identifier for the entity. When multiple identifiers - exist, this should be the most stable and commonly used identifier that: 1) - persists across the entity''s lifecycle, 2) ensures uniqueness within its - scope, 3) is commonly used for queries and correlation, and 4) is readily - available in most observations (logs/events). For entities with dedicated - field sets (e.g., host, user), this value should match the corresponding *.id - field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved - in the raw field.' - flat_name: user.entity.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: entity - short: Unique identifier for the entity. - type: keyword - user.entity.last_seen_timestamp: - beta: This field is beta and subject to change. - dashed_name: user-entity-last-seen-timestamp - description: Indicates the date/time when this entity was last "seen," usually - based upon the last event/log that is initiated by this entity. - flat_name: user.entity.last_seen_timestamp - level: extended - name: last_seen_timestamp - normalize: [] - original_fieldset: entity - short: Indicates the date/time when this entity was last "seen." - type: date - user.entity.lifecycle: - beta: This field is beta and subject to change. - dashed_name: user-entity-lifecycle - description: A set of temporal characteristics of the entity. Usually date field - data type. 
Use this field set when you need to track temporal characteristics - of an entity for advanced searching and correlation of normalized values across - different providers/sources and entity types. - flat_name: user.entity.lifecycle - level: extended - name: lifecycle - normalize: [] - original_fieldset: entity - short: A set of temporal characteristics of the entity. - type: object - user.entity.metrics: - beta: This field is beta and subject to change. - dashed_name: user-entity-metrics - description: Field set for any fields containing numeric entity metrics. These - use dynamic field data type mapping. - flat_name: user.entity.metrics - level: extended - name: metrics - normalize: [] - original_fieldset: entity - short: Field set for any fields containing numeric entity metrics. - type: object - user.entity.name: - beta: This field is beta and subject to change. - dashed_name: user-entity-name - description: The name of the entity. The keyword field enables exact matches - for filtering and aggregations, while the text field enables full-text search. - For entities with dedicated field sets (e.g., `host`), this field should mirrors - the corresponding *.name value. - flat_name: user.entity.name - ignore_above: 1024 - level: core - multi_fields: - - flat_name: user.entity.name.text - name: text - norms: false - type: text - name: name - normalize: [] - original_fieldset: entity - short: The name of the entity. - type: keyword - user.entity.raw: - beta: This field is beta and subject to change. - dashed_name: user-entity-raw - description: Original, unmodified fields from the source system. Usually flattened - field data type. While the attributes field should be used for normalized - fields requiring advanced queries, this field preserves all source metadata - with basic search capabilities. - flat_name: user.entity.raw - level: extended - name: raw - normalize: [] - original_fieldset: entity - short: Original, unmodified fields from the source system. 
- type: object - user.entity.reference: - beta: This field is beta and subject to change. - dashed_name: user-entity-reference - description: A URI, URL, or other direct reference to access or locate the entity - in its source system. This could be an API endpoint, web console URL, or other - addressable location. Format may vary by entity type and source system. - flat_name: user.entity.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: entity - short: A URI, URL, or other direct reference to access or locate the entity. - type: keyword - user.entity.source: - beta: This field is beta and subject to change. - dashed_name: user-entity-source - description: The module or integration that provided this entity data (similar - to event.module). - flat_name: user.entity.source - ignore_above: 1024 - level: core - name: source - normalize: [] - original_fieldset: entity - short: Source module or integration that provided the entity data. - type: keyword - user.entity.sub_type: - beta: This field is beta and subject to change. - dashed_name: user-entity-sub-type - description: 'The specific type designation for the entity as defined by its - provider or system. This field provides more granular classification than - the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` - would all map to entity type `bucket`. `hardware` , `virtual` , `container` - , `node` , `cloud_instance` would all map to entity type `host`.' - example: aws_s3_bucket - flat_name: user.entity.sub_type - ignore_above: 1024 - level: extended - name: sub_type - normalize: [] - original_fieldset: entity - short: The specific type designation for the entity as defined by its provider - or system. - type: keyword - user.entity.type: - allowed_values: - - description: Represents a storage container or bucket, typically used for - object storage. 
Common examples include AWS S3 buckets, Google Cloud Storage - buckets, Azure Blob containers, and other cloud storage services. Buckets - are used to organize and store files, objects, or data in cloud environments. - name: bucket - - description: Represents a database system or database instance. This includes - relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, - Cassandra, DynamoDB), time-series databases, and other data storage systems. - The entity may represent the entire database system or a specific database - instance. - name: database - - description: Represents a containerized application or process. This includes - Docker containers, Kubernetes pods, and other containerization technologies. - Containers encapsulate applications and their dependencies, providing isolation - and portability across different environments. - name: container - - description: Represents a serverless function or Function-as-a-Service (FaaS) - component. This includes AWS Lambda functions, Azure Functions, Google Cloud - Functions, and other serverless computing resources. Functions are typically - event-driven and execute code without managing the underlying infrastructure. - name: function - - description: Represents a message queue or messaging system. This includes - message brokers, event queues, and other messaging infrastructure components - such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues - facilitate asynchronous communication between applications and services. - name: queue - - description: Represents a computing host or machine. This includes physical - servers, virtual machines, cloud instances, and other computing resources - that can run applications or services. Hosts provide the fundamental computing - infrastructure for other entity types. - name: host - - description: Represents a user account or identity. 
This includes human users, - service accounts, system accounts, and other identity entities that can - interact with systems, applications, or services. Users may have various - roles, permissions, and attributes associated with their identity. - name: user - - description: Represents a software application or service. This includes web - applications, mobile applications, desktop applications, and other software - components that provide functionality to users or other systems. Applications - may run on various infrastructure components and can span multiple hosts - or containers. - name: application - - description: Represents a service or microservice component. This includes - web services, APIs, background services, and other service-oriented architecture - components. Services provide specific functionality and may communicate - with other services to fulfill business requirements. - name: service - - description: Represents a user session or connection session. This includes - user login sessions, database connections, network sessions, and other temporary - interactive or persistent connections between users, applications, or systems. - name: session - beta: This field is beta and subject to change. - dashed_name: user-entity-type - description: 'A standardized high-level classification of the entity. This provides - a normalized way to group similar entities across different providers or systems. - Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, - `user`, `application`, `session`, etc.' - example: host - flat_name: user.entity.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: entity - short: Standardized high-level classification of the entity. - type: keyword user.full_name: dashed_name: user-full-name description: User's full name, if available. 
@@ -75162,86 +27084,6 @@ user: original_fieldset: user short: Short name or login of the user. type: keyword - user.target.risk.calculated_level: - dashed_name: user-target-risk-calculated-level - description: A risk classification level calculated by an internal system as - part of entity analytics and entity risk scoring. - example: High - flat_name: user.target.risk.calculated_level - ignore_above: 1024 - level: extended - name: calculated_level - normalize: [] - original_fieldset: risk - short: A risk classification level calculated by an internal system as part - of entity analytics and entity risk scoring. - type: keyword - user.target.risk.calculated_score: - dashed_name: user-target-risk-calculated-score - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring. - example: 880.73 - flat_name: user.target.risk.calculated_score - level: extended - name: calculated_score - normalize: [] - original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring. - type: float - user.target.risk.calculated_score_norm: - dashed_name: user-target-risk-calculated-score-norm - description: A risk classification score calculated by an internal system as - part of entity analytics and entity risk scoring, and normalized to a range - of 0 to 100. - example: 88.73 - flat_name: user.target.risk.calculated_score_norm - level: extended - name: calculated_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an internal system. - type: float - user.target.risk.static_level: - dashed_name: user-target-risk-static-level - description: A risk classification level obtained from outside the system, such - as from some external Threat Intelligence Platform. 
- example: High - flat_name: user.target.risk.static_level - ignore_above: 1024 - level: extended - name: static_level - normalize: [] - original_fieldset: risk - short: A risk classification level obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: keyword - user.target.risk.static_score: - dashed_name: user-target-risk-static-score - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform. - example: 830.0 - flat_name: user.target.risk.static_score - level: extended - name: static_score - normalize: [] - original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform. - type: float - user.target.risk.static_score_norm: - dashed_name: user-target-risk-static-score-norm - description: A risk classification score obtained from outside the system, such - as from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. - example: 83.0 - flat_name: user.target.risk.static_score_norm - level: extended - name: static_score_norm - normalize: [] - original_fieldset: risk - short: A normalized risk score calculated by an external system. - type: float user.target.roles: dashed_name: user-target-roles description: Array of user roles at the time of the event. diff --git a/generated/elasticsearch/composable/component/client.json b/generated/elasticsearch/composable/component/client.json index f9ede87ca7..08cadb7b8a 100644 --- a/generated/elasticsearch/composable/component/client.json +++ b/generated/elasticsearch/composable/component/client.json 
@@ -131,68 +131,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "full_name": { "fields": { "text": { @@ -235,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json index df3356be92..0c7f16bc49 100644 --- a/generated/elasticsearch/composable/component/cloud.json +++ b/generated/elasticsearch/composable/component/cloud.json 
@@ -24,68 +24,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "instance": { "properties": { "id": { @@ -124,68 +62,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "instance": { "properties": { "id": { 
diff --git a/generated/elasticsearch/composable/component/destination.json b/generated/elasticsearch/composable/component/destination.json index 2d870fa6e9..12d0c9d349 100644 --- a/generated/elasticsearch/composable/component/destination.json +++ b/generated/elasticsearch/composable/component/destination.json @@ -131,68 +131,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "full_name": { "fields": { "text": { @@ -235,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/component/entity.json b/generated/elasticsearch/composable/component/entity.json deleted file mode 100644 index e1ff7943b9..0000000000 
--- a/generated/elasticsearch/composable/component/entity.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-entity.html", - "ecs_version": "9.3.0-dev" - }, - "template": { - "mappings": { - "properties": { - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } -} diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 4819b2d16b..a2b964c83c 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json 
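Review bot: Deleting the whole generated `entity.json` component template, together with the `user.entity.*`, `user.effective.risk.*` and `user.target.risk.*` removals in the preceding YAML hunks and the `process.attested_user`, `process.attested_groups` and `process.endpoint_security_client` removals in the process.json hunks that follow, looks like the generator was run against a stale base rather than an intended change, since none of these field sets appear related to the gen_ai fields this series adds. If that is the case, rebasing and regenerating so the diff carries only the gen_ai artifacts would avoid silently dropping the entity and risk-scoring mappings that entity analytics and detection content rely on. If the removal is deliberate, the commit message should state it and the regenerated output should be checked against the source schema definitions to confirm those fields were actually removed there too.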
@@ -15,167 +15,6 @@ "args_count": { "type": "long" }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, "code_signature": { "properties": { "digest_algorithm": { @@ -377,9 +216,6 @@ "end": { "type": "date" }, - "endpoint_security_client": { - "type": "boolean" - }, "entity_id": { "ignore_above": 1024, "type": "keyword" @@ -395,14 +231,6 @@ }, "attested_groups": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, "name": { "ignore_above": 1024, "type": "keyword" @@ -411,77 +239,11 @@ }, "attested_user": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { + "name": { "fields": { "text": { "type": "match_only_text" 
@@ -489,407 +251,276 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "group": { + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "ip": { + "type": "ip" } } }, - "hash": { + "type": { "ignore_above": 1024, "type": "keyword" - }, + } + } + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" }, "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "risk": { + "pid": { + "type": "long" + }, + "session_leader": { "properties": { - "calculated_level": { + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" + "pid": { + "type": "long" }, - "static_score": { - "type": "float" + "start": { + "type": "date" }, - "static_score_norm": { - "type": "float" + "vpid": { + "type": "long" } } }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" + "start": { + "type": "date" + }, + "vpid": { + "type": "long" } } }, - "code_signature": { + "pid": { + "type": "long" + }, + "real_group": { "properties": { - 
"digest_algorithm": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "exists": { - "type": "boolean" - }, - "flags": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "signing_id": { + } + } + }, + "real_user": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "status": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "subject_name": { + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "team_id": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" } } }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { + "saved_user": { "properties": { - "architecture": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "byte_order": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "cpu_type": { + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { + } + } + }, + "tty": { + "properties": { + "char_device": { "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { + "major": { "type": "long" }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "minor": { + "type": "long" } } - }, - "import_hash": { + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "name": { + "fields": { + "text": { + "type": "match_only_text" } }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { "ignore_above": 1024, "type": "keyword" } } }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" + "vpid": { + "type": "long" }, - "entity_id": { + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" } - } + }, + "type": "wildcard" }, - "env_vars": { + "entity_id": { "ignore_above": 1024, - "synthetic_source_keep": "none", "type": "keyword" }, "executable": { @@ -901,15 +532,35 @@ "ignore_above": 1024, "type": "keyword" }, - "exit_code": { - "type": "long" - }, "group": { "properties": { - "domain": { + "id": { "ignore_above": 1024, "type": "keyword" }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" 
@@ -920,136 +571,106 @@ } } }, - "hash": { + "real_user": { "properties": { - "cdhash": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "md5": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "sha1": { + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "sha256": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "sha384": { + } + } + }, + "saved_user": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "sha512": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "ssdeep": { + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "tlsh": { + "name": { "ignore_above": 1024, "type": "keyword" } } }, - "interactive": { - "type": "boolean" - }, - "io": { + "tty": { "properties": { - "bytes_skipped": { + "char_device": { "properties": { - "length": { + "major": { "type": "long" }, - "offset": { + "minor": { "type": "long" } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + } } }, "type": "object" }, - "macho": { + "user": { "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": 
"long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "name": { + "fields": { + "text": { + "type": "match_only_text" } }, - "type": "nested" - }, - "symhash": { "ignore_above": 1024, "type": "keyword" } } }, - "name": { + "vpid": { + "type": "long" + }, + "working_directory": { "fields": { "text": { "type": "match_only_text" 
@@ -1057,13895 +678,616 @@ }, "ignore_above": 1024, "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" }, - "origin_referrer_url": { - "ignore_above": 8192, + "md5": { + "ignore_above": 1024, "type": "keyword" }, - "origin_url": { - "ignore_above": 8192, + "sha1": { + "ignore_above": 1024, "type": "keyword" }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - 
}, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - 
"ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 
1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 
1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - 
"shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": 
"keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - 
"var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - 
}, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - 
"domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - 
"domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - 
"synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 
1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - 
"go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" 
- }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 
1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - 
"thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 
1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - 
"display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - 
"type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - 
}, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - 
"go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - 
"ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - 
}, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" 
- }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": 
{ - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 
1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - 
"type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - 
"type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - 
"ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - 
"type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - 
"ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - 
"raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": 
"keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - 
"ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - 
"go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": 
"long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - 
"type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - 
"type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - 
"type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 
1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - 
"static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" 
- }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" 
- }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": 
{ - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - 
"synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - 
"ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "responsible": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 
1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 
1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - 
}, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } 
- }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 
1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 
1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } + "sha256": { + "ignore_above": 1024, + "type": "keyword" }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } + "sha384": { + "ignore_above": 1024, + "type": "keyword" }, - "interactive": { - "type": "boolean" + "sha512": { + "ignore_above": 1024, + "type": "keyword" }, - "io": { + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { + "length": { "type": "long" }, - "total_bytes_skipped": { + "offset": { "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } }, "type": "object" }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } + 
"max_bytes_per_process_exceeded": { + "type": "boolean" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { "ignore_above": 1024, "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, "type": "keyword" }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" + "go_imports": { + "type": "flattened" }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": 
"keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": 
{ + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" + "name": { + "ignore_above": 1024, + "type": "keyword" }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, 
- "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } + "physical_size": { + "type": "long" }, - "end": { - "type": "date" + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "endpoint_security_client": { + "exists": { "type": "boolean" }, - "entity_id": { + "flags": { "ignore_above": 1024, "type": "keyword" }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } + "signing_id": { + "ignore_above": 1024, + "type": "keyword" }, - "env_vars": { + "status": { "ignore_above": 1024, - "synthetic_source_keep": "none", "type": "keyword" }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "subject_name": { "ignore_above": 1024, "type": "keyword" }, - "exit_code": { - "type": "long" + "team_id": { + "ignore_above": 1024, + "type": "keyword" }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } + "timestamp": { + "type": "date" }, - "interactive": { + "trusted": { "type": "boolean" }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - 
"ignore_above": 1024, - "type": "keyword" - } - } + "byte_order": { + "ignore_above": 1024, + "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "cpu_type": { "ignore_above": 1024, "type": "keyword" }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" + "go_stripped": { + "type": "boolean" }, - "pe": { + "header": { "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { + "abi_version": { "ignore_above": 1024, "type": "keyword" }, - "file_version": { + "class": { "ignore_above": 1024, "type": "keyword" }, - "go_import_hash": { + "data": { "ignore_above": 1024, "type": "keyword" }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { + "entrypoint": { "type": "long" }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { + "object_version": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { + "os_abi": { "ignore_above": 1024, "type": "keyword" }, - "pehash": { + "type": { "ignore_above": 1024, "type": "keyword" }, - "product": { + "version": { "ignore_above": 1024, "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" } } }, - "pid": { + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { "type": "long" }, - "platform_binary": { - "type": "boolean" + "imports_names_var_entropy": { + "type": "long" }, - "real_group": { + "sections": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" + "chi2": { + "type": "long" }, - "id": { - "ignore_above": 1024, - "type": "keyword" + "entropy": { + "type": "long" }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { + "flags": { "ignore_above": 1024, "type": "keyword" }, - "email": { + "name": { "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "physical_offset": { "ignore_above": 1024, "type": "keyword" }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" + "physical_size": { + "type": "long" }, - "id": { + "type": { "ignore_above": 1024, "type": "keyword" }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" + "var_entropy": { + "type": "long" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } + "virtual_address": { + "type": "long" }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" + "virtual_size": { + "type": "long" } - } - }, - "same_as_process": { - "type": "boolean" + }, + "type": "nested" }, - "saved_group": { + "segments": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { + "sections": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "type": { "ignore_above": 1024, "type": "keyword" } - } + }, + "type": "nested" }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - 
"text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" }, - "session_leader": { + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": 
{ + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": 
"object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - 
"flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - 
"chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { + "entropy": { "type": "long" }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - 
"offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, "ignore_above": 1024, "type": "keyword" }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - 
"type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { + "physical_size": { "type": "long" }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": 
{ - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { + "var_entropy": { "type": "long" }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { + "virtual_size": { "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" } - } + }, + "type": "nested" }, - "start": { - "type": "date" + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + 
"imports_names_entropy": { + "type": "long" }, - "supplemental_groups": { + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" + "entropy": { + "type": "long" }, "name": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } }, - "id": { + "physical_size": { "type": "long" }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" } - } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "title": { + "name": { "fields": { "text": { "type": "match_only_text" 
@@ -14953,288 +1295,335 @@ }, "ignore_above": 1024, "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" } }, - "type": "object" - }, - "uptime": { - "type": "long" + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, 
- "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { "ignore_above": 1024, + "synthetic_source_keep": "none", "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { + "permitted": { "ignore_above": 1024, "synthetic_source_keep": "none", "type": "keyword" } } }, - "vpid": { + "id": { "type": "long" }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "name": { "ignore_above": 1024, "type": "keyword" } } }, - "pe": { + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - 
"go_import_hash": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { "type": "long" }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { + "name": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { + "physical_size": { "type": "long" }, - "imports_names_var_entropy": { + "var_entropy": { "type": "long" }, - "original_file_name": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" } - } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "pid": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { "type": "long" }, - "platform_binary": { - "type": "boolean" + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" }, - "real_group": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + 
"fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -15245,160 +1634,57 @@ } } }, - "real_user": { + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { "properties": { - "domain": { + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "email": { - "ignore_above": 1024, - "type": "keyword" + "pid": { + "type": "long" }, - "entity": { + "session_leader": { "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "id": { - "ignore_above": 1024, - "type": "keyword" + "pid": { + "type": "long" }, - "last_seen_timestamp": { + "start": { "type": "date" }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "vpid": { + "type": "long" } } }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - 
"calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } + "start": { + "type": "date" }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" + "vpid": { + "type": "long" } } }, - "same_as_process": { - "type": "boolean" + "pid": { + "type": "long" }, - "saved_group": { + "real_group": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -15406,110 +1692,11 @@ "name": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, + } + } + }, + "real_user": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" 
@@ -15522,75 +1709,49 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, - "start": { - "type": "date" + "same_as_process": { + "type": "boolean" }, - "supplemental_groups": { + "saved_group": { "properties": { - "domain": { + "id": { "ignore_above": 1024, "type": "keyword" }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" }, "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" } } }, - "thread": { + "start": { + "type": "date" + }, + "supplemental_groups": { "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, "id": { - "type": "long" + "ignore_above": 1024, + "type": "keyword" }, "name": { "ignore_above": 1024, @@ -15598,15 +1759,6 @@ } } }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, "tty": { "properties": { "char_device": { 
@@ -15618,120 +1770,12 @@ "type": "long" } } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" } }, "type": "object" }, - "uptime": { - "type": "long" - }, "user": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -15744,35 +1788,6 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, @@ -15795,10 +1810,6 @@ }, "supplemental_groups": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -15869,105 +1880,6 @@ }, "user": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -15980,35 +1892,6 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, diff --git a/generated/elasticsearch/composable/component/server.json b/generated/elasticsearch/composable/component/server.json index b9948f86cd..76d7be670f 100644 --- a/generated/elasticsearch/composable/component/server.json +++ b/generated/elasticsearch/composable/component/server.json @@ -131,68 +131,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "full_name": { "fields": { "text": { 
@@ -235,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json index 14056a5bbb..1aa2d9117c 100644 --- a/generated/elasticsearch/composable/component/service.json +++ b/generated/elasticsearch/composable/component/service.json @@ -12,68 +12,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "environment": { "ignore_above": 1024, "type": "keyword" 
@@ -113,68 +51,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "environment": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/source.json b/generated/elasticsearch/composable/component/source.json index 54c659611a..fbdd349235 100644 --- a/generated/elasticsearch/composable/component/source.json +++ b/generated/elasticsearch/composable/component/source.json 
@@ -131,68 +131,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "full_name": { "fields": { "text": { @@ -235,30 +173,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index 99363df10d..affa8f0284 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json 
@@ -18,68 +18,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "full_name": { "fields": { "text": { @@ -122,30 +60,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -167,68 +81,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "full_name": { "fields": { "text": { @@ -271,30 +123,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -306,68 +134,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "full_name": { "fields": { "text": { @@ -553,30 +319,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index 93c5b4aae8..ce90e997d0 100644 --- a/generated/elasticsearch/composable/template.json +++ b/generated/elasticsearch/composable/template.json @@ -4,8 +4,8 @@ "ecs_version": "9.3.0-dev" }, "composed_of": [ - "ecs_9.3.0-dev_agent", "ecs_9.3.0-dev_base", + "ecs_9.3.0-dev_agent", "ecs_9.3.0-dev_client", "ecs_9.3.0-dev_cloud", "ecs_9.3.0-dev_container", 
@@ -16,7 +16,6 @@ "ecs_9.3.0-dev_dns", "ecs_9.3.0-dev_ecs", "ecs_9.3.0-dev_email", - "ecs_9.3.0-dev_entity", "ecs_9.3.0-dev_error", "ecs_9.3.0-dev_event", "ecs_9.3.0-dev_faas", @@ -42,8 +41,8 @@ "ecs_9.3.0-dev_tls", "ecs_9.3.0-dev_tracing", "ecs_9.3.0-dev_url", - "ecs_9.3.0-dev_user", "ecs_9.3.0-dev_user_agent", + "ecs_9.3.0-dev_user", "ecs_9.3.0-dev_volume", "ecs_9.3.0-dev_vulnerability" ], diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index faa937942c..cb2dbd54ed 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -179,68 +179,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "full_name": { "fields": { "text": { 
@@ -283,30 +221,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", @@ -334,68 +248,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "instance": { "properties": { "id": { 
@@ -434,68 +286,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "instance": { "properties": { "id": { 
@@ -943,80 +733,18 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { + "domain": { "ignore_above": 1024, "type": "keyword" }, @@ -1047,30 +775,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -1562,68 +1266,6 @@ } } }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "error": { "properties": { "code": { 
@@ -3405,167 +3047,6 @@ "args_count": { "type": "long" }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, "code_signature": { "properties": { "digest_algorithm": { @@ -3767,9 +3248,6 @@ "end": { "type": "date" }, - "endpoint_security_client": { - "type": "boolean" - }, "entity_id": { "ignore_above": 1024, "type": "keyword" @@ -3785,14 +3263,6 @@ }, "attested_groups": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, "name": { "ignore_above": 1024, "type": "keyword" 
@@ -3801,105 +3271,132 @@ }, "attested_user": { "properties": { - "domain": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "email": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "entity": { + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "ip": { + "type": "ip" } } }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "group": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + 
}, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { "properties": { - "domain": { + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "id": { - "ignore_above": 1024, - "type": "keyword" + "pid": { + "type": "long" }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "start": { + "type": "date" + }, + "vpid": { + "type": "long" } } }, - "hash": { + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" 
@@ -3912,534 +3409,300 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, - "code_signature": { + "same_as_process": { + "type": "boolean" + }, + "saved_group": { "properties": { - "digest_algorithm": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "exists": { - "type": "boolean" - }, - "flags": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "signing_id": { + } + } + }, + "saved_user": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "status": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "subject_name": { + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "team_id": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" } } }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } } }, - "type": "wildcard" + "type": "object" }, - "elf": { + "user": { "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "cpu_type": { + "name": { + "fields": { 
+ "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "synthetic_source_keep": "none", + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { + "name": { "ignore_above": 1024, "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "telfhash": { + "name": { "ignore_above": 1024, "type": "keyword" } } }, - "end": { - "type": "date" + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } }, - "endpoint_security_client": { + "same_as_process": { "type": "boolean" }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": 
"keyword" + } + } }, - "entry_meta": { + "saved_user": { "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - 
} - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" }, "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" } } }, - "hash": { + "start": { + "type": "date" + }, + "supplemental_groups": { "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "tlsh": { + "name": { "ignore_above": 1024, "type": "keyword" } } }, - "interactive": { - "type": "boolean" - }, - "io": { + "tty": { "properties": { - "bytes_skipped": { + "char_device": { "properties": { - "length": { + "major": { "type": "long" }, - "offset": { + "minor": { "type": "long" } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + } } }, "type": "object" }, - "macho": { + "user": { "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - 
"imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "name": { + "fields": { + "text": { + "type": "match_only_text" } }, - "type": "nested" - }, - "symhash": { "ignore_above": 1024, "type": "keyword" } } }, - "name": { + "vpid": { + "type": "long" + }, + "working_directory": { "fields": { "text": { "type": "match_only_text" 
@@ -4447,14086 +3710,508 @@ }, "ignore_above": 1024, "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" }, - "origin_referrer_url": { - "ignore_above": 8192, + "md5": { + "ignore_above": 1024, "type": "keyword" }, - "origin_url": { - "ignore_above": 8192, + "sha1": { + "ignore_above": 1024, "type": "keyword" }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } + "name": { + "ignore_above": 1024, + "type": "keyword" }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" + "physical_size": { + "type": "long" }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - 
"object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } + "var_entropy": { + "type": "long" }, - "end": { - "type": "date" + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "endpoint_security_client": { + "exists": { 
"type": "boolean" }, - "entity_id": { + "flags": { "ignore_above": 1024, "type": "keyword" }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { + "signing_id": { "ignore_above": 1024, - "synthetic_source_keep": "none", "type": "keyword" }, - 
"executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "status": { "ignore_above": 1024, "type": "keyword" }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { 
- "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "subject_name": { "ignore_above": 1024, "type": "keyword" }, - "origin_referrer_url": { - "ignore_above": 8192, + "team_id": { + "ignore_above": 1024, "type": "keyword" }, - "origin_url": { - "ignore_above": 8192, + "thumbprint_sha256": { + "ignore_above": 64, "type": "keyword" }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": 
"nested" - } - } - }, - "pid": { - "type": "long" + "timestamp": { + "type": "date" }, - "platform_binary": { + "trusted": { "type": "boolean" }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - 
"risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { + "valid": { "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } 
- }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": 
"object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 
1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - 
"type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - 
"mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - 
"type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - 
"imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - 
"type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": 
"object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, 
- "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, 
- "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" 
- }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - 
} - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": 
false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - 
"static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - 
"city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": 
{ - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": 
{ - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": 
{ - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 
1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", 
- "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - 
"properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - 
"type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, 
- "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - 
"digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - 
"type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - 
"type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { 
- "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" 
- }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": 
"object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - 
"ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } 
- }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - 
"type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - 
"imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": 
"match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 
1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - 
"type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": 
"long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - 
"type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - 
"type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - 
"type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": 
{ - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - 
"synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - 
"calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - 
"type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } 
- }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, 
- "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "responsible": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - 
"fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - 
"abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - 
"name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - 
"text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, 
- "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" 
- }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - 
"metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - 
"saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - 
"roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - 
"fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - 
"abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - 
"name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - 
"text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": 
{ - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - 
"go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 
1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": 
{ - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - 
"type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": 
"keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": 
"float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 
1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - 
"ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - 
}, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, 
- "end": { - "type": "date" - }, - "endpoint_security_client": { - "type": "boolean" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - 
"synthetic_source_keep": "none", - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "type": "wildcard" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - 
}, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flattened" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": 
"long" - }, - "platform_binary": { - "type": "boolean" - }, - "real_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { 
- "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { 
- "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { "type": "date" }, - "supplemental_groups": { + "exports": { + "type": "flattened" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { "properties": { - "domain": { + "abi_version": { "ignore_above": 1024, "type": "keyword" }, - "id": { + "class": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "data": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } }, - "id": { + "entrypoint": { "type": "long" }, - "name": { + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { "ignore_above": 1024, "type": "keyword" } } }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "import_hash": { "ignore_above": 1024, "type": "keyword" }, - "tty": { + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" }, - "columns": { + "virtual_address": { "type": "long" }, - "rows": { + "virtual_size": { "type": "long" } }, - "type": "object" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" }, - "uptime": { + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { "type": "long" }, - "user": { + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" + "entropy": { + "type": "long" }, "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } + "physical_size": { + "type": "long" }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, + "type": "nested" + }, + "symhash": { "ignore_above": 1024, "type": "keyword" } } }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, "pe": { "properties": { "architecture": { 
@@ -18616,126 +4301,133 @@ "pid": { "type": "long" }, - "platform_binary": { - "type": "boolean" - }, "real_group": { "properties": { - "domain": { + "id": { "ignore_above": 1024, "type": "keyword" }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" }, "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" } } }, - "real_user": { + "saved_group": { "properties": { - "domain": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "email": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "entity": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { + "effective": { "ignore_above": 1024, + "synthetic_source_keep": "none", "type": "keyword" 
}, - "type": { + "permitted": { "ignore_above": 1024, + "synthetic_source_keep": "none", "type": "keyword" } } }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "id": { + "type": "long" + }, + "name": { "ignore_above": 1024, "type": "keyword" - }, - "group": { + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" + "major": { + "type": "long" }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "minor": { + "type": "long" } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" 
@@ -18748,47 +4440,222 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, - "same_as_process": { + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flattened" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { "type": "boolean" }, - "saved_group": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { "properties": { - "domain": { + "entropy": { + "type": "long" + }, + "name": { "ignore_above": 1024, "type": "keyword" }, + "physical_size": { + "type": "long" + }, + 
"var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" 
@@ -18799,107 +4666,69 @@ } } }, - "saved_user": { + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { "properties": { - "domain": { + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "email": { - "ignore_above": 1024, - "type": "keyword" + "pid": { + "type": "long" }, - "entity": { + "session_leader": { "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, + "entity_id": { "ignore_above": 1024, "type": "keyword" }, - "id": { - "ignore_above": 1024, - "type": "keyword" + "pid": { + "type": "long" }, - "last_seen_timestamp": { + "start": { "type": "date" }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "vpid": { + "type": "long" } } }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { + "name": { "ignore_above": 1024, "type": "keyword" - }, + } + } + }, + "real_user": { + "properties": { "id": { 
"ignore_above": 1024, "type": "keyword" @@ -18912,75 +4741,49 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, - "start": { - "type": "date" + "same_as_process": { + "type": "boolean" }, - "supplemental_groups": { + "saved_group": { "properties": { - "domain": { + "id": { "ignore_above": 1024, "type": "keyword" }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" }, "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, "ignore_above": 1024, "type": "keyword" } } }, - "thread": { + "start": { + "type": "date" + }, + "supplemental_groups": { "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" - } - } - }, "id": { - "type": "long" + "ignore_above": 1024, + "type": "keyword" }, "name": { "ignore_above": 1024, @@ -18988,15 +4791,6 @@ } } }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, "tty": { "properties": { "char_device": { 
@@ -19004,124 +4798,16 @@ "major": { "type": "long" }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "minor": { + "type": "long" } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, + } + }, + "type": "object" + }, + "user": { + "properties": { "id": { "ignore_above": 1024, "type": "keyword" 
@@ -19134,35 +4820,6 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, @@ -19185,10 +4842,6 @@ }, "supplemental_groups": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -19259,105 +4912,6 @@ }, "user": { "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, "type": "keyword" 
@@ -19370,35 +4924,6 @@ }, "ignore_above": 1024, "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "synthetic_source_keep": "none", - "type": "keyword" } } }, 
@@ -19603,107 +5128,45 @@ }, "mac": { "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"email": { + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { @@ -19747,30 +5210,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", @@ -19786,68 +5225,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "environment": { "ignore_above": 1024, "type": "keyword" 
@@ -19887,68 +5264,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "environment": { "ignore_above": 1024, "type": "keyword" 
@@ -20231,86 +5546,24 @@ "registered_domain": { "ignore_above": 1024, "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" }, "full_name": { "fields": { 
@@ -20354,30 +5607,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", @@ -22745,68 +7974,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "full_name": { "fields": { "text": { @@ -22849,30 +8016,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -22894,68 +8037,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "full_name": { "fields": { "text": { @@ -22998,30 +8079,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", 
@@ -23033,68 +8090,6 @@ "ignore_above": 1024, "type": "keyword" }, - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "full_name": { "fields": { "text": { @@ -23280,30 +8275,6 @@ "ignore_above": 1024, "type": "keyword" }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, "roles": { "ignore_above": 1024, "synthetic_source_keep": "none", From 5f878bdc74a7c2b4a53b15c0b8e376468e410a01 Mon Sep 17 00:00:00 2001 From: susan Date: Wed, 8 Oct 2025 08:57:14 -0400 Subject: [PATCH 09/20] Update examples --- rfcs/text/0052/gen_ai.yaml | 94 +++++++++++++++++++++++++++++++++++--- 1 file changed, 88 insertions(+), 6 deletions(-) diff --git a/rfcs/text/0052/gen_ai.yaml b/rfcs/text/0052/gen_ai.yaml index 95139ffb07..dc331bc50b 100644 --- a/rfcs/text/0052/gen_ai.yaml +++ b/rfcs/text/0052/gen_ai.yaml 
@@ -4,7 +4,11 @@
 - name: system_instructions
 type: flattened
 description: The system message or instructions provided to the GenAI model separately from the chat history.
- example: TODO
+ example: >
+ {
+ "type": "text",
+ "content": "You are an Agent that greet users, always use greetings tool to respond"
+ }
 level: extended
 beta: This field reuse is beta and subject to change.
 otel:
@@ -12,7 +16,39 @@
 - name: input.messages
 type: flattened
 description: The chat history provided to the model as an input.
- example: TODO
+ example: >
+ {
+ "role": "user",
+ "parts": [
+ {
+ "type": "text",
+ "content": "Weather in Paris?"
+ }
+ ]
+ },
+ {
+ "role": "assistant",
+ "parts": [
+ {
+ "type": "tool_call",
+ "id": "call_VSPygqKTWdrhaFErNvMV18Yl",
+ "name": "get_weather",
+ "arguments": {
+ "location": "Paris"
+ }
+ }
+ ]
+ },
+ {
+ "role": "tool",
+ "parts": [
+ {
+ "type": "tool_call_response",
+ "id": " call_VSPygqKTWdrhaFErNvMV18Yl",
+ "result": "rainy, 57°F"
+ }
+ ]
+ }
 level: extended
 beta: This field reuse is beta and subject to change.
 otel:
@@ -20,7 +56,17 @@
 - name: output.messages
 type: flattened
 description: Messages returned by the model where each message represents a specific model response (choice, candidate).
- example: TODO
+ example: >
+ {
+ "role": "assistant",
+ "parts": [
+ {
+ "type": "text",
+ "content": "The weather in Paris is currently rainy with a temperature of 57°F."
+ }
+ ],
+ "finish_reason": "stop"
+ }
 level: extended
 beta: This field reuse is beta and subject to change.
 otel:
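Review bot: In the input.messages example of the second hunk, the tool_call_response id `" call_VSPygqKTWdrhaFErNvMV18Yl"` carries a leading space and so is not equal to the tool_call id `"call_VSPygqKTWdrhaFErNvMV18Yl"` it answers; anyone correlating a tool result with its originating call by id, which is what the example invites, would find no match, and a reference example in a schema RFC should not carry that mismatch. The fix is the one line `"id": "call_VSPygqKTWdrhaFErNvMV18Yl",` in the tool part. The same example lists three top-level objects separated by commas with no enclosing `[` `]`, so the folded scalar is not one parseable JSON value, unlike the single-object examples in the first and third hunks; wrapping the three messages in an array, or showing a single message, would make the three examples consistent with each other.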
@@ -28,7 +74,32 @@
 - name: tool.definitions
 type: nested
 description: The list of source system tool definitions available to the GenAI agent or model.
- example: TODO
+ example: >
+ {
+ "type": "function",
+ "name": "get_current_weather",
+ "description": "Get the current weather in a given location",
+ "parameters": {
+ "type": "object",
+ "properties": {
+ "location": {
+ "type": "string",
+ "description": "The city and state, e.g. San Francisco, CA"
+ },
+ "unit": {
+ "type": "string",
+ "enum": [
+ "celsius",
+ "fahrenheit"
+ ]
+ }
+ },
+ "required": [
+ "location",
+ "unit"
+ ]
+ }
+ }
 level: extended
 beta: This field reuse is beta and subject to change.
 otel:
@@ -36,7 +107,11 @@
 - name: tool.call.arguments
 type: nested
 description: Parameters passed to the tool call.
- example: TODO
+ example: >
+ {
+ "location": "San Francisco?",
+ "date": "2025-10-01"
+ }
 level: extended
 beta: This field reuse is beta and subject to change.
 otel:
@@ -44,7 +119,14 @@
 - name: tool.call.result
 type: flattened
 description: The result returned by the tool call (if any and if execution was successful).
- example: TODO
+ example: >
+ {
+ "temperature_range": {
+ "high": 75,
+ "low": 60
+ },
+ "conditions": "sunny"
+ }
 level: extended
 beta: This field reuse is beta and subject to change.
 otel:
From 8a89add47aa862ff839e1e5ff931eceab82ed445 Mon Sep 17 00:00:00 2001
From: susan
Date: Wed, 8 Oct 2025 10:01:01 -0400
Subject: [PATCH 10/20] Grab doc file from main
---
 docs/reference/ecs-entity.md | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md
index 1cbe67b082..aca767a2e7 100644
--- a/docs/reference/ecs-entity.md
+++ b/docs/reference/ecs-entity.md
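Review bot: The tool.definitions example in the first hunk declares a tool named `get_current_weather` whose required parameters are `location` and `unit`, while the tool.call.arguments example two hunks down passes `location` and `date`, and the input.messages example earlier in this patch calls `get_weather`; the three examples therefore do not describe one tool invocation and cannot be read together as a worked flow, which is what a reader of a field-reuse RFC will try to do. The argument value `"San Francisco?"` also carries a stray question mark. Aligning the arguments with the definition, e.g. `"location": "San Francisco, CA",` and `"unit": "fahrenheit"`, and using one tool name throughout would let the examples for tool.definitions, tool.call.arguments and tool.call.result illustrate the same call and its result.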
@@ -17,17 +17,16 @@ The entity fields provide a standardized way to represent and categorize differe | --- | --- | --- | | $$$field-entity-attributes$$$ [entity.attributes](#field-entity-attributes) | _This field is beta and subject to change._ A set of static or semi-static attributes of the entity. Usually boolean or keyword field data types. Use this field set when you need to track static or semi-static characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | | $$$field-entity-behavior$$$ [entity.behavior](#field-entity-behavior) | _This field is beta and subject to change._ A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period. Usually boolean field data type. Use this field set when you need to capture and track ephemeral characteristics of an entity for advanced searching, correlation of normalized values across different providers/sources and entity types.

type: object | extended | -| $$$field-entity-display-name$$$ [entity.display_name](#field-entity-display-name) | _This field is beta and subject to change._ An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).

type: keyword

Multi-fields:

* entity.display_name.text (type: text) | extended | +| $$$field-entity-display_name$$$ [entity.display_name](#field-entity-display_name) | _This field is beta and subject to change._ An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).

type: keyword

Multi-fields:

* entity.display_name.text (type: match_only_text) | extended | | $$$field-entity-id$$$ [entity.id](#field-entity-id) | A unique identifier for the entity. When multiple identifiers exist, this should be the most stable and commonly used identifier that: 1) persists across the entity's lifecycle, 2) ensures uniqueness within its scope, 3) is commonly used for queries and correlation, and 4) is readily available in most observations (logs/events). For entities with dedicated field sets (e.g., host, user), this value should match the corresponding *.id field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.

type: keyword | core | -| $$$field-entity-last-seen-timestamp$$$ [entity.last_seen_timestamp](#field-entity-last-seen-timestamp) | _This field is beta and subject to change._ Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity.

type: date | extended | +| $$$field-entity-last_seen_timestamp$$$ [entity.last_seen_timestamp](#field-entity-last_seen_timestamp) | _This field is beta and subject to change._ Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity.

type: date | extended | | $$$field-entity-lifecycle$$$ [entity.lifecycle](#field-entity-lifecycle) | _This field is beta and subject to change._ A set of temporal characteristics of the entity. Usually date field data type. Use this field set when you need to track temporal characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | | $$$field-entity-metrics$$$ [entity.metrics](#field-entity-metrics) | _This field is beta and subject to change._ Field set for any fields containing numeric entity metrics. These use dynamic field data type mapping.

type: object | extended | -| $$$field-entity-name$$$ [entity.name](#field-entity-name) | _This field is beta and subject to change._ The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value.

type: keyword

Multi-fields:

* entity.name.text (type: text) | core | +| $$$field-entity-name$$$ [entity.name](#field-entity-name) | _This field is beta and subject to change._ The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value.

type: keyword

Multi-fields:

* entity.name.text (type: match_only_text) | core | | $$$field-entity-raw$$$ [entity.raw](#field-entity-raw) | _This field is beta and subject to change._ Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities.

type: object | extended | | $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.

type: keyword | extended | | $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).

type: keyword | core | -| $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.

type: keyword

example: `aws_s3_bucket` | extended | -| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core | +| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc.

type: keyword

example: `host` | core | ## Field reuse [_field_reuse]
From 47aa573add465410572246efa78915823930f299 Mon Sep 17 00:00:00 2001
From: susan
Date: Thu, 9 Oct 2025 16:04:38 -0400
Subject: [PATCH 11/20] Update field types based on feedback tradeoffs
---
 rfcs/text/0052/gen_ai.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rfcs/text/0052/gen_ai.yaml b/rfcs/text/0052/gen_ai.yaml
index dc331bc50b..806bd06e8e 100644
--- a/rfcs/text/0052/gen_ai.yaml
+++ b/rfcs/text/0052/gen_ai.yaml
@@ -14,7 +14,7 @@
 otel:
 - relation: match
 - name: input.messages
- type: flattened
+ type: nested
 description: The chat history provided to the model as an input.
 example: >
 {
@@ -54,7 +54,7 @@
 otel:
 - relation: match
 - name: output.messages
- type: flattened
+ type: nested
 description: Messages returned by the model where each message represents a specific model response (choice, candidate).
 example: >
 {
@@ -105,7 +105,7 @@
 otel:
 - relation: match
 - name: tool.call.arguments
- type: nested
+ type: flattened
 description: Parameters passed to the tool call.
 example: >
 {
From dc83c9061cfd88c92cb97b34e6958bb9976e4a80 Mon Sep 17 00:00:00 2001
From: susan
Date: Fri, 10 Oct 2025 10:00:52 -0400
Subject: [PATCH 12/20] Change field beta reuse wording
---
 rfcs/text/0052/gen_ai.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/rfcs/text/0052/gen_ai.yaml b/rfcs/text/0052/gen_ai.yaml
index 806bd06e8e..6febb99ab4 100644
--- a/rfcs/text/0052/gen_ai.yaml
+++ b/rfcs/text/0052/gen_ai.yaml
@@ -10,7 +10,7 @@
 "content": "You are an Agent that greet users, always use greetings tool to respond"
 }
 level: extended
- beta: This field reuse is beta and subject to change.
+ beta: This field is beta and subject to change.
 otel:
 - relation: match
 - name: input.messages
@@ -50,7 +50,7 @@
 ]
 }
 level: extended
- beta: This field reuse is beta and subject to change.
+ beta: This field is beta and subject to change.
 otel:
 - relation: match
 - name: output.messages
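Review bot: Switching input.messages and output.messages to `nested` in the first two hunks of patch 11 sets the mapping at the message level only, while each message in this RFC's examples holds a `parts` array of objects; unless `parts` is itself mapped as `nested`, Elasticsearch's default object mapping indexes its members as independent value arrays, so a query combining `parts.type: text` with `parts.name: get_weather` can match a message in which no single part has both values. How sub-fields are mapped is not visible in these hunks, so this is a question for the schema definition rather than a confirmed defect; a comment under each field naming the intended mapping for `parts`, e.g. `# parts[] must be nested as well for per-part correlation`, would settle it. Nested documents also count towards the index's `index.mapping.nested_objects.limit`, which long chat histories could approach, and that tradeoff belongs in the description or the RFC text alongside the type choice.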
@@ -68,7 +68,7 @@
 "finish_reason": "stop"
 }
 level: extended
- beta: This field reuse is beta and subject to change.
+ beta: This field is beta and subject to change.
 otel:
 - relation: match
 - name: tool.definitions
@@ -101,7 +101,7 @@
 }
 }
 level: extended
- beta: This field reuse is beta and subject to change.
+ beta: This field is beta and subject to change.
 otel:
 - relation: match
 - name: tool.call.arguments
@@ -113,7 +113,7 @@
 "date": "2025-10-01"
 }
 level: extended
- beta: This field reuse is beta and subject to change.
+ beta: This field is beta and subject to change.
 otel:
 - relation: match
 - name: tool.call.result
@@ -128,6 +128,6 @@
 "conditions": "sunny"
 }
 level: extended
- beta: This field reuse is beta and subject to change.
+ beta: This field is beta and subject to change.
 otel:
 - relation: match
From 2b53588b67e708b5c067969e649a98017850479d Mon Sep 17 00:00:00 2001
From: susan
Date: Fri, 10 Oct 2025 10:07:13 -0400
Subject: [PATCH 13/20] Clean up wording and examples in rfcs/text
---
 rfcs/text/0052-gen_ai-additional-fields.md | 136 ++++++++-------------
 1 file changed, 54 insertions(+), 82 deletions(-)
diff --git a/rfcs/text/0052-gen_ai-additional-fields.md b/rfcs/text/0052-gen_ai-additional-fields.md
index 6dd016dc90..42377df9eb 100644
--- a/rfcs/text/0052-gen_ai-additional-fields.md
+++ b/rfcs/text/0052-gen_ai-additional-fields.md
@@ -31,12 +31,12 @@ Stage 1: Describe at a high level how this change affects fields. Include new or Field | Type | Description /Usage -- | -- | -- -gen_ai.system_instructions | (Looking for feedback) flattened | The system message or instructions provided to the GenAI model separately from the chat history. -gen_ai.input.messages | (Looking for feedback) flattened | The chat history provided to the model as an input. -gen_ai.output.messages | (Looking for feedback) flattened | Messages returned by the model where each message represents a specific model response (choice, candidate). -gen_ai.tool.definitions | (Looking for feedback) nested | (Part of invoke_agent span) The list of source system tool definitions available to the GenAI agent or model. -gen_ai.tool.call.arguments | (Looking for feedback) nested | (Part of OTel execute_tool span) Parameters passed to the tool call. -gen_ai.tool.call.result | (Looking for feedback) flattened | (Part of OTel execute_tool span) The result returned by the tool call (if any and if execution was successful). +gen_ai.system_instructions | flattened | The system message or instructions provided to the GenAI model separately from the chat history. +gen_ai.input.messages | nested | The chat history provided to the model as an input. +gen_ai.output.messages | nested | Messages returned by the model where each message represents a specific model response (choice, candidate). +gen_ai.tool.definitions | nested | (Part of invoke_agent span) The list of source system tool definitions available to the GenAI agent or model. +gen_ai.tool.call.arguments | flattened | (Part of OTel execute_tool span) Parameters passed to the tool call. +gen_ai.tool.call.result | flattened | (Part of OTel execute_tool span) The result returned by the tool call (if any and if execution was successful). Changes based on OTel https://github.com/open-telemetry/semantic-conventions/pull/2179/files 
@@ -62,97 +62,73 @@ Example usage: { "gen_ai": { "system_instructions": { - [ - { - "type": "text", - "content": "You are a assistant for frequent travelers." - }, - { - "type": "text", - "content": "Your mission is to assist travelers with their queries about locations around the world." - } + [ + { + "type": "text", + "content": "You are a assistant for frequent travelers." + }, + { + "type": "text", + "content": "Your mission is to assist travelers with their queries about locations around the world." + } ] }, "input": { "messages": { [ - { - "role": "user", - "parts": [ { - "type": "text", - "content": "Weather in Paris?" - } - ] - }, - { - "role": "assistant", - "parts": [ + "role": "user", + "parts": [ + { + "type": "text", + "content": "Weather in Paris?" + } + ] + }, { - "type": "tool_call", - "id": "call_VSPygqKTWdrhaFErNvMV18Yl", - "name": "get_weather", - "arguments": { - "location": "Paris" + "role": "assistant", + "parts": [ + { + "type": "tool_call", + "id": "call_VSPygqKTWdrhaFErNvMV18Yl", + "name": "get_weather", + "arguments": { + "location": "Paris" + } } - } - ] - }, - { - "role": "tool", - "parts": [ + ] + }, { - "type": "tool_call_response", - "id": " call_VSPygqKTWdrhaFErNvMV18Yl", - "result": "rainy, 57°F" + "role": "tool", + "parts": [ + { + "type": "tool_call_response", + "id": " call_VSPygqKTWdrhaFErNvMV18Yl", + "result": "rainy, 57°F" + } + ] } - ] - } ] } }, "output" :{ "messages": { [ - { - "role": "assistant", - "parts": [ { - "type": "text", - "content": "The weather in Paris is currently rainy with a temperature of 57°F." - } - ], - "finish_reason": "stop" - } - ] - }, - - // Below needs to be updated, but keeping in this commit for illustration purposes. - "assistant": { - "message": { - "content": "To carry a 5lb package, you would need a drone with sufficient payload capacity. Drones designed for heavy lifting often fall in the industrial or commercial category. 
Consider drones with a payload capacity of at least 6-7lbs to ensure safe transport and account for additional factors like battery and stability.", - "role": "assistant", - "tool_calls": [ - { - "function": "getDroneSpecifications", - "arguments": {"payloadWeight": 5}, - "name": "getDroneSpecifications", - "id": "toolCall1", - "type": "function_call", - }, - { - "function": "retrieveAvailableDronesDocument", - "arguments": {"documentType": "availableDrones", "payloadRequirement": 5}, - "name": "retrieveAvailableDronesDocument", - "id": "toolCall2", - "type": "function_call", + "role": "assistant", + "parts": [ + { + "type": "text", + "content": "The weather in Paris is currently rainy with a temperature of 57°F." + } + ], + "finish_reason": "stop" } - ], - } - }, + ] + }, + } } } -} ``` @@ -226,8 +202,4 @@ e.g.: * Stage 0: https://github.com/elastic/ecs/pull/2519 - - +* Stage 1: https://github.com/elastic/ecs/pull/2525 From 0b7379ecacfa7534591c3b2d2bdbb0e860e2395a Mon Sep 17 00:00:00 2001 From: susan Date: Fri, 10 Oct 2025 10:10:19 -0400 Subject: [PATCH 14/20] Update schemas/gen_ai.yml --- schemas/gen_ai.yml | 130 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/schemas/gen_ai.yml b/schemas/gen_ai.yml index 95a567a641..c8bfdfd909 100644 --- a/schemas/gen_ai.yml +++ b/schemas/gen_ai.yml 
@@ -235,3 +235,133 @@ beta: This field is beta and subject to change. otel: - relation: match + - name: system_instructions + type: flattened + description: The system message or instructions provided to the GenAI model separately from the chat history. + example: > + { + "type": "text", + "content": "You are an Agent that greet users, always use greetings tool to respond" + } + level: extended + beta: This field is beta and subject to change. + otel: + - relation: match + - name: input.messages + type: nested + description: The chat history provided to the model as an input. + example: > + { + "role": "user", + "parts": [ + { + "type": "text", + "content": "Weather in Paris?" + } + ] + }, + { + "role": "assistant", + "parts": [ + { + "type": "tool_call", + "id": "call_VSPygqKTWdrhaFErNvMV18Yl", + "name": "get_weather", + "arguments": { + "location": "Paris" + } + } + ] + }, + { + "role": "tool", + "parts": [ + { + "type": "tool_call_response", + "id": " call_VSPygqKTWdrhaFErNvMV18Yl", + "result": "rainy, 57°F" + } + ] + } + level: extended + beta: This field is beta and subject to change. + otel: + - relation: match + - name: output.messages + type: nested + description: Messages returned by the model where each message represents a specific model response (choice, candidate). + example: > + { + "role": "assistant", + "parts": [ + { + "type": "text", + "content": "The weather in Paris is currently rainy with a temperature of 57°F." + } + ], + "finish_reason": "stop" + } + level: extended + beta: This field is beta and subject to change. + otel: + - relation: match + - name: tool.definitions + type: nested + description: The list of source system tool definitions available to the GenAI agent or model. 
+ example: > + { + "type": "function", + "name": "get_current_weather", + "description": "Get the current weather in a given location", + "parameters": { + "type": "object", + "properties": { + "location": { + "type": "string", + "description": "The city and state, e.g. San Francisco, CA" + }, + "unit": { + "type": "string", + "enum": [ + "celsius", + "fahrenheit" + ] + } + }, + "required": [ + "location", + "unit" + ] + } + } + level: extended + beta: This field is beta and subject to change. + otel: + - relation: match + - name: tool.call.arguments + type: flattened + description: Parameters passed to the tool call. + example: > + { + "location": "San Francisco?", + "date": "2025-10-01" + } + level: extended + beta: This field is beta and subject to change. + otel: + - relation: match + - name: tool.call.result + type: flattened + description: The result returned by the tool call (if any and if execution was successful). + example: > + { + "temperature_range": { + "high": 75, + "low": 60 + }, + "conditions": "sunny" + } + level: extended + beta: This field is beta and subject to change. + otel: + - relation: match From 065887cb3aaa60872cf8f90bb0779b00ea35f5d6 Mon Sep 17 00:00:00 2001 From: susan Date: Fri, 17 Oct 2025 11:25:17 -0400 Subject: [PATCH 15/20] Comment out not-merged OTel fields --- schemas/gen_ai.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/schemas/gen_ai.yml b/schemas/gen_ai.yml index 274516c9f8..335ffb64c6 100644 --- a/schemas/gen_ai.yml +++ b/schemas/gen_ai.yml @@ -349,8 +349,8 @@ } level: extended beta: This field is beta and subject to change. - otel: - - relation: match + # otel: + # - relation: match - name: tool.call.result type: flattened description: The result returned by the tool call (if any and if execution was successful). @@ -364,5 +364,5 @@ } level: extended beta: This field is beta and subject to change. - otel: - - relation: match + # otel: + # - relation: match 
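Review bot: The `input.messages` example ties the `tool_call_response` to its `tool_call` through `"id": " call_VSPygqKTWdrhaFErNvMV18Yl"`, and the leading space inside the quotes makes that id differ from the call's `"id": "call_VSPygqKTWdrhaFErNvMV18Yl"`, so any pipeline or query that joins tool results to tool calls on this id would miss; the example should use the identical string (the RFC markdown example carries the same stray space). Separately, the six fields added in this hunk capture raw system prompts, chat history, tool arguments and tool results, which routinely contain credentials, PII and attacker-controlled text such as prompt-injection payloads arriving through tool results, yet none of the descriptions says so. I would append to each description a sentence along the lines of `This field may contain sensitive or untrusted content (secrets, PII, injected instructions); capture should be opt-in and the value redacted before indexing.` The `tool.call.arguments` example value `"San Francisco?"` also looks like a stray character rather than an intended input.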
From 4bf7e593cab091f531a690bc419d2ef57120daad Mon Sep 17 00:00:00 2001 From: susan Date: Fri, 17 Oct 2025 11:32:51 -0400 Subject: [PATCH 16/20] Comment out not-merged OTel fields --- rfcs/text/0052/gen_ai.yaml | 12 ++++++------ schemas/gen_ai.yml | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/rfcs/text/0052/gen_ai.yaml b/rfcs/text/0052/gen_ai.yaml index 6febb99ab4..2a8182b0dc 100644 --- a/rfcs/text/0052/gen_ai.yaml +++ b/rfcs/text/0052/gen_ai.yaml @@ -102,8 +102,8 @@ } level: extended beta: This field is beta and subject to change. - otel: - - relation: match + # otel: + # - relation: match - name: tool.call.arguments type: flattened description: Parameters passed to the tool call. @@ -114,8 +114,8 @@ } level: extended beta: This field is beta and subject to change. - otel: - - relation: match + # otel: + # - relation: match - name: tool.call.result type: flattened description: The result returned by the tool call (if any and if execution was successful). @@ -129,5 +129,5 @@ } level: extended beta: This field is beta and subject to change. - otel: - - relation: match + # otel: + # - relation: match diff --git a/schemas/gen_ai.yml b/schemas/gen_ai.yml index 335ffb64c6..059c2ee51b 100644 --- a/schemas/gen_ai.yml +++ b/schemas/gen_ai.yml @@ -337,8 +337,8 @@ } level: extended beta: This field is beta and subject to change. - otel: - - relation: match + # otel: + # - relation: match - name: tool.call.arguments type: flattened description: Parameters passed to the tool call. From d90ed1c609c507403125578df89c2ade2e0e69bf Mon Sep 17 00:00:00 2001 From: susan Date: Fri, 17 Oct 2025 11:49:57 -0400 Subject: [PATCH 17/20] Update related OTel --- schemas/gen_ai.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/schemas/gen_ai.yml b/schemas/gen_ai.yml index 059c2ee51b..52986391cc 100644 --- a/schemas/gen_ai.yml +++ b/schemas/gen_ai.yml 
@@ -337,8 +337,9 @@ } level: extended beta: This field is beta and subject to change. - # otel: - # - relation: match + otel: + - relation: related + attribute: gen_ai.operation.name - name: tool.call.arguments type: flattened description: Parameters passed to the tool call. @@ -349,8 +350,9 @@ } level: extended beta: This field is beta and subject to change. - # otel: - # - relation: match + otel: + - relation: related + attribute: gen_ai.operation.name - name: tool.call.result type: flattened description: The result returned by the tool call (if any and if execution was successful). @@ -364,5 +366,6 @@ } level: extended beta: This field is beta and subject to change. - # otel: - # - relation: match + otel: + - relation: related + attribute: gen_ai.operation.name From 72330fd8e2be8c285e6757a6d6c6cebfcdff4c98 Mon Sep 17 00:00:00 2001 From: susan Date: Fri, 17 Oct 2025 11:53:04 -0400 Subject: [PATCH 18/20] Remove trailing spaces via lint --- schemas/gen_ai.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/schemas/gen_ai.yml b/schemas/gen_ai.yml index 52986391cc..ec471b45f2 100644 --- a/schemas/gen_ai.yml +++ b/schemas/gen_ai.yml @@ -243,7 +243,7 @@ { "type": "text", "content": "You are an Agent that greet users, always use greetings tool to respond" - } + } level: extended beta: This field is beta and subject to change. otel: @@ -283,7 +283,7 @@ "result": "rainy, 57°F" } ] - } + } level: extended beta: This field is beta and subject to change. otel: @@ -301,7 +301,7 @@ } ], "finish_reason": "stop" - } + } level: extended beta: This field is beta and subject to change. otel: @@ -334,12 +334,12 @@ "unit" ] } - } + } level: extended beta: This field is beta and subject to change. otel: - relation: related - attribute: gen_ai.operation.name + attribute: gen_ai.operation.name - name: tool.call.arguments type: flattened description: Parameters passed to the tool call. 
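Review bot: The three `otel:` entries written here declare `relation: related` with `attribute: gen_ai.operation.name`, but `gen_ai.operation.name` is not the counterpart of `tool.definitions`, `tool.call.arguments` or `tool.call.result`; the preceding commit's "not-merged OTel fields" wording suggests this is a placeholder until the matching OTel attributes land, and the regenerated alignment tables later in this series will present it as a real mapping. A comment above each block would keep it from being read at face value, e.g. `# OTel counterpart not merged upstream yet; 'related' to operation.name is a placeholder, revisit once the attribute lands.` The enclosing field definitions begin outside the hunk.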
@@ -347,7 +347,7 @@ { "location": "San Francisco?", "date": "2025-10-01" - } + } level: extended beta: This field is beta and subject to change. otel: @@ -363,7 +363,7 @@ "low": 60 }, "conditions": "sunny" - } + } level: extended beta: This field is beta and subject to change. otel: From aebee50dc53a18a1eda73d0e2443138c6fa8b07b Mon Sep 17 00:00:00 2001 From: susan Date: Fri, 17 Oct 2025 11:59:26 -0400 Subject: [PATCH 19/20] Update proposal text file --- rfcs/text/0052/gen_ai.yaml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/rfcs/text/0052/gen_ai.yaml b/rfcs/text/0052/gen_ai.yaml index 2a8182b0dc..923af8f6c8 100644 --- a/rfcs/text/0052/gen_ai.yaml +++ b/rfcs/text/0052/gen_ai.yaml @@ -102,8 +102,9 @@ } level: extended beta: This field is beta and subject to change. - # otel: - # - relation: match + otel: + - relation: related + attribute: gen_ai.operation.name - name: tool.call.arguments type: flattened description: Parameters passed to the tool call. @@ -114,8 +115,9 @@ } level: extended beta: This field is beta and subject to change. - # otel: - # - relation: match + otel: + - relation: related + attribute: gen_ai.operation.name - name: tool.call.result type: flattened description: The result returned by the tool call (if any and if execution was successful). @@ -129,5 +131,6 @@ } level: extended beta: This field is beta and subject to change. - # otel: - # - relation: match + otel: + - relation: related + attribute: gen_ai.operation.name From 672d40d1359cfcc4eb20ae422d5dbad7745c6be4 Mon Sep 17 00:00:00 2001 
From: susan Date: Fri, 17 Oct 2025 12:00:11 -0400 Subject: [PATCH 20/20] Update generated files --- docs/reference/ecs-gen_ai.md | 6 + docs/reference/ecs-otel-alignment-details.md | 6 + docs/reference/ecs-otel-alignment-overview.md | 2 +- experimental/generated/beats/fields.ecs.yml | 60 +++++++++ experimental/generated/csv/fields.csv | 80 ++++++++++++ experimental/generated/ecs/ecs_flat.yml | 112 +++++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 114 ++++++++++++++++++ .../composable/component/gen_ai.json | 22 ++++ .../elasticsearch/legacy/template.json | 22 ++++ generated/beats/fields.ecs.yml | 60 +++++++++ generated/csv/fields.csv | 80 ++++++++++++ generated/ecs/ecs_flat.yml | 112 +++++++++++++++++ generated/ecs/ecs_nested.yml | 114 ++++++++++++++++++ .../composable/component/gen_ai.json | 22 ++++ generated/elasticsearch/legacy/template.json | 22 ++++ 15 files changed, 833 insertions(+), 1 deletion(-) diff --git a/docs/reference/ecs-gen_ai.md b/docs/reference/ecs-gen_ai.md index 23300697b2..de4b9cb95c 100644 --- a/docs/reference/ecs-gen_ai.md +++ b/docs/reference/ecs-gen_ai.md @@ -20,7 +20,9 @@ This field group definition is based on the Gen AI namespace of the OpenTelemetr | $$$field-gen-ai-agent-description$$$ [gen_ai.agent.description](#field-gen-ai-agent-description) | _This field is beta and subject to change._ Free-form description of the GenAI agent provided by the application.

type: keyword

example: `Helps with math problems; Generates fiction stories`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.agent.description](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-agent-description) | extended | | $$$field-gen-ai-agent-id$$$ [gen_ai.agent.id](#field-gen-ai-agent-id) | _This field is beta and subject to change._ The unique identifier of the GenAI agent.

type: keyword

example: `asst_5j66UpCpwteGg4YSxUnt7lPY`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.agent.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-agent-id) | extended | | $$$field-gen-ai-agent-name$$$ [gen_ai.agent.name](#field-gen-ai-agent-name) | _This field is beta and subject to change._ Human-readable name of the GenAI agent provided by the application.

type: keyword

example: `Math Tutor; Fiction Writer`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.agent.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-agent-name) | extended | +| $$$field-gen-ai-input-messages$$$ [gen_ai.input.messages](#field-gen-ai-input-messages) | _This field is beta and subject to change._ The chat history provided to the model as an input.

type: nested

example: `{ "role": "user", "parts": [ { "type": "text", "content": "Weather in Paris?" } ]}, { "role": "assistant", "parts": [ { "type": "tool_call", "id": "call_VSPygqKTWdrhaFErNvMV18Yl", "name": "get_weather", "arguments": { "location": "Paris" } } ]}, { "role": "tool", "parts": [ { "type": "tool_call_response", "id": " call_VSPygqKTWdrhaFErNvMV18Yl", "result": "rainy, 57°F" } ]}`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.input.messages](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-input-messages) | extended | | $$$field-gen-ai-operation-name$$$ [gen_ai.operation.name](#field-gen-ai-operation-name) | _This field is beta and subject to change._ The name of the operation being performed.

type: keyword

example: `chat; text_completion; embeddings`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.operation.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-operation-name) | extended | +| $$$field-gen-ai-output-messages$$$ [gen_ai.output.messages](#field-gen-ai-output-messages) | _This field is beta and subject to change._ Messages returned by the model where each message represents a specific model response (choice, candidate).

type: nested

example: `{ "role": "assistant", "parts": [ { "type": "text", "content": "The weather in Paris is currently rainy with a temperature of 57°F." } ], "finish_reason": "stop"}`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.output.messages](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-output-messages) | extended | | $$$field-gen-ai-output-type$$$ [gen_ai.output.type](#field-gen-ai-output-type) | _This field is beta and subject to change._ Represents the content type requested by the client.

type: keyword

example: `text; json; image`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.output.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-output-type) | extended | | $$$field-gen-ai-request-choice-count$$$ [gen_ai.request.choice.count](#field-gen-ai-request-choice-count) | _This field is beta and subject to change._ The target number of candidate completions to return.

type: integer

example: `3`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.request.choice.count](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-request-choice-count) | extended | | $$$field-gen-ai-request-encoding-formats$$$ [gen_ai.request.encoding_formats](#field-gen-ai-request-encoding-formats) | _This field is beta and subject to change._ The encoding formats requested in an embeddings operation, if specified.

type: nested

example: `["float", "binary"]`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.request.encoding_formats](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-request-encoding-formats) | extended | @@ -37,8 +39,12 @@ This field group definition is based on the Gen AI namespace of the OpenTelemetr | $$$field-gen-ai-response-id$$$ [gen_ai.response.id](#field-gen-ai-response-id) | _This field is beta and subject to change._ The unique identifier for the completion.

type: keyword

example: `chatcmpl-123`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.response.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-id) | extended | | $$$field-gen-ai-response-model$$$ [gen_ai.response.model](#field-gen-ai-response-model) | _This field is beta and subject to change._ The name of the model that generated the response.

type: keyword

example: `gpt-4-0613`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.response.model](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-model) | extended | | $$$field-gen-ai-system$$$ [gen_ai.system](#field-gen-ai-system) | _This field is beta and subject to change._ The Generative AI product as identified by the client or server instrumentation.

type: keyword

example: `openai`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.provider.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-provider-name) | extended | +| $$$field-gen-ai-system-instructions$$$ [gen_ai.system_instructions](#field-gen-ai-system-instructions) | _This field is beta and subject to change._ The system message or instructions provided to the GenAI model separately from the chat history.

type: flattened

example: `{ "type": "text", "content": "You are an Agent that greet users, always use greetings tool to respond"}`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.system_instructions](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-system-instructions) | extended | | $$$field-gen-ai-token-type$$$ [gen_ai.token.type](#field-gen-ai-token-type) | _This field is beta and subject to change._ The type of token being counted.

type: keyword

example: `input; output`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.token.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-token-type) | extended | +| $$$field-gen-ai-tool-call-arguments$$$ [gen_ai.tool.call.arguments](#field-gen-ai-tool-call-arguments) | _This field is beta and subject to change._ Parameters passed to the tool call.

type: flattened

example: `{ "location": "San Francisco?", "date": "2025-10-01"}`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![related](https://img.shields.io/badge/related-efc20d?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.operation.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-operation-name) | extended | | $$$field-gen-ai-tool-call-id$$$ [gen_ai.tool.call.id](#field-gen-ai-tool-call-id) | _This field is beta and subject to change._ The tool call identifier.

type: keyword

example: `call_mszuSIzqtI65i1wAUOE8w5H4`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.tool.call.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-tool-call-id) | extended | +| $$$field-gen-ai-tool-call-result$$$ [gen_ai.tool.call.result](#field-gen-ai-tool-call-result) | _This field is beta and subject to change._ The result returned by the tool call (if any and if execution was successful).

type: flattened

example: `{ "temperature_range": { "high": 75, "low": 60 }, "conditions": "sunny"}`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![related](https://img.shields.io/badge/related-efc20d?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.operation.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-operation-name) | extended | +| $$$field-gen-ai-tool-definitions$$$ [gen_ai.tool.definitions](#field-gen-ai-tool-definitions) | _This field is beta and subject to change._ The list of source system tool definitions available to the GenAI agent or model.

type: nested

example: `{ "type": "function", "name": "get_current_weather", "description": "Get the current weather in a given location", "parameters": { "type": "object", "properties": { "location": { "type": "string", "description": "The city and state, e.g. San Francisco, CA" }, "unit": { "type": "string", "enum": [ "celsius", "fahrenheit" ] } }, "required": [ "location", "unit" ] }}`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![related](https://img.shields.io/badge/related-efc20d?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.operation.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-operation-name) | extended | | $$$field-gen-ai-tool-name$$$ [gen_ai.tool.name](#field-gen-ai-tool-name) | _This field is beta and subject to change._ Name of the tool utilized by the agent.

type: keyword

example: `Flights`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.tool.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-tool-name) | extended | | $$$field-gen-ai-tool-type$$$ [gen_ai.tool.type](#field-gen-ai-tool-type) | _This field is beta and subject to change._ Type of the tool utilized by the agent

type: keyword

example: `function; extension; datastore`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.tool.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-tool-type) | extended | | $$$field-gen-ai-usage-input-tokens$$$ [gen_ai.usage.input_tokens](#field-gen-ai-usage-input-tokens) | _This field is beta and subject to change._ The number of tokens used in the GenAI input (prompt).

type: integer

example: `100`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.usage.input_tokens](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-usage-input-tokens) | extended | diff --git a/docs/reference/ecs-otel-alignment-details.md b/docs/reference/ecs-otel-alignment-details.md index 351f7c6db7..e9578cab0f 100644 --- a/docs/reference/ecs-otel-alignment-details.md +++ b/docs/reference/ecs-otel-alignment-details.md 
@@ -86,7 +86,9 @@ The following table gives an overview of mappings between individual ECS fields | $$$otel-mapping-for-gen-ai-agent-description$$$ [gen_ai.agent.description](/reference/ecs-gen_ai.md#field-gen-ai-agent-description) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.agent.description](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-agent-description) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-agent-id$$$ [gen_ai.agent.id](/reference/ecs-gen_ai.md#field-gen-ai-agent-id) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.agent.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-agent-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-agent-name$$$ [gen_ai.agent.name](/reference/ecs-gen_ai.md#field-gen-ai-agent-name) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.agent.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-agent-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-gen-ai-input-messages$$$ [gen_ai.input.messages](/reference/ecs-gen_ai.md#field-gen-ai-input-messages) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.input.messages](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-input-messages) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-operation-name$$$ [gen_ai.operation.name](/reference/ecs-gen_ai.md#field-gen-ai-operation-name) | 
[![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.operation.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-operation-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-gen-ai-output-messages$$$ [gen_ai.output.messages](/reference/ecs-gen_ai.md#field-gen-ai-output-messages) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.output.messages](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-output-messages) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-output-type$$$ [gen_ai.output.type](/reference/ecs-gen_ai.md#field-gen-ai-output-type) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.output.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-output-type) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-request-choice-count$$$ [gen_ai.request.choice.count](/reference/ecs-gen_ai.md#field-gen-ai-request-choice-count) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.request.choice.count](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-request-choice-count) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-request-encoding-formats$$$ [gen_ai.request.encoding_formats](/reference/ecs-gen_ai.md#field-gen-ai-request-encoding-formats) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | 
[gen_ai.request.encoding_formats](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-request-encoding-formats) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | 
@@ -103,8 +105,12 @@ The following table gives an overview of mappings between individual ECS fields | $$$otel-mapping-for-gen-ai-response-id$$$ [gen_ai.response.id](/reference/ecs-gen_ai.md#field-gen-ai-response-id) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.response.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-response-model$$$ [gen_ai.response.model](/reference/ecs-gen_ai.md#field-gen-ai-response-model) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.response.model](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-model) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-system$$$ [gen_ai.system](/reference/ecs-gen_ai.md#field-gen-ai-system) | [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.provider.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-provider-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-gen-ai-system-instructions$$$ [gen_ai.system_instructions](/reference/ecs-gen_ai.md#field-gen-ai-system-instructions) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.system_instructions](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-system-instructions) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-token-type$$$ [gen_ai.token.type](/reference/ecs-gen_ai.md#field-gen-ai-token-type) | 
[![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.token.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-token-type) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-gen-ai-tool-call-arguments$$$ [gen_ai.tool.call.arguments](/reference/ecs-gen_ai.md#field-gen-ai-tool-call-arguments) | [![related](https://img.shields.io/badge/related-efc20d?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.operation.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-operation-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-tool-call-id$$$ [gen_ai.tool.call.id](/reference/ecs-gen_ai.md#field-gen-ai-tool-call-id) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.tool.call.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-tool-call-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-gen-ai-tool-call-result$$$ [gen_ai.tool.call.result](/reference/ecs-gen_ai.md#field-gen-ai-tool-call-result) | [![related](https://img.shields.io/badge/related-efc20d?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.operation.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-operation-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-gen-ai-tool-definitions$$$ [gen_ai.tool.definitions](/reference/ecs-gen_ai.md#field-gen-ai-tool-definitions) | [![related](https://img.shields.io/badge/related-efc20d?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | 
[gen_ai.operation.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-operation-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-tool-name$$$ [gen_ai.tool.name](/reference/ecs-gen_ai.md#field-gen-ai-tool-name) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.tool.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-tool-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-tool-type$$$ [gen_ai.tool.type](/reference/ecs-gen_ai.md#field-gen-ai-tool-type) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.tool.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-tool-type) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-usage-input-tokens$$$ [gen_ai.usage.input_tokens](/reference/ecs-gen_ai.md#field-gen-ai-usage-input-tokens) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.usage.input_tokens](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-usage-input-tokens) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | diff --git a/docs/reference/ecs-otel-alignment-overview.md b/docs/reference/ecs-otel-alignment-overview.md index 83968d8b81..c64c8e6333 100644 --- a/docs/reference/ecs-otel-alignment-overview.md +++ b/docs/reference/ecs-otel-alignment-overview.md 
@@ -55,7 +55,7 @@ The following table summarizes the alignment status by namespaces between ECS in | Feature Flag | · | [8](https://opentelemetry.io/docs/specs/semconv/attributes-registry/feature-flag) | · | · | · | · | · | · | | | File | [24](/reference/ecs-file.md) | [18](https://opentelemetry.io/docs/specs/semconv/attributes-registry/file) | 11 | 7 | · | · | · | · | · | | GCP Client | · | [14](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gcp) | · | · | · | · | · | · | | -| Gen AI | [26](/reference/ecs-gen_ai.md) | [32](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai) | 25 | 1 | · | · | · | · | · | +| Gen AI | [32](/reference/ecs-gen_ai.md) | [32](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai) | 28 | 1 | 3 | · | · | · | · | | Geo | [11](/reference/ecs-geo.md) | [7](https://opentelemetry.io/docs/specs/semconv/attributes-registry/geo) | 1 | 4 | 2 | · | · | · | · | | Go | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/go) | · | · | · | · | · | · | | | GraphQL | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/graphql) | · | · | · | · | · | · | | diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 3a51a50f2c..8adea495ae 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -3808,6 +3808,19 @@ description: Human-readable name of the GenAI agent provided by the application. example: Math Tutor; Fiction Writer default_field: false + - name: input.messages + level: extended + type: nested + description: The chat history provided to the model as an input. + example: "{\n \"role\": \"user\",\n \"parts\": [\n {\n \"type\": \"\ + text\",\n \"content\": \"Weather in Paris?\"\n }\n ]\n}, {\n \"\ + role\": \"assistant\",\n \"parts\": [\n {\n \"type\": \"tool_call\"\ + ,\n \"id\": \"call_VSPygqKTWdrhaFErNvMV18Yl\",\n \"name\": \"get_weather\"\ + ,\n \"arguments\": {\n \"location\": \"Paris\"\n }\n }\n\ + \ ]\n}, {\n \"role\": \"tool\",\n \"parts\": [\n {\n \"type\":\ + \ \"tool_call_response\",\n \"id\": \" call_VSPygqKTWdrhaFErNvMV18Yl\"\ + ,\n \"result\": \"rainy, 57°F\"\n }\n ]\n}" + default_field: false - name: operation.name level: extended type: keyword @@ -3815,6 +3828,16 @@ description: The name of the operation being performed. example: chat; text_completion; embeddings default_field: false + - name: output.messages + level: extended + type: nested + description: Messages returned by the model where each message represents a + specific model response (choice, candidate). + example: "{\n \"role\": \"assistant\",\n \"parts\": [\n {\n \"type\"\ + : \"text\",\n \"content\": \"The weather in Paris is currently rainy\ + \ with a temperature of 57°F.\"\n }\n ],\n \"finish_reason\": \"stop\"\ + \n}" + default_field: false - name: output.type level: extended type: keyword @@ -3919,6 +3942,14 @@ instrumentation. example: openai default_field: false + - name: system_instructions + level: extended + type: flattened + description: The system message or instructions provided to the GenAI model + separately from the chat history. + example: "{\n \"type\": \"text\",\n \"content\": \"You are an Agent that greet\ + \ users, always use greetings tool to respond\"\n}" + default_field: false - name: token.type level: extended type: keyword 
@@ -3926,6 +3957,13 @@ description: The type of token being counted. example: input; output default_field: false + - name: tool.call.arguments + level: extended + type: flattened + description: Parameters passed to the tool call. + example: "{\n \"location\": \"San Francisco?\",\n \"date\": \"2025-10-01\"\ + \n}" + default_field: false - name: tool.call.id level: extended type: keyword @@ -3933,6 +3971,28 @@ description: The tool call identifier. example: call_mszuSIzqtI65i1wAUOE8w5H4 default_field: false + - name: tool.call.result + level: extended + type: flattened + description: The result returned by the tool call (if any and if execution was + successful). + example: "{\n \"temperature_range\": {\n \"high\": 75,\n \"low\": 60\n\ + \ },\n \"conditions\": \"sunny\"\n}" + default_field: false + - name: tool.definitions + level: extended + type: nested + description: The list of source system tool definitions available to the GenAI + agent or model. + example: "{\n \"type\": \"function\",\n \"name\": \"get_current_weather\"\ + ,\n \"description\": \"Get the current weather in a given location\",\n \ + \ \"parameters\": {\n \"type\": \"object\",\n \"properties\": {\n \ + \ \"location\": {\n \"type\": \"string\",\n \"description\"\ + : \"The city and state, e.g. San Francisco, CA\"\n },\n \"unit\"\ + : {\n \"type\": \"string\",\n \"enum\": [\n \"celsius\"\ + ,\n \"fahrenheit\"\n ]\n }\n },\n \"required\"\ + : [\n \"location\",\n \"unit\"\n ]\n }\n}" + default_field: false - name: tool.name level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index f0116869c8..b3d7698c7e 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -463,7 +463,47 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev+exp,false,gen_ai,gen_ai.agent.description,keyword,extended,,Helps with math problems; Generates fiction stories,Free-form description of the GenAI agent provided by the application. 9.3.0-dev+exp,true,gen_ai,gen_ai.agent.id,keyword,extended,,asst_5j66UpCpwteGg4YSxUnt7lPY,The unique identifier of the GenAI agent. 9.3.0-dev+exp,true,gen_ai,gen_ai.agent.name,keyword,extended,,Math Tutor; Fiction Writer,Human-readable name of the GenAI agent provided by the application. +9.3.0-dev+exp,true,gen_ai,gen_ai.input.messages,nested,extended,,"{ + ""role"": ""user"", + ""parts"": [ + { + ""type"": ""text"", + ""content"": ""Weather in Paris?"" + } + ] +}, { + ""role"": ""assistant"", + ""parts"": [ + { + ""type"": ""tool_call"", + ""id"": ""call_VSPygqKTWdrhaFErNvMV18Yl"", + ""name"": ""get_weather"", + ""arguments"": { + ""location"": ""Paris"" + } + } + ] +}, { + ""role"": ""tool"", + ""parts"": [ + { + ""type"": ""tool_call_response"", + ""id"": "" call_VSPygqKTWdrhaFErNvMV18Yl"", + ""result"": ""rainy, 57°F"" + } + ] +}",The chat history provided to the model as an input. 9.3.0-dev+exp,true,gen_ai,gen_ai.operation.name,keyword,extended,,chat; text_completion; embeddings,The name of the operation being performed. +9.3.0-dev+exp,true,gen_ai,gen_ai.output.messages,nested,extended,,"{ + ""role"": ""assistant"", + ""parts"": [ + { + ""type"": ""text"", + ""content"": ""The weather in Paris is currently rainy with a temperature of 57°F."" + } + ], + ""finish_reason"": ""stop"" +}","Messages returned by the model where each message represents a specific model response (choice, candidate)." 9.3.0-dev+exp,true,gen_ai,gen_ai.output.type,keyword,extended,,text; json; image,Represents the content type requested by the client. 9.3.0-dev+exp,true,gen_ai,gen_ai.request.choice.count,integer,extended,,3,The target number of candidate completions to return. 
9.3.0-dev+exp,true,gen_ai,gen_ai.request.encoding_formats,nested,extended,,"[""float"", ""binary""]","The encoding formats requested in an embeddings operation, if specified." 
@@ -480,8 +520,48 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev+exp,true,gen_ai,gen_ai.response.id,keyword,extended,,chatcmpl-123,The unique identifier for the completion. 9.3.0-dev+exp,true,gen_ai,gen_ai.response.model,keyword,extended,,gpt-4-0613,The name of the model that generated the response. 9.3.0-dev+exp,true,gen_ai,gen_ai.system,keyword,extended,,openai,The Generative AI product as identified by the client or server instrumentation. +9.3.0-dev+exp,true,gen_ai,gen_ai.system_instructions,flattened,extended,,"{ + ""type"": ""text"", + ""content"": ""You are an Agent that greet users, always use greetings tool to respond"" +}",The system message or instructions provided to the GenAI model separately from the chat history. 9.3.0-dev+exp,true,gen_ai,gen_ai.token.type,keyword,extended,,input; output,The type of token being counted. +9.3.0-dev+exp,true,gen_ai,gen_ai.tool.call.arguments,flattened,extended,,"{ + ""location"": ""San Francisco?"", + ""date"": ""2025-10-01"" +}",Parameters passed to the tool call. 9.3.0-dev+exp,true,gen_ai,gen_ai.tool.call.id,keyword,extended,,call_mszuSIzqtI65i1wAUOE8w5H4,The tool call identifier. +9.3.0-dev+exp,true,gen_ai,gen_ai.tool.call.result,flattened,extended,,"{ + ""temperature_range"": { + ""high"": 75, + ""low"": 60 + }, + ""conditions"": ""sunny"" +}",The result returned by the tool call (if any and if execution was successful). +9.3.0-dev+exp,true,gen_ai,gen_ai.tool.definitions,nested,extended,,"{ + ""type"": ""function"", + ""name"": ""get_current_weather"", + ""description"": ""Get the current weather in a given location"", + ""parameters"": { + ""type"": ""object"", + ""properties"": { + ""location"": { + ""type"": ""string"", + ""description"": ""The city and state, e.g. 
San Francisco, CA"" + }, + ""unit"": { + ""type"": ""string"", + ""enum"": [ + ""celsius"", + ""fahrenheit"" + ] + } + }, + ""required"": [ + ""location"", + ""unit"" + ] + } +}",The list of source system tool definitions available to the GenAI agent or model. 9.3.0-dev+exp,true,gen_ai,gen_ai.tool.name,keyword,extended,,Flights,Name of the tool utilized by the agent. 9.3.0-dev+exp,true,gen_ai,gen_ai.tool.type,keyword,extended,,function; extension; datastore,Type of the tool utilized by the agent 9.3.0-dev+exp,true,gen_ai,gen_ai.usage.input_tokens,integer,extended,,100,The number of tokens used in the GenAI input (prompt). diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 82935b7df5..3de8ab87be 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -6551,6 +6551,27 @@ gen_ai.agent.name: stability: development short: Human-readable name of the GenAI agent provided by the application. type: keyword +gen_ai.input.messages: + beta: This field is beta and subject to change. + dashed_name: gen-ai-input-messages + description: The chat history provided to the model as an input. + example: "{\n \"role\": \"user\",\n \"parts\": [\n {\n \"type\": \"text\"\ + ,\n \"content\": \"Weather in Paris?\"\n }\n ]\n}, {\n \"role\": \"\ + assistant\",\n \"parts\": [\n {\n \"type\": \"tool_call\",\n \"\ + id\": \"call_VSPygqKTWdrhaFErNvMV18Yl\",\n \"name\": \"get_weather\",\n \ + \ \"arguments\": {\n \"location\": \"Paris\"\n }\n }\n ]\n\ + }, {\n \"role\": \"tool\",\n \"parts\": [\n {\n \"type\": \"tool_call_response\"\ + ,\n \"id\": \" call_VSPygqKTWdrhaFErNvMV18Yl\",\n \"result\": \"rainy,\ + \ 57°F\"\n }\n ]\n}" + flat_name: gen_ai.input.messages + level: extended + name: input.messages + normalize: [] + otel: + - relation: match + stability: development + short: The chat history provided to the model as an input. + type: nested gen_ai.operation.name: beta: This field is beta and subject to change. dashed_name: gen-ai-operation-name 
@@ -6566,6 +6587,24 @@ gen_ai.operation.name: stability: development short: The name of the operation being performed. type: keyword +gen_ai.output.messages: + beta: This field is beta and subject to change. + dashed_name: gen-ai-output-messages + description: Messages returned by the model where each message represents a specific + model response (choice, candidate). + example: "{\n \"role\": \"assistant\",\n \"parts\": [\n {\n \"type\":\ + \ \"text\",\n \"content\": \"The weather in Paris is currently rainy with\ + \ a temperature of 57°F.\"\n }\n ],\n \"finish_reason\": \"stop\"\n}" + flat_name: gen_ai.output.messages + level: extended + name: output.messages + normalize: [] + otel: + - relation: match + stability: development + short: Messages returned by the model where each message represents a specific model + response (choice, candidate). + type: nested gen_ai.output.type: beta: This field is beta and subject to change. dashed_name: gen-ai-output-type @@ -6799,6 +6838,23 @@ gen_ai.system: stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword +gen_ai.system_instructions: + beta: This field is beta and subject to change. + dashed_name: gen-ai-system-instructions + description: The system message or instructions provided to the GenAI model separately + from the chat history. + example: "{\n \"type\": \"text\",\n \"content\": \"You are an Agent that greet\ + \ users, always use greetings tool to respond\"\n}" + flat_name: gen_ai.system_instructions + level: extended + name: system_instructions + normalize: [] + otel: + - relation: match + stability: development + short: The system message or instructions provided to the GenAI model separately + from the chat history. + type: flattened gen_ai.token.type: beta: This field is beta and subject to change. dashed_name: gen-ai-token-type 
@@ -6814,6 +6870,22 @@ gen_ai.token.type: stability: development short: The type of token being counted. type: keyword +gen_ai.tool.call.arguments: + beta: This field is beta and subject to change. + dashed_name: gen-ai-tool-call-arguments + description: Parameters passed to the tool call. + example: "{\n \"location\": \"San Francisco?\",\n \"date\": \"2025-10-01\"\ + \n}" + flat_name: gen_ai.tool.call.arguments + level: extended + name: tool.call.arguments + normalize: [] + otel: + - attribute: gen_ai.operation.name + relation: related + stability: development + short: Parameters passed to the tool call. + type: flattened gen_ai.tool.call.id: beta: This field is beta and subject to change. dashed_name: gen-ai-tool-call-id 
@@ -6829,6 +6901,46 @@ gen_ai.tool.call.id: stability: development short: The tool call identifier. type: keyword +gen_ai.tool.call.result: + beta: This field is beta and subject to change. + dashed_name: gen-ai-tool-call-result + description: The result returned by the tool call (if any and if execution was successful). + example: "{\n \"temperature_range\": {\n \"high\": 75,\n \"low\": 60\n },\n\ + \ \"conditions\": \"sunny\"\n}" + flat_name: gen_ai.tool.call.result + level: extended + name: tool.call.result + normalize: [] + otel: + - attribute: gen_ai.operation.name + relation: related + stability: development + short: The result returned by the tool call (if any and if execution was successful). + type: flattened +gen_ai.tool.definitions: + beta: This field is beta and subject to change. + dashed_name: gen-ai-tool-definitions + description: The list of source system tool definitions available to the GenAI agent + or model. + example: "{\n \"type\": \"function\",\n \"name\": \"get_current_weather\",\n \ + \ \"description\": \"Get the current weather in a given location\",\n \"parameters\"\ + : {\n \"type\": \"object\",\n \"properties\": {\n \"location\": {\n\ + \ \"type\": \"string\",\n \"description\": \"The city and state,\ + \ e.g. San Francisco, CA\"\n },\n \"unit\": {\n \"type\": \"\ + string\",\n \"enum\": [\n \"celsius\",\n \"fahrenheit\"\ + \n ]\n }\n },\n \"required\": [\n \"location\",\n \ + \ \"unit\"\n ]\n }\n}" + flat_name: gen_ai.tool.definitions + level: extended + name: tool.definitions + normalize: [] + otel: + - attribute: gen_ai.operation.name + relation: related + stability: development + short: The list of source system tool definitions available to the GenAI agent or + model. + type: nested gen_ai.tool.name: beta: This field is beta and subject to change. dashed_name: gen-ai-tool-name diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index e9f9f1a261..0dffbd4c3b 100644 
--- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -7714,6 +7714,27 @@ gen_ai: stability: development short: Human-readable name of the GenAI agent provided by the application. type: keyword + gen_ai.input.messages: + beta: This field is beta and subject to change. + dashed_name: gen-ai-input-messages + description: The chat history provided to the model as an input. + example: "{\n \"role\": \"user\",\n \"parts\": [\n {\n \"type\": \"\ + text\",\n \"content\": \"Weather in Paris?\"\n }\n ]\n}, {\n \"\ + role\": \"assistant\",\n \"parts\": [\n {\n \"type\": \"tool_call\"\ + ,\n \"id\": \"call_VSPygqKTWdrhaFErNvMV18Yl\",\n \"name\": \"get_weather\"\ + ,\n \"arguments\": {\n \"location\": \"Paris\"\n }\n }\n\ + \ ]\n}, {\n \"role\": \"tool\",\n \"parts\": [\n {\n \"type\":\ + \ \"tool_call_response\",\n \"id\": \" call_VSPygqKTWdrhaFErNvMV18Yl\"\ + ,\n \"result\": \"rainy, 57°F\"\n }\n ]\n}" + flat_name: gen_ai.input.messages + level: extended + name: input.messages + normalize: [] + otel: + - relation: match + stability: development + short: The chat history provided to the model as an input. + type: nested gen_ai.operation.name: beta: This field is beta and subject to change. dashed_name: gen-ai-operation-name 
@@ -7729,6 +7750,25 @@ gen_ai: stability: development short: The name of the operation being performed. type: keyword + gen_ai.output.messages: + beta: This field is beta and subject to change. + dashed_name: gen-ai-output-messages + description: Messages returned by the model where each message represents a + specific model response (choice, candidate). + example: "{\n \"role\": \"assistant\",\n \"parts\": [\n {\n \"type\"\ + : \"text\",\n \"content\": \"The weather in Paris is currently rainy\ + \ with a temperature of 57°F.\"\n }\n ],\n \"finish_reason\": \"stop\"\ + \n}" + flat_name: gen_ai.output.messages + level: extended + name: output.messages + normalize: [] + otel: + - relation: match + stability: development + short: Messages returned by the model where each message represents a specific + model response (choice, candidate). + type: nested gen_ai.output.type: beta: This field is beta and subject to change. dashed_name: gen-ai-output-type @@ -7964,6 +8004,23 @@ gen_ai: stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword + gen_ai.system_instructions: + beta: This field is beta and subject to change. + dashed_name: gen-ai-system-instructions + description: The system message or instructions provided to the GenAI model + separately from the chat history. + example: "{\n \"type\": \"text\",\n \"content\": \"You are an Agent that greet\ + \ users, always use greetings tool to respond\"\n}" + flat_name: gen_ai.system_instructions + level: extended + name: system_instructions + normalize: [] + otel: + - relation: match + stability: development + short: The system message or instructions provided to the GenAI model separately + from the chat history. + type: flattened gen_ai.token.type: beta: This field is beta and subject to change. dashed_name: gen-ai-token-type 
@@ -7979,6 +8036,22 @@ gen_ai: stability: development short: The type of token being counted. type: keyword + gen_ai.tool.call.arguments: + beta: This field is beta and subject to change. + dashed_name: gen-ai-tool-call-arguments + description: Parameters passed to the tool call. + example: "{\n \"location\": \"San Francisco?\",\n \"date\": \"2025-10-01\"\ + \n}" + flat_name: gen_ai.tool.call.arguments + level: extended + name: tool.call.arguments + normalize: [] + otel: + - attribute: gen_ai.operation.name + relation: related + stability: development + short: Parameters passed to the tool call. + type: flattened gen_ai.tool.call.id: beta: This field is beta and subject to change. dashed_name: gen-ai-tool-call-id 
@@ -7994,6 +8067,47 @@ gen_ai: stability: development short: The tool call identifier. type: keyword + gen_ai.tool.call.result: + beta: This field is beta and subject to change. + dashed_name: gen-ai-tool-call-result + description: The result returned by the tool call (if any and if execution was + successful). + example: "{\n \"temperature_range\": {\n \"high\": 75,\n \"low\": 60\n\ + \ },\n \"conditions\": \"sunny\"\n}" + flat_name: gen_ai.tool.call.result + level: extended + name: tool.call.result + normalize: [] + otel: + - attribute: gen_ai.operation.name + relation: related + stability: development + short: The result returned by the tool call (if any and if execution was successful). + type: flattened + gen_ai.tool.definitions: + beta: This field is beta and subject to change. + dashed_name: gen-ai-tool-definitions + description: The list of source system tool definitions available to the GenAI + agent or model. + example: "{\n \"type\": \"function\",\n \"name\": \"get_current_weather\"\ + ,\n \"description\": \"Get the current weather in a given location\",\n \ + \ \"parameters\": {\n \"type\": \"object\",\n \"properties\": {\n \ + \ \"location\": {\n \"type\": \"string\",\n \"description\"\ + : \"The city and state, e.g. San Francisco, CA\"\n },\n \"unit\"\ + : {\n \"type\": \"string\",\n \"enum\": [\n \"celsius\"\ + ,\n \"fahrenheit\"\n ]\n }\n },\n \"required\"\ + : [\n \"location\",\n \"unit\"\n ]\n }\n}" + flat_name: gen_ai.tool.definitions + level: extended + name: tool.definitions + normalize: [] + otel: + - attribute: gen_ai.operation.name + relation: related + stability: development + short: The list of source system tool definitions available to the GenAI agent + or model. + type: nested gen_ai.tool.name: beta: This field is beta and subject to change. dashed_name: gen-ai-tool-name 
diff --git a/experimental/generated/elasticsearch/composable/component/gen_ai.json b/experimental/generated/elasticsearch/composable/component/gen_ai.json index 769bf2ba63..9f32e2f9ff 100644 --- a/experimental/generated/elasticsearch/composable/component/gen_ai.json +++ b/experimental/generated/elasticsearch/composable/component/gen_ai.json @@ -25,6 +25,13 @@ } } }, + "input": { + "properties": { + "messages": { + "type": "nested" + } + } + }, "operation": { "properties": { "name": { @@ -35,6 +42,9 @@ }, "output": { "properties": { + "messages": { + "type": "nested" + }, "type": { "ignore_above": 1024, "type": "keyword" @@ -102,6 +112,9 @@ "ignore_above": 1024, "type": "keyword" }, + "system_instructions": { + "type": "flattened" + }, "token": { "properties": { "type": { @@ -114,12 +127,21 @@ "properties": { "call": { "properties": { + "arguments": { + "type": "flattened" + }, "id": { "ignore_above": 1024, "type": "keyword" + }, + "result": { + "type": "flattened" } } }, + "definitions": { + "type": "nested" + }, "name": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 4b5250eb7c..21aedf58cb 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -2131,6 +2131,13 @@ } } }, + "input": { + "properties": { + "messages": { + "type": "nested" + } + } + }, "operation": { "properties": { "name": { @@ -2141,6 +2148,9 @@ }, "output": { "properties": { + "messages": { + "type": "nested" + }, "type": { "ignore_above": 1024, "type": "keyword" @@ -2208,6 +2218,9 @@ "ignore_above": 1024, "type": "keyword" }, + "system_instructions": { + "type": "flattened" + }, "token": { "properties": { "type": { 
@@ -2220,12 +2233,21 @@ "properties": { "call": { "properties": { + "arguments": { + "type": "flattened" + }, "id": { "ignore_above": 1024, "type": "keyword" + }, + "result": { + "type": "flattened" } } }, + "definitions": { + "type": "nested" + }, "name": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 4f18299a56..c7a5695911 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -3758,6 +3758,19 @@ description: Human-readable name of the GenAI agent provided by the application. example: Math Tutor; Fiction Writer default_field: false + - name: input.messages + level: extended + type: nested + description: The chat history provided to the model as an input. + example: "{\n \"role\": \"user\",\n \"parts\": [\n {\n \"type\": \"\ + text\",\n \"content\": \"Weather in Paris?\"\n }\n ]\n}, {\n \"\ + role\": \"assistant\",\n \"parts\": [\n {\n \"type\": \"tool_call\"\ + ,\n \"id\": \"call_VSPygqKTWdrhaFErNvMV18Yl\",\n \"name\": \"get_weather\"\ + ,\n \"arguments\": {\n \"location\": \"Paris\"\n }\n }\n\ + \ ]\n}, {\n \"role\": \"tool\",\n \"parts\": [\n {\n \"type\":\ + \ \"tool_call_response\",\n \"id\": \" call_VSPygqKTWdrhaFErNvMV18Yl\"\ + ,\n \"result\": \"rainy, 57°F\"\n }\n ]\n}" + default_field: false - name: operation.name level: extended type: keyword 
@@ -3765,6 +3778,16 @@ description: The name of the operation being performed. example: chat; text_completion; embeddings default_field: false + - name: output.messages + level: extended + type: nested + description: Messages returned by the model where each message represents a + specific model response (choice, candidate). + example: "{\n \"role\": \"assistant\",\n \"parts\": [\n {\n \"type\"\ + : \"text\",\n \"content\": \"The weather in Paris is currently rainy\ + \ with a temperature of 57°F.\"\n }\n ],\n \"finish_reason\": \"stop\"\ + \n}" + default_field: false - name: output.type level: extended type: keyword @@ -3869,6 +3892,14 @@ instrumentation. example: openai default_field: false + - name: system_instructions + level: extended + type: flattened + description: The system message or instructions provided to the GenAI model + separately from the chat history. + example: "{\n \"type\": \"text\",\n \"content\": \"You are an Agent that greet\ + \ users, always use greetings tool to respond\"\n}" + default_field: false - name: token.type level: extended type: keyword @@ -3876,6 +3907,13 @@ description: The type of token being counted. example: input; output default_field: false + - name: tool.call.arguments + level: extended + type: flattened + description: Parameters passed to the tool call. + example: "{\n \"location\": \"San Francisco?\",\n \"date\": \"2025-10-01\"\ + \n}" + default_field: false - name: tool.call.id level: extended type: keyword 
@@ -3883,6 +3921,28 @@ description: The tool call identifier. example: call_mszuSIzqtI65i1wAUOE8w5H4 default_field: false + - name: tool.call.result + level: extended + type: flattened + description: The result returned by the tool call (if any and if execution was + successful). + example: "{\n \"temperature_range\": {\n \"high\": 75,\n \"low\": 60\n\ + \ },\n \"conditions\": \"sunny\"\n}" + default_field: false + - name: tool.definitions + level: extended + type: nested + description: The list of source system tool definitions available to the GenAI + agent or model. + example: "{\n \"type\": \"function\",\n \"name\": \"get_current_weather\"\ + ,\n \"description\": \"Get the current weather in a given location\",\n \ + \ \"parameters\": {\n \"type\": \"object\",\n \"properties\": {\n \ + \ \"location\": {\n \"type\": \"string\",\n \"description\"\ + : \"The city and state, e.g. San Francisco, CA\"\n },\n \"unit\"\ + : {\n \"type\": \"string\",\n \"enum\": [\n \"celsius\"\ + ,\n \"fahrenheit\"\n ]\n }\n },\n \"required\"\ + : [\n \"location\",\n \"unit\"\n ]\n }\n}" + default_field: false - name: tool.name level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index efafe871d7..3c39053e39 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -456,7 +456,47 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,false,gen_ai,gen_ai.agent.description,keyword,extended,,Helps with math problems; Generates fiction stories,Free-form description of the GenAI agent provided by the application. 9.3.0-dev,true,gen_ai,gen_ai.agent.id,keyword,extended,,asst_5j66UpCpwteGg4YSxUnt7lPY,The unique identifier of the GenAI agent. 9.3.0-dev,true,gen_ai,gen_ai.agent.name,keyword,extended,,Math Tutor; Fiction Writer,Human-readable name of the GenAI agent provided by the application. +9.3.0-dev,true,gen_ai,gen_ai.input.messages,nested,extended,,"{ + ""role"": ""user"", + ""parts"": [ + { + ""type"": ""text"", + ""content"": ""Weather in Paris?"" + } + ] +}, { + ""role"": ""assistant"", + ""parts"": [ + { + ""type"": ""tool_call"", + ""id"": ""call_VSPygqKTWdrhaFErNvMV18Yl"", + ""name"": ""get_weather"", + ""arguments"": { + ""location"": ""Paris"" + } + } + ] +}, { + ""role"": ""tool"", + ""parts"": [ + { + ""type"": ""tool_call_response"", + ""id"": "" call_VSPygqKTWdrhaFErNvMV18Yl"", + ""result"": ""rainy, 57°F"" + } + ] +}",The chat history provided to the model as an input. 9.3.0-dev,true,gen_ai,gen_ai.operation.name,keyword,extended,,chat; text_completion; embeddings,The name of the operation being performed. +9.3.0-dev,true,gen_ai,gen_ai.output.messages,nested,extended,,"{ + ""role"": ""assistant"", + ""parts"": [ + { + ""type"": ""text"", + ""content"": ""The weather in Paris is currently rainy with a temperature of 57°F."" + } + ], + ""finish_reason"": ""stop"" +}","Messages returned by the model where each message represents a specific model response (choice, candidate)." 9.3.0-dev,true,gen_ai,gen_ai.output.type,keyword,extended,,text; json; image,Represents the content type requested by the client. 9.3.0-dev,true,gen_ai,gen_ai.request.choice.count,integer,extended,,3,The target number of candidate completions to return. 
9.3.0-dev,true,gen_ai,gen_ai.request.encoding_formats,nested,extended,,"[""float"", ""binary""]","The encoding formats requested in an embeddings operation, if specified." 
@@ -473,8 +513,48 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,gen_ai,gen_ai.response.id,keyword,extended,,chatcmpl-123,The unique identifier for the completion. 9.3.0-dev,true,gen_ai,gen_ai.response.model,keyword,extended,,gpt-4-0613,The name of the model that generated the response. 9.3.0-dev,true,gen_ai,gen_ai.system,keyword,extended,,openai,The Generative AI product as identified by the client or server instrumentation. +9.3.0-dev,true,gen_ai,gen_ai.system_instructions,flattened,extended,,"{ + ""type"": ""text"", + ""content"": ""You are an Agent that greet users, always use greetings tool to respond"" +}",The system message or instructions provided to the GenAI model separately from the chat history. 9.3.0-dev,true,gen_ai,gen_ai.token.type,keyword,extended,,input; output,The type of token being counted. +9.3.0-dev,true,gen_ai,gen_ai.tool.call.arguments,flattened,extended,,"{ + ""location"": ""San Francisco?"", + ""date"": ""2025-10-01"" +}",Parameters passed to the tool call. 9.3.0-dev,true,gen_ai,gen_ai.tool.call.id,keyword,extended,,call_mszuSIzqtI65i1wAUOE8w5H4,The tool call identifier. +9.3.0-dev,true,gen_ai,gen_ai.tool.call.result,flattened,extended,,"{ + ""temperature_range"": { + ""high"": 75, + ""low"": 60 + }, + ""conditions"": ""sunny"" +}",The result returned by the tool call (if any and if execution was successful). +9.3.0-dev,true,gen_ai,gen_ai.tool.definitions,nested,extended,,"{ + ""type"": ""function"", + ""name"": ""get_current_weather"", + ""description"": ""Get the current weather in a given location"", + ""parameters"": { + ""type"": ""object"", + ""properties"": { + ""location"": { + ""type"": ""string"", + ""description"": ""The city and state, e.g. 
San Francisco, CA"" + }, + ""unit"": { + ""type"": ""string"", + ""enum"": [ + ""celsius"", + ""fahrenheit"" + ] + } + }, + ""required"": [ + ""location"", + ""unit"" + ] + } +}",The list of source system tool definitions available to the GenAI agent or model. 9.3.0-dev,true,gen_ai,gen_ai.tool.name,keyword,extended,,Flights,Name of the tool utilized by the agent. 9.3.0-dev,true,gen_ai,gen_ai.tool.type,keyword,extended,,function; extension; datastore,Type of the tool utilized by the agent 9.3.0-dev,true,gen_ai,gen_ai.usage.input_tokens,integer,extended,,100,The number of tokens used in the GenAI input (prompt). diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 8336eaac97..f2af89d5fb 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -6482,6 +6482,27 @@ gen_ai.agent.name: stability: development short: Human-readable name of the GenAI agent provided by the application. type: keyword +gen_ai.input.messages: + beta: This field is beta and subject to change. + dashed_name: gen-ai-input-messages + description: The chat history provided to the model as an input. + example: "{\n \"role\": \"user\",\n \"parts\": [\n {\n \"type\": \"text\"\ + ,\n \"content\": \"Weather in Paris?\"\n }\n ]\n}, {\n \"role\": \"\ + assistant\",\n \"parts\": [\n {\n \"type\": \"tool_call\",\n \"\ + id\": \"call_VSPygqKTWdrhaFErNvMV18Yl\",\n \"name\": \"get_weather\",\n \ + \ \"arguments\": {\n \"location\": \"Paris\"\n }\n }\n ]\n\ + }, {\n \"role\": \"tool\",\n \"parts\": [\n {\n \"type\": \"tool_call_response\"\ + ,\n \"id\": \" call_VSPygqKTWdrhaFErNvMV18Yl\",\n \"result\": \"rainy,\ + \ 57°F\"\n }\n ]\n}" + flat_name: gen_ai.input.messages + level: extended + name: input.messages + normalize: [] + otel: + - relation: match + stability: development + short: The chat history provided to the model as an input. + type: nested gen_ai.operation.name: beta: This field is beta and subject to change. dashed_name: gen-ai-operation-name 
@@ -6497,6 +6518,24 @@ gen_ai.operation.name: stability: development short: The name of the operation being performed. type: keyword +gen_ai.output.messages: + beta: This field is beta and subject to change. + dashed_name: gen-ai-output-messages + description: Messages returned by the model where each message represents a specific + model response (choice, candidate). + example: "{\n \"role\": \"assistant\",\n \"parts\": [\n {\n \"type\":\ + \ \"text\",\n \"content\": \"The weather in Paris is currently rainy with\ + \ a temperature of 57°F.\"\n }\n ],\n \"finish_reason\": \"stop\"\n}" + flat_name: gen_ai.output.messages + level: extended + name: output.messages + normalize: [] + otel: + - relation: match + stability: development + short: Messages returned by the model where each message represents a specific model + response (choice, candidate). + type: nested gen_ai.output.type: beta: This field is beta and subject to change. dashed_name: gen-ai-output-type @@ -6730,6 +6769,23 @@ gen_ai.system: stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword +gen_ai.system_instructions: + beta: This field is beta and subject to change. + dashed_name: gen-ai-system-instructions + description: The system message or instructions provided to the GenAI model separately + from the chat history. + example: "{\n \"type\": \"text\",\n \"content\": \"You are an Agent that greet\ + \ users, always use greetings tool to respond\"\n}" + flat_name: gen_ai.system_instructions + level: extended + name: system_instructions + normalize: [] + otel: + - relation: match + stability: development + short: The system message or instructions provided to the GenAI model separately + from the chat history. + type: flattened gen_ai.token.type: beta: This field is beta and subject to change. dashed_name: gen-ai-token-type 
@@ -6745,6 +6801,22 @@ gen_ai.token.type: stability: development short: The type of token being counted. type: keyword +gen_ai.tool.call.arguments: + beta: This field is beta and subject to change. + dashed_name: gen-ai-tool-call-arguments + description: Parameters passed to the tool call. + example: "{\n \"location\": \"San Francisco?\",\n \"date\": \"2025-10-01\"\ + \n}" + flat_name: gen_ai.tool.call.arguments + level: extended + name: tool.call.arguments + normalize: [] + otel: + - attribute: gen_ai.operation.name + relation: related + stability: development + short: Parameters passed to the tool call. + type: flattened gen_ai.tool.call.id: beta: This field is beta and subject to change. dashed_name: gen-ai-tool-call-id 
@@ -6760,6 +6832,46 @@ gen_ai.tool.call.id: stability: development short: The tool call identifier. type: keyword +gen_ai.tool.call.result: + beta: This field is beta and subject to change. + dashed_name: gen-ai-tool-call-result + description: The result returned by the tool call (if any and if execution was successful). + example: "{\n \"temperature_range\": {\n \"high\": 75,\n \"low\": 60\n },\n\ + \ \"conditions\": \"sunny\"\n}" + flat_name: gen_ai.tool.call.result + level: extended + name: tool.call.result + normalize: [] + otel: + - attribute: gen_ai.operation.name + relation: related + stability: development + short: The result returned by the tool call (if any and if execution was successful). + type: flattened +gen_ai.tool.definitions: + beta: This field is beta and subject to change. + dashed_name: gen-ai-tool-definitions + description: The list of source system tool definitions available to the GenAI agent + or model. + example: "{\n \"type\": \"function\",\n \"name\": \"get_current_weather\",\n \ + \ \"description\": \"Get the current weather in a given location\",\n \"parameters\"\ + : {\n \"type\": \"object\",\n \"properties\": {\n \"location\": {\n\ + \ \"type\": \"string\",\n \"description\": \"The city and state,\ + \ e.g. San Francisco, CA\"\n },\n \"unit\": {\n \"type\": \"\ + string\",\n \"enum\": [\n \"celsius\",\n \"fahrenheit\"\ + \n ]\n }\n },\n \"required\": [\n \"location\",\n \ + \ \"unit\"\n ]\n }\n}" + flat_name: gen_ai.tool.definitions + level: extended + name: tool.definitions + normalize: [] + otel: + - attribute: gen_ai.operation.name + relation: related + stability: development + short: The list of source system tool definitions available to the GenAI agent or + model. + type: nested gen_ai.tool.name: beta: This field is beta and subject to change. dashed_name: gen-ai-tool-name diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index af8b28777f..15a1ad4b48 100644 --- a/generated/ecs/ecs_nested.yml 
+++ b/generated/ecs/ecs_nested.yml @@ -7634,6 +7634,27 @@ gen_ai: stability: development short: Human-readable name of the GenAI agent provided by the application. type: keyword + gen_ai.input.messages: + beta: This field is beta and subject to change. + dashed_name: gen-ai-input-messages + description: The chat history provided to the model as an input. + example: "{\n \"role\": \"user\",\n \"parts\": [\n {\n \"type\": \"\ + text\",\n \"content\": \"Weather in Paris?\"\n }\n ]\n}, {\n \"\ + role\": \"assistant\",\n \"parts\": [\n {\n \"type\": \"tool_call\"\ + ,\n \"id\": \"call_VSPygqKTWdrhaFErNvMV18Yl\",\n \"name\": \"get_weather\"\ + ,\n \"arguments\": {\n \"location\": \"Paris\"\n }\n }\n\ + \ ]\n}, {\n \"role\": \"tool\",\n \"parts\": [\n {\n \"type\":\ + \ \"tool_call_response\",\n \"id\": \" call_VSPygqKTWdrhaFErNvMV18Yl\"\ + ,\n \"result\": \"rainy, 57°F\"\n }\n ]\n}" + flat_name: gen_ai.input.messages + level: extended + name: input.messages + normalize: [] + otel: + - relation: match + stability: development + short: The chat history provided to the model as an input. + type: nested gen_ai.operation.name: beta: This field is beta and subject to change. dashed_name: gen-ai-operation-name 
@@ -7649,6 +7670,25 @@ gen_ai: stability: development short: The name of the operation being performed. type: keyword + gen_ai.output.messages: + beta: This field is beta and subject to change. + dashed_name: gen-ai-output-messages + description: Messages returned by the model where each message represents a + specific model response (choice, candidate). + example: "{\n \"role\": \"assistant\",\n \"parts\": [\n {\n \"type\"\ + : \"text\",\n \"content\": \"The weather in Paris is currently rainy\ + \ with a temperature of 57°F.\"\n }\n ],\n \"finish_reason\": \"stop\"\ + \n}" + flat_name: gen_ai.output.messages + level: extended + name: output.messages + normalize: [] + otel: + - relation: match + stability: development + short: Messages returned by the model where each message represents a specific + model response (choice, candidate). + type: nested gen_ai.output.type: beta: This field is beta and subject to change. dashed_name: gen-ai-output-type @@ -7884,6 +7924,23 @@ gen_ai: stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword + gen_ai.system_instructions: + beta: This field is beta and subject to change. + dashed_name: gen-ai-system-instructions + description: The system message or instructions provided to the GenAI model + separately from the chat history. + example: "{\n \"type\": \"text\",\n \"content\": \"You are an Agent that greet\ + \ users, always use greetings tool to respond\"\n}" + flat_name: gen_ai.system_instructions + level: extended + name: system_instructions + normalize: [] + otel: + - relation: match + stability: development + short: The system message or instructions provided to the GenAI model separately + from the chat history. + type: flattened gen_ai.token.type: beta: This field is beta and subject to change. dashed_name: gen-ai-token-type 
@@ -7899,6 +7956,22 @@ gen_ai: stability: development short: The type of token being counted. type: keyword + gen_ai.tool.call.arguments: + beta: This field is beta and subject to change. + dashed_name: gen-ai-tool-call-arguments + description: Parameters passed to the tool call. + example: "{\n \"location\": \"San Francisco?\",\n \"date\": \"2025-10-01\"\ + \n}" + flat_name: gen_ai.tool.call.arguments + level: extended + name: tool.call.arguments + normalize: [] + otel: + - attribute: gen_ai.operation.name + relation: related + stability: development + short: Parameters passed to the tool call. + type: flattened gen_ai.tool.call.id: beta: This field is beta and subject to change. dashed_name: gen-ai-tool-call-id 
@@ -7914,6 +7987,47 @@ gen_ai: stability: development short: The tool call identifier. type: keyword + gen_ai.tool.call.result: + beta: This field is beta and subject to change. + dashed_name: gen-ai-tool-call-result + description: The result returned by the tool call (if any and if execution was + successful). + example: "{\n \"temperature_range\": {\n \"high\": 75,\n \"low\": 60\n\ + \ },\n \"conditions\": \"sunny\"\n}" + flat_name: gen_ai.tool.call.result + level: extended + name: tool.call.result + normalize: [] + otel: + - attribute: gen_ai.operation.name + relation: related + stability: development + short: The result returned by the tool call (if any and if execution was successful). + type: flattened + gen_ai.tool.definitions: + beta: This field is beta and subject to change. + dashed_name: gen-ai-tool-definitions + description: The list of source system tool definitions available to the GenAI + agent or model. + example: "{\n \"type\": \"function\",\n \"name\": \"get_current_weather\"\ + ,\n \"description\": \"Get the current weather in a given location\",\n \ + \ \"parameters\": {\n \"type\": \"object\",\n \"properties\": {\n \ + \ \"location\": {\n \"type\": \"string\",\n \"description\"\ + : \"The city and state, e.g. San Francisco, CA\"\n },\n \"unit\"\ + : {\n \"type\": \"string\",\n \"enum\": [\n \"celsius\"\ + ,\n \"fahrenheit\"\n ]\n }\n },\n \"required\"\ + : [\n \"location\",\n \"unit\"\n ]\n }\n}" + flat_name: gen_ai.tool.definitions + level: extended + name: tool.definitions + normalize: [] + otel: + - attribute: gen_ai.operation.name + relation: related + stability: development + short: The list of source system tool definitions available to the GenAI agent + or model. + type: nested gen_ai.tool.name: beta: This field is beta and subject to change. dashed_name: gen-ai-tool-name diff --git a/generated/elasticsearch/composable/component/gen_ai.json b/generated/elasticsearch/composable/component/gen_ai.json index de78621d19..b1ce0aee83 100644 
--- a/generated/elasticsearch/composable/component/gen_ai.json +++ b/generated/elasticsearch/composable/component/gen_ai.json @@ -25,6 +25,13 @@ } } }, + "input": { + "properties": { + "messages": { + "type": "nested" + } + } + }, "operation": { "properties": { "name": { @@ -35,6 +42,9 @@ }, "output": { "properties": { + "messages": { + "type": "nested" + }, "type": { "ignore_above": 1024, "type": "keyword" @@ -102,6 +112,9 @@ "ignore_above": 1024, "type": "keyword" }, + "system_instructions": { + "type": "flattened" + }, "token": { "properties": { "type": { @@ -114,12 +127,21 @@ "properties": { "call": { "properties": { + "arguments": { + "type": "flattened" + }, "id": { "ignore_above": 1024, "type": "keyword" + }, + "result": { + "type": "flattened" } } }, + "definitions": { + "type": "nested" + }, "name": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 511251bfc9..e05047e074 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -2089,6 +2089,13 @@ } } }, + "input": { + "properties": { + "messages": { + "type": "nested" + } + } + }, "operation": { "properties": { "name": { @@ -2099,6 +2106,9 @@ }, "output": { "properties": { + "messages": { + "type": "nested" + }, "type": { "ignore_above": 1024, "type": "keyword" @@ -2166,6 +2176,9 @@ "ignore_above": 1024, "type": "keyword" }, + "system_instructions": { + "type": "flattened" + }, "token": { "properties": { "type": { @@ -2178,12 +2191,21 @@ "properties": { "call": { "properties": { + "arguments": { + "type": "flattened" + }, "id": { "ignore_above": 1024, "type": "keyword" + }, + "result": { + "type": "flattened" } } }, + "definitions": { + "type": "nested" + }, "name": { "ignore_above": 1024, "type": "keyword"